Anthropic just published what may be the most consequential AI policy paper of 2026. “2028: Two scenarios for global AI leadership” isn’t an academic exercise—it’s a strategic warning with a clear message: the decisions made by policymakers this year will shape whether democracies or authoritarian regimes control the most powerful technology humanity has ever created.
This isn’t Anthropic’s first foray into geopolitical AI discourse. Back in February, they disclosed industrial-scale distillation attacks by Chinese AI labs—over 16 million exchanges through 24,000 fraudulent accounts designed to steal Claude’s capabilities. That disclosure was the opening salvo. This paper is the strategic framework that explains why it matters.
Let’s break down what Anthropic is arguing, what it means for security professionals and enterprise leaders, and why the window for action is narrowing faster than most realize.
The Core Thesis: Compute Is the Chokepoint
The paper’s central argument is deceptively simple: whoever controls advanced AI chips controls the future of AI development. Everything else—talent, data, algorithms—matters, but none of it matters if you don’t have sufficient compute.
This isn’t speculation. It’s the empirical reality of how AI has advanced over the past decade. Model performance scales predictably with computing power. The majority of capability gains have come from simply using more chips. And critically, compute advantage compounds: more compute enables more experiments, which yields more algorithmic discoveries, which then multiply the effectiveness of future compute investments. It’s a flywheel effect.
Right now, democracies are winning the compute competition decisively. US and allied semiconductor companies—NVIDIA, AMD, TSMC, Samsung, ASML—have built the world’s most advanced chips. US export controls have restricted China’s access to both the chips themselves and the manufacturing equipment needed to produce them. One analysis cited in the paper estimates that if current restrictions hold, America will have access to roughly 11 times more compute than China’s AI sector.
The problem? That advantage is being systematically undermined through two channels: illicit compute access and illicit model access.
The Two Leakage Channels
Illicit Compute Access
Despite export controls, Chinese AI labs continue to access American chips through smuggling operations and offshore data centers. Federal prosecutors recently charged a Supermicro co-founder with diverting $2.5 billion worth of servers containing export-controlled chips to China. According to both US government sources and media reports, DeepSeek trained its latest model on banned NVIDIA chips. Alibaba and ByteDance reportedly train their flagship models on export-controlled chips in Southeast Asian data centers—a loophole that exists because current export law covers chip sales, not remote access.
The infrastructure supporting these evasions is sophisticated. Proxy services run what Anthropic calls “hydra cluster” architectures—sprawling networks of fraudulent accounts that distribute traffic and regenerate when individual accounts get banned. This is adversarial infrastructure built for sustained operations, not opportunistic scraping.
Illicit Model Access: Distillation at Scale
The second channel is distillation attacks—the systematic extraction of capabilities from US frontier models through massive API abuse. As we covered in February, this isn’t theoretical. DeepSeek, Moonshot, and MiniMax ran coordinated campaigns totaling over 16 million exchanges across approximately 24,000 fraudulent accounts.
Distillation is particularly insidious because it lets labs bypass the entire R&D investment that went into creating frontier capabilities. Decades of foundational research, billions in investment, thousands of engineers—all of it gets shortcut. The result is near-frontier capability at a fraction of the cost, effectively subsidized by American innovation.
Worse, distilled models typically don’t retain safety guardrails. The careful work that responsible labs do to prevent their models from assisting with bioweapons development, offensive cyber operations, and other harmful use cases gets stripped out. You end up with powerful capabilities in the hands of actors who have no interest in responsible deployment.
Chinese AI experts openly acknowledge distillation’s importance. A recent article in state-owned media described distillation attacks on US models as the “back door” that China’s AI labs depend on as a core part of their business model. An ex-ByteDance researcher confirmed that PRC labs use distillation as a shortcut to avoid investing in their own data pipelines.
The Mythos Preview Wake-Up Call
The paper points to Anthropic’s recent Mythos Preview release as evidence that we’re entering an acceleration period. With access to the model through Project Glasswing, Mozilla fixed more security bugs in one month than they had in all of 2025—almost 20 times their monthly average.
The response from Chinese analysts was telling. One PRC cybersecurity analyst wrote that China is “still sharpening our swords while the other side has suddenly mounted a fully automatic Gatling gun.”
This acceleration isn’t slowing down. The “country of geniuses in a datacenter” that Dario Amodei described as transformative AI—that level of capability is approaching rapidly. And the paper is explicit: 2026 may be the breakaway opportunity for American AI. The window to lock in advantage is narrowing.
Two Scenarios for 2028
The paper presents two detailed scenarios for what the world looks like in 2028. They’re worth understanding in full because they illustrate the stakes.
Scenario One: Democratic Leadership
In this scenario, US policymakers have acted decisively. Export control loopholes are closed—chip smuggling and offshore data center access are effectively disrupted. Enforcement budgets are funded adequately. Distillation attacks face legal and technical countermeasures that make them impractical at scale.
The result: US AI models are 12-24 months ahead on intelligence, and the lead is growing. When American labs release breakthrough models in 2028, China won’t have access to equivalent capabilities until 2029 or 2030. This breathing room allows democracies to set the rules and norms for frontier AI systems.
American AI becomes the backbone of the global economy. The Trump administration’s push for domestic adoption and AI exports succeeds. Global adoption skyrockets. China’s AI firms can’t compete for international market share outside a narrow group of autocracies. The world’s most powerful AI systems are shaped by democratic values—making it harder for authoritarian states to weaponize AI for mass surveillance and repression.
On the security front, cyber operators use advanced AI to reduce attack surfaces and blunt the CCP’s ability to maintain footholds in critical infrastructure. America’s AI advantage becomes a powerful deterrent to aggression.
Perhaps most importantly, a virtuous cycle emerges: AI leadership makes the US and allies more attractive partners, which expands the market for American AI and the coalition setting global norms, which reinforces the lead, which attracts more technical talent. The democracy-led international order is anchored through the transition to transformative AI.
Scenario Two: CCP Parity
In this scenario, policymakers fail to act. Export control loopholes remain open. Distillation attacks continue at scale. SME servicing and maintenance gaps accelerate China’s self-sufficiency efforts.
The result: AI labs in China are only a few months behind US models. Despite a weak semiconductor production capacity, continued access to smuggled chips, offshore compute, and stolen model capabilities has closed the gap.
Beijing’s whole-of-nation “AI+” push on domestic adoption pays off. Even with slightly less capable models, aggressive integration gives China deployment advantages that offset the intelligence deficit. The CCP’s AI-enabled cyber force becomes a serious threat. PLA cyber actors gain additional access to critical infrastructure in the US and globally, enabling them to disrupt essential functions. As AI gets incorporated deeper into critical systems, democracies enjoy no security advantages despite having developed the technology first.
Globally, Huawei and Alibaba data centers become prevalent, especially in the Global South. They run on older chips that China can export because domestic demand is met through a combination of licensed purchases, smuggled hardware, and offshore access. These facilities host “good enough” models that are cheap and flexible. Similar to Huawei’s telecom playbook, China’s near-frontier models capture a growing segment of the global economy—and give Beijing significant influence over those markets.
The race dynamics also make safety harder. When competitors are neck-and-neck, both sides feel pressure to release faster, with less safety testing. Governments become reluctant to enact responsible AI policies for fear of falling behind. The paper notes that Chinese AI labs already lag significantly on safety practices—only 3 of 13 top Chinese labs published any safety evaluations last year, and none disclosed CBRN risk evaluations. CAISI found that DeepSeek’s R1-0528 model complied with 94% of overtly malicious requests under common jailbreaking techniques, compared to 8% for US reference models.
Why This Matters for Enterprise Security
If you’re a security professional or enterprise leader, this might seem like geopolitical abstraction. It’s not. The implications are immediate and practical.
Supply chain risk. If scenario two materializes, Chinese AI infrastructure becomes embedded in your partners, vendors, and international operations. The attack surface expands dramatically. Due diligence on AI providers becomes a security imperative, not just a procurement consideration.
Threat landscape acceleration. AI-enabled offensive capabilities are already reshaping cybersecurity. The Mythos Preview disclosure shows what AI-assisted vulnerability discovery looks like at scale. Now imagine that capability in the hands of state actors without safety guardrails. Your threat models need to account for attackers with access to frontier-equivalent AI—possibly sooner than you expected.
Safety-stripped models in the wild. Distilled models without safety guardrails will proliferate. They’ll enable automated disinformation, CBRN research assistance, and offensive cyber tooling for actors who previously lacked the capability. This isn’t theoretical—the paper cites an independent assessment of Moonshot’s Kimi K2.5 that found it failed to refuse CBRN-related requests at far higher rates than US frontier models. Expect the threat surface for AI-assisted attacks to expand rapidly.
Critical infrastructure exposure. If CCP-controlled AI ecosystems achieve parity, the cyber advantage that democracies should have from developing the technology first evaporates. The paper is explicit: in scenario two, “democracies enjoy no security advantages over China in AI, despite having developed the technology first.” That means critical infrastructure remains vulnerable to AI-enhanced intrusion and disruption.
Regulatory and compliance complexity. The two scenarios imply radically different regulatory futures. Democratic leadership likely means AI governance frameworks that prioritize safety, transparency, and civil liberties. CCP parity means fragmented global standards with authoritarian-influenced norms. Your compliance roadmap depends on which future materializes.
The Policy Levers
Anthropic identifies three key areas for policy action:
Close the loopholes. This means tightening enforcement on chip smuggling, extending export controls to cover remote data center access, closing gaps in semiconductor manufacturing equipment restrictions, and properly funding enforcement agencies. The Commerce Department’s BIS budget request cited in the paper suggests they’re at least asking for more resources.
Defend innovations. Legislative clarification that distillation attacks are illegal, combined with technical countermeasures and threat intelligence sharing between AI labs and the US government. The paper notes that recent legislation from the House Foreign Affairs Committee addressing distillation attacks passed unanimously out of committee—a rare bipartisan signal.
Champion American AI exports. Proactively driving global adoption of trusted AI infrastructure built on democratic principles. The Trump administration’s AI Action Plan explicitly prioritizes this. Locking in trusted infrastructure now denies the CCP’s AI ecosystem the global footholds it needs to compete on cost and adoption later.
The Window Is Narrow
The paper’s most urgent message is temporal: we have a limited period to set the conditions of the competition. The acceleration dynamics of AI development—scaling laws, AI-assisted research, compounding compute advantages—mean that leads can either widen rapidly or collapse quickly.
If policymakers act decisively in 2026, a 12-24 month capability lead by 2028 is achievable. That lead would be enormously advantageous for shaping AI governance, maintaining security advantages, and ensuring that the transition to transformative AI happens under democratic rather than authoritarian direction.
If they don’t act—if loopholes remain open, if distillation continues at scale, if compute keeps leaking—then we’re looking at a neck-and-neck race with all the safety compromises and security risks that entails.
Anthropic is betting that making this case publicly, in detail, with specific policy recommendations, will influence the outcome. Given the bipartisan attention that export controls and distillation attacks have already received, they might be right.
Conclusion
This paper represents Anthropic staking out a clear position on one of the most consequential questions of our time: who will control transformative AI? Their answer is unambiguous: democracies must lead, and the policy decisions made this year will determine whether they do.
For those of us working in security and technology strategy, the implications are concrete. The threat landscape is being reshaped by AI capabilities—and the strategic decisions being made now about compute access, model security, and global AI infrastructure will determine what that landscape looks like in two years.
We’ve covered distillation attacks before. We’ve analyzed the security implications of agentic AI. This paper connects those threads into a strategic framework that explains why it all matters.
The scenarios Anthropic describes aren’t predictions—they’re possibilities. The question is which one we’re building toward. Based on current policy momentum, there’s reason for cautious optimism. But the window is narrow, the adversary is adaptive, and the stakes are as high as they’ve ever been.
Read the full paper. Understand the scenarios. And think carefully about what it means for your organization’s AI strategy—because the geopolitical context in which that strategy unfolds is being determined right now.