The large models in the United States are moving towards closure in the name of security

Author: Xiao Jing

Editor: Xu Qingyang

On the morning of June 27, Anthropic announced that the U.S. government has approved the redeployment of its strongest cybersecurity model, Mythos 5, to over 100 U.S. agencies, including large enterprises and government departments. The public version, Fable 5, is "about to resume."

According to a letter from Secretary of Commerce Gina Raimondo to Anthropic co-founder Tom Brown, Raimondo informed Anthropic that she has "determined that appropriate security safeguards are in place."

However, in the same letter, Raimondo pointed out that all other requirements from the initial directive on June 12 remain in effect, and there was no mention of when Fable 5 would resume for the public.

Almost simultaneously, in the early hours of June 27, OpenAI officially released three models in the GPT-5.6 series: Sol, Terra, and Luna. Also at the request of the White House, GPT-5.6 API access is only available to "government-approved partners on a case-by-case basis," and the ChatGPT version has not yet gone live.

Looking back at the entire timeline: On June 2, Trump signed the AI executive order; on June 9, Anthropic released Fable 5 and Mythos 5; on June 12, the Department of Commerce ordered a complete withdrawal; on June 26, OpenAI released GPT-5.6 but with restricted distribution; on June 27, Mythos 5 was granted limited restoration.

In less than a month, the U.S. government's control over cutting-edge AI models has gone through a complete cycle of "halt—negotiation—conditional release."

Dean W. Ball, head of OpenAI's strategic team (former White House AI advisor), summarized the impact of this situation on the industry in a blog post on June 16: "Cutting-edge AI model developers now need a clear 'green light' from the government to release."

In a lengthy article titled "What Should Be Done" on June 26, Dean W. Ball commented: "No one knows what the requirements for obtaining permission actually are. When I say 'no one,' I mean it literally: it seems that even the government departments themselves do not know."

01 Is it really powerful enough to be unsafe?

This is the core question of the entire matter. The government's actions are based on an implicit premise: that the capabilities of these models have become strong enough to pose unacceptable security risks. However, the official assessment from the companies themselves provides a completely opposite conclusion.

OpenAI disclosed the complete safety assessment results in the blog post announcing GPT-5.6, stating that according to the preparation framework established and publicly released by OpenAI, Sol did not cross that line. The red line defined by this framework is whether the model can autonomously discover and exploit unknown vulnerabilities of high-value targets without human assistance.

The specific test results are: Sol can identify vulnerabilities and exploitation primitives on Chromium and Firefox, but "did not autonomously generate a complete usable end-to-end attack chain under test conditions." OpenAI's own judgment is that Sol is better at helping people find vulnerabilities and patch them, rather than reliably executing complete attacks end-to-end.

However, OpenAI immediately followed up with a "very emotionally intelligent" statement: "benchmark thresholds cannot capture every way a model may be used or combined with other tools." Although it did not cross the line by our standards, who knows how it will be used in the real world? This deliberately created an ambiguous gray area.

Anthropic was not so "emotionally intelligent." In a statement on June 13, Anthropic rebutted the government's reasons point by point. The government claimed to have discovered a jailbreak method for Fable 5, to which Anthropic responded: First, this is merely a "narrow, non-general jailbreak," essentially allowing the model to read a piece of code and then point out defects; second, "other publicly available models, including OpenAI's GPT-5.5, can also do this"; third, Anthropic has invested thousands of hours in red team testing, "and no tester found a general jailbreak."

Anthropic CEO Dario Amodei had already anticipated this situation in a lengthy article titled "Policy on the AI Exponential" published on June 11, clearly stating: "The government can stop unsafe deployments, but the process must be transparent, fair, clear, and based on technical facts. This action does not conform to these principles."

The two fiercest competitors reached the same conclusion using their independent assessment systems within the same month: according to the safety framework built by the industry itself, these models do not pose an undeployable risk.

So the question arises, if the models have not crossed the industry's red line, on what basis does the government intervene? Dean Ball further disclosed that the government previously hired the only official with cutting-edge AI experience to head the AI Standards and Innovation Center (CAISI), who had worked at OpenAI and Anthropic, but was fired by senior management just days after taking office. The remaining CAISI team has been in a state of work stoppage throughout the "post-Mythos crisis period," and is even not allowed to communicate with other government agencies. "None of the Trump administration officials I know have cutting-edge AI experience."

Ball's point is that those making regulatory decisions have neither defined clear safety standards nor assessed the technical capabilities of these models.

A further natural question is: Have Fable 5 and GPT-5.6 Sol truly crossed some "human threat singularity"? Is there an objective capability red line that, once crossed, necessitates regulation?

Several experts in the AI field have stated that there is technically no such line. The capabilities of models are a continuously growing curve. Each generation of models released is the "strongest ever," but only this time triggered direct government intervention.

There are three implicit conditions behind this:

First, the capabilities have become "demonstrable." Anthropic itself promoted Mythos 5 as "the world's strongest cybersecurity model," and the case of Stripe migrating 50 million lines of code in a day has been widely circulated. These stories allow politicians who do not understand technology to imagine "what if bad actors use it."

Yann LeCun, former chief AI scientist at Meta and Turing Award winner, pointed out this logic back in November 2025: when Anthropic released its first AI cyber attack threat report, LeCun directly referred to it as "regulatory theater," accusing Anthropic of using AI security fears to "manipulate legislators" for "regulatory capture."

LeCun's judgment at the time was that closed-source companies systematically exaggerate AI security threats to establish compliance barriers that only large companies can pass, excluding open-source competitors. What Anthropic did not expect was that the stone was thrown back at itself.

Second, someone handed over a knife. Amazon CEO Andy Jassy submitted a report to the government detailing the security risks of Anthropic's models. Amazon is Anthropic's largest investor and cloud service partner, and also has its own model (Nova series) that competes with Anthropic. Thus, the government gained a legitimate basis for action.

Third, Trump had just signed the AI executive order earlier this month, giving the government 60 days to formulate "voluntary submission rules" for cutting-edge models. The executive order needed its first enforcement case to prove it was not just a piece of paper. Fable 5 ended up in the crosshairs.

This raises a deeper question: if "being too strong requires regulation," and "how strong counts as too strong" is determined by regulatory agencies, with no public standards, no clear thresholds, and no appeal process, then every future release of cutting-edge models will face the same uncertainty. Companies will not know when their models will trigger regulation.

02 Historical Reflection: The Crypto Wars 30 Years Ago

The U.S. government's attempt to use export controls to curb the spread of so-called dangerous technologies brings to mind a similar historical precedent: the "Crypto Wars" of the 1990s.

After the Cold War ended, the internet began to commercialize, and computer scientists were developing encryption technologies to protect data transmission security. The U.S. government classified strong encryption algorithms as "munitions," placing them on the same export control list as missiles and tanks (ITAR/EAR). The logic is very similar to today: if the enemy obtains strong encryption, the NSA (National Security Agency) cannot eavesdrop on their communications, threatening national security.

This meant that U.S. software companies could only export weak encryption versions with 40-bit keys to overseas customers, versions that the NSA could easily crack, while domestic versions could use 128-bit strong encryption. Foreign users knew they were getting a "watered-down version" and began to turn to alternatives from Europe and Israel.

In 1991, a cryptography enthusiast named Phil Zimmermann wrote PGP (Pretty Good Privacy), software that allowed ordinary people to use strong encryption to protect emails. He uploaded PGP to the internet. The U.S. Customs Service immediately launched a criminal investigation against him—charging him with "illegal export of munitions."

Zimmermann's counterattack was extremely clever: he published the complete source code of PGP in a book. Books are protected by the First Amendment, and the freedom to publish is a constitutional right. You can regulate software, but you cannot prohibit the export of a book. The investigation lasted three years and was ultimately closed in 1996, with the government not filing any charges.

Almost simultaneously, the NSA launched a more radical plan: the Clipper chip. The design idea was that all communication devices must install this chip, which would handle encryption. The chip had a built-in key escrow mechanism, allowing the government to decrypt communications with authorized law enforcement access. Communications between users would be encrypted from third parties, but the government could decrypt them at any time. The Clinton administration strongly pushed this plan. As a result, the academic community discovered design flaws in the chip, the tech industry collectively resisted, and the public strongly opposed it, leading to its complete demise in 1996.

In 1995, mathematician Daniel Bernstein wanted to publish the source code of his encryption algorithm online but was prohibited by the government under export control. He sued the Department of Justice. The Ninth Circuit Court of Appeals made a far-reaching ruling: software source code is protected as "speech" under the First Amendment, and the government's export control of encryption code is unconstitutional. This ruling directly undermined the legal foundation of the entire regulatory system.

In January 2000, the Clinton administration significantly relaxed encryption export controls. The reason was that they could no longer be enforced. PGP had already spread worldwide, and open-source encryption algorithms had become widespread; regulation was only hindering the competitiveness of U.S. companies, as foreign customers had already turned to other suppliers.

After the relaxation of controls, we saw the emergence of end-to-end encryption in products like Signal and WhatsApp. If the regulations of the 1990s had continued to this day, these products would not exist.

In the 1990s, what was controlled was strong encryption algorithms, justified by national security, using ITAR munitions export controls as the tool, harming U.S. software companies (forced to export weak versions), while foreign developers (who wrote their own encryption algorithms) were unaffected.

In 2026, what is being controlled is the capabilities of cutting-edge AI models, again justified by national security, with export control directives as the tool.

Who will be truly harmed this time?

Foreign media have commented: "No one spends $100 billion building data centers just to serve 100 companies approved by the government."

The training costs of cutting-edge models are measured in billions of dollars, while the window for recovering costs is only a few months after release; afterward, the model becomes second-tier, competition intensifies, and profit margins shrink. Every week of approval delays eats into this limited profit window. Brandom's conclusion is: "If this continues, the entire foundational investment logic of the industry will be shaken."

Jeffrey Ding, an assistant professor of political science at George Washington University, argues that in great power technological competition, what determines victory is not who invents a technology first, but who can diffuse that technology throughout the economy more quickly. This is especially true for general-purpose technologies—they require widespread social diffusion, the creation of new organizations around them, and large-scale real-world usage data to discover their application boundaries. Dean Ball, quoting Ding, wrote: "The uses of general-purpose technology are discovered, not known in advance."

But on the other side of the ocean, Chinese large models are moving towards global developers with an open-source approach.

Encryption algorithms are pure mathematics; once published, they cannot be retracted. AI model weights have similar properties, but the reasoning capabilities of closed-source cutting-edge models are indeed concentrated behind the APIs of a few companies.

However, the capabilities of open-source models are catching up generation by generation; regulation can delay diffusion but cannot stop it. It took nearly a decade in the 1990s to reach the point of "admitting defeat and relaxing controls." Does AI regulation also require a similar time cycle?

03 Are U.S. Large Models Entering an Era of Scrutiny?

June 2026 may mark a turning point in the history of the AI industry: for the first time, the government has successfully inserted itself as an approver between commercial AI models and their users.

In "What Should Be Done," Dean Ball warns that if the market panics about this, the effects will far exceed the AI industry itself: "A significant amount of investment in the reindustrialization of America, from nuclear energy to natural gas to power electronics, is explicitly or implicitly predicated on the future demand of the AI industry. If this demand cannot be realized due to government regulation, the chain reaction will exceed people's imagination."

However, Ball also acknowledges that the direction is not entirely wrong: "There is indeed a possibility of catastrophic risks with cutting-edge AI, and this concern is not fabricated. The problem lies in the execution method; an approval process without technical experts, clear standards, or timelines is not the answer."

OpenAI states that the limitations of GPT-5.6 are "short-term measures" and may open to the public in a few weeks. However, the "limited restoration" of Mythos 5 on June 27 has already provided a template—not a complete release, but still limited to certain U.S. agencies, with other restrictions remaining in effect. Every long-term system was initially referred to as a "short-term measure."

Dean Ball concludes with a statement that deserves serious consideration from everyone: "If only a very small number of people can use cutting-edge AI, a bad future is more likely to occur. Because those few people are often groups that already possess significant economic and political power."

It is likely that the global developer community is reminiscing about the days of eagerly waiting for OpenAI's release events, excited by the advancements of new models, and staying up late testing various new scenarios.

However, for now, we can still look forward to the release of China's latest large model.