Cybersecurity's Friendly Fire Problem
We're restricting the tools defenders need most
Every enterprise security practitioner has lived through the same cycle.
A new technology emerges, employees start using it, security panics, writes a policy banning it, and congratulates itself on risk reduction. Then six months later, the CISO discovers the entire engineering team has been using it anyway, just through personal accounts, unmonitored endpoints, and shadow channels where the security team has zero visibility.
We did it with cloud, we did it with mobile, we did it with SaaS, and, as I covered in Bringing Security Out of the Shadows, we are doing it again with AI: 74% of workplace ChatGPT usage was already happening through non-corporate accounts as of early 2024. The pattern is so predictable it should qualify as a law of organizational behavior.
Restrictive security controls do not eliminate usage; they eliminate visibility.
What most practitioners have not yet reckoned with is that this same dynamic is now playing out at the geopolitical level. The United States government’s decision to suspend access to Anthropic’s Mythos model, and the broader posture of using export controls and model bans as security policy, is producing the exact same outcome that overly restrictive enterprise security policies produce. It is pushing usage into the shadows, accelerating alternative adoption, and stripping defenders of the visibility and tooling they need most.
The Ban That Missed Its Target
The alleged logic behind restricting Mythos was straightforward on the surface. The model demonstrated advanced autonomous cyber capabilities, including finding zero-day vulnerabilities and executing multi-stage attack simulations. The UK AI Safety Institute confirmed that Mythos completed a 32-step corporate network attack simulation. From a pure capability perspective, the concern was legitimate.
(Ironically, their evaluations of GPT-5.5 found it was also on par, a point Anthropic made in their public blog/rebuttal regarding the Mythos ban, but I digress.)
However, capability assessment without strategic context produces bad policy. Joshua Saxe laid this out in stark terms in his recent analysis, arguing that GLM-5.2, not Mythos, is the real security emergency.
(Image credit to Josh)
GLM-5.2 is an open-weights model from a Chinese lab, widely regarded as the first open model capable of long-horizon agentic tasks comparable to what frontier closed models introduced in late 2025. It can be downloaded, run locally on a rack of H200 GPUs, fine-tuned to remove all safety guardrails, and operated with zero logging, zero monitoring, and zero accountability to any provider.
The distinction between Mythos and GLM-5.2 is the distinction that matters for security strategy, and it is the one the current policy ignores entirely. Mythos ran on Anthropic’s infrastructure where it was monitored 24/7 by dedicated trust and safety teams.
When Anthropic detected a sophisticated Chinese state-sponsored espionage campaign running through Claude Code in September 2025, they were able to identify the attack, map the operation across roughly 30 global targets, ban the accounts, notify affected entities, and coordinate with authorities.
That campaign represented the first documented case of a large-scale AI-orchestrated cyberattack, and Anthropic caught it because the attackers were operating on monitored infrastructure.
That visibility disappears entirely when attackers move to self-hosted open-weights models. There is no usage log, there is no trust and safety team watching, there is no account to ban, there is no detection to trigger.
By banning Mythos, we did not remove the capability from the threat actor’s toolbox; we removed our own ability to watch them use it.
I’ve been writing about the “jagged frontier” of AI when it comes to cyber and finding zero days, using examples from Niels Provos and teams such as AISLE. That same dynamic exists across the broad range of cyber offensive capabilities, and with the introduction of open source models nearly on par with proprietary frontier models, harness engineering is even less of a prerequisite.
I had a full conversation with Niels on this topic and more:
Shadow Proliferation Goes Geopolitical
Enterprise security professionals understand this dynamic intuitively. When you ban a tool that people need, you do not eliminate the need. You eliminate your ability to govern how the need gets met.
The shadow economy that forms around the ban is always harder to secure than the sanctioned usage you replaced.
Josh predicts this will manifest as a dark economy around open-weights model serving, analogous to the existing underground markets for malware, zero-days, and initial access brokering. Private API providers will spin up inference endpoints for offensive-capable open models with no terms of service, no monitoring, and no cooperation with law enforcement.
The technical friction that kept many attacker groups from adopting agentic AI for the first nine months of its existence has now been removed, not by a breakthrough in the frontier labs, but by the open-weights ecosystem catching up to where frontier was a year ago.
This pattern is not happening in isolation either. It mirrors what the United States already experienced with chip export controls, where the attempt to deny China access to advanced semiconductors accelerated domestic Chinese chip development rather than preventing it.
The same dynamic is now playing out with AI models.
Every restriction the U.S. places on its own frontier capabilities creates a stronger incentive for the rest of the world to invest in alternatives the U.S. does not control.
Nathan Lambert and Kevin Xu made this case directly in Banning Open Source AI Would Be a Mistake, arguing that regulating open source AI because of China would create a chilling effect on education, innovation, and competition while pushing the rest of the world toward adopting China’s models. The fact that Chinese labs are producing competitive open-source models should be a wake-up call that open source is under-invested and under-appreciated in the United States. The correct response is more support for domestic open source, not restrictions that cede the ground entirely.
Undermining Our Own Strategic Objectives
The contradiction at the center of current U.S. policy is difficult to overstate.
The administration’s own AI Executive Order frames American AI leadership as a core national security priority. It explicitly states that U.S. policy is to “continue to lead an America First cybersecurity effort that enhances both our national security and our global AI dominance.” The order directs CISA to facilitate access to frontier models for federal agencies, state and local authorities, rural hospitals, and critical infrastructure operators. It creates an AI cybersecurity clearinghouse and expands federal hiring for AI-enabled defense.
The entire strategic vision depends on U.S.-built AI stacks being adopted broadly, both domestically and internationally. Then, the same government suspends access to the most capable model produced by a U.S. lab, triggering international conversations about technology sovereignty, accelerating adoption of Chinese open-source alternatives, and demonstrating to every potential international partner that relying on U.S. AI infrastructure carries political risk.
As I covered in The Regulation Pendulum and AI’s National Security Reckoning, the administration executed one of the most dramatic policy reversals in recent memory, going from heavy pro-deregulation to actively studying pre-deployment safety testing of frontier AI models in under a year. The exponential capability curve forced that reckoning, but the policy response is kneecapping American AI leaders domestically while doing nothing to constrain the open-weights ecosystem that now provides near-equivalent capabilities to anyone with the hardware to run it.
Nathan Lambert described this governance posture as “vibe governance” in his analysis of the AGI era of AI policy, where model releases are judged by political instincts and gut reactions rather than by transparent and technically rigorous security assessment. He argues that export bans on model weights are a lasting negative policy for the United States, and warns that Anthropic’s own years of comparing AI to nuclear weapons created the political conditions for exactly this kind of heavy-handed intervention.
The Defender’s Dilemma
The strategic cost of these policies extends beyond geopolitics, and there is a direct operational cost to the defender community.
Jen Easterly argued in Foreign Affairs that AI offers defenders a structural advantage because they possess more legitimate data about their own systems than attackers do, and AI is uniquely suited to pattern recognition and anomaly detection at scale.
That argument only holds if defenders actually have access to the most capable models. When you ban the best tool in the defender’s arsenal while attackers migrate to ungoverned alternatives, you are not managing risk; you are redistributing it from a place where you had some control to a place where you have none.
In The Vulnpocalypse Won’t Wait for Interagency Coordination, I discussed partners using Claude to discover over 10,000 high-and-critical-severity vulnerabilities in a single month, a 10x improvement over prior methods.
The 2026 DBIR confirmed that vulnerability exploitation is now the leading initial access vector. Defenders need every advantage they can get, and the most capable AI models are the single largest force multiplier available. Restricting access to those models on the grounds that attackers might also use them ignores the reality that attackers already have equivalent capabilities through open-weights alternatives they can run without constraint.
Josh’s piece frames this as a race that defenders are now at risk of losing. The best models need to reach the vendors building cyber defense products and the CISOs deploying them. Only the efficiency gains from frontier AI give defenders a realistic chance to pay down the security tech debt that has accumulated over decades, build the detection and response innovations needed to compete with AI-enabled attackers, and actually close the gap between vulnerability discovery and remediation that currently stretches to 43 days on average for known exploited vulnerabilities.
It Isn’t Just About Bans
To be fair, the shift toward open-source AI adoption is not driven solely by export controls and model bans. Multiple structural forces are at work simultaneously.
Token costs play a major role, as Adrian Sanabria has discussed. The token costs for frontier API-based models remain high enough that many organizations, particularly those running AI at scale, find open-weights models running on their own infrastructure more economical. That includes cybersecurity, where the irony is most painful, given that the leading open source alternatives come from China, a nation with a years-long record of adversarial and damaging activity against U.S. interests and enterprise environments.
The desire for data sovereignty and control drives organizations and entire nations toward models they can host locally, where sensitive data never leaves their environment. After the Mythos ban, this was the dominant conversation among EU-based and other non-U.S. contacts in my network on platforms such as LinkedIn.
Enterprises want to fine-tune models for their specific use cases without depending on a provider’s willingness to support custom deployments, and the rapid pace of open-weights model improvement, driven by massive investment from primarily Chinese labs, means the capability gap between open and closed models has narrowed significantly.
These factors would be driving open-source adoption regardless of U.S. policy decisions, but the model bans and export controls are accelerating the trend and, more importantly, they are handing China a strategic gift.
Every time the U.S. demonstrates that its frontier AI platforms can be shut down by political decision, it validates the argument that organizations and nations should not build critical dependencies on American AI infrastructure.
It pushes potential partners and allies toward self-hosted alternatives, and the open-weights models most readily available at near-frontier capability are increasingly coming from Chinese labs.
The Pattern We Keep Refusing to Learn
The through line from enterprise shadow IT to geopolitical AI policy is the same flawed theory of control. The assumption is that banning something removes it from the environment.
In practice, banning something removes it from the governed environment and pushes it into an ungoverned one.
At the enterprise level, this looks like employees using personal ChatGPT accounts to process sensitive data because the corporate AI policy says they cannot use AI at all. At the geopolitical level, this looks like attackers running fine-tuned GLM-5.2 on private infrastructure while U.S. defenders are denied access to the most capable American-built model. The scale is different, but the mechanism and the outcome are identical.
Anthropic’s detection of the first AI-orchestrated espionage campaign should be the proof point that settles this debate. That operation was caught because the attackers used a monitored, API-gated, commercially operated model. The AI performed 80-90% of the campaign autonomously, making thousands of requests per second at peak, across reconnaissance, vulnerability identification, exploit development, credential harvesting, and data exfiltration. Even if some of this is marketing on the part of labs such as Anthropic, the point about visibility still stands.
If that same campaign had been run on a self-hosted open-weights model, there would have been no detection, no investigation, no notification to victims, and no public reporting. We would not even know it happened.
That is the world the current policy trajectory is creating. Not one where advanced AI cyber capabilities do not exist in the hands of adversaries, but one where those capabilities operate in complete darkness while defenders fight with one hand tied behind their back in a battle they had already been losing for decades.
What Should Change
The path forward requires the same shift in thinking that the best enterprise security teams have already made. Stop trying to prevent usage, start trying to govern it. Stop optimizing for the illusion of control, start optimizing for visibility, speed of adoption, and defender advantage.
At the policy level, that means centering the conversation on diffusion rather than denial. It means ensuring that U.S. defenders, from frontier lab security teams to the vendors building the next generation of security products to the CISOs and SOC analysts who deploy them, have unrestricted access to the most capable models available. It means recognizing that the open-weights genie is out of the bottle and that no amount of frontier model restriction will put it back.
It means learning the lesson that enterprise security has been learning the hard way for two decades.
The organizations that try to ban their way to security end up with less security, not more.
The organizations that embrace new capabilities, wrap them in governance, and use them to outpace threats are the ones that actually reduce risk.
The same is true at the national level.
We can continue pursuing policies that look tough on AI risk while strategically weakening our own frontier leadership, driving international partners toward Chinese or non-U.S. alternatives, and pushing adversaries into ungoverned shadows where we cannot see them. Or we can do what good security teams do: meet the technology where it is, arm the defenders, and compete.
I have been in cybersecurity long enough to know which approach actually works. However, it remains to be seen whether policymakers will actually listen to practitioners before the window closes, or whether it is unfortunately already too late.