The PGP precedent offers a valuable lesson for AI export controls. In the 1990s, the US government classified strong encryption software as munitions, subject to export controls. The idea was to prevent adversaries from accessing tools that could obscure their communications. The reality, however, proved otherwise: the controls were ineffective.
PGP's source code was published as a book, making it a First Amendment issue. It was then distributed globally via the internet, a network designed for resilience and information sharing, not control. The software was small, easily copied, and could be run on commodity hardware. Once it was out, it was out. The controls only really hindered legitimate US companies and researchers, while determined actors simply got the software elsewhere. The government eventually conceded, recognizing the impossibility of containing widely distributed information.
The PGP Precedent: A Lesson for AI Export Controls
Similar control mechanisms, effectively AI export controls, are now being applied to frontier AI models like Anthropic's Fable 5 and Mythos 5. The core problem here for AI export controls is the definition of "export" when you're talking about an API-accessed service. Is it the model weights? The act of inference? The capability itself? The directive, issued by the Commerce Department’s Bureau of Industry and Security (BIS) on June 12, 2025, and delivered by letter (not publicly released), applies Export Administration Regulations to a continuously available model, not a discrete transfer of an identifiable item. This action was taken due to stated national security concerns. This is where the fundamental flaws in the control mechanism become apparent.
The Mythos Architecture: New Challenges for AI Export Controls
Access to Anthropic's models, typically via an API, means users aren't downloading a binary; instead, they are sending requests and receiving responses from a remote service. To enforce nationality-based access, you need a robust identity and access management (IAM) system that can reliably verify the nationality of every single user, for every single request, in real-time. This is a non-trivial problem.
Why Nationality Screening Breaks at Scale for AI Export Controls
This kind of control, particularly in the context of AI export controls, presents significant technical and logistical challenges:
Identity Verification at the Edge: How do you definitively prove a user's nationality at the point of access? IP geo-location, often cited as unreliable (e.g., studies, for instance, have indicated inaccuracy rates for IP geo-location that can exceed 30% for specific regions or mobile users), is easily bypassed with VPNs.
Requiring government IDs for every API call introduces significant user inconvenience, substantial operational overhead, and considerable privacy implications, while still not guaranteeing real-time nationality. A user could be a foreign national residing in the US, or a US citizen abroad. The directive requires suspending access for any foreign national, whether located abroad or inside the United States. This means you can't just geo-fence.
Data Consistency Challenges: To enforce this, Anthropic would need a globally consistent view of user nationality and access permissions. Maintaining strong consistency across a globally distributed user base, especially with real-time verification requirements, demands substantial investment and engineering effort. This approach inherently struggles with eventual consistency issues, where a user's status might not be propagated everywhere instantly.
The "Export" of Knowledge: Even if you could perfectly block API access, the true capability of an AI model lies in the knowledge it embodies, not merely its weights. If a determined adversary can query the model repeatedly, they can use those outputs to train their own, smaller, specialized models – a process known as distillation. This represents a form of information leakage that no API control can prevent, as the knowledge can be extracted and replicated even without direct access to the underlying model weights.
Anthropic's decision to disable Fable 5 and Mythos 5 entirely shows the practical impossibility of implementing such granular AI export controls without sacrificing the service's availability. They were faced with an untenable dilemma: either provide the service globally and risk non-compliance, or shut it down. This situation exemplifies a fundamental trade-off between the desired consistency of control and the practical availability of the service. The government's demand for strong consistency in control mechanisms, without providing feasible methods for implementation, inevitably compromises the service's availability.
Policy Trade-offs in AI Export Controls: Incremental vs. Capability-Based
The policy debate itself highlights this architectural disconnect regarding AI export controls. The "incremental-risk" approach suggests controls only if a model genuinely expands an adversary's capabilities beyond what's already available. This aligns with the reality that comparable capabilities are often widespread, with numerous open-source models and research initiatives demonstrating similar functionalities globally. The "capability-based" approach, as indicated by recent policy discussions and unreleased directives, triggers control by the mere presence of a sensitive capability.
The incremental-risk approach acknowledges the distributed nature of AI development and the difficulty of controlling information. It's more pragmatic. The capability-based approach, while seemingly safer, is an administrative nightmare. It demands that agencies possess deep, current technical knowledge of the global AI landscape, which is a moving target. It's easier to administer, yes, but it's also easier to administer ineffectively.
What We Should Be Doing Instead of AI Export Controls
Trying to implement AI export controls via export directives is a misapplication of a physical-world control mechanism to a digital, distributed reality, where the scale and nature of the challenge far exceed the capacity of the chosen tools.
Instead of attempting to block model access, a more effective leverage point for AI export controls, albeit still challenging, lies in focusing on the data provenance—the inputs and compute infrastructure used to train these models—rather than the outputs of an already deployed model. Furthermore, the PGP precedent underscores that restricting access to powerful tools can inadvertently hinder our own defensive capabilities. US researchers and companies require access to frontier models to develop the necessary countermeasures, safety protocols, and defensive AI systems against emerging threats. Finally, the current reliance on ad hoc enforcement actions, which set precedent case-by-case, generates unpredictable outcomes and significant instability. A published standard, potentially linked to Center for AI Standards and Innovation (CAISI) assessments, is imperative. This standard must clearly define which capabilities warrant specific restrictions and outline how these restrictions can be systemically integrated without impeding innovation.
These AI export controls on Mythos 5 will not stop anyone determined to access or replicate its capabilities. They will, however, slow down legitimate development, create unnecessary friction for US companies, and reinforce the perception that the government is applying outdated strategies to new challenges. The nature of information, especially in a globally connected, distributed system, means that once a capability exists, it will find a way to propagate. The lessons from PGP suggest that similar dynamics will likely play out with AI.
