Cut Off

There’s a common mantra in the outskirts of AI policy thought: driven by market pressures and overheated capital markets, AI tokens will soon be abundant—and the future belongs to those who can use them best. The further you get away from San Francisco, the louder this mantra grows. It reaches a fever pitch in the peripheries, the many middle powers of the world still caught up in a plan to navigate the AI revolution on the basis of merely good-enough models. That view requires important AI capabilities to be widely accessible: defenders have access to models before attackers do, firms in all domains compete based on access to the same AI capabilities.Recent events have thrown that view for a loop, and it now seems clear that access to frontier AI will soon be limited by economic and security constraints. In early April, Anthropic announced it had developed Mythos, a leading cybersecurity model, and that it would only make its considerable ability to patch extant vulnerabilities available to a select few companies. Cybersecurity start-ups in the Mission District, systems integrators on the Eastern Seaboard and allied capitals on the Atlantic and Pacific all had a similar experience: scrolling down the page to see the list of privileged partners only to find a limited selection of U.S.-based corporations.Perhaps you were hopeful that OpenAI was going to stick to its preferred method of rollout—that it would release gpt-5.5-cyber, a model reportedly similar to Mythos in capabilities, more broadly. And yet it did not: in their Daybreak initiative, OpenAI too committed to a limited release, dispelling hopes that this was a fluke or ‘doomer’ marketing. Even worse: while it’s not quite clear to anyone—including the U.S. government—what exactly the U.S. government will do about all this, by all reports, it’s at least planning to do something at some point. And while it’s easy to dismiss this as a confluence of current events, the Mythos moment actually reveals structural trends that have been ramping up for a while. Three trends—compute, security, and U.S. government involvement—will further constrain the availability of frontier AI1 in the future. They compound and reinforce each other, and have dramatically accelerated in recent weeks and months. Everyone outside the inner circle of U.S.-based developers needs to grapple with that fact.

The first and most obvious constraint on widespread availability is the one we’ve seen in the Mythos context: security considerations prevent developers from providing top-tier capabilities to every paying customer.The canonical story starts with misuse risks: a highly capable new model seems realistically useful for conducting some sort of dangerous activity, such as cyberattacks or biological weapons design. Instead of rolling it out to the general public right away, you might first distribute it to defenders who can use their early access to shore up vulnerabilities—like we’ve seen in the case of Mythos. You continue by rolling out some models only to customers of which you’re reasonably sure they won’t outright abuse the model for criminal purposes; and perhaps only after the model is no longer state-of-the-art, you roll out to everyone.Already now, we’re seeing the second stage: the U.S. government realises that this sort of restricted access is better both for the national interest and national security, and starts flirting with the idea of making the virtuous early example into a general rule. There are many reasons for the national security apparatus to do this—perhaps they don’t trust AI developers to keep dangerous capabilities away from just-as-dangerous criminals, non-state actors and adversaries. Or perhaps they’d rather like to know which exploits the new models are about to reveal so they can use them themselves first—as they’ve done before. Put differently: if I were the NSA and sitting on a bunch of zero-days, I’d also love to know which of them Mythos can find so I could use them to my advantage before everyone gets their patch online.Next to misuse risks, there’s another dimension that might motivate even more straightforward crackdowns on availability: risks of model theft, espionage and distillation. The former would make developers wary of where to host models—weights in an unsecured datacenter would pose a substantial vulnerability, and many countries outside the U.S. haven’t even started thinking about securing datacenters. But the latter, distillation, is the more pressing concern. Multiple reports indicate that part of the success story of so-called fast followers—model developers 6-9 months behind the frontier like China’s DeepSeek—is based on distillation practices that require more or less unfettered access to API tokens.

Distillation is not tenable for model developers in the long run: it will be very hard to capture sufficient revenue if you have to recoup all R&D investment in the six months until someone distilled your model. That point is extremely salient to politicians, and plays right into latent concerns on U.S.-China competition and industry espionage. So I’d expect distillation crackdowns, if not from the government, then from developers—more burdensome KYC, more restrictive default access, more geopolitically motivated access conditions. None of those bode well for broad-based frontier access.But the trouble does not stop with security concerns. More fundamentally, providing access to a frontier model is a zero-sum game. Veterans of the tech industry and European sovereignty hawks both like to invoke the parallel to software licenses—that yes, software innovation came with some marginal dependencies, but that the logic of consumer market size prevailed in the end: Microsoft and others face low marginal costs compensated at full market prices for rolling out their software for everyone. But not so with frontier AI.Providing access to AI models, especially those at the bleeding edge, takes massive amounts of computational resources. The marginal compute demand to service another thousand tokens is high—so high, in fact, that leading developers time and time again face compute crunches, reduce offerings, and struggle to balance subsidising their consumer subscriptions against the real constraints on the chips they have. So dire is the compute crunch for Anthropic specifically that the firm is now shopping around for ad-hoc access deals to less well-utilised datacenters, such as one with rival firm xAI. It seems likely that this situation would get worse, not better. If AI systems really do rival the output of human workers in a few months, the amount of tokens required to reproduce that much human activity would be staggering.The often-invoked hope that ‘efficiency curves’ will compress token costs quickly doesn’t save us here: efficiency curves mean that next year, Mythos-level capabilities might be very cheap; they don’t mean that Mythos 2 will be cheaper than Mythos. The opposite is the case: frontier capabilities have grown more expensive month-to-month for years now. So if you, like me, believe that competitive dynamics between economic rivals and attackers and defenders mean you not only need good enough AI, but the best AI, efficiency curves will not bail you out.

That means the marginal cost of providing access to a new user—country or firm—is high. There’s still value in expanding your coverage: inroads into new markets for when your capacity expands, more demand to increase prices, goodwill with governments, and so on. But these benefits trade off against costs: compliance costs of entering new markets, product design costs of catering to new consumers—and the costs in terms of security and relationship to the U.S. government described in this piece. The market power effect isn’t entirely inverted, but it’s strongly diminished—you cannot count on your role as ‘interested buyer’ to carry much weight in securing your access.This is complicated even further by the fact that, faced with this trend, competition around who gets access to these tokens will emerge. The U.S. will be protective of its domestic economy, and I think we might see a comeback of the same logic that motivated the GAIN Act proposal a few months back. Back then, advocates were toying with the idea of giving Americans right of first refusal to American chips; soon, perhaps American firms will be declared buyers of first resort of American-produced tokens of intelligence. Or the competition turns purely economic, margins shrink and become razor-thin, and only those who can shoulder the cost or most effectively turn API tokens into revenue are able to afford them. Who would that be? My bet is neither on governments that haven’t internalised the logic of million-dollar AI subscriptions nor on European businesses constrained in their ability to generate software revenue by many, many adverse conditions. Lastly, what starts as restrictions motivated only by genuine concerns doesn’t always stay that way. Once it has a more formal role in overseeing the flow of frontier tokens, the U.S. government might wield its access control to pursue its political and strategic interests. That starts with security concerns. Revisiting the NSA example, it’s clearly not in the interest or mission of the NSA to ensure the equitable diffusion of AI capabilities throughout the world. Instead, it’s closer to the intelligence community’s DNA to limit any potential adversary’s access even to the detriment of softer upsides like economic productivity or ally relationships.And it doesn’t stop with the security questions: the Trump administration’s signature style of international engagement is to wield American leverage as a bundle. Deadlocks in trade negotiations are broken by threatening to withhold intelligence, tech deals are stalled by reference to food safety standards.

And so I don’t know when a U.S. administration would choose to leverage its seemingly inevitable predeployment authority over frontier models to secure its broader interests, but I’m sure it would in due time. That means that even if we do everything ‘right’ on the security and economic side, frontier access is still fundamentally contingent as long as there’ll be divergences between governments’ strategic interests.In that new world, access to unlimited APIs is the exception, not the norm. A new frontier model might first make it to the U.S. national security apparatus, where embedded interests might decide to stall its deployment for security reasons, wield it first to plug defenses or attack its adversaries. The model might then be handed back to the developers, with the implicit understanding or explicit demand that it would first be rolled out to trusted defenders: U.S. firms and perhaps a few internationals, if we’re so lucky. If the risks are cybersecurity, the defenders might be quick to resolve them; if they’re thornier biological or agent-autonomy-driven risks, they might take another few weeks.Once that phase is over, the circle of unfettered access might expand again—to firms that have cleared high KYC bars and U.S. security concerns. Everyone else, enthusiastic consumers, scrappy startups and nervous governments all over the world, might never get clean API access, but draw their access through fundamentally limited product layers: maybe the chatbot and coding agent interfaces of today, maybe the few big startups that could afford to hire the lawyers and lobbyists to make the good list. A few months after development, the model will have made it into the hands of everyone—but not everyone will have enough tokens to use that capability well, and most might only get to deploy it in ways that trusted vendors have charted out for them. Only when the next generation has already entered the same pipeline would everyone have the de facto unlimited access to frontier AI that we all still enjoy today.This is not a future we should welcome. AI tokens will be strategically and economically central to all future societies, so we should do our best to enable their free flow. If we fail, we’ll bear costs, economic and geopolitical.