Frontier AI Model Release Restrictions Are Licensing By Another Name
See how the GPT-5.6 gating turned frontier AI model release restrictions into a de facto licensing regime, plus CISO continuity playbook from RockCyber.
Frontier AI model release restrictions aren’t a fluke anymore. On June 26th, the government had OpenAI lock its new GPT-5.6 model to about 20 companies it picked by hand, one approval at a time, two weeks after it forced Anthropic’s Fable and Mythos to go dark. That is two model blackouts in 14 days on the same cyber excuse. You now run your AI stack on a permission slip that government bureaucrats who can barely spell “AI” can pull without telling you why. This issue shows you what that costs and what to do about it.
The Move, And Why It’s A Pattern
Last week, I told you a single letter swung a wrecking ball at a thumbtack and knocked two of the best models on earth offline before most of us finished happy hour. I called it “the move.” I had it wrong. It was the opening rep, because on June 26 the same wrecking ball came around again and caught OpenAI flush.
GPT-5.6 went out to roughly 20 companies the government hand-picked, through the API and the Codex tool, never ChatGPT. The administration cleared access for one customer at a time, like a bouncer working a velvet rope nobody elected him to run. Axios called it the first time the US government preemptively restricted a domestic AI model before release. Sam Altman had walked it through with Commerce Secretary Howard Lutnick two days earlier, after the White House Office of the National Cyber Director and the Office of Science and Technology Policy asked for the TL;DR.
OpenAI complied and objected in the same breath, in writing. The company said it doesn’t believe “this kind of government access process should become the long-term default.” Read that again. The lab building the model and the lab the government blacked out two weeks earlier now stand on the same square, saying the same thing, and the government still has a hand on the switch.
One blackout is an accident. Two of them, 14 days apart, on the same cyber rationale, are policies nobody passed. The executive order signed on June 2 promised, on paper, that this would remain voluntary. Twenty-four days later, the voluntary program was rubber-stamping customers one at a time.
Before I take a bat to this, I concede that frontier cyber models are dangerous. Testing a product before it ships is ordinary, and we do it to jet engines and drugs. Russell Brandom made the honest point that these capabilities now carry political weight, and containing them requires collective action that binds every lab or none. Dean Ball, who is no AI dove, calls the underlying security worry legitimate and serious. Take all of it as given. The fight was never about whether to review a model for danger. The fight is about a government gate with no published standard, with nobody qualified staring at it, swung at a capability that mostly helps defenders and already sits everywhere. A real safety regime hands you a standard and measures you against it. This one measures you against a standard that has never been written.
A License With No License
The executive order forbids, on paper, exactly what the government is doing in practice. Section 3 says nothing in it authorizes a “mandatory governmental licensing, preclearance, or permitting requirement” for releasing an AI model. The same order then gives the government a hand in choosing which partners get early access, with not one single criterion written down. Run that one customer at a time, and you have built a licensing regime. The administration refuses to call it one, which changes nothing.
Dean Ball named it a “de facto involuntary licensing regime” the day the order landed. He is also joining OpenAI, so weigh him accordingly. His core claim survives the conflict. Nobody knows what clears a model, and he means NOBODY. By his account, the administration itself can’t tell you what standard a company would have to meet to make it comfortable releasing a model with Mythos-level reach. A lab asks whether it can ship to the public. The answer is no. It stays no until somebody writes a standard that doesn’t exist.
A discretionary regime is worth exactly as much as the judgment of the people running it. Look at who that is. The administration hired one person to run the Center for AI Standards and Innovation, someone who had worked inside both OpenAI and Anthropic. Senior officials fired him within days. They parked the rest of the staff on a stop-work order through the worst of the post-Mythos scramble and barred them from talking to other agencies. Ball, who sat inside the White House on this administration’s AI strategy, says nobody he knows there has ever built anything. That is the crew writing a test you can’t see and can’t pass.
The calendar makes it worse. With no standard and no one able to write one quickly, “no” becomes the answer to an open-ended stretch. Ball lands the sharper blow. The capability curve moves so fast that any standard this crew writes today is stale by September. The fix rots before it ships, and you would be planning your business against a bar that moves as fast as the models do.
The money makes it worse again. A frontier model earns back most of its training cost in the few months it has the market to itself, before rivals catch up and margins collapse. Every week stuck in review burns that window. The data-center buildout that David Sacks calls essential to the economy assumes a global market for American AI, not whatever hundred companies a federal official decides to bless. Squeeze releases hard enough, and you produce the demand collapse that years of overbuild warnings couldn’t. The regime misfires on security and taxes the one industry the administration swears it wants to win.
I have watched the small version of this in regulated industries for 30 years. It was a discretionary approval process with no written standard, where the answer turned on who answered the phone and how their week was going. The teams under those regimes never feared the hard rules. They feared the unwritten ones because you can’t plan against a decision that changes with the mood in the room. A hard no, you engineer around. A maybe that lands differently every time freezes everything behind it.
They Gated The Defender’s Tool
The coverage buried the worst part. The model the government boxed up is better at defending your network than at breaking into anybody else’s.
OpenAI’s own write-up on Sol, the flagship of the GPT-5.6 line, says it is better at helping people find and fix vulnerabilities than at running attacks end-to-end. It matched an earlier Anthropic model on the ExploitBench security benchmark while using about a third as many output tokens. Turned loose on Chromium and Firefox, it surfaced bugs and parts of an exploit, but it couldn’t chain into a working full attack on its own. It came in under OpenAI’s own Cyber Critical threshold, the internal line the company draws at opening genuinely new paths to severe harm. They locked up a model that never crossed the bar its own maker set for dangerous.
Your defenders would use models like this to find and close holes faster than attackers can turn them into weapons. Take the better one off the board, and the gap between a bug appearing and your team killing it gets wider. That gap is the exact ground where ransomware crews and state-sponsored teams live. Gate the defender’s tool, and you do not slow the attacker down. You give him a longer runway.
Measure what the gate delivered. The skill of finding and fixing flaws at machine speed doesn’t belong to one model or one country. It runs across every frontier model and across every border. Pull one American vendor, and the offensive half of that skill drops by roughly nothing, because every other model that does the same work is still online, and China keeps shipping its own. I did the math on this in the Fable piece and won’t rerun it here. The conclusion holds. The ceiling on this capability is the architecture, not a single lab’s mistake, and you can’t undo it by powering down a single set of weights.
What the gate did accomplish is simple. It pulled the better defensive tool out of the hands of the people defending American networks and left every attacker on the planet exactly as armed as they were the day before. Call that restraint if it helps you sleep. It reads to me like cutting off your nose to spite your face.
A Blessed Few, And What Competent Authority Would Do Instead
Strip the national-security paint off and look at what’s underneath. Picture 20-odd companies, chosen behind closed doors, sitting on the most capable cyber tooling money can buy. That is the inverse of what defenders need. The thing that lifts the floor is broad, monitored access for the people guarding hospitals, pipelines, and water plants. A blessed few list lifts it for 20 names and drops it for everyone else.
Ball puts the deeper rot in plain words. The people with the most power, wielding the most capable technology ever built, behind a curtain the public can’t see through, isn’t a setup you should bet ends well. He calls it inconsistent with a democratic republic, and on that, he is right, no matter who signs his next paycheck.
Jeffrey Ding, who studies how technology turns into national power and whose diffusion argument Ball invokes, argues that general-purpose tools only pay off when they spread through a whole economy, not when they pool in a few hands. We figure out what a general-purpose technology is good for by putting it in front of many people. Lock frontier AI to 20 incumbents and you concentrate the power and choke off the learning at the same time.
A real alternative exists, and it’s not just my brilliant idea. You want to regulate? Regulate the industry, as you would something like financial services, not by the weights of a single release. A model is a pile of floating-point numbers a lab ships dozens of times over, and the compute needed to hit any given capability falls every few months, so a rule pinned to model characteristics is obsolete before the ink dries. Audit the labs against their own safety commitments through independent verification outfits, technical shops, and government certification, as the government certifies financial auditors. Take the transparency floor three states already built and make it national. California’s SB 53, along with New York and Illinois, already requires frontier labs to publish a safety framework and follow it. Representatives Obernolte and Trahan put roughly this into their Great American AI Act discussion draft, which sets a bipartisan frontier governance bill on the table for the first time.
This is coming from a person (me) who loathes overregulation and government overreach.
That is the architecture-first move I keep coming back to. Identity ties to privilege, privilege ties to accountability, and you govern the agent and the company that builds it instead of throwing a breaker on the weights and calling the result safety. I wrote about that shape when the Five Eyes agencies put out their agentic guidance. The capability the government tried to bottle up belongs to the entire class of models. You do not regulate a class by blacking out one member of it.
The CISO Read
Model availability now runs through an unwritten, unappealable, one-customer-at-a-time process, and the people running it can’t show you the standard they are using. Your most capable AI vendor ships when an official you will never meet decides it ships, and not a day sooner.
The irony (and it’s a good one in this case)? The same day the government gated OpenAI, it partly lifted the Fable order and let Mythos 5 back to a narrow set of cyber defenders and infrastructure operators.
Follow that pattern.
A capability the order branded too dangerous for foreign nationals to touch on June 12 went back to a hand-picked list on June 26, after the NSA itself had lost access under that same order. Availability ran from on to off to selectively on inside two weeks, and the government published a reason for none of the three.
You can’t write your way out of this with a vendor SLA, because the hand on the switch doesn’t belong to your vendor. You plan for it the way you plan for any single point of failure you do not control. This is the Fable playbook, and the target moving from Anthropic to OpenAI did not change a line of it.
Key Takeaway: Frontier AI model release restrictions have hardened into a licensing regime with no written standard, no appeal, and nobody qualified at the gate, and the one model it reliably keeps from your hands is the one your defenders needed most.
What To Do Next
You have two moves.
Inside your program, run the CARE loop from the Fable breakdown. CREATE the inventory of every workflow that leans on a hosted frontier model, ranked by what breaks the day it vanishes. ADAPT the contracts with a model-continuity clause, then exercise a real fallback for every tier-one workflow, a second hosted model and an open-weight option you have stood up and run yourself. RUN vendor-revocation drills, not the tame outage drills you already pass. EVOLVE the AI risk register so “a federal official can gate or kill our vendor’s model on a whim he never has to explain” sits right next to accuracy, bias, and security as a named availability risk. The full playbook lives in my breakdown of the Fable blackout as a supply chain risk.
Outside your program, scream the quiet part at full volume. Alex Stamos, a former chief security officer at Meta, told reporters that nobody in the industry sees “any factual basis for this action,” and that gating models this way hands ground to China. Representative Lori Trahan called it the government deciding access company by company, with “no law, no process, no oversight.” The wrecking ball only gets taken away from the people swinging it blind when the defenders it keeps hitting stop nodding along and calling the bruises safety. I called this exact failure before it happened, that prerelease vetting would aim at the wrong risk surface and miss, and here it is in the wild. If you run security, you have the standing to say so out loud, and staying quiet reads as a yes.
The views and opinions expressed in RockCyber Musings are my own and do not represent the positions of my employer or any organization I’m affiliated with.







