The latest reporting on China’s alleged extraction of capabilities from American frontier models sets up an easy, but wrong, argument: if open AI is risky, then lock it down.
That would be a tidy answer. It would also be a self-inflicted wound.
The real question is not whether AI should be open or closed. It is whether we can preserve the right for researchers, startups, enterprises, and regular people to use and improve intentionally released models—without letting companies covertly clone the behavior of a closed model through industrial-scale abuse of its API.
Those are not the same activity. Treating them as if they are would give us the worst of both worlds: less open innovation at home, and little protection for the capabilities frontier labs are trying to defend.
The New York Post’s latest report is a reminder that this is no longer an academic distinction. In the AI race, access itself is becoming strategic infrastructure.
Distillation is normal. Covert extraction is not.
“Distillation” has become a loaded word, which is unfortunate because it describes a very useful and ordinary technical process.
A capable, expensive model can act as a teacher for a smaller student model. The student learns to reproduce useful behaviors while requiring less compute, memory, and energy to run. That is how powerful AI gets turned into something practical for a laptop, phone, local server, or edge device. Add quantization—the compression of a model into a format that uses fewer bits—and models that once seemed to require a data center can become useful on consumer hardware.
That is not theft. That is one of the reasons open AI matters.
When a developer intentionally releases model weights under terms that permit reuse, distilling, fine-tuning, quantizing, and adapting that model is the point. It lets builders trade some capability for lower cost, greater privacy, offline operation, and control over their own stack. We have already watched the local-model ecosystem make this real, from desktop tools to models optimized for modest machines. Our guide to running powerful AI on your own laptop is basically a tour of what happens when models are available to build with rather than merely rent.
The controversy begins when a company does not have permission to use the teacher model that way.
Anthropic says it detected coordinated campaigns against Claude involving fraudulent accounts, commercial proxy services, and highly repetitive prompts aimed at extracting valuable capabilities such as reasoning, tool use, agentic coding, and orchestration. It says the goal was either to collect answers for direct training or generate the kind of task data used in reinforcement learning. Anthropic’s technical account is not a court ruling, but it is a detailed description of behavior that looks very different from a researcher downloading an intentionally released model.
OpenAI has made related allegations, saying it observed accounts associated with DeepSeek employees using obfuscated third-party routing and programmatic methods to bypass access restrictions and collect outputs. Its February memo to the House China committee frames this as an effort to free-ride on work done by U.S. frontier labs.
That distinction should anchor the whole debate:
- Authorized distillation makes intentionally open or licensed models efficient and runnable.
- Unauthorized extraction uses deception, evasion, or fraud to recreate a closed model’s most valuable behavior.
Same broad technique. Completely different social contract.
Don’t call every downloadable model “open source”
The language needs cleaning up, too.
A downloadable model is not automatically open source. The Open Source Initiative’s definition of open-source AI ties meaningful openness to the ability to use, study, modify, and share a system, with information about the data and code needed to derive its parameters. Many widely available “open” models are more accurately called open weight: people can download and run the weights, but cannot necessarily reproduce the entire training process or use the model under unrestricted terms.
That is not a pedantic footnote. It tells us where control is even possible.
A company that operates a closed API can set terms, authenticate customers, rate-limit suspicious activity, monitor coordinated abuse, and cut off fraudulent accounts. It is selling controlled access to a service.
A project that truly releases an open-source model has made a different bargain. It cannot promise that every downstream user will seek permission before compressing, fine-tuning, or adapting the model. Nor should it. That permissionless reuse is what allows smaller teams to compete, lets companies keep sensitive data on-premises, and gives users an alternative to renting every unit of intelligence from a handful of cloud vendors.
The goal should not be to pull that ladder up behind the frontier labs.
The danger is the cascade
There is, however, a hard problem hiding beneath the easy slogans.
If a company covertly extracts capabilities from a closed model, then releases a model, technical report, or training recipe based partly on those gains, the benefit can spread. Other researchers and companies may build on the release without ever touching the original API or knowing where the capability originated.
A DSET analysis describes this as a “distillation cascade”: first, a frontier model is allegedly queried at scale through unauthorized access; next, the resulting capabilities or methods enter the wider ecosystem; then, downstream developers build on them in ways that may look entirely legitimate on their face.
That is why frontier labs are worried. It is not only about someone copying a chatbot’s tone. The valuable material can include expensive post-training work: reasoning traces, tool-use patterns, evaluations, reinforcement-learning signals, and safety behavior that took years and vast compute budgets to produce.
And once those gains are out, they do not politely return to the bottle.
But that is precisely why policy should focus on the earliest, most provable link in the chain: illicit access to the closed system. Trying to control every subsequent reuse of an open model would be both technically futile and broadly damaging.
A better answer lives at the access layer
The anti-distillation playbook should look more like cybersecurity than a blanket war on openness.
Anthropic says it is using behavioral fingerprinting, classifiers, account-verification improvements, and coordination with other labs, cloud providers, and authorities. Google’s threat-intelligence team has also reported rising model-extraction attempts against proprietary systems around the world. It importantly noted that it had not observed state-backed attackers achieve a fundamental breakthrough in AI capability—an important reminder to keep the rhetoric proportional to the evidence.
A sensible response would combine:
- Detection of suspicious high-volume, coordinated, and highly targeted API behavior.
- Stronger controls on fraudulent resellers, proxy infrastructure, and compromised accounts.
- Shared technical indicators among frontier labs and cloud providers, with enough transparency and appeal rights that legitimate researchers and startups are not treated as collateral damage.
- Clear disclosure and provenance expectations for frontier-model developers, so serious allegations can be investigated with evidence rather than vibes.
- Narrow consequences for proven repeat offenders and the infrastructure that enables them.
- Continued public investment in genuinely open models, datasets, evaluation tools, and local deployment.
That last point is not charity. It is strategy.
A country that wants durable AI leadership should want its researchers to inspect models, its startups to adapt them, its enterprises to run them securely, and its citizens to benefit without sending every prompt to a foreign-controlled cloud. Open models are already proving they can work across devices and budgets. Constricting that ecosystem would make the U.S. more dependent on its own small group of proprietary vendors—not more resilient.
Keep the door open. Lock the back entrance.
There is no contradiction in saying both of these things at once:
People should be allowed to intentionally open, distill, quantize, and adapt models so they can run useful AI wherever they need it.
Companies should not be allowed to evade a closed model’s access controls, harvest its capabilities through thousands of fraudulent accounts, and call the result independent innovation.
One is distributed progress. The other is industrial-scale free-riding.
The policy challenge is delicate because the wrong response can turn a real security problem into a permission slip for permanent AI gatekeeping. America does not need to choose between protecting frontier innovation and protecting open AI. It needs to get much better at recognizing the difference between a front door that was intentionally opened and a back door someone tried to pick.