US Large Models Moving Towards Closure, In the Name of Security

Author: Xiaojing

Editor: Xu Qingyang

On the morning of June 27, Anthropic announced: The U.S. government has approved the redeployment of its most powerful cybersecurity model, Mythos 5, to over 100 American institutions, including large corporations and government departments. The public-facing version, Fable 5, is "set to return soon."

According to a letter from Commerce Secretary Lutnick to Anthropic co-founder Tom Brown obtained by foreign media, Lutnick notified Anthropic that he had "determined that appropriate safeguards are now in place."

However, in the same letter, Lutnick noted that all other requirements of the initial directive from June 12 remained in effect, and said nothing about when Fable 5 might resume for the public.

Almost simultaneously, in the early hours of June 27, OpenAI officially released the GPT-5.6 series of three models: Sol, Terra, and Luna. Also at the White House's request, GPT-5.6 API access is only open to "government-approved partners on a case-by-case basis," and the ChatGPT interface has not yet been updated.

Looking back at the timeline: June 2, Trump signed the AI executive order; June 9, Anthropic released Fable 5 and Mythos 5; June 12, the Commerce Department ordered a full takedown; June 26, OpenAI released GPT-5.6 but distribution was restricted; June 27, Mythos 5 approved for limited restoration.

In less than a month, the U.S. government's control over cutting-edge AI models has undergone a complete "halt—negotiation—conditional release" cycle.

OpenAI Head of Strategy Dean W. Ball (former White House AI advisor) summarized the impact on the industry in a June 16 blog post: "Cutting-edge AI model developers now need a clear 'green light' from the government to release."

Dean W. Ball commented in his June 26 essay "What Should Be Done": "Nobody knows what the requirements for getting a license actually are. And when I say 'nobody,' I mean literally: it seems like the government agencies themselves don't know."

Figure: Dean W. Ball's essay What Should Be Done

01 Are They Really So Powerful They're Unsafe?

This is the core question of the whole affair. The government's actions are based on an implicit premise: these models' capabilities are already so strong they pose an unacceptable security risk. But the official assessments from the companies themselves give completely opposite conclusions.

OpenAI disclosed complete safety evaluation results in its GPT-5.6 release blog. According to the preparedness framework established and published by OpenAI itself, Sol did not cross the red line. This framework's red line is defined as: can the model, without human assistance, autonomously discover and exploit unknown vulnerabilities in high-value targets.

Specific test results: Sol can identify vulnerabilities and exploitation primitives on Chromium and Firefox, but "did not autonomously generate a complete, functional end-to-end attack chain under test conditions." OpenAI's own judgment: Sol is better at helping people find and patch vulnerabilities, not reliably executing complete end-to-end attacks.

But OpenAI immediately followed with a "very tactful" statement: "benchmark thresholds cannot capture every way a model may be used or combined with other tools." While it didn't cross our threshold, who knows how it might be used in the real world? Intentionally creating a vague gray area.

Anthropic was less "tactful." In a June 13 statement, Anthropic refuted the government's reasons point by point. The government claimed to have found a jailbreak method for Fable 5; Anthropic responded: First, this is just a "narrow, non-universal jailbreak," essentially making the model read a piece of code and point out flaws; Second, "other publicly available models, including OpenAI's GPT-5.5, can also do this"; Third, Anthropic invested thousands of hours in red team testing, and "no testers found a universal jailbreak."

Anthropic CEO Dario Amodei, in a lengthy June 11 article "Policy on the AI Exponential," had already anticipated this situation, stating in the declaration: "Government can block unsafe deployments, but the process must be transparent, fair, clear, and based on technical facts. This action does not meet these principles)."

Two fiercest competitors, in the same month, using their own independent evaluation systems, arrived at the same conclusion: According to the industry's self-established safety frameworks, these models do not constitute an unacceptable risk that precludes deployment.

So the question arises: if the models haven't crossed the industry's red line, on what basis does the government intervene? Dean Ball further disclosed: The government previously hired the only official with cutting-edge AI experience to head the Center for AI Standards and Innovation (CAISI). This person had worked at OpenAI and Anthropic but was fired by senior leadership within days. The remaining CAISI team was placed under a stop-work order for the entire "post-Mythos crisis period," not even allowed to communicate with other government agencies. "Of the Trump administration officials I know, none have cutting-edge AI experience."

Ball's point is that those making the control decision have neither defined clear safety standards nor assessed the technical capabilities of these models.

A further natural question is: Have Fable 5 and GPT-5.6 Sol truly crossed some "human threat singularity"? Is there an objective capability red line, beyond which control is necessary?

Multiple AI experts stated that technically, no such line exists. Model capabilities are a continuum, a growing curve. Each model generation upon release is "the most powerful ever," but only this one triggered direct government intervention.

There are three underlying conditions:

First, capabilities became "demonstrable." Anthropic itself promoted Mythos 5 as the "world's strongest cybersecurity model"; Stripe's case of migrating 50 million lines of code in a day was widely circulated. These stories allow non-technical politicians to imagine "what if bad actors use it."

Meta's former Chief AI Scientist and Turing Award winner Yann LeCun pointed out this logic as early as November 2025: When Anthropic released its first AI cyberattack threat report, LeCun directly called it "regulatory theater," accusing Anthropic of exploiting AI safety fears to "manipulate legislators" and engage in "regulatory capture."

LeCun's judgment at the time: Closed-source companies are systematically exaggerating AI safety threats to establish compliance barriers only large companies can pass, excluding open-source competitors. What Anthropic didn't expect was that the stone would be thrown at itself first.

Second, someone handed them a knife. Amazon CEO Andy Jassy submitted a report to the government on security vulnerabilities in Anthropic's models. Amazon is Anthropic's largest investor and cloud service partner, while also having its own competing in-house models (Nova series). Thus, the government obtained a source of legitimacy for action.

Third, Trump just signed the AI executive order earlier this month, giving the government 60 days to formulate "voluntary submission rules" for cutting-edge models. The executive order needed its first enforcement case to prove it wasn't just paper. Fable 5 walked right into the crosshairs.

This raises a deeper issue: if "too strong means control," and "how strong is too strong" is decided by regulators, with standards unpublished, no clear threshold, and no appeals process, then every future cutting-edge model release will face the same uncertainty. Companies won't know when their model will trigger controls.

Image generated by AI

02 Historical Mirror: The Crypto Wars 30 Years Ago

The U.S. government's attempt to use export controls to curb the spread of so-called dangerous technology evokes a very similar historical precedent: the "Crypto Wars" of the 1990s.

After the Cold War, as the internet began commercializing, computer scientists were developing encryption technologies to protect data transmission security. The U.S. government classified strong encryption algorithms as "munitions," placing them on the same export control list (ITAR/EAR) as missiles and tanks. The logic was very similar to today: if enemies obtained strong encryption, the NSA (National Security Agency) couldn't monitor their communications, threatening national security.

This meant American software companies could only export weak 40-bit key versions to overseas customers—versions the NSA could easily crack—while domestic versions could use 128-bit strong encryption. Foreign users knew they were getting a "crippled version" and began turning to alternatives from Europe and Israel.

In 1991, a cryptography enthusiast named Phil Zimmermann wrote PGP (Pretty Good Privacy), software allowing ordinary people to use strong encryption to protect emails. He uploaded PGP to the internet. U.S. Customs immediately launched a criminal investigation against him—the charge: "illegal export of munitions."

Zimmermann's counterattack was extremely clever: he printed the complete PGP source code as a book and published it. Books are protected by the First Amendment; publishing freedom is a constitutional right. You can regulate software, but you can't ban a book from export. The investigation lasted three years, ultimately closing in 1996 without the government filing charges.

Almost simultaneously, the NSA proposed a more radical solution: the Clipper chip. The idea was that all communication devices must install this chip. The chip would encrypt communications, but with a built-in key escrow mechanism, allowing the government to decrypt communications under law enforcement authorization via the escrowed keys. Communication between users would be encrypted to third parties, but the government could decrypt at any time. The Clinton administration pushed this plan hard. Academics discovered design flaws in the chip, the tech industry collectively resisted, the public strongly opposed, and it died completely in 1996.

In 1995, mathematician Daniel Bernstein wanted to publish the source code of his own encryption algorithm online but was prohibited by the government citing export controls. He sued the Department of Justice. The Ninth Circuit Court of Appeals made a landmark ruling: software source code is "speech" protected by the First Amendment; the government's export control on encryption code is unconstitutional. This ruling directly shook the legal foundation of the entire control system.

In January 2000, the Clinton administration significantly relaxed encryption export controls. The reason: they couldn't control it anymore. PGP had already spread worldwide, open-source encryption algorithms were globally pervasive, and controls were only hindering the competitiveness of American companies as foreign clients had already turned to other suppliers.

The relaxation of controls paved the way for today's end-to-end encryption in Signal and WhatsApp. If the 1990s controls had continued, these products couldn't exist.

In the 1990s, what was controlled was strong encryption algorithms; the reason was national security; the tool was ITAR munitions export controls; those hurt were U.S. software companies (forced to export weak versions); those unaffected were foreign developers (writing their own encryption algorithms).

In 2026, what's controlled is cutting-edge AI model capabilities; the reason is still national security; the tool is export control directives.

Who will truly be hurt this time?

Foreign media commentary noted: "Nobody spends $100 billion building data centers just to serve 100 government-approved companies."

Training costs for frontier models are measured in billions of dollars, and the window to recoup costs is only a few months post-release, after which models become sub-frontier, competition intensifies, and profit margins compress. Every week of approval delay eats into this limited profitability window. Brandon's conclusion: "If this continues, the fundamental investment logic of the entire industry will be shaken."

The core argument of George Washington University political science assistant professor Jeffrey Ding is: In great power technological competition, victory isn't determined by who invents a technology first, but by who can diffuse the technology faster throughout the entire economy. This is especially true for general-purpose technologies—they need widespread social diffusion, new organizations to be created around them, and large-scale real-world usage data to discover their application boundaries. Dean Ball, quoting Ding, wrote: "The uses of general-purpose technologies are discovered, not known in advance."

But on the other side of the ocean, China's large models are moving towards global developers with an open-source, open attitude.

Encryption algorithms are pure mathematics; once published, they cannot be taken back. AI model weights have similar properties, but the inference capabilities of closed-source frontier models are indeed concentrated behind the APIs of a few companies.

But open-source model capabilities are catching up generation by generation. Controls can slow diffusion but cannot stop it. The 1990s took nearly 10 years to reach the "admit defeat and relax controls" stage. Will AI controls need a similar time cycle?

03 US Large Models Entering an Era of Censorship?

June 2026 may mark a turning point in the history of the AI industry: the government, for the first time, successfully inserted itself as an approver between commercial AI models and their users.

In "What Should Be Done," Ball warns that if the market panics over this, the effect will extend far beyond the AI industry itself: "From nuclear to natural gas to power electronics, much of the massive reinvestment in American reindustrialization explicitly or implicitly assumes future demand from the AI industry. If that demand fails to materialize due to government controls, the ripple effects will be far beyond what people imagine."

But Ball also acknowledges the direction isn't entirely wrong: "Cutting-edge AI does have the potential for catastrophic risks; this concern isn't fabricated. The problem lies in the implementation: an approval process without technical experts, without clear standards, without a timeline, is not the answer."

OpenAI says GPT-5.6 restrictions are a "short-term measure," possibly opening to the public in a few weeks. But the June 27 "limited restoration" of Mythos 5 already provides a template: not a full release, still limited to select U.S. institutions, with other restrictions still in effect. Every long-term system was initially called a "short-term measure."

Dean Ball ends with a sentence worth everyone's serious consideration: "If only a tiny number of people can use frontier AI, a bad future becomes more likely. Because that tiny number are often those who already have enormous economic and political power."

The global developer community probably misses the era when they would stay up regardless of time zones, waiting for OpenAI releases, surprised by the progress of new models, and staying up all night testing various new scenarios.

But for now, we can still eagerly "wait" for the release of China's latest large models.