American big models are becoming closed—in the name of safety.

Author: Xiaojing; Source: Tencent Technology

On the morning of June 27, Anthropic announced that the U.S. government had approved the redeployment of its strongest cybersecurity model, Mythos 5, to more than 100 U.S. institutions, including large enterprises and government agencies. The public-facing version, Fable 5, is "poised for restoration."

According to a letter obtained by foreign media from Commerce Secretary Lutnick to Anthropic co-founder Tom Brown, Lutnick informed Anthropic that he had "determined that appropriate safeguards are in place."

However, in the same letter, Lutnick noted that all other requirements of the initial directive from June 12 remain in effect, and made no mention of when Fable 5 would be restored to the public.

Almost simultaneously, in the early hours of June 27, OpenAI officially released three models from the GPT-5.6 series: Sol, Terra, and Luna. Also at the White House's request, GPT-5.6 only provides API access to "partners approved on a case-by-case basis by the government," with the ChatGPT side not yet available.

Looking back at the timeline: On June 2, Trump signed an AI executive order. On June 9, Anthropic released Fable 5 and Mythos 5. On June 12, the Department of Commerce ordered a full takedown. On June 26, OpenAI released GPT-5.6 but with restrictions. On June 27, Mythos 5 was approved for limited restoration.

In less than a month, the U.S. government's control over frontier AI models went through a complete "halt—negotiate—conditional release" cycle.

OpenAI's strategic team leader, Dean W. Ball (former White House AI advisor), summarized the industry impact in a blog post on June 16: "Frontier AI model developers now need a clear 'green light' from the government before they can release."

In his June 26 long article "What Should Be Done," Dean W. Ball commented: "No one knows exactly what the requirements for approval are. When I say 'no one,' I mean it literally: it seems even the government departments themselves don't know."

01 Is It Really Too Powerful to Be Safe?

This is the core issue of the whole matter. The government's actions are based on an implicit assumption: these models are so capable that they pose an unacceptable security risk. But the official assessments from the companies themselves reached the exact opposite conclusion.

OpenAI disclosed its complete safety evaluation results in the GPT-5.6 release blog. According to OpenAI's own established and publicly released Preparedness Framework, Sol did not cross the line. The red line in this framework is defined as: whether the model can, without human assistance, autonomously discover and exploit unknown vulnerabilities in high-value targets.

The specific test results: Sol could identify vulnerabilities and exploitation primitives on Chromium and Firefox, but "did not autonomously generate a complete, usable end-to-end attack chain under test conditions." OpenAI's own judgment was: Sol is better at helping people find vulnerabilities and patch them, not at reliably executing full attacks end-to-end.

But OpenAI then added a "very diplomatic" sentence: "Benchmark thresholds cannot capture every way a model may be used or combined with other tools." In other words, who knows how it will be used in the real world? It deliberately created an ambiguous gray area.

Anthropic was not so "diplomatic." In a June 13 statement, Anthropic refuted the government's reasons point by point. The government claimed it had found jailbreak methods for Fable 5. Anthropic responded: First, it was just a "narrow, non-general jailbreak," essentially making the model read a piece of code and point out flaws; second, "other publicly available models, including OpenAI's GPT-5.5, can do the same"; third, Anthropic invested thousands of hours of red-teaming, "and no tester found a general jailbreak."

Anthropic CEO Dario Amodei had already predicted this situation in his June 11 long article "Policy on the AI Exponential." The statement explicitly said: "The government can prevent unsafe deployments, but the process must be transparent, fair, clear, and based on technical facts. This action does not meet these principles."

The two fiercest competitors, in the same month, reached the same conclusion using their own independent evaluation systems: according to the industry's self-built safety frameworks, these models do not pose an undeplyable risk.

So the question becomes: if the models haven't crossed the industry red line, what justifies government intervention? Dean Ball further revealed: The government previously hired the only official with frontier AI experience to lead the Center for AI Standards and Innovation (CAISI). This person had worked at OpenAI and Anthropic but was fired by senior leadership within days of starting. The remaining CAISI team was under a work stoppage order throughout the "post-Mythos crisis period" and wasn't even allowed to communicate with other government agencies. "Among the Trump administration officials I know, no one has frontier AI experience."

Ball's point is that those making regulatory decisions had neither a clear definition of safety standards nor the technical capability to evaluate these models.

A further natural question: Did Fable 5 and GPT-5.6 Sol actually cross some kind of "human threat singularity"? Is there an objective capability red line that, once crossed, mandates regulation?

Multiple AI experts say such a line does not exist technically. Model capability grows on a continuous curve. Each generation is "the strongest ever" upon release, but only this time triggered direct government intervention.

There are three implicit conditions behind this:

First, the capability became "demonstrable." Anthropic itself promoted Mythos 5 as the "world's strongest cybersecurity model," and the case of Stripe migrating 50 million lines of code in a day was widely shared. These stories allowed non-technical politicians to imagine "what if the bad guys use it."

Meta's former Chief AI Scientist and Turing Award winner Yann LeCun pointed out this logic as early as November 2025. When Anthropic released its first AI cyberattack threat report, LeCun directly called it "regulatory theater," accusing Anthropic of using AI safety fears to "manipulate legislators" for "regulatory capture."

LeCun's judgment at the time was that closed-source companies systematically exaggerate AI safety threats to create compliance barriers that only large companies can pass, squeezing out open-source competitors. What Anthropic didn't expect was that the stone would hit them first.

Second, someone handed over a knife. Amazon CEO Andy Jassy submitted a report to the government about safety risks in Anthropic's models. Amazon is Anthropic's largest investor and cloud service partner, while also having its own competing models (Nova series) that compete with Anthropic. Thus, the government gained a source of legitimacy for action.

Third, Trump had just signed an AI executive order earlier this month, giving the government 60 days to formulate "voluntary submission rules" for frontier models. The executive order needed its first enforcement case to prove it wasn't just a piece of paper. Fable 5 got caught in the crosshairs.

This leads to a deeper question: if "too powerful means it must be regulated," and "how powerful is too powerful" is determined by regulators—with no publicly known standards, no clear thresholds, and no appeals process—then every future frontier model release will face the same uncertainty. Companies won't know when their models will trigger regulation.

02 Historical Parallels: The Crypto Wars of 30 Years Ago

The U.S. government's attempt to curb the so-called proliferation of dangerous technology through export controls recalls a very similar historical precedent: the "Crypto Wars" of the 1990s.

After the Cold War ended and the internet began to commercialize, computer scientists were developing encryption technologies to protect data transmission security. The U.S. government classified strong encryption algorithms as "munitions," placing them on the same export control list (ITAR/EAR) as missiles and tanks. The logic was very similar to today: if adversaries get strong encryption, the NSA would be unable to intercept their communications, threatening national security.

This meant U.S. software companies could only export weak encryption versions (with 40-bit keys) to overseas customers—versions that the NSA could easily break—while domestic versions could use 128-bit strong encryption. Foreign users knew they were getting "neutered" versions and began turning to European and Israeli alternatives.

In 1991, a cryptography enthusiast named Phil Zimmermann wrote PGP (Pretty Good Privacy), software that allowed ordinary people to use strong encryption to protect their email. He uploaded PGP to the internet. The U.S. Customs Service then launched a criminal investigation against him—on charges of "illegally exporting munitions."

Zimmermann's counterattack was extremely clever: He printed the complete source code of PGP as a book. Books are protected by the First Amendment, and freedom of publication is a constitutional right. You could regulate software, but you cannot prohibit a book from being exported. The investigation lasted three years and was closed in 1996 without the government filing a lawsuit.

Around the same time, the NSA proposed a more aggressive scheme: the Clipper chip. The idea was that all communication devices must install this chip, which would encrypt communications and include a key escrow mechanism. Under lawful authorization, the government could decrypt communications through the escrowed keys. Communications between users were encrypted to third parties, but the government could decrypt them at any time. The Clinton administration pushed this scheme hard. However, academics discovered design flaws in the chip, the tech industry collectively resisted, and the public strongly opposed it. It died completely in 1996.

In 1995, mathematician Daniel Bernstein wanted to publish the source code of his encryption algorithm online but was banned by the government under export control rules. He sued the Department of Justice. The Ninth Circuit Court of Appeals made a landmark ruling: software source code is "speech" protected by the First Amendment, and government export controls on encryption code are unconstitutional. This ruling directly undermined the legal foundation of the entire control system.

In January 2000, the Clinton administration significantly relaxed encryption export controls. The reason was that they could no longer enforce them. PGP had already spread worldwide, open-source encryption algorithms were globally prevalent, and controls were only hindering the competitiveness of U.S. companies—foreign customers had already turned to other suppliers.

After the relaxation, we got Signal and WhatsApp's end-to-end encryption. If the 1990s controls had persisted, these products would not exist.

In the 1990s, what was controlled was strong encryption algorithms, the rationale was national security, the tool was ITAR munitions export controls, the injured parties were U.S. software companies (forced to export weak versions), and foreign developers (who wrote their own encryption algorithms) were unaffected.

In 2026, what is controlled is frontier AI model capabilities, the rationale is still national security, and the tool is export control directives.

Who will really get hurt this time?

Foreign media commentary notes: "No one spends $100 billion building data centers just to serve 100 government-approved companies."

The training costs for frontier models are in the billions of dollars, and the window to recoup those costs is only a few months after release, after which the model becomes less advanced, competition intensifies, and profit margins shrink. Every week of approval delay eats into that limited profit window. Brandon's conclusion: "If this continues, the entire industry's underlying investment logic will be shaken."

Professor Jeffrey Ding at George Washington University's Political Science Department argues a core point: In major-power technology competition, the winner is not the one who first invents a technology, but the one who can diffuse it faster throughout the entire economy. This is especially true for general-purpose technologies—they require widespread social diffusion, new organizations built around them, and large-scale real-world usage data to discover their application boundaries. Dean Ball, citing Ding, wrote: "The uses of general-purpose technologies are discovered, not known in advance."

Meanwhile, on the other side of the ocean, Chinese large models are reaching global developers with an open-source and open attitude.

Encryption algorithms are pure mathematics—once published, they cannot be taken back. AI model weights have similar properties, but the reasoning capabilities of closed-source frontier models are indeed concentrated behind a few companies' APIs.

However, open-source models are catching up generation by generation. Controls can slow diffusion but cannot stop it. In the 1990s, it took nearly 10 years to reach the point of "admitting defeat and relaxing controls." Will AI controls require a similar time cycle?

03 U.S. Large Models Enter the Age of Censorship?

June 2026 may mark a turning point in the history of the AI industry: the government successfully inserted itself as an approver between commercial AI models and their users for the first time.

In "What Should Be Done," Dean Ball warned that if the market panics over this, the effects will far exceed the AI industry itself: "Much of America's reindustrialization investment—from nuclear energy to natural gas to power electronics—is explicitly or implicitly predicated on future AI industry demand. If this demand cannot materialize due to government regulation, the chain reaction will be far greater than people imagine."

But Ball also acknowledged that the direction is not wholly wrong: "The possibility of catastrophic risks from frontier AI is real; this concern is not fabricated. The problem is the execution. An approval process with no technical experts, no clear standards, and no timeline is not the answer."

OpenAI says the restrictions on GPT-5.6 are "short-term measures," possibly opening to the public within a few weeks. But the "limited restoration" of Mythos 5 on June 27 has already set a template: not a full release, but only to certain U.S. institutions, with other restrictions still in place. Every long-term system was initially called a "short-term measure."

Dean Ball ended with a sentence worth everyone's serious consideration: "If only a very few people can use frontier AI, the bad future is more likely to happen. Because those few people are often already those with enormous economic and political power."

The global developer community probably misses the era when they would stay up regardless of time zones for OpenAI's releases, marvel at the new model's progress, and stay up all night testing various new scenarios.

But for now, we can still eagerly anticipate the release of China's latest large models.