Gatekeeping the Frontier: When AI Access Becomes a National Security Concern

Under suspension: French President Emmanuel Macron meets with the CEO of Anthropic, Dario Amodei, during a bilateral meeting on the sidelines of the G7 summit in Evian-les-Bains, France. Image: Associated Press / Alamy Stock


The export controls directive limiting access to Anthropic’s latest AI models may be the tip of the spear, securitising development in the industry.

On 12 June, US Commerce Secretary Howard Lutnick sent a letter to Anthropic issuing an export control directive to ‘suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside of the United States, including foreign national Anthropic employees’. The company ended up suspending access to all customers to avoid conundrums in complying with the directive.

The justification for such a measure? Concerns over ‘emerging and foundational technologies that are essential to the national security of the United States’ and a disagreement over a perceived security flaw (jailbreak) that could be potentially exploited by adversaries.

The directive was issued three days after Anthropic launched their Fable 5 model (‘Mythos-class’ model for general use) and ten days after the White House’s publication of the Executive Order on 'Promoting Advanced Artificial Intelligence Innovation and Security'. The EO foresees a ‘voluntary’ exclusive US-government preview of ‘covered models’, a pre-release granted before any other ‘trusted partner’, set by a classified threshold and ahead of anyone else.

Taken together these are the clearest and latest signs yet of a broader shift propelling us further into the securitisation of frontier AI, and with it the quiet relocation of the question of who may access these models from open politics into the narrower register of national security. If the EO hinted at that with the ‘voluntary’ USG exclusive access to the preview of the model before everyone else, the export control directive is the direct expression of the grip the US can exert on any AI lab (or tech company, more broadly) that gets too deep into ‘opening up capabilities to general public.’

At the moment, standards concerning access to frontier AI models are fragmented and determined in an ad hoc fashion by the AI labs for different stakeholders, and governments are, in their own way, attempting to reclaim agency, oversight and some level of control over these models.

To have a proper conversation about access to frontier models that sees through that securitisation, we need to talk about who, how, and when access matters, and develop shared benchmarks and processes for a more accountable and standardised approach to it across industry.

The Securitisation of Frontier AI

Securitisation, a term drawn from security studies, describes the process by which an issue is recast as an existential threat, one urgent enough to justify exceptional measures and a narrower circle of decision-making that sits outside ‘ordinary politics’ and its usual expectations of debate, disclosure and oversight. The signs are, in some ways, familiar and are not exclusive to the US government's moves to control access. AI models are routinely referred to as 'capabilities'; they have been said to have been used to support military operations such as the one to extract Maduro from Venezuela; their release is said to require not merely phasing but 'control', lest it generate catastrophic or cybersecurity risks; and the organisations built to scrutinise these systems have edged from 'safety' towards 'security' – that is the case of the UK's rebranding of its AI Security Institute and the US's reconstituted Center for AI Standards and Innovation (CAISI), whose mandate was reoriented around national security. Even third-party evaluators of these models have begun leaning their work towards national-security ecosystems in order to develop their methods in tandem with the work of national AI security institutes.

Even though tensions between Anthropic and the USG might have temporarily (or perhaps aesthetically) subsided with Trump stating that the company is no longer a national security threat following a G7 meeting with corporate giants, the volatile Washington politics is anything but reassuring to AI labs.

The sequence of events in the past month reflects both this securitisation of access to frontier AI and, more specifically, the singling out of Anthropic as the public example of the USG’s display of what it can do. Since the release of Mythos and the promotion around Project Glasswing, we have seen a more widely publicised expression of a growing pattern in the AI industry, that is, the gatekeeping of model releases under the premise of security concerns. The Anthropic–DoD dispute over the use of frontier models for domestic surveillance and autonomous weapons, the subsequent designation of the company as a ‘supply chain risk’, and Anthropic’s lawsuit are but one illustration of the growing attempts from Washington to show its capacity to reclaim control of its frontier AI capabilities with little mention of regulation and lots of demonstrations of how it is willing to use economic coercion domestically to achieve that control.

The cumulative effects of this securitisation of frontier AI, and more precisely of the question of access to it explored in this piece, include but are not restricted to the following: (i) it leaves most of those outside Silicon Valley and a very small section of the DC area with little agency over, or public debate about, the consequences of doing so; (ii) it focuses our attention on closed-weights models when we should be balancing that attention by tackling head-on questions about human capacity, scaffolding, harnesses and access to infrastructure; and (iii) when it comes to cybersecurity risks, it might draw too much attention to the ‘frontier’, leaving aside the actual structural (and basic) cybersecurity measures that might have been left unaddressed (e.g. basic authentication and system controls, resilience against phishing, and more thorough assessment of software supply chain vulnerabilities).

To be clear, the concern is not that frontier AI attracts security attention per se – as in some respects it warrants that – but that the question of access, who may use these models, when, and on what terms, is increasingly being settled in the register of national security, by a narrow few, and on terms that are (as set in the EO, for example) unseen.

These effects play out as three consequences traced below: fragmentation, exclusion and capture.

Whose Access, and of What Kind

The balance between innovation and the risk of frontier models being weaponised is a genuinely hard one to strike, and different governments are testing out different approaches to it.

It helps to separate, at the outset, the kinds of access at issue by community, since they have been addressed differently by AI labs but remain nonetheless entangled in the securitisation narrative. Three are worth mentioning. The first is access by governments, which is what the EO touches upon, reinforcing a state claim to ‘see’ and assess a model and, in this case, to do so before anyone else. The second is access by independent third-party evaluators, whose purpose is assurance, testing a model's safety and security. The third is access by cybersecurity researchers and industry, the defenders who use models to find and fix vulnerabilities in their own systems, of which Anthropic's Project Glasswing is the most recent and visible example.

Tiered Access Politics: Not a Rupture But a Consolidation

While Mythos's release was seen by some as a major publicity stunt, the disclosure of models, and the question of who gets to access them, has always been a sensitive topic for the AI labs. Whether as mere rhetoric to raise expectations from the market, and from the investors backing the labs' scaling ambitions, or as genuine concern about the potential for catastrophic risks such as disinformation and cyber attacks, both narratives, and communities of 'believers' in each, have long co-existed within these companies. Back in 2019, when we were still in GPT-2 times, OpenAI's then policy director Jack Clark noted that it was 'very clear' that if the technology matured, which he expected within a year or two, 'it could be used for disinformation or propaganda', adding that the company was 'trying to get ahead of this'. Back then, OpenAI introduced what it called a 'staged release' and 'partnership-based model sharing', setting a precedent for the phased publication of versions of the same model with the aim, in its words, of giving 'people time to assess the properties of these models, discuss their societal implications, and evaluate the impacts of release after each stage'.

So, the kerfuffle over Mythos's gatekeeping of access – now arguably more of a 'phased' release given the expansion of the group with access to it – is less of a step-change and more of the consolidation of a business model that has come to accept two things: that frontier model releases should be even more carefully controlled and that staged releases are good for security, as they allow post-deployment evaluations to assess harms and vulnerabilities incrementally.

The difference between the 2019 and the 2026 conversation is that, instead of having a discussion about shared standards for controlled, secure access across industry and including governments, the commercial ad hoc approaches to access continue to be a field of experimentation and, on the governmental side, the EO sets a precedent for a governmental access request, a 'preview before the preview'.

There are reasonable arguments for thinking about a graded release and tiered access to the most capable models. These include but are not restricted to vetting of experts depending on the access; providing more advanced versions of models with and without guardrails to these vetted experts; control over the environment of access; management of potential liabilities; shielding against potential government concerns with weaponisation of models; among others.

However, an excessive focus from both the commercial and governmental sides on phasing, gatekeeping and tiering risks fragmenting the landscape of access in several ways.

Fragmentation of Tiered Access

The first consequence is fragmentation. The difficulty is not so much the tiering itself as its calibration with accountability. Who sets the tiers, on what published criteria, and with what recourse for those placed on the wrong side of the line?

From a commercial standpoint, Anthropic, OpenAI and other labs have established their own tiering models (e.g. GPT 5.5 Trusted Access for Cyber and GPT 5.5 Cyber) for secure access to cybersecurity researchers, experts and industry players in this field. However, as noted by some security researchers, there is a lack of understanding concerning the type of access that has been provided to them and what kind of visibility and room for manoeuvre they have in red-teaming or assessing the capabilities of a specific model.

From a governmental standpoint, states are grappling with when, how, and for which purpose to request access from model developers. The EO is not the only model of state access on offer. The EU's AI Office, under the EU AI Act, may evaluate general-purpose AI models (GPAI) and require access to them, but it does so on a published statutory basis, with its powers to request information and documentation, as well as to conduct evaluations (Art. 91 and 92) and involve independent experts to carry out evaluations on its behalf. The contrast is arguably the heart of the matter. Governmental access is neither novel nor necessarily illegitimate. What the EO adds is the precedent of access being defined by a classified threshold, taken before release and ahead of any other organisation or country, on criteria that no one outside can see.

Moreover, independent third-party evaluators are increasingly reliant upon access to test the safety and security of frontier models, yet there is still no shared understanding of what 'sufficient' or 'adequate' access means. The EU's Code of Practice asks for 'appropriate access' without defining it. The EU AI Office might request access, but labs are reluctant because it is a regulator. A regime that fragments access without resolving this leaves the very people meant to provide assurance least able to give it. What is more, and as found in our research, the more sophisticated models become, the more access third-party evaluators of these models will need in order to support developers in identifying security issues such as jailbreaks.

Gatekeeping and Exclusion

The second consequence of securitisation of model access follows from the previous one. To gatekeep is to leave someone outside, and that someone is all countries other than the US, with consequences that could be severe for labs and the transatlantic relationship over the medium to long term.

The first risk is that the EO’s ‘preview of the preview’ and the export control directive on Fable 5 and Mythos 5 encourage an even greater push for 'AI sovereignty' at the level of model development. Whether that translates into genuine independence is another matter, but in Europe, the Commission just announced the European Technological Sovereignty Package, which includes the development of AI ‘EU-grown tools’ in its Open Source Strategy and the Cloud and AI Development Act proposal to boost the EU’s capacity to develop the infrastructure supporting frontier AI. In the UK, a coalition of industry partners have just announced that they will be co-designing Britain’s first ‘fully sovereign frontier AI model’ with heavyweights such as BAE Systems, Babcock, Thales UK and others. The Fable 5 and Mythos 5 cut-off fuelled that risk, showing that allied and non-US users can lose access to a frontier model overnight if the US wishes to do so.

Restrictions and US privileges in working with AI labs, such as the ones foreseen in the directive and hinted at by the EO respectively, fuel the feeling of Europe being ‘left out’ and overly reliant on the ebbs and flows of companies headquartered in the US being played by Washington politics. Trump – and other government representatives – have been in favour of the USG acquiring equity stakes in these companies after its 10% stake deal with chipmaker Intel mid last year – which should only ring more alarm bells from across the Atlantic. While European leaders met with Trump, Dario Amodei and other AI labs during the G7 summit to hopefully discuss the export control directive and the suspension of Fable 5, it was but an attempt to join the bilateral conversation between the White House and the company. They did not discuss the directive and nothing conclusive came out of the meeting other than remarks from companies on collaboration and regulation, and the news of the White House and Anthropic working on a framework to assess the severity of flaws in AI models.

Despite the lack of concrete points following the G7 meeting, it still makes clear that the context of securitisation of frontier AI access and public-private arm wrestling makes it nearly impossible to expect some consistency from companies in commitments to others – and especially Europe. For example, the Executive Order foreseeing the preview of the preview arrived on the exact day that Anthropic announced it was widening access to Mythos – one seeking to make amends with European organisations and another casting the shadow of potential privileged (‘voluntary’) access by the USG.

The second, and directly related to the first, is that it may incentivise other countries to rely even more heavily on open-weights models, accepting (the widely cited but proof-challenged data asserting) the lag of months behind the frontier, and investing instead in skills development, national LLMs and the protection of their own databases. That is the case of Latam-GPT in Latin America, which was announced by Chilean President Gabriel Boric in February this year and is also linked to the region’s first supercomputing centre. Others include SEA-LION in Southeast Asia; UlizaLlama in Africa; Sarvam in South Asia; HUMAIN, Arabic ALLaM and Falcon throughout the Middle East; and so it goes. While we know that there are clear limits to the sovereignty narrative, or at least to operationalising it with ‘full independence’, these are also political moves that matter, and restricting or prioritising access to commercial closed-weights models in the name of national security will only amplify the reluctance from economies in the Global South to rely on or use them.

Even if these US-based companies or the USG are not moved by diminishing prospects of customers across the South using closed-weights models (although the global customer database is not publicly disclosed), the popularity of Chinese models (e.g. Alibaba’s Qwen being the most downloaded model family on Hugging Face) and the catching up of Chinese companies in developing their own chips should. It may well be an opportunity for China's soft power, with their open models that fill the gap, with Singapore's national programme building on Qwen and Huawei marketing DeepSeek to African and Latin American customers. The structure of incentives, both commercial and governmental, regarding access to preview versions of models or flexing export control muscle over distribution of the same is an additional factor in the widening gap between the AI haves and have-nots. Developing economies will look elsewhere for support and innovation if access continues to become increasingly securitised.

Closed Model Myopia

The securitisation of GPAI is happening most visibly in the context of a public debate that has largely revolved around closed-weights models, which gives a myopic view of where capability and risk actually reside. Not all models are closed models, and that matters.

The most capable closed models have at times been decisively better at offensive tasks, and capability has risen steeply with each generation. But scaffolding, tooling and operator skill are crucial, and the open-weights gap has narrowed sharply, with some open releases now closing in on frontier systems on cyber benchmarks despite the deepest exploitation-reasoning capabilities remaining, for now, a closed-source advantage. By Anthropic’s own account, one illustration is the late-2025 case of a Chinese state-sponsored group that automated the bulk of an operation against approximately thirty targets using a commercially available model with custom scaffolding.

Moreover, there is a risk that pre-release access comes to be seen as inherently 'better' and/or as a mark of exclusivity. Yet assessments of a model's performance in the pre-deployment phase are limited, and, on their own, insufficient to establish its added value in a particular task or operation. The labs themselves concede as much, acknowledging that many of their evaluations are benign proxies, sensitive to scaffolding and to noise, and that performance on a benchmark is not the same thing as value in a deployed operation.

Bad for Shareholders, Though Capture is the Sharper Risk

The third consequence concerns shareholders, and Anthropic and OpenAI both face the predicament. Labs encounter the corporate pressures for showcasing quarterly value to shareholders in a business that has become increasingly challenged by speculation, peak energy consumption and incremental developments in model releases. However, labs are faced with balancing these interests with the fact that early-access status to the US government can act as a moat and a procurement advantage, and being named a trusted partner may be worth more, commercially, than not. While Anthropic has taken the public hits following the start of its tensions with the Pentagon, OpenAI, Google and others have been largely quiet and seeking to strike their own deals with the US national security establishment.

Yes, despite commercial pressures, the ‘preview of the preview’ foreseen in the EO is voluntary – though the directive is a reminder that what is offered voluntarily can also be commanded. Let us remember that commercial access to the US national security establishment, as well as the consolidation and expansion of contractual ties to it, is appealing and potentially lucrative for labs. So even though labs might not want a mandatory framework or ‘preview of the preview’, the chessboard is bigger and more complex, which in plain terms means that maintaining their close relationship with DC is an incentive to provide access to government and national security institutions anyway, although the domestic and international repercussions of the EO, while reflected in the previous section, are yet to be seen.

The more serious risk lies in capture. The fact that there are no shared standards governing access to or disclosure of general-purpose models, as well as security risk assessments, leaves the labs in a more exposed position, one where their commercial offer can be more easily shaped by governments. Absent a common standard, each lab faces the risk of negotiating its terms bilaterally and in isolation, so that the friction of a national-security push is experienced unevenly, firm by firm, rather than as a single shake-up of an agreed standard. A company that has just been designated a supply-chain risk has little leverage to refuse unless it is willing to face potential secondary consequences of not providing voluntary access. A shared standard would not remove the pressure, but it would make it something the labs would have more political gravitas to resist.

This messy relationship between the White House and Anthropic is also a liability and provides no reassurance to European capitals and other countries despite the former being an appealing market. Other companies are watching but might be more experienced at anticipating the USG’s moves. Following Liberation Day, Microsoft sought to reassure Brussels by publishing their European Digital Commitments, plainly stating that the company would pursue litigation in court ‘in the unlikely event that [they were] ever ordered by any government anywhere in the world to suspend or cease cloud operations in Europe’.

How to Secure Access, and Why

This leads to a final point. If the worry is that securitisation is outrunning the standards that ought to accompany it, then the response is not to deny the security dimension but to bring the access question back into accountable, standardised politics.

The means for doing so largely exist. This is also where the who, the how and when of access, raised at the outset, have to be answered in concrete terms rather than left to a classified threshold and an undisclosed list of partners – and even when classified, because we acknowledge that national security matters for all countries, models for doing so could be somewhat standardised or co-developed.

The first task is definitional. The EO introduces the most significant new access arrangement yet, one that is governmental, pre-release and gated by a classified threshold, without any public account of what that access actually involves, and it does so in a field that cannot yet agree on what access means for different stakeholders.

A shared vocabulary is the precondition for any accountable conversation about it. Many researchers have been exploring ways of establishing standard access levels for third-party access, for example. That is the case of the work we at RUSI have done through the Secure Access to Frontier AI Taskforce and the development of an Access-Risk matrix and security risk controls to ensure that access is provided in a safe and accountable manner, and that labs take on their responsibility to do so with consistency and work together with the community of evaluators, AI security institutes and other governments in pushing this conversation forward. Whichever taxonomy prevails, the point is that 'trusted partner' and 'preview access' are not, in themselves, access levels in the government access case posed by the EO. They securitise access and can be interpreted as political designations standing in for technical ones. But there is a risk that this ‘shared vocabulary’ and framework is shaped in a narrow and bilateral conversation between the White House and the AI labs. And rather than creating an integrated framework for access that provides a gradient of classification ranging from national security access to third-party access that can be considered and adapted across stakeholder groups and regions, we end up in a securitised structural tailoring – USG show of force with the directive; dialogue with labs on government stake in their business; EO calling for a voluntary ‘but not really voluntary’ access – of privileged access by the USG to these companies' capabilities.

The second task is to establish clearer and shared standards for governmental and commercial cybersecurity risk assessments of access and model release to avoid unilateral and opaque decision-making from both sides in restricting access to frontier models. A group of tech and security executives and leaders within and outside the US have signed a letter to be sent to Secretary Howard Lutnick and National Cyber Director Sean Cairncross requesting that the export controls on Fable and Mythos be lifted and that they ‘commit to an open, scientific and transparent process of handling AI risk assessments in the future’. Whether conversations between Anthropic and the White House regarding a framework to assess security flaws in AI models will expand to a wider discussion with other labs included, or to another way of discussing the terms and feasibility of the USG privileged access foreseen in the EO, is yet to be seen.

Third is to operationalise access against established principles, which are far from new. Least privilege, need-to-know, data minimisation, time-bound access and proportionality are drawn from decades of cyber and information security, and applied to the EO they generate questions that are, as yet, unanswered. Is thirty days of pre-release access (Sec 3 (ii)) the minimum necessary for a cyber review, or simply the period that proved negotiable? Is the access scoped to the capability being assessed, or open-ended? Is it time-bound and revocable?

If trusted access were defined by agreed, published, shared frameworks rather than by per-lab fiat, the pressure to shape a company’s offering would meet a common baseline rather than a series of separately capturable companies. The venues to carry this work exist, even if none yet owns the government-access question, among them the Frontier Model Forum, the Secure Access to Frontier AI Taskforce, the newer AI Evaluator Forum, the network of safety and security institutes, and so many others.

The honest objection is that standards bodies or processes often move at a slower pace than that of securitisation. The answer is to phase the work, agreeing minimum viable disclosure norms now, a shared vocabulary of access and published criteria for what triggers a review and what a trusted designation requires, with formal standardisation to follow. There might be a distinct process for different kinds of access, but these frameworks and guidelines should be shared and, even if partially, made publicly available so other governments can adapt, use and share similar templates for frontier AI access in national security settings.

And because the risks of access do not stop at any border, these frameworks should be built (ideally) for interoperability from the outset, so that a unilateral and opaque trusted-partner determination that is primarily originated in the US does not become the very wall that drives the sovereignty backlash and the open-weights hedging set out above.

Bringing the Decision Back into View

The context is arguably one of complexity and unease, and the point is not to minimise it, rather to raise the consequences of not foreseeing and addressing the outcomes of a race to push the frontier of AI that is increasingly at the heart of national and international security. Companies are learning – either through setting their own standards or being compelled to comply – but every step sets a precedent whose repercussions are worth considering now rather than later. Most of the companies leading the conversation (Anthropic and OpenAI) are relatively young, standards regarding access and security are ad hoc, and frameworks are fragmented. The landscape of AI access governance is overwhelming as regulation seeks to step up, but regulators are still learning, as the EU AI Act and its Omnibus revisions show.

The question is not whether these models matter to national security. It is whether the decisions about who may use them, and who is shut out, are taken through processes that are shared, accountable and open to challenge and debate. If the US continues to neglect the consequences of a heavy-handed approach to controlling frontier AI access, it might see itself seeking to protect an advanced capability through force while amplifying mistrust of other governments over the reliability of US AI labs, further fuelling a desire for AI sovereignty, and paving the way for Chinese soft power with more commercially and technically accessible models becoming embedded in systems and infrastructures across the globe. To desecuritise or at least bring the access discussion back into ‘ordinary politics’, we need shared standards for frontier AI access. This involves a coalition of initiatives coming together to make sure that we can develop blueprints for access that can balance national security concerns with other legitimate forms of access (from cyber defenders, evaluators and researchers) and that can be adequately tweaked and tailored to serve other regions’ realities and needs.

© RUSI, 2026.

The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.



WRITTEN BY

Dr Louise Marie Hurel

Senior Research Fellow

Cyber and Tech
