U.S. Targets Adversarial AI Distillation as National Security Threat
Fraudulent account campaigns extracting capabilities from American frontier models prompt legislative action and strategic defense rethinking.

Extraction campaigns target U.S. frontier models
In February 2026, two major incidents brought adversarial AI distillation into sharp policy focus. Anthropic revealed that approximately 24,000 fraudulent accounts had bombarded its Claude model with 16 million interactions, apparently harvesting outputs to train a competing system. Simultaneously, OpenAI testified before the House Select Committee on China that DeepSeek employees had engineered methods to bypass access restrictions and extract model outputs for training purposes, according to the Center for Data Innovation.
Adversarial distillation exploits a legitimate AI development technique—using outputs from an advanced "teacher" model to train a less capable "student" model—but does so without authorization and through deliberate circumvention of access controls. The practice threatens U.S. interests on three fronts: eroding the competitive advantage built on billions in American R&D investment, potentially flowing advanced capabilities into Chinese military applications through Beijing's military-civil fusion strategy, and creating systems that inherit frontier capabilities while stripping away safety guardrails designed to prevent assistance with weapons development, offensive cyber operations, or dangerous materials synthesis.
Why it matters
Systematic extraction of U.S. AI capabilities represents more than intellectual property theft—it's a mechanism for adversaries to leapfrog years of development work while potentially weaponizing the results. The scale of these campaigns, involving thousands of coordinated accounts and millions of interactions, suggests state-level resources and organization rather than isolated bad actors.
Existing legal tools fall short
Current U.S. law provides limited recourse against coordinated, state-affiliated extraction efforts. While the Computer Fraud and Abuse Act likely covers campaigns using fraudulent accounts to defeat access controls, the statute proves largely unenforceable against individuals abroad, particularly in China. The Defend Trade Secrets Act offers another avenue, but model outputs themselves don't qualify as trade secrets, forcing companies into technically complex arguments about the connection between extracted outputs and resulting capabilities.
Export controls, sanctions under the International Emergency Economic Powers Act, or Entity List designations could target identified foreign AI labs, but may function merely as a cost of doing business for state-sanctioned programs. Critically, no systematic intelligence-sharing mechanism exists between government and targeted companies, no structured process designates adversarial actors, and no diplomatic framework coordinates allied responses.
Legislative response takes shape
The House Foreign Affairs Committee unanimously advanced the Deterring American AI Model Theft Act of 2026, which would deploy export controls and sanctions against foreign entities systematically scraping U.S. models. The White House Office of Science and Technology Policy issued Memorandum NSTM-4 formally characterizing foreign adversarial distillation campaigns as a national security threat.
Yet policymakers face a calibration challenge: anti-distillation measures must avoid criminalizing standard academic benchmarking or legitimate AI research while not handicapping U.S. developers with restrictions foreign competitors ignore. The Center for Data Innovation argues that defensive legislation represents only a stopgap, advocating for AI security as a core cyber defense pillar paired with technical investments in advanced watermarking and algorithmic detection mechanisms.
This analysis was originally published by the Center for Data Innovation.
This is an original analysis by the Omega editorial team. Source reporting: AI Watch.

