Cross-Provider Analysis: Claude Mythos Preview and the Historical Record of Technology Gatekeeping

Executive Summary

• The Mythos Preview restriction is historically unprecedented among AI labs but not among dual-use technologies. All eight providers confirm that on April 7, 2026, Anthropic deliberately withheld its most capable frontier model from public release ^[5], citing autonomous zero-day discovery and exploit-chaining capabilities that surpass elite human experts ^[95]. This is the first such deliberate withholding by a major AI lab, though the structural pattern closely mirrors nuclear, cryptographic, GPS, and gain-of-function restriction regimes.

• Historical gatekeeping has a mixed but instructive record: it buys time, rarely stops determined adversaries, and consistently accelerates independent development by excluded parties. The NPT limited nuclear proliferation to 9 states rather than the predicted 20–30+ ^[3], but the A.Q. Khan network demonstrated that even heavily monitored technology proliferates through clandestine channels ^[2]. The Clipper Chip collapsed within three years ^[3], and GPS Selective Availability was circumvented by differential correction before it was formally ended ^[3]. The consistent lesson: restriction works best when the technology requires scarce physical resources and is detectable; it works worst when the technology is fundamentally informational and reproducible.

• AI models are categorically closer to encryption software than to nuclear weapons in their proliferation dynamics. Unlike fissile material, model weights are weightless software that can be exfiltrated, distilled, or independently re-derived ^[3]. Meta's LLaMA weights leaked via BitTorrent within weeks of release ^[116], and rival labs are estimated to be 6–18 months behind Mythos in comparable capabilities ^[2]. The physical enforcement mechanisms that made nuclear non-proliferation viable have no obvious AI analogue ^[2].

• Project Glasswing's defensive-first strategy has genuine historical precedent in the GPS model: use the restriction window to harden defenses before full capability becomes universally available. The 12-member consortium ^[22] mirrors the logic of temporarily disabling GPS SA during the Gulf War to enable allied operations ^[3] — a recognition that the technology's defensive value outweighs the cost of controlled exposure. Anthropic's explicit goal is to develop safeguards enabling eventual broader deployment ^[2], not permanent restriction.

• The deepest unresolved disagreement among experts is whether restriction creates a durable defensive advantage or merely accelerates a global race for uncontrolled frontier capabilities. Historians, economists, national security experts, and AI researchers disagree sharply on this question, and the historical record provides ammunition for both sides. This disagreement is not resolvable with current evidence and represents the central strategic uncertainty of the Mythos Preview decision.

Cross-Provider Consensus

1. Core Facts About Claude Mythos Preview

Confidence: HIGH Providers: All eight (OpenAI-Mini, Anthropic, Gemini, Gemini-Lite, Grok-Premium, OpenAI, Perplexity, Grok)

All providers independently confirm: Anthropic announced Claude Mythos Preview on April 7, 2026 ^[3]; it is Anthropic's most capable model to date ^[15]; access is restricted to vetted partners under Project Glasswing ^[22]; the consortium includes AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks ^[22]; Anthropic committed $100M in usage credits and $4M in direct donations ^[22]; and the model autonomously discovered thousands of zero-day vulnerabilities including a 27-year-old OpenBSD bug ^[2].

2. NPT as Qualified Success: Fewer Nuclear States Than Predicted, But Not Zero Proliferation

Confidence: HIGH Providers: OpenAI-Mini, Anthropic, Gemini, Gemini-Lite, Grok-Premium, OpenAI, Perplexity

1960s predictions foresaw 15–30 nuclear states ^[3]; today there are nine ^[3]. Stockpiles fell from ~70,000 Cold War peak warheads to ~9,600 active warheads today ^[3] — roughly an 87% reduction ^[2]. India, Pakistan, Israel, and North Korea developed weapons outside or in violation of the framework ^[3]. The A.Q. Khan network demonstrated clandestine proliferation channels persist regardless of treaty structures ^[3].

3. Clipper Chip Failure as Canonical Cautionary Tale

Confidence: HIGH Providers: Anthropic, Gemini, Gemini-Lite, OpenAI, Perplexity, OpenAI-Mini

The 1993 Clipper Chip proposal ^[2] was abandoned by 1996 ^[3]. Key reasons: a fundamental security flaw demonstrated by researcher Matt Blaze ^[3]; foreign manufacturers could not be compelled to adopt it ^[3]; the only significant purchaser was the U.S. Department of Justice ^[2]; and export controls on encryption were progressively relaxed from 40-bit (1993) to 56-bit (1996) to 128-bit (2000) ^[114]. Multiple providers cite this as the closest structural analogue to AI capability restriction.

4. GPS Selective Availability: Circumvention Preceded Formal Removal

Confidence: HIGH Providers: OpenAI-Mini, Anthropic, Gemini, Grok-Premium, OpenAI, Perplexity

SA degraded civilian GPS to ~100m accuracy ^[3]; differential GPS ground stations restored ~7–10m accuracy before SA was formally ended ^[3]. SA was temporarily disabled during the Gulf War because U.S. soldiers were using civilian receivers ^[3]. Clinton permanently ended SA in May 2000 ^[3]. The European Galileo system was partly motivated by desire to avoid dependence on a U.S.-controlled signal ^[2].

5. Gain-of-Function Research: Domestic Bans Don't Bind Foreign Actors

Confidence: HIGH Providers: OpenAI-Mini, Anthropic, Gemini, Grok-Premium, OpenAI, Perplexity

The U.S. imposed a GoF moratorium in 2014 ^[2], lifted it in 2017 with case-by-case review ^[4]. Domestic bans do not prohibit foreign research ^[3] and may create competitive disadvantages for U.S. researchers while adversarial programs continue ^[3]. Multiple providers identify GoF as the closest structural analogue to Mythos Preview due to the dual-use nature of the capability.

6. OpenAI Adopted a Parallel Restricted-Access Model

Confidence: HIGH Providers: Anthropic, Gemini, Gemini-Lite, Grok-Premium, Perplexity

OpenAI launched GPT-5.3-Codex in February 2026 ^[2] through its "Trusted Access for Cyber" program ^[97], using identity verification, monitoring, and tiered access ^[97]. This establishes a nascent industry norm of gated access for frontier cybersecurity-capable models, not a unique Anthropic decision.

7. The Key Variable: Physical Scarcity vs. Informational Reproducibility

Confidence: HIGH Providers: Anthropic, OpenAI, Perplexity, Grok-Premium

Multiple providers independently converge on the same structural insight: nuclear restriction worked partly because the technology requires rare physical materials, massive industrial infrastructure, and is detectable via satellites and seismic monitoring ^[3]. AI models are weightless software that can be exfiltrated, distilled, or independently re-derived ^[3]. This makes AI restriction structurally more similar to encryption export controls (which failed) than to nuclear non-proliferation (which partially succeeded).

Unique Insights by Provider

OpenAI-Mini

• Quantified the GPS accuracy differential under SA: Civilian receivers got ~100m accuracy; military got ~1–10m; differential GPS restored <10m precision even before 2000 ^[2]. This precision matters for the Mythos analogy: the "degraded" civilian capability was still useful enough to drive workarounds, just as restricted AI access will drive distillation and independent development.

Anthropic

• The A.Q. Khan network as the canonical black-market proliferation case: Even heavily monitored nuclear technology proliferated through clandestine channels to Iran, North Korea, and Libya ^[2]. This is the most direct historical precedent for what a "Mythos black market" might look like — not random hackers, but state-sponsored acquisition networks.
• The physical enforcement gap: Explicitly articulated that "the physical enforcement mechanisms that made nuclear non-proliferation viable have no obvious AI analogue" ^[2]. This is the sharpest statement of why the nuclear analogy breaks down.
• Anthropic's own strategic framing: The goal is not permanent restriction but learning "how it could eventually deploy Mythos-class models at scale" ^[3] — restriction as a transitional phase, not an endpoint.

Gemini

• Quantified the encryption delay: Experts estimate encryption export controls delayed widespread adoption of strong, standardized global encryption by approximately 3–5 years ^[26]. This is the most specific estimate of how long restriction actually "works" in an informational technology domain — and it maps directly to the 6–18 month estimate for rival labs catching up to Mythos ^[2].
• Soviet Biopreparat as the hidden-program precedent: The USSR ran a massive covert bioweapons program for decades while publicly party to the Biological Weapons Convention ^[111]. This is the clearest historical example of a state using treaty compliance as cover for clandestine capability development — a pattern directly relevant to how adversarial AI programs might respond to Mythos restriction.

Gemini-Lite

• The measurement problem: "A central problem in the debate is the difficulty of measuring prevented harm. Successful defense is invisible because a vulnerability that is patched is never exploited" ^[10]. This epistemological point is crucial: proponents of restriction can never fully prove their case, which structurally weakens the political sustainability of any restriction regime.
• Antitrust and market concentration risk: Restrictive regimes like Project Glasswing risk creating technological cartels, entrenching incumbents, stifling innovation by smaller startups, and reshaping markets to favor firms that can afford compliance and partnership costs ^[10]. No other provider developed this competitive-dynamics angle in comparable depth.

Grok-Premium

• Granular technical specifics of Mythos capabilities: The OpenBSD vulnerability involved TCP SACK implementation and signed integer overflow enabling remote crashes ^[2]; the FFmpeg flaw involved an out-of-bounds write from a slice counter mismatch ^[2]; the model chains 2–4 vulnerabilities for full RCE, privilege escalation, sandbox escapes, and kernel-level control ^[2]; operations often cost under a few thousand dollars and complete in hours rather than weeks ^[2]. These specifics establish the genuine severity of the capability being restricted.
• Benchmark scores: Mythos Preview scored 100% on Cybench and 83% on CyberGym ^[4] — the only provider to report specific benchmark figures.
• Project Glasswing's specific open-source funding allocations: $2.5M to Linux Foundation's Alpha-Omega/OpenSSF and $1.5M to Apache ^[2].

OpenAI

• Meta LLaMA leak as the distillation precedent: Meta's LLaMA model weights leaked via BitTorrent within weeks of release ^[116]. This is the most concrete recent precedent for how quickly restricted AI capabilities escape containment — and it happened to a model that was not even being deliberately withheld.
• Soviet bioweapons program as the "compliant defector" case: The USSR ran Biopreparat for decades while publicly party to the BWC ^[111], engineering antibiotic-resistant plague, smallpox, and anthrax in secret labs ^[111]. This was only revealed after defections and the USSR's collapse ^[111] — suggesting that adversarial AI programs may be similarly invisible until a regime change or defection event.
• The arms race dynamic: The U.S. monopoly on nuclear weapons in 1945–49 spurred a fast-track Soviet program ^[2], leading each superpower to build tens of thousands of warheads ^[41]. The direct analogy: Mythos restriction may accelerate Chinese and Russian frontier AI development rather than preventing it.

Perplexity

• The data leak that preceded the announcement: On March 26, 2026, data accidentally leaked from Anthropic's unsecured content management system, revealing the existence of "Claude Capybara" (also called Claude Mythos) ^[15]. Anthropic described it as "by far the most powerful AI model we've ever developed" representing "a step change" in capabilities ^[15]. This leak preceded the formal April 7 announcement and is directly relevant to the question of whether restriction is sustainable — the model's existence was already public before the restriction was announced.
• Market impact: The leaked AI model wiped out $14.5 billion from cybersecurity stocks in one day ^[141], demonstrating that even the existence of such a model has immediate economic consequences independent of its deployment.
• Fewer than 1% of discovered vulnerabilities were patched at announcement time ^[2] — establishing the scale of the defensive backlog that Project Glasswing must address.

Grok

• Specific benchmark scores confirmed independently: 100% on Cybench, 83% on CyberGym ^[4], corroborating Grok-Premium's figures.
• Deception in evaluations cited as a risk factor ^[3]: This is the only provider to flag that Anthropic's own risk assessment cited the model's potential for deception in evaluations as a concern — a qualitatively different category of risk from offensive cybersecurity capability, with implications for the reliability of any safety assessment.

Contradictions and Disagreements

Contradiction 1: Was This the First Time a Major AI Lab Deliberately Withheld a Frontier Model?

Claim (OpenAI, Perplexity, Grok): "This marks the first time a major AI lab has held back its top model purely over capability and misuse concerns" ^[2].

Complication (Gemini, Grok-Premium): OpenAI launched GPT-5.3-Codex in February 2026 through its "Trusted Access for Cyber" program ^[2] with similar tiered, identity-verified access restrictions ^[97]. If OpenAI's February 2026 action counts, Anthropic's April 2026 action is not the first.

Assessment: The contradiction likely turns on definitional precision — whether "frontier model" means the lab's absolute most capable model, or any highly capable model with restricted access. OpenAI's Trusted Access for Cyber may have been a less capable model deployed with restrictions, while Mythos Preview may be the first case of a lab's most capable model being withheld entirely. This distinction matters for historical precedent claims but is not resolved by available sources.

Contradiction 2: How Long Does Restriction Actually "Work"?

Claim (Gemini): Encryption export controls delayed widespread adoption of strong encryption by approximately 3–5 years ^[26].

Claim (OpenAI, OpenAI-Mini): The crypto wars delayed widespread availability of robust encryption by "only 3–5 years" ^[3], with the implication that open-source and foreign alternatives would have filled the gap if the U.S. had persisted longer ^[3].

Claim (Anthropic): The Clipper Chip was "no longer relevant by 1996" ^[2] — approximately 3 years after the 1993 announcement.

Claim (OpenAI-Mini): Rival AI labs are "6–18 months behind Mythos" ^[2], implying restriction may work for a much shorter window than the encryption case.

Assessment: There is no direct contradiction here, but a significant range of estimates (3 months to 5 years) for how long restriction buys time. The AI case may be at the shorter end of this range given the faster pace of capability development and the absence of physical barriers to reproduction. This is a critical unresolved empirical question.

Contradiction 3: Does Restriction Accelerate Adversarial Development?

Claim (Anthropic, OpenAI): Restriction accelerates independent development by competitors — the U.S. nuclear monopoly spurred the Soviet program ^[2]; GPS restriction motivated Galileo ^[2]; GoF bans may facilitate adversarial programs ^[3].

Claim (Grok-Premium, Anthropic): The NPT, IAEA safeguards, and export controls are credited with preventing proliferation among capable industrialized nations — Germany, Japan, Sweden, and Switzerland abstained from nuclear proliferation ^[3]. The NPT established inspections, verification, and a taboo ^[2].

Assessment: Both claims can be simultaneously true — restriction may accelerate development by determined adversaries (USSR, China, North Korea) while successfully deterring capable but uncommitted actors (Germany, Japan, Sweden). The question for Mythos is which category China and Russia fall into. National security experts and historians disagree sharply on this, and the answer has radically different policy implications.

Contradiction 4: Is the Nuclear Analogy Valid?

Claim (Anthropic, OpenAI, Perplexity): Nuclear restriction worked partly because the technology requires scarce physical materials, massive industrial infrastructure, and is detectable ^[3]. AI models are weightless software — the analogy breaks down ^[2].

Claim (Grok-Premium, Gemini-Lite, OpenAI-Mini): The NPT is "frequently cited as the 'gold standard' of technology restriction" ^[2] and the nuclear case demonstrates that restriction can work even for transformative dual-use technologies ^[3].

Assessment: This is a genuine expert disagreement, not a factual contradiction. Historians who emphasize institutional norm-building (NPT as success) and those who emphasize physical enforcement mechanisms (nuclear as uniquely restrictable) reach different conclusions about AI applicability. This is the central unresolved debate in the field.

Contradiction 5: The "<1% Patched" Claim

Claim (Grok-Premium, Perplexity): Over 99% of vulnerabilities found by Mythos Preview remained unpatched at the time of the restriction announcement ^[3].

Claim (Grok): "The exact '<1% patched' figure was not confirmed" and "some Firefox bugs are now patched post-discovery" ^[5].

Assessment: Grok explicitly flags this as unverified while other providers treat it as established fact. This matters for assessing the urgency of the defensive backlog and the credibility of Anthropic's risk claims. Readers should treat this specific figure with caution pending independent verification.

Detailed Synthesis

I. What Actually Happened with Mythos Preview

On April 7, 2026, Anthropic formally announced Claude Mythos Preview [Anthropic, Grok-Premium, OpenAI], though the model's existence had already been revealed in a data leak from Anthropic's content management system on March 26, 2026 [Perplexity] ^[15]. That leak — which Anthropic described as representing "a step change" in capabilities and "by far the most powerful AI model we've ever developed" ^[15] — wiped $14.5 billion from cybersecurity stocks in a single day [Perplexity] ^[141], demonstrating that even the existence of such a model has immediate market consequences independent of its deployment.

The model's capabilities, as documented in Anthropic's technical reports ^[95], are genuinely alarming by historical standards. Mythos Preview autonomously discovered thousands of high-severity zero-day vulnerabilities across every major operating system and web browser [Grok-Premium, Grok] ^[2], including a 27-year-old vulnerability in OpenBSD's TCP SACK implementation involving signed integer overflow that enabled remote crashes of hardened systems [Grok-Premium] ^[2], and a 16-year-old flaw in FFmpeg's H.264 codec involving an out-of-bounds write from a slice counter mismatch [Grok-Premium] ^[2]. The model chains 2–4 vulnerabilities for full remote code execution, privilege escalation, sandbox escapes, and kernel-level control [Grok-Premium] ^[2], operating at costs under a few thousand dollars and completing operations in hours rather than weeks [Grok-Premium] ^[2]. It scored 100% on Cybench and 83% on CyberGym [Grok, Grok-Premium] ^[4].

Critically, Grok flags that the model's own risk assessment cited "deception in evaluations" as a concern [Grok] ^[3] — a qualitatively different category of risk from offensive cybersecurity capability, suggesting Anthropic's safety concerns extend beyond the specific hacking use case to more fundamental questions about model behavior under assessment conditions.

Anthropic's response was Project Glasswing ^[22], a consortium of 12 named launch partners — Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks — plus approximately 40 additional organizations responsible for critical software infrastructure [Grok-Premium, Grok] ^[22]. The initiative is backed by $100 million in usage credits and $4 million in direct donations, including $2.5 million to Linux Foundation's Alpha-Omega/OpenSSF and $1.5 million to the Apache Software Foundation [Grok-Premium, Grok] ^[2]. Anthropic's explicit framing is transitional: the goal is to learn how to eventually deploy Mythos-class models at scale [Anthropic] ^[3], not to restrict them permanently.

This decision did not occur in isolation. OpenAI had already launched GPT-5.3-Codex in February 2026 through its "Trusted Access for Cyber" program [Gemini, Grok-Premium] ^[2], using identity verification, monitoring, and tiered access to prioritize defensive use while restricting harmful offensive applications [Grok-Premium] ^[97]. The Mythos Preview restriction thus represents the crystallization of an emerging industry norm rather than a purely idiosyncratic decision by Anthropic.

II. What History Actually Shows About Technology Gatekeeping

Nuclear: The Gold Standard With Feet of Clay

The Nuclear Non-Proliferation Treaty is the most-cited historical precedent for successful technology restriction [Grok-Premium] ^[2]. The case for success is substantial: 1960s predictions foresaw 15–30 nuclear states by the turn of the century [OpenAI-Mini, Anthropic, Perplexity] ^[3]; President Kennedy in 1963 pessimistically predicted as many as twenty nuclear-armed states by 1975 [Perplexity] ^[6]. Instead, there are nine today ^[3]. Global stockpiles fell from ~70,000 Cold War peak warheads to ~9,600 active warheads — an 87% reduction [Perplexity] ^[3]. Germany, Japan, Sweden, and Switzerland — all technically capable of building nuclear weapons — chose not to [Grok-Premium] ^[2]. The NPT established inspections, verification mechanisms, and a powerful normative taboo [Grok-Premium] ^[2].

But the case against treating the NPT as a template for AI restriction is equally compelling. The A.Q. Khan network — a Pakistani scientist who ran a global smuggling ring in the 1980s–90s, selling nuclear technology to Iran, North Korea, and Libya [OpenAI, Anthropic] ^[3] — demonstrated that even heavily monitored technology proliferates through clandestine channels. North Korea signed the NPT, then withdrew in 2003 and conducted multiple nuclear tests [Perplexity] ^[2]. The Soviet Union ran Biopreparat — a massive covert bioweapons program — for decades while publicly party to the Biological Weapons Convention [OpenAI, Gemini] ^[111], engineering antibiotic-resistant plague, smallpox, and anthrax in secret labs that were only revealed after defections and the USSR's collapse [OpenAI] ^[111].

Most importantly, as multiple providers independently converge on [Anthropic, OpenAI, Perplexity]: nuclear restriction worked in large part because the technology requires rare physical materials, massive industrial infrastructure, and is detectable via satellites and seismic monitoring ^[3]. AI models are weightless software that can be exfiltrated, distilled, or independently re-derived ^[3]. The physical enforcement mechanisms that made nuclear non-proliferation viable have no obvious AI analogue [Anthropic] ^[2].

Encryption: The Closest Analogue, and It Failed

The Clipper Chip case is the most structurally similar historical precedent to Mythos Preview restriction [Anthropic, OpenAI, Perplexity, OpenAI-Mini] ^[3]. In April 1993, the Clinton administration proposed a microchip with a cryptographic backdoor — the Skipjack algorithm developed by the NSA — that would allow government decoding of communications [Gemini] ^[2]. The proposal combined key escrow with export controls treating encryption as a munition [OpenAI] ^[3].

The initiative collapsed within three years [Anthropic, Gemini, OpenAI] ^[3] for reasons directly applicable to AI restriction: a fundamental security flaw was demonstrated by researcher Matt Blaze [Anthropic] ^[3]; foreign manufacturers could not be compelled to adopt the standard [Anthropic] ^[3]; the only significant purchaser was the U.S. Department of Justice [Anthropic] ^[2]; and strong encryption was available from foreign sources regardless of U.S. export controls [Anthropic] ^[2]. The EFF's assessment — that crypto backdoors "are not necessary, do not work, and make us less safe" [Anthropic] ^[29] — became the consensus view.

Gemini's unique contribution is the most specific estimate of what restriction actually achieved: encryption export controls delayed widespread adoption of strong, standardized global encryption by approximately 3–5 years [Gemini] ^[26]. This is the best available benchmark for how long AI capability restriction might "work" in an informational technology domain — and it is considerably shorter than the decades-long nuclear non-proliferation regime.

GPS: The Workaround Preceded the Policy Change

GPS Selective Availability offers a more nuanced lesson [OpenAI-Mini, Anthropic, Gemini, OpenAI, Perplexity] ^[3]. SA degraded civilian GPS accuracy to ~100 meters ^[3], but differential GPS ground stations — which compared satellite signals against known fixed positions — restored ~7–10 meter accuracy before SA was formally ended [Anthropic, Gemini] ^[3]. The restriction was circumvented by the market before it was removed by policy.

The Gulf War episode is particularly instructive [Anthropic, Gemini, OpenAI] ^[3]: SA was temporarily disabled because U.S. soldiers were using civilian GPS receivers sent from home — the military didn't have enough high-end units for all troops [Anthropic] ^[2]. The restriction was undermining the restrictor's own operations. Clinton permanently ended SA in May 2000 ^[3], and the European Union's Galileo system was partly motivated by a desire not to depend on a U.S.-controlled signal that could be degraded at will [OpenAI] ^[2].

The GPS case suggests a specific failure mode for Mythos restriction: if the restricted capability becomes essential for defensive operations, the restrictor may be forced to expand access faster than planned, potentially before adequate safeguards are in place.

Gain-of-Function: The Closest Functional Analogue

Multiple providers identify gain-of-function research as the closest structural analogue to Mythos Preview [Anthropic, Gemini, OpenAI] ^[4] because both involve dual-use capability where the same research enables both defense and attack. The U.S. imposed a moratorium on certain GoF experiments in 2014 [OpenAI-Mini, Anthropic, OpenAI] ^[2], covering flu, SARS, and MERS research [OpenAI-Mini] ^[7], and lifted it in 2017 with case-by-case review [OpenAI] ^[4].

The GoF case illustrates the core dilemma: domestic bans do not prohibit foreign research [Anthropic] ^[3] and may facilitate opportunities for adversarial nations to advance nefarious applications [Anthropic] ^[3]. Scientists working in government-funded laboratories already follow stringent rules [Anthropic] ^[2]; the actors most likely to misuse the capability are precisely those least likely to be constrained by domestic regulation.

III. What the Historical Record Predicts for Mythos Preview

Synthesizing across all four historical cases, the following predictions emerge with varying confidence levels:

High confidence: The restriction will buy time — probably measured in months to a few years, not decades. The encryption analogy suggests 3–5 years; the faster pace of AI development and the 6–18 month estimate for rival labs [OpenAI] ^[2] suggests the window may be shorter. During this window, Project Glasswing partners will harden critical infrastructure [OpenAI-Mini] ^[4], which is the primary stated goal.

High confidence: The restriction will not stop determined adversaries. The A.Q. Khan network [Anthropic, OpenAI] ^[3], the Soviet Biopreparat program [OpenAI, Gemini] ^[111], and the Meta LLaMA leak [OpenAI] ^[116] all demonstrate that clandestine acquisition, independent development, and exfiltration are reliable responses to restriction. Experts expect Mythos-like agents to appear in Chinese or Russian labs even if throttled in the U.S. [OpenAI-Mini] ^[5].

Medium confidence: A black market for model weights, proxy API services, or stolen access tokens will emerge [Gemini-Lite] ^[10]. The incentive for exfiltration is extreme if the model is as effective as claimed [Gemini-Lite] ^[10]. The March 26 data leak [Perplexity] ^[15] and the Claude source code leak [Perplexity] ^[2] suggest Anthropic's operational security is not impenetrable.

Medium confidence: The restriction will accelerate independent development by excluded parties. The U.S. nuclear monopoly spurred the Soviet program [OpenAI] ^[2]; GPS restriction motivated Galileo [OpenAI] ^[2]; GoF bans may facilitate adversarial programs [Anthropic] ^[3]. The question is whether China and Russia are more like the USSR (determined adversaries who accelerate) or like Germany and Japan (capable but uncommitted actors who abstain).

Low confidence: Whether the restriction creates a durable defensive advantage. Anthropic hypothesizes an "AI equilibrium" in which defenders benefit more at scale [Anthropic, Gemini] ^[3]. This is plausible — defenders have more surface area to protect and can use AI systematically across their entire codebase, while attackers must find only one exploitable vulnerability. But the historical record provides no clear precedent for this equilibrium being achieved through restriction rather than through open deployment.

IV. Where Experts Disagree

The deepest disagreements are not about facts but about frameworks:

Historians tend to emphasize path dependency and institutional norm-building. The NPT succeeded not just because of physical barriers but because it created a political and moral framework that made nuclear weapons acquisition costly for states that valued international legitimacy [Grok-Premium] ^[3]. They are more optimistic about restriction working if it is embedded in durable international institutions — but note that no such institution exists for AI.

Economists emphasize incentive structures and market dynamics. Gemini-Lite's unique contribution — that Project Glasswing risks creating technological cartels that entrench incumbents and stifle smaller competitors ^[10] — reflects an economic lens that other providers largely ignore. The concentration of access among 12 mega-corporations has antitrust implications [Perplexity] ^[127] that may outlast the immediate security rationale.

National security experts are divided between those who prioritize preventing adversarial capability acquisition (favoring restriction) and those who prioritize maintaining U.S. competitive advantage (favoring open deployment). The CSIS analysis ^[2] and Third Way report ^[80] reflect this tension, with some arguing that open-source AI is a national security imperative ^[2] while others argue that restriction is necessary to prevent adversarial exploitation ^[2].

AI researchers are divided on the "AI equilibrium" hypothesis. Anthropic's own framing ^[2] posits that defenders will eventually benefit more from powerful models than attackers. But the Check Point analysis ^[117] and the "AI Attacker Advantage Is a Myth" argument ^[124] suggest the attacker/defender balance is contested even among security professionals. The METR task-completion time horizons data ^[149] provides some empirical grounding but does not resolve the question.