There’s a common mantra in the outskirts of AI policy thought: driven by market pressures and overheated capital markets, AI tokens will soon be abundant—and the future belongs to those who can use them best. The further you get away from San Francisco, the louder this mantra grows. It reaches a fever pitch in the peripheries, the many middle powers of the world still caught up in a plan to navigate the AI revolution on the basis of merely good-enough models. That view requires important AI capabilities to be widely accessible: defenders have access to models before attackers do, firms in all domains compete based on access to the same AI capabilities.

Recent events have thrown that view for a loop, and it now seems clear that access to frontier AI will soon be limited by economic and security constraints. In early April, Anthropic announced it had developed Mythos, a leading cybersecurity model, and that it would only make its considerable ability to patch extant vulnerabilities available to a select few companies. Cybersecurity start-ups in the Mission District, systems integrators on the Eastern Seaboard and allied capitals on the Atlantic and Pacific all had a similar experience: scrolling down the page to see the list of privileged partners only to find a limited selection of U.S.-based corporations.

Perhaps you were hopeful that OpenAI was going to stick to its preferred method of rollout—that it would release gpt-5.5-cyber, a model reportedly similar to Mythos in capabilities, more broadly. And yet it did not: in their Daybreak initiative, OpenAI too committed to a limited release, dispelling hopes that this was a fluke or ‘doomer’ marketing. Even worse: while it’s not quite clear to anyone—including the U.S. government—what exactly the U.S. government will do about all this, by all reports, it’s at least planning to do something at some point. And while it’s easy to dismiss this as a confluence of current events, the Mythos moment actually reveals structural trends that have been ramping up for a while.

Mythos and Reality

Three trends—compute, security, and U.S. government involvement—will further constrain the availability of frontier AI1 in the future. They compound and reinforce each other, and have dramatically accelerated in recent weeks and months. Everyone outside the inner circle of U.S.-based developers needs to grapple with that fact.

Security & Distillation

The first and most obvious constraint on widespread availability is the one we’ve seen in the Mythos context: security considerations prevent developers from providing top-tier capabilities to every paying customer.

The canonical story starts with misuse risks: a highly capable new model seems realistically useful for conducting some sort of dangerous activity, such as cyberattacks or biological weapons design. Instead of rolling it out to the general public right away, you might first distribute it to defenders who can use their early access to shore up vulnerabilities—like we’ve seen in the case of Mythos. You continue by rolling out some models only to customers of which you’re reasonably sure they won’t outright abuse the model for criminal purposes; and perhaps only after the model is no longer state-of-the-art, you roll out to everyone.

Already now, we’re seeing the second stage: the U.S. government realises that this sort of restricted access is better both for the national interest and national security, and starts flirting with the idea of making the virtuous early example into a general rule. There are many reasons for the national security apparatus to do this—perhaps they don’t trust AI developers to keep dangerous capabilities away from just-as-dangerous criminals, non-state actors and adversaries. Or perhaps they’d rather like to know which exploits the new models are about to reveal so they can use them themselves first—as they’ve done before. Put differently: if I were the NSA and sitting on a bunch of zero-days, I’d also love to know which of them Mythos can find so I could use them to my advantage before everyone gets their patch online.

Next to misuse risks, there’s another dimension that might motivate even more straightforward crackdowns on availability: risks of model theft, espionage and distillation. The former would make developers wary of where to host models—weights in an unsecured datacenter would pose a substantial vulnerability, and many countries outside the U.S. haven’t even started thinking about securing datacenters. But the latter, distillation, is the more pressing concern. Multiple reports indicate that part of the success story of so-called fast followers—model developers 6-9 months behind the frontier like China’s DeepSeek—is based on distillation practices that require more or less unfettered access to API tokens.

Distillation is not tenable for model developers in the long run: it will be very hard to capture sufficient revenue if you have to recoup all R&D investment in the six months until someone distilled your model. That point is extremely salient to politicians, and plays right into latent concerns on U.S.-China competition and industry espionage. So I’d expect distillation crackdowns, if not from the government, then from developers—more burdensome KYC, more restrictive default access, more geopolitically motivated access conditions. None of those bode well for broad-based frontier access.

Compute Crunches

But the trouble does not stop with security concerns. More fundamentally, providing access to a frontier model is a zero-sum game. Veterans of the tech industry and European sovereignty hawks both like to invoke the parallel to software licenses—that yes, software innovation came with some marginal dependencies, but that the logic of consumer market size prevailed in the end: Microsoft and others face low marginal costs compensated at full market prices for rolling out their software for everyone. But not so with frontier AI.

Providing access to AI models, especially those at the bleeding edge, takes massive amounts of computational resources. The marginal compute demand to service another thousand tokens is high—so high, in fact, that leading developers time and time again face compute crunches, reduce offerings, and struggle to balance subsidising their consumer subscriptions against the real constraints on the chips they have. So dire is the compute crunch for Anthropic specifically that the firm is now shopping around for ad-hoc access deals to less well-utilised datacenters, such as one with rival firm xAI. It seems likely that this situation would get worse, not better. If AI systems really do rival the output of human workers in a few months, the amount of tokens required to reproduce that much human activity would be staggering.

The often-invoked hope that ‘efficiency curves’ will compress token costs quickly doesn’t save us here: efficiency curves mean that next year, Mythos-level capabilities might be very cheap; they don’t mean that Mythos 2 will be cheaper than Mythos. The opposite is the case: frontier capabilities have grown more expensive month-to-month for years now. So if you, like me, believe that competitive dynamics between economic rivals and attackers and defenders mean you not only need good enough AI, but the best AI, efficiency curves will not bail you out.

That means the marginal cost of providing access to a new user—country or firm—is high. There’s still value in expanding your coverage: inroads into new markets for when your capacity expands, more demand to increase prices, goodwill with governments, and so on. But these benefits trade off against costs: compliance costs of entering new markets, product design costs of catering to new consumers—and the costs in terms of security and relationship to the U.S. government described in this piece. The market power effect isn’t entirely inverted, but it’s strongly diminished—you cannot count on your role as ‘interested buyer’ to carry much weight in securing your access.

This is complicated even further by the fact that, faced with this trend, competition around who gets access to these tokens will emerge. The U.S. will be protective of its domestic economy, and I think we might see a comeback of the same logic that motivated the GAIN Act proposal a few months back. Back then, advocates were toying with the idea of giving Americans right of first refusal to American chips; soon, perhaps American firms will be declared buyers of first resort of American-produced tokens of intelligence. Or the competition turns purely economic, margins shrink and become razor-thin, and only those who can shoulder the cost or most effectively turn API tokens into revenue are able to afford them. Who would that be? My bet is neither on governments that haven’t internalised the logic of million-dollar AI subscriptions nor on European businesses constrained in their ability to generate software revenue by many, many adverse conditions.

The U.S. Government Is Here To Help

Lastly, what starts as restrictions motivated only by genuine concerns doesn’t always stay that way. Once it has a more formal role in overseeing the flow of frontier tokens, the U.S. government might wield its access control to pursue its political and strategic interests. That starts with security concerns. Revisiting the NSA example, it’s clearly not in the interest or mission of the NSA to ensure the equitable diffusion of AI capabilities throughout the world. Instead, it’s closer to the intelligence community’s DNA to limit any potential adversary’s access even to the detriment of softer upsides like economic productivity or ally relationships.

And it doesn’t stop with the security questions: the Trump administration’s signature style of international engagement is to wield American leverage as a bundle. Deadlocks in trade negotiations are broken by threatening to withhold intelligence, tech deals are stalled by reference to food safety standards. And so I don’t know when a U.S. administration would choose to leverage its seemingly inevitable predeployment authority over frontier models to secure its broader interests, but I’m sure it would in due time. That means that even if we do everything ‘right’ on the security and economic side, frontier access is still fundamentally contingent as long as there’ll be divergences between governments’ strategic interests.

The Next Equilibrium

In that new world, access to unlimited APIs is the exception, not the norm. A new frontier model might first make it to the U.S. national security apparatus, where embedded interests might decide to stall its deployment for security reasons, wield it first to plug defenses or attack its adversaries. The model might then be handed back to the developers, with the implicit understanding or explicit demand that it would first be rolled out to trusted defenders: U.S. firms and perhaps a few internationals, if we’re so lucky. If the risks are cybersecurity, the defenders might be quick to resolve them; if they’re thornier biological or agent-autonomy-driven risks, they might take another few weeks.

Once that phase is over, the circle of unfettered access might expand again—to firms that have cleared high KYC bars and U.S. security concerns. Everyone else, enthusiastic consumers, scrappy startups and nervous governments all over the world, might never get clean API access, but draw their access through fundamentally limited product layers: maybe the chatbot and coding agent interfaces of today, maybe the few big startups that could afford to hire the lawyers and lobbyists to make the good list. A few months after development, the model will have made it into the hands of everyone—but not everyone will have enough tokens to use that capability well, and most might only get to deploy it in ways that trusted vendors have charted out for them. Only when the next generation has already entered the same pipeline would everyone have the de facto unlimited access to frontier AI that we all still enjoy today.

Unevenly Distributed Futures

This is not a future we should welcome. AI tokens will be strategically and economically central to all future societies, so we should do our best to enable their free flow. If we fail, we’ll bear costs, economic and geopolitical. Economically, I think the accelerationists in their criticism of Anthropic have it right: restricting frontier model access to start-ups and ambitious deployers is antithetical to innovation and economic growth; iterative deployment unleashes our ability (call it Hayekian if you absolutely must) to actually figure out how we want to live and work with AI at scale and capture its benefits. But it’s not Anthropic’s purported quest for nationalisation that’s at fault—it’s the market dynamics and security implications of advanced AI that send us barreling toward a world where that’s no longer possible.

In that world, we’ll also see geopolitical rifts opening: countries will be divided into the frontier haves and have-nots. I don’t mean to exaggerate when I say that those living in the former might be much wealthier and safer than the latter, with access to better public services, greater economic opportunities, and shielded by security agencies that actually operate at the state of the art. If AI will be as big as I and many of the readers of this publication believe, there’s no telling what these suddenly-emerging asymmetries do to global order. In the past, when the fruits of industrial revolutions were unevenly distributed, the resulting shifts in relative wealth, security and power have prompted mass migration, reopened dormant conflicts, and destabilised democracies. I hope it never gets this far, and there are still many technical and economic trends pulling toward broader diffusion that could bail us out. But we’d be naive to disregard the dangers of asymmetrically distributing transformative technology in an unstable world order.

Some Overdetermined Solutions

So, we might want to do something about all this and avert the cut-off scenario. The solutions at hand are not new ideas, but they are frequently misunderstood: sometimes, accelerationists that should agree with my wanting to avert restrictions on model diffusion think they’re safetyist plots, and sometimes safetyists think they are accelerationist vehicles to hasten dangerous development in disguise. Neither is the case, and I think all these policies are and should be areas of convergence.

First, we can make the world safer so the need for security-motivated restraint is less pressing. Despite the warranted cynicism on instrumentalised access controls, genuine concerns are still what portends future restricted access. The reason Mythos has scared the world into action is that firms actually felt vulnerable to the exploits it could find. If we could harden the world against the most obvious pathways for biological agents to cause harms—build resilience, screen the manufacturing of protein structures, and so on—, the Mythos-for-bio moment might not move us further down this path, and so on.

By the same token, there are many frontier lab employees that argue dealing with distillation is a straightforward technical fix to usage policy and monitoring. If that’s the case, we might want to start deploying fixes soon, before anyone else chooses a more heavy-handed way to deal with salient distillation concerns. The same goes for global proliferation of advanced models: would-be-importers would do well to improve their own cybersecurity, including specifically datacenter security, to not make it a huge risk for American firms to run their models outside the U.S.

Second, we should simply build a lot of datacenters to alleviate the coming compute crunch. This is not complicated, just fairly hard—much has been said about how to accelerate the buildout in the U.S. and elsewhere, and every GPU we get online this year makes a more equitable diffusion in three years more likely. If you’ve objected to rapid buildouts on ‘minimising-the-risks’-grounds, you should think again.

Third, non-U.S. countries should build out compute in exchange for access. I’ve made the argument in greater detail before; in short: U.S. allies can offer American hyperscalers favourable terms for datacenter buildouts in return for frontier access guarantees. Subsidised energy prices or even outright energy access can be provided to these datacenters in return for contractual guarantees to always provide frontier capabilities. If the hyperscalers or labs renege, they’re on the hook for their capital expenditure on the now-unpowered datacenter; if the U.S. government tries to force access restrictions, it faces an angry lobby of domestic tech companies that would rather make do and take the revenue from their international infrastructure investments. The incentive for going for these deals would have to be commensurate to this downside risk for the investors, but amidst a frenzy to capture markets and get compute online, I feel optimistic that we’ll find a middle ground.

And last, while I’m still confident they cannot resolve this issue by outright building their own frontier systems today, middle powers will still need contingency options to secure frontier capabilities for the edge cases in which all the above fails and frontier AI access does become the privilege of the few. Much of it has to do with leverage, but some will have to go through retaining some ability to build as well. But that is a much deeper problem, and it will be the topic of the next post.

All in all, frontier AI access is not a new problem, and it does not require particularly clever new solutions. It just requires taking much more seriously what the centre of the AI policy discussion has long suggested we should do: build infrastructure that can host advanced AI systems at scale, and build a world that can handle them without coming apart at the seams. If you still needed a wake-up call to execute on that agenda, the Mythos moment should be it. Otherwise, we really are headed for the end of the Andy Warhol era of AI access—where the rich and the poor will no longer have access to the same AI capability.