Evidence Pack: The National Security Stakes of Open-Weight AI and the US Policy Shift
As the US pivots to a 'growth-first' AI strategy, empirical evidence reveals a sharp tension between the economic benefits of open-source models and the geopolitical risks of proliferation.
By Factlen Editorial Team
- Open-Source Advocates: Argues that open model weights are essential for transparency, innovation, and defensive security.
- National Security Analysts: Warns that open-sourcing frontier models effectively hands weapons-grade capabilities to geopolitical adversaries.
- Federal Policymakers: Prioritizes rapid domestic AI deployment and infrastructure dominance over precautionary restrictions.
What's not represented
- Global South policymakers facing AI-driven economic displacement
- Independent safety auditors lacking access to closed frontier models
Why this matters
The debate over open-weight AI is no longer a theoretical academic dispute; it is the defining national security issue of the decade. The US government's decision to prioritize rapid AI growth over precautionary restrictions will dictate the future of global cybersecurity, economic competitiveness, and the balance of geopolitical power.
Key points
- The White House has officially designated advanced AI as a critical cyber-defense and national security capability.
- Recent government reports indicate the US has shifted to a 'growth-first' AI policy to counter international competition.
- The NTIA concluded that the economic and transparency benefits of open model weights currently outweigh the risks.
- Security analysts warn that open-sourcing frontier models allows adversaries to bypass the massive hardware costs of AI development.
- The US is relying on voluntary pre-deployment evaluations by CAISI to manage risks without imposing broad bans.
- Enterprise adoption of autonomous AI agents is projected to hit 40% by late 2026, outpacing regulatory standards.
The June 2026 landscape marks a definitive pivot in United States artificial intelligence policy, transitioning from a precautionary safety posture to a "growth-first" national security strategy. The White House's recent "Cyber Strategy at the AI Frontier" Executive Order officially designates advanced AI as both a critical cyber-defense capability and a national security-sensitive technology. This directive signals that the federal government increasingly views frontier models not merely as commercial products, but as essential infrastructure required to maintain global supremacy in an increasingly volatile digital domain.[1]
This strategic shift is driven by a rapidly closing geopolitical gap and the commoditization of advanced capabilities. According to the UK Government Office for Science's updated "AI Scenarios 2030" report released this week, the January 2025 release of highly capable, low-cost open-weight systems by Chinese firm DeepSeek effectively ended America's uncontested AI leadership. The proliferation of these models demonstrated that adversaries could match Western capabilities without replicating the massive capital expenditure previously thought necessary. Consequently, US policy has reoriented toward establishing global dominance through rapid deployment, massive infrastructure build-outs, and aggressive commercialization, accepting certain proliferation risks as the necessary cost of maintaining a competitive edge in a multi-polar technological landscape.[4]
This evidence pack evaluates the core claims underpinning this policy shift, mapping the empirical consensus and transparent uncertainties surrounding open-weight models, autonomous agents, and international security. The central tension lies in balancing the democratization of innovation against the proliferation of dual-use capabilities to adversarial state and non-state actors. By examining recent government assessments, security frameworks, and independent evaluations, we can surface where the evidence for AI safety is robust and where critical blind spots remain. The stakes are unprecedented: the decisions made in the coming months will dictate the architecture of the internet, the resilience of critical infrastructure, and the balance of global power for decades to come.
The foundational evidence supporting the continued permissiveness toward open-source AI rests on the assertion that widely available models provide a net economic and defensive benefit. This position is heavily anchored by the National Telecommunications and Information Administration (NTIA) report on dual-use foundation models. The agency was tasked with evaluating whether the federal government should intervene to restrict the publication of model weights—the core mathematical parameters that dictate how an AI system functions. After extensive consultation with industry and civil society, the NTIA established the baseline framework that currently governs the US approach to open-source artificial intelligence, prioritizing innovation over hypothetical harms.[2]
Conducting a "marginal risk analysis," the NTIA concluded that the government should not restrict the wide availability of model weights at this time. The agency found that open weights decentralize market control, lower barriers to entry for academic researchers, and enable independent auditing of safety benchmarks. By focusing on the specific, marginal risks introduced by open weights rather than the general risks of AI, the report determined that the immediate benefits to competition and transparency far outweigh the theoretical security threats, provided that the government maintains active monitoring capabilities.[2]

Furthermore, the open-source community argues that widely available weights are essential for defensive cybersecurity. By allowing independent security researchers to probe models for vulnerabilities, stress-test guardrails, and develop robust countermeasures, open models theoretically harden the entire ecosystem against novel attack vectors. This crowdsourced approach to security mirrors the historical trajectory of open-source software, where transparency ultimately proved more resilient than security-through-obscurity. Advocates contend that restricting access to frontier models would only consolidate power among a few massive tech incumbents while leaving the public blind to the internal flaws of the systems governing their digital lives.
Countering this economic optimism, national security researchers present strong evidence that open weights bypass the primary chokepoint of artificial intelligence development: compute infrastructure. The proliferation of frontier model weights is increasingly viewed not as a triumph of democratization, but as an unmitigated risk of empowering adversaries. While traditional software vulnerabilities can be patched, the capabilities embedded within a massive neural network are fundamentally dual-use; a model that can write secure code can also be directed to discover zero-day exploits. This paradigm shift challenges the historical analogy to open-source software, suggesting that the sheer destructive potential of advanced AI requires a fundamentally different security posture.
A comprehensive analysis by the RAND Corporation warns that states cannot control the spread of advanced models once their weights are open-sourced or stolen. Because training a frontier model requires billions of dollars in specialized hardware and massive energy resources, the weights represent the culmination of immense capital investment. If adversarial states or non-state actors acquire these weights, they gain complete control over the model without needing the infrastructure to train it from scratch. This drastically lowers the barrier to entry for launching sophisticated cyberattacks, generating mass disinformation, or accelerating biological weapons research.[3]
OpenAI's recent security analysis corroborates this threat model, noting that artificial intelligence is rapidly emerging as a distinct domain of geopolitical concern alongside cyberspace and outer space. The report emphasizes that frontier systems capable of complex cognitive labor and strategic planning could disrupt the foundations of international stability if proliferated indiscriminately. As models become capable of accelerating scientific discovery and strengthening coordination in complex strategic competitions, the unchecked distribution of their underlying weights threatens to erode the deterrence mechanisms that have historically maintained global security.[5]
With broad bans on open weights currently off the table, the US government has pivoted to measurement and evaluation as its primary security mechanism. The Department of Commerce's Center for AI Standards and Innovation (CAISI)—formerly the US AI Safety Institute—serves as the institutional anchor for this approach. Rather than attempting to halt the proliferation of technology, the government is focusing on understanding exactly what these models can do before they are released into the wild, establishing a framework of voluntary compliance and rigorous scientific testing.[6]
As of May 2026, CAISI has completed more than forty pre-deployment evaluations of frontier models from leading developers, including Google DeepMind, Microsoft, and xAI. These evaluations focus on rigorous measurement science to understand a model's capabilities in highly sensitive areas, such as synthetic biology, chemical synthesis, and offensive cyber operations. By partnering directly with industry leaders, the agency aims to identify and mitigate unacceptable risks prior to deployment, creating a standardized benchmark for safety that balances the imperative for rapid innovation with national security requirements.[6]

However, the evidence supporting the long-term efficacy of voluntary pre-deployment evaluations remains weak. Security experts note that evaluating a model's capabilities at the point of deployment does not account for post-deployment fine-tuning. An open-weight model deemed "safe" during a CAISI evaluation could theoretically be downloaded and fine-tuned by a malicious actor to systematically remove its safety guardrails and optimize it for harmful tasks. This fundamental limitation suggests that pre-deployment testing, while necessary, is insufficient to contain the risks posed by the open distribution of highly capable foundation models.
The policy landscape is further complicated by the rapid transition from static chatbots to autonomous artificial intelligence agents. These systems introduce novel, systemic vulnerabilities that current regulatory frameworks are ill-equipped to handle. Unlike traditional models that require continuous human prompting, autonomous agents are designed to execute multi-step actions, make independent decisions, and interact directly with enterprise software, financial networks, and critical infrastructure. This shift from passive generation to active execution exponentially increases the potential blast radius of a compromised or misaligned system.
The Cloud Security Alliance and NIST CAISI have identified prompt injection and accountability gaps in autonomous action chains as the leading security vulnerabilities in this new paradigm. As AI agents are granted access to internal databases and authorized to execute transactions, malicious actors can exploit these systems by injecting hidden instructions into the data the agent processes. Because these agents operate autonomously across multiple platforms, tracking the origin of a malicious command and establishing accountability becomes a profound technical challenge, leaving enterprise networks highly exposed.[7]
The evidence suggests a severe mismatch between deployment velocity and regulatory readiness. Gartner projects that forty percent of enterprise applications will incorporate task-specific AI agents by the end of 2026, up from fewer than five percent in 2025. This explosive adoption rate is vastly outpacing the development timelines for NIST's forthcoming AI Agent Standards Initiative. Consequently, critical infrastructure operators and financial institutions are integrating highly autonomous systems into their core operations long before the government can finalize the technical guidance required to secure them.[7]

The current US "growth-first" policy relies heavily on the assumption that domestic innovation will consistently outpace adversarial exploitation. While the economic benefits of open-weight models are well-documented and empirically strong, the national security risks—though currently theoretical—carry potentially catastrophic consequences. The strategy accepts a high degree of vulnerability in the short term, betting that the rapid deployment of AI will ultimately yield defensive capabilities sophisticated enough to neutralize the very threats the technology enables. This high-stakes gamble defines the modern era of statecraft, where technological stagnation is viewed as a greater existential threat than the proliferation of dual-use weapons.
The most significant gap in the evidence base is the lack of empirical data on the "offense-defense balance" in AI-enabled cybersecurity. It remains entirely uncertain whether the defensive advantages of open-source AI—such as automated vulnerability patching and real-time threat detection—will ultimately outweigh the offensive advantages granted to threat actors equipped with the same advanced reasoning capabilities. Until this balance is proven in the wild, the policy consensus will remain fragile, built on a foundation of optimistic projections rather than guaranteed security.[1][8]
How we got here
July 2024
NTIA releases foundational report advising against restricting open-weight AI models.
January 2025
Chinese firm DeepSeek releases a highly capable open-weight model, shifting the geopolitical AI balance.
June 2025
US AI Safety Institute is restructured and renamed to the Center for AI Standards and Innovation (CAISI).
May 2026
CAISI announces completion of over 40 pre-deployment evaluations of frontier models.
June 2026
White House issues 'Cyber Strategy at the AI Frontier' Executive Order, cementing a growth-first posture.
Viewpoints in depth
Open-Source Advocates
Argues that open model weights are essential for transparency, innovation, and defensive security.
This camp, which includes organizations like the Open Source Initiative and the AI Alliance, contends that restricting model weights consolidates power among a few massive tech incumbents. They argue that open access allows independent researchers to audit models for bias and vulnerabilities, ultimately creating a more robust and secure ecosystem. In their view, the defensive benefits of crowdsourced security patching outweigh the risks of adversarial misuse.
National Security Hawks
Warns that open-sourcing frontier models effectively hands weapons-grade capabilities to geopolitical adversaries.
Security researchers and defense analysts emphasize that the primary barrier to advanced AI is the billions of dollars required for compute infrastructure. When a model's weights are released openly, adversaries can bypass this bottleneck entirely. This perspective argues that while open source is appropriate for narrow or older models, frontier systems capable of cyber-offense or biological design must be tightly controlled to prevent state and non-state actors from disrupting global stability.
The 'Growth-First' Policymakers
Prioritizes rapid domestic AI deployment and infrastructure dominance over precautionary restrictions.
Reflected in recent US executive actions, this viewpoint accepts that some proliferation risk is inevitable but argues that the greatest threat to national security is falling behind in the AI race. By fostering a permissive regulatory environment and focusing on post-training evaluations rather than broad bans, this camp aims to ensure that the US and its allies maintain technological and economic supremacy, using AI itself to build next-generation cyber defenses.
What we don't know
- Whether voluntary pre-deployment evaluations can effectively prevent malicious actors from fine-tuning open-weight models for harmful purposes.
- How the 'offense-defense balance' in AI-enabled cybersecurity will ultimately resolve—whether AI will empower defenders more than attackers.
- The exact threshold of capability at which an open-weight model crosses from being a net economic benefit to an unacceptable national security risk.
Key terms
- Model Weights: The core mathematical parameters learned by an AI system during training, which determine how it processes information and generates outputs.
- Open-Weight Model: An AI system whose internal parameters are made publicly available, allowing anyone to download, run, and modify the model without needing to train it from scratch.
- Frontier Model: A highly capable, large-scale foundation model that matches or exceeds the most advanced capabilities available at the time of its development.
- Autonomous AI Agent: An AI system designed to execute multi-step tasks, make decisions, and interact with other software tools with minimal human intervention.
- Pre-deployment Evaluation: The process of rigorously testing an AI model for security vulnerabilities and dangerous capabilities before it is released to the public.
Frequently asked
Why did the US shift to a 'growth-first' AI policy?
The shift was largely driven by the rapid advancement of international competitors, particularly the release of highly capable open-weight models by Chinese firms, which ended uncontested US leadership.
What is the danger of open-weight AI models?
National security experts warn that releasing the weights of advanced models allows adversaries to bypass the massive financial and hardware costs of training AI, giving them immediate access to powerful capabilities.
How is the government regulating AI without broad bans?
The US is relying heavily on voluntary pre-deployment evaluations conducted by the Center for AI Standards and Innovation (CAISI), which tests models for specific risks like cyber-offense before release.
Sources
[1] The White House (Federal Policymakers). Executive Order to Promote Advanced Artificial Intelligence Innovation and Security.
[2] National Telecommunications and Information Administration (Open-Source Advocates). Report on Dual-Use Foundation Models with Widely Available Model Weights.
[3] RAND Corporation (National Security Analysts). How Artificial General Intelligence Could Affect the Rise and Fall of Nations.
[4] UK Government Office for Science (National Security Analysts). AI Scenarios 2030: Helping policymakers plan for the future of AI.
[5] OpenAI (National Security Analysts). AI and International Security: Pathways of Impact and Key Uncertainties.
[6] Department of Commerce (Federal Policymakers). Center for AI Standards and Innovation Completes 40+ Frontier Model Evaluations.
[7] Cloud Security Alliance (Federal Policymakers). NIST CAISI: AI Agent Standards and the Enterprise Compliance Imperative.
[8] Factlen Editorial Team (Federal Policymakers). Synthesis by Factlen editorial team.