The United States Needs a Strategic Response to Adversarial AI Distillation
In February 2026, Anthropic disclosed that roughly 24,000 fraudulent accounts had bombarded its Claude model with 16 million interactions, likely to harvest its outputs for training a competing model. At the same time, OpenAI testified to the House Select Committee on China that DeepSeek employees had developed methods to circumvent its access restrictions and harvest model outputs to train a competing model. Both incidents point to a contentious practice known as adversarial distillation. Policymakers have been quick to respond, and they are right to take the threat seriously, but they need a carefully calibrated approach to avoid collateral damage to the broader AI ecosystem.
Distillation is a widely used method where a “student” model learns from the output of a more advanced “teacher” model, inheriting much of the teacher’s capability at a fraction of the cost. Adversarial distillation involves deploying this technique without authorization, often using deliberate workarounds to circumvent access controls. The illicit use of these methods produces three distinct problems that justify policy attention.
First, U.S. competitiveness. Systematic extraction of the capabilities of frontier AI models from U.S. companies would erode their global lead, allowing foreign competitors to close the gap while taking advantage of billions in U.S. R&D investment.
Second, foreign military capabilities. Extracted capabilities risk flowing into Chinese military and intelligence applications through Beijing’s military-civil fusion strategy. The House Homeland Security Committee’s investigation has highlighted this downstream risk explicitly.
Third, safety alignment. Distilled models can inherit a frontier AI model’s underlying capabilities while losing its safety guardrails, allowing others to produce systems capable of assisting with weapons development, offensive cyber operations, or dangerous materials synthesis, without the constraints U.S. developers built.
Unfortunately, while existing U.S. laws offer some tools to address adversarial distillation, they are unlikely to be sufficient against coordinated, state-affiliated, industrial-scale efforts. For example, campaigns involving thousands of fraudulent accounts engineered to defeat access controls likely violate the Computer Fraud and Abuse Act. But even assuming the individuals responsible can be identified, criminal prosecution of people located abroad, especially in China, is often unenforceable. Similarly, firms could attempt to bring claims under the Defend Trade Secrets Act, but model outputs themselves are not trade secrets, so firms would likely face an uphill legal battle proving the technically complex linkage between extracted outputs and the resulting model's capabilities. The U.S. government could use export controls, IEEPA sanctions, or the Entity List process to target identified foreign AI labs engaged in adversarial distillation, but that may do little to deter state-sanctioned efforts if those restrictions simply become the cost of doing business. Most importantly, existing law provides no systematic mechanism for intelligence sharing between the government and targeted AI companies, no structured process for identifying and designating adversarial actors, and no diplomatic framework for engaging allies in a coordinated response.
Policymakers have quickly started to fill in these gaps. The House Foreign Affairs Committee unanimously passed the Deterring American AI Model Theft Act of 2026 (DAAMTA, H.R. 8283), which would use export controls and sanctions to raise the cost for foreign bad actors who systematically scrape U.S. models to shortcut their AI development. And the White House Office of Science and Technology Policy (OSTP) issued Memorandum NSTM-4 characterizing foreign adversarial distillation campaigns as a national security threat.
While the threat of industrial-scale extraction requires a robust legal framework, policymakers should tread carefully to ensure that anti-distillation measures do not inadvertently criminalize standard academic benchmarking or undermine legitimate AI research and development. A poorly calibrated law risks walling off American innovation from the global developer ecosystem, or barring U.S. developers from using distillation while foreign ones do so with impunity. Moreover, any legislative response should strengthen existing authorities and be combined with better technical defenses and international coordination.
Defensive legislation is only a stopgap. To maintain its strategic advantage, the U.S. government should treat AI security not merely as a matter of trade secrets and export controls, but as a core pillar of cyber defense. This means pairing statutory enforcement with aggressive technical investments—such as supporting the development of advanced watermarking and algorithmic detection mechanisms—to build a dynamic, public-private defense strategy capable of evolving as fast as the models themselves.
