AI News HubLIVE
In-site rewrite6 min read

America Talked Itself into Chinese Open Source AI

The debate over open vs. closed AI has shifted from academic to urgent for security teams. U.S. policy contradictions, cost pressures, and the rise of competitive open-weight models like GLM-5.2 are driving enterprises toward Chinese open-source AI, with significant security implications.

SourceHacker News AIAuthor: smurda

Chris Hughes

Jul 08, 2026

For most of the last two years, the debate about open versus closed AI was mostly an economic and ideological one.

Closed labs argued that frontier capabilities were too dangerous to hand out freely. Open advocates argued that transparency, cost, and control were worth more than a marginal capability lead. Practitioners could mostly watch that argument from the sidelines, because in day-to-day security work the closed frontier models were simply better and the open models were a step or two behind.

That gap has closed, and the debate has stopped being academic. It is now a live architectural decision that CISOs, security engineers, and platform teams are making right now, often without a clear framework for reasoning about the security implications on either side.

I want to walk through how we got here in the middle of 2026, and then spend most of my time on the part I think we are collectively underweighting, which is what the open versus closed choice actually means for defenders and for the software supply chain we all depend on.

How U.S. policy talked itself into a corner

Start with the strategic goal, because the goal and the actions have drifted apart in a way that matters. In July 2025 the administration issued Executive Order 14320, Promoting the Export of the American AI Technology Stack.

The explicit ambition was that American AI hardware, models, standards, and governance would become the default stack for allies and partners around the world. If you wanted the U.S. to win the AI competition with China, exporting the American stack and getting the world to build on it was a coherent way to do it.

Then came the whiplash.

In June 2026 Anthropic launched Fable 5 and Mythos 5, and roughly three days later the U.S. government ordered the company to cut off foreign access to both, citing national security and export-control authority. Reporting from various leading media outlets tied the order to a jailbreak report from a trusted partner, with reporting pointing to Amazon, that suggested the models could be turned into unrestricted cyber tools.

Anthropic disputed how severe the jailbreak actually was and criticized the opaque process. About eighteen days later the restrictions were lifted and the models came back online.

I already worked through the ban itself in Cybersecurity’s Friendly Fire Problem, so I will not relitigate the whole thing here. The short version is that gating and banning a U.S. frontier model did not remove the underlying capability from the threat landscape.

It removed the U.S. ability to watch that capability being used, and it handed every ally in Europe and beyond a concrete reason to question whether building on an American AI stack carries political risk. That is the opposite of what Executive Order 14320 set out to accomplish.

When France and the Netherlands start amplifying calls for AI sovereignty within days of your export action, the export strategy is working against itself.

The quieter forces pushing people toward open weights

The ban gets the headlines, but it is not the only thing reviving interest in open source AI, and I want to be careful not to overstate its role. Several structural forces are converging at once, and most of them have nothing to do with geopolitics.

The first is cost, and it is the one practitioners feel most directly. For a brief window in early 2026 the loudest signal of AI adoption inside big companies was token consumption going up.

That has reversed hard. Coverage from TechCrunch and others documented finance teams now trying to drive that same number down. Amazon reportedly shut down an internal leaderboard that ranked developers by token consumption in late May 2026, with the internal line being that you should not use AI just to use AI. Uber said it burned through its entire 2026 AI coding-tools budget in four months and capped spend at $1,500 per employee per month per tool.

Agentic workflows consume something like 5x-30x the tokens of a standard chatbot interaction, so the economics of running everything through a metered frontier API stopped making sense for organizations operating at scale.

Adrian Sanabria has been making this point for a while, and it lands especially hard in security, where you are often running high-volume automated analysis and per-token costs compound quickly. When Gary Marcus says tokenmaxxing is giving way to tokenminimizing, that is not a vibe, it is a budget line. It also pours some cold water on the theme that the answer to every security problem AI introduces is to use AI to fight it.

The second force is the frontier labs themselves adding friction to their own products in the name of safety. When Anthropic redeployed Fable 5 in July 2026, it did so with a new classifier layer.

Per Anthropic’s own Redeploying Claude Fable 5 post, a Fable 5 request that trips the new cyber classifier is rerouted to Claude Opus 4.8, with the user notified, so the work still completes on a more conservative model. Anthropic was honest about the tradeoff, which I respect, noting that the classifier flags benign requests more often during routine coding and debugging.

If you are a security engineer doing legitimate vulnerability research or debugging exploit-adjacent code, you now have a real chance of being downshifted to a different model mid-task because a safety-margin classifier decided your benign work looked risky. That is a rational safety decision on Anthropic’s part and a genuine capability tax on the practitioner. It is exactly the kind of friction that makes a self-hosted model you fully control look attractive.

I’m in various private group chats with security researchers and leaders and it is full of folks frustrated with the classifiers downgrading their legitimate security work.

The third force is the one that changes everything, which is that open weights have caught up. In June 2026, Z.ai released GLM-5.2, a roughly 744-billion-parameter mixture-of-experts model with around 40 billion active parameters, a one-million-token context window, and an MIT license.

It ranks first among open-weights models on the Artificial Analysis Intelligence Index and fourth overall. On coding benchmarks it beats GPT-5.5 on SWE-bench Pro and lands within a point of Claude Opus 4.8 on FrontierSWE, and it does it at roughly one-sixth the cost. For mainstream coding and engineering work, GLM-5.2 is effectively at parity with the closed frontier.

The gap only opens meaningfully on the hardest ultra-long-horizon tasks. When the open option is at parity, six times cheaper, self-hostable, and cannot be turned off by a government order, the pull is obvious.

Folks such as Joshua Saxe have used GLM-5.2 as an example of how counterproductive the U.S. ban on closed source frontier models are, and how it hurts defenders more than attackers in his piece “GLM-5.2 not Mythos, is the real security emergency”.

The industry signals are stacking up as well. Alex Karp at Palantir went on CNBC on July 1, 2026 and called the token-based pricing model of the frontier labs “completely wrong,” framing open-weight models as the answer for customers who want control over their compute, their models, their data, and their alpha.

He also asked whether the country really wants to outsource its national security posture to the consensus view of Silicon Valley, and he warned against underestimating how fast China is moving. Say what you want about Palantir’s true motives, but many of his points are ones a lot of folks do share when it comes to AI. The below video has now gone viral:

Separately, Axios reported that Microsoft is exploring a fine-tuned, Azure-hosted version of DeepSeek V4, or another open model, as a lower-cost option inside Copilot.

I want to flag both of these carefully. Karp’s comments are on the record and his framing is his own. The Microsoft reporting describes an exploration that Microsoft says is not final, with the model that would be optional and hosted inside Azure with added safeguards. Neither is a settled decision to standardize on Chinese open weights, and I would not treat them as such. Microsoft isn’t along either though, as it is reported many other Western companies are adopting Chinese AI models as well:

What they do show is that the “open weights are for hobbyists” framing is dead, and serious enterprises and serious buyers are actively pricing the switch. It is also interesting that one of the largest software suppliers to the U.S. Government in MSFT is looking at potentially using DeepSeek, albeit they likely wouldn’t use it for their Government approved offerings.

The political signal is arguably more striking. Former U.S. AI Czar David Sacks used a recent episode of the All-In podcast that I listened to over the weekend to make the case for open source AI directly, arguing that open source is one of America’s strongest cards in the competition with China rather than a liability.

He echoed Karp’s point that what enterprises actually want is control over their compute, models, and data, and he raised the concern that feeding proprietary knowledge to frontier labs is risky when those same labs are launching vertical applications that compete with their own customers.

You can debate how much of that is a fair characterization of the labs, and Anthropic and OpenAI would push back hard. What matters for this discussion is that a figure who sat at the center of U.S. AI policy is now publicly framing open source as a strategic asset, not the thing to be restricted. That is a meaningful shift in where the political center of gravity sits.

Several others have had great pieces on this shift too, such as Michael Spencer’s blog titled “The Token Apocalypse”, or This Week in AI HSM @ This Week in AI blog “The State of AI: The US is Losing its AI Monopoly”.

The security argument that flips the usual intuition

Here is where security practitioners have to update their intuition. The reflexive take is that closed, gated models are safer because access is controlled. Joshua Saxe made the sharper argument in his piece that GLM-5.2, not Mythos, is the real security emergency, and I think he is right about the mechanism.

When an attacker uses a closed model, they are operating on the provider’s infrastructure, under monitoring, with trust and safety teams watching for abuse. That is not a hypothetical benefit, it is exactly how Anthropic caught the first documented large-scale AI-orchestrated cyber espionage campaign, which it disclosed in November 2025 and attributed with high confidence to a Chinese state-sponsored group.

The attackers jailbroke Claude Code, ran roughly thirty targets, and let the model handle an estimated 80 to 90 percent of the campaign autonomously, with humans stepping in at only a handful of decision points. Anthropic caught it, mapped it, banned the accounts, and notified victims, because the operation ran on monitored, API-gated infrastructure. Even if you discount some of the lab’s framing as marketing, the visibility point holds, you cannot ban an account you cannot see. This is something enterprise security leaders already know intuitively after years of wrestling with shadow IT/SaaS and now AI.

Now run the same campaign on a self-hosted open-weights model.

There is no usage log, no trust and safety team, no account to ban, no detection to trigger. The capability does not go away when you restrict the closed model.

It relocates into the dark, onto a rack of H200s in an environment nobody is watching. So the current restrictions harm defenders more than attackers, because defenders lose their best monitored tooling while attackers simply migrate to the ungoverned option. Joshua Saxe’s conclusion, which I share, is that the priority should be accelerating AI adoption among defenders and security vendors rather than restricting frontier access, because the open-weights genie is alread

[truncated for AI cost control]