Governments have spent the last 30 years attempting to restrict the international movement of sophisticated software designed for cybersecurity purposes. The results have been consistently disappointing.

Now, as artificial intelligence companies develop powerful models capable of identifying and exploiting computer vulnerabilities, policymakers face a familiar challenge: how to prevent dual-use AI technology from reaching adversarial nations and malicious actors. Historical precedent suggests their efforts will encounter the same obstacles that have undermined previous attempts.

A Pattern of Regulatory Failure

According to TechCrunch AI, the track record of controlling cybersecurity-related software exports is remarkably poor. Encryption tools, intrusion detection systems, and penetration testing frameworks have all been targets of export restrictions at various points. Yet none of these measures succeeded in meaningfully slowing technological diffusion across borders.

The reasons for this failure are structural:

  • Information about software vulnerabilities and security techniques spreads through academic research, open-source contributions, and informal technical communities that operate across national boundaries.
  • Talented engineers and security researchers exist globally, making centralized control nearly impossible.
  • The underlying mathematics and algorithmic principles cannot be restricted once they enter the public domain.
  • Commercial pressures encourage companies to find legal workarounds and alternative distribution methods.

AI Models Present New Complications

The emergence of specialized AI models for cybersecurity introduces additional complexity. Anthropic's Mythos represents a new category of technology: machine learning systems trained to understand and manipulate computer systems at scale. Unlike traditional software tools with fixed capabilities, AI models can be fine-tuned, adapted, and deployed in unexpected ways.

This flexibility makes traditional export controls even more difficult to enforce. A model's underlying weights and parameters could theoretically be transmitted through multiple channels, modified incrementally across jurisdictions, or reverse-engineered from outputs. The fundamental challenge of controlling information remains unchanged, but the enforcement mechanisms appear even more fragile.

The Fundamental Problem

Export controls assume that technology exists in discrete, controllable packages that can be managed at borders. Modern cybersecurity and AI research operate in a fundamentally different environment. Knowledge compounds through distributed development, academic publication, and open collaboration. A regulatory framework designed for controlling physical goods or clearly defined software products struggles against a landscape where crucial capabilities emerge from thousands of incremental contributions.

Policymakers might argue that restricting access to frontier AI models differs meaningfully from earlier attempts to control encryption or penetration testing tools. Perhaps regulating the largest, most capable systems through licensing agreements with AI developers could achieve something previous efforts could not.

Yet the historical pattern suggests skepticism is warranted. When the underlying knowledge becomes sufficiently well understood, distributed enough across the global scientific community, and valuable enough to motivate determined actors, centralized control consistently fails. The question facing regulators is not whether controls will eventually prove inadequate, but whether AI security models will follow this same trajectory.