At some point over the last 18 months, the term “open-source artificial intelligence (AI)” began to make policymakers nervous. This reaction is understandable—the release of DeepSeek’s R1 model in January 2025 was a strategic shock, and every Chinese open-weight model released since then has reinforced a particular way of understanding AI’s broader competitive landscape: Openness is how adversaries can advance their capabilities on the cheap. That reading has only intensified after the release of Zhipu’s GLM 5.2 model, developed using MIT-licensed weights and able to perform within one percentage point of leading American frontier models at a price point roughly one-fifth of the cost. GLM 5.2 was released on June 13, one day after the Commerce Department shut down access to Anthropic’s Fable 5 and Mythos 5 models across the globe over concerns about cyber risk. Zhipu’s founder capitalized on the opportunity, publicly lamenting the “sudden restriction of certain frontier models” on X. A throughline across these developments is the instinct to view open-source development as inherently risky and restricting access to the United States’ most capable models the responsible choice.

But that instinct is completely backwards. Open source is not a Chinese approach to software development any more than closed source is a democratic one. These approaches are choices made in engineering and distribution, not national allegiances. The risk of framing them as such is producing policy solutions that are conceptually flawed and strategically self-defeating.

We Built All This on Open Source

America’s position as the global innovator in software development was not built on a foundation of government control and proprietary gatekeeping; rather, it was built on Linux, Apache, OpenSSL and TCP/IP—an open infrastructure layer available for anyone to inspect, improve, and deploy. The Linux operating system alone should be enough to prove the power and importance of open source: It runs over 96 percent of the world’s top 1 million servers and powers 100 percent of the world’s top 500 supercomputers. The foundation of the web stack used across the globe exists because the default position was to publish the code, let communities find the bugs, and allow anyone to build on top. The success of this open approach was a result of distribution at scale, not misty-eyed idealism. This level of scrutiny reliably produces more resilient, more trusted, and more widely adopted software solutions than any single institution can produce behind closed doors.

In the current policy conversation, openness in AI development is treated as a novel risk requiring equally novel restrictions when it should be viewed as a continuation of the development model that created America’s technological dominance in the first place. When evaluating open-weight AI models, policymakers should not question whether these models carry risks, because they do—just like open-source cryptographic models and operating systems as well as their closed-source counterparts. The real policy question should be whether gating access to a specific capability provider actually controls the capability, or if it only controls who can use it easily and who must seek alternative means to achieve the same outcome.

The Perimeter Didn’t Hold Long

This question was put to the test with the announcement of Claude Mythos in April 2026. Mythos’ ability to discover hundreds of vulnerabilities in Firefox, surface decades-old flaws in OpenBSD and FFmpeg, and chain multi-step exploits autonomously showed tremendous technological progress. Anthropic’s response—gating access to a small number of organizations through Project Glasswing—seemed the responsible approach: Place a perimeter around the dangerous capability and give a hand-picked cadre of defenders a head start.

Within weeks, it turned out that the perimeter only controlled access to a specific model while the capability spread outside Glasswing’s boundary. Security firms Vidoc and Aisle were able to achieve comparable results by leveraging older, publicly available open-weight models against the same codebases. This performance wasn’t achieved by breaking Mythos out of Glasswing or by leveraging a Chinese frontier model; instead, it was achieved by orchestrating multiple freely available models to work in parallel. Aisle described these American-built open-source models as “a thousand adequate detectives searching everywhere” rather than “one brilliant detective who has to guess where to look.” Using a similar orchestration approach, Japanese developer Sakana AI reported that their system, Fugu, was able to match the performance of Mythos and Fable and was designed specifically to work around access restrictions.

This development does nothing to suggest that Mythos is somehow overhyped or less powerful than advertised. The lesson is that while models and specific tools are able to be gated or controlled, capabilities can flow more freely. In this case, the basic computer science principle of coordinating multiple agents on a shared task replicated the capability of the restricted frontier model. This doesn’t point to an inherent flaw or enhanced risk in open-source development because the approach has always worked by leveraging capability diffusion. The relevant policy question then becomes who can leverage this strength most effectively rather than who we should prevent from using a specific capability.

The Stakes of Making the Wrong Choice

Despite the fact that the restriction of a specific model fails to contain a capability in general, the practice will indeed yield an outcome. Restrictive approaches will shape consumer adoption in a negative way. When the Commerce Department issued its export control takedown of Mythos 5 and Fable 5 on June 12, both models went down worldwide for 18 days. This had two effects unrelated to security. First, it gave a boost to Chinese developers working on open-weight alternatives that are close in capability, yet much cheaper to use. Second, it showed that the U.S. government had effectively found a kill switch for the technology, thereby undermining the broader goal for global adoption of an American AI stack.

We often overlook the risk presented by these outcomes due to the primacy of fear around cybersecurity and national security. However, every time the United States makes its own models more difficult to access or less reliable—whether through tiered access regimes, export controls, regimes that favor incumbent companies, or even a general rhetorical climate that treats openness as suspicious—users are merely redirected to other options. GLM 5.2 is an example of this redirection. Within weeks of release, security researchers found it was able to perform on a similar level to leading U.S. models regarding vulnerability discovery benchmarks, while hackers on Russian-language platforms discussed how to strip its safety controls. MIT-licensed and free to download, users can fine-tune and run the model locally without persistent connection to any provider or defender. Developers in Jakarta, São Paulo, or Nairobi who want to use AI today won’t wait for Washington to sort out its access policies, and they certainly won’t go all in on a technology that can be turned off through bureaucratic creativity. They’re going to use what’s available—which, at the moment, is increasingly of Chinese origin.

But the availability of Chinese models might not last forever. Beijing appears to be looking at restricting overseas access to China’s most advanced models, suggesting that the window of freely available Chinese open-weight AI could narrow considerably. If it does, China will be subject to all the harms that the U.S. approach to restriction will bear. This makes the case for a competitive American open ecosystem—which could become the only option not gated by either government—even more pressing.

Restraint Isn’t Inaction

Of course, open-source AI development is not devoid of risk. R Street has written extensively about the clear and present cybersecurity challenges created by open ecosystems. Defenders must consider supply-chain vulnerabilities, model tampering, provenance tracking, and anomaly detection. We can address those risks through investment in validation infrastructure, clear voluntary federal guidelines, and continued research into how open and closed approaches can complement each other. Treating openness itself as the threat does nothing to address any risk and disincentivizes domestic open-source development as a whole. Furthermore, there is no feasible way to shut down open-source development (and no reason to want to).

The United States built its technology leadership on a diverse, largely open ecosystem fueled by competition. Not because there were no risks associated with openness, but because a system in which the broadest possible base of developers can inspect, test, and improve codebases reliably outperforms a system in which access is heavily controlled. Technological progress does not invalidate that lesson. If there’s a takeaway from the Mythos episode, it’s that curious independent researchers were able to use open models to reproduce results and fully share their findings. That’s not a threat to American AI leadership—it’s a fundamental building block for maintaining it.

Follow our artificial intelligence policy work.