Under the Radar: How the Best AI Capabilities Could Evade Government Scrutiny
Key Takeaways
« The solution is to clarify that companies should disclose models with state-of-the-art capabilities regardless of their stage of development, for which we provide three policy options.
« The Trump Administration has recently issued two important policies to keep powerful new AI capabilities in cyber and other domains out of the hands of our adversaries and ensure the U.S. government has access to and awareness of them.
« However, the best AI capabilities in the world are limited to undisclosed models, which are only available to AI company staff. This creates a loophole in government testing and access that threatens crucial policy goals.
Introduction
In June 2026, the Trump Administration took two important actions on artificial intelligence (AI). On June 2, the Administration issued Executive Order 14409, which provides for voluntary U.S. Government (USG) access and testing of top models. This order tasks USG offices with developing a classified benchmarking process to determine which models have notable cyber capabilities that warrant granting early access to the USG to harden networks and infrastructure.
On June 12, following a demonstration that Anthropic’s models could be “jailbroken” and safeguards removed, the Administration levied export controls on Anthropic’s Mythos 5 and Fable 5. This prevented foreign adversaries, like the People’s Republic of China (PRC), from accessing the models. (As of this writing, the Administration has lifted export controls on these particular models.)
These policies demonstrate that this Administration is taking AI’s national security implications seriously. They clarify that the USG has a sacred responsibility to put the security of the American people first. This is far from the last time the USG will need to use its national security authorities to ensure AI releases prioritize Americans’ security.
As the America First Policy Institute (AFPI) has noted in our research, these policies would be especially effective if placed in the context of a comprehensive and cohesive AI and national security strategy.
Policymakers should take note, however, of the fact that these policies leave an important gap: undisclosed models. Because AI companies train new models constantly, the best models in the world are deployed within the companies that built them for months before anyone outside learns of them, much less gains access. Because of this, although the USG placed export controls on Mythos 5, foreign national employees may freely use “Mythos 5.5,” a hypothetical model with even better cyber capabilities about which the USG has limited knowledge. Indeed, some reports suggest that a successor to Mythos finished training in late June and did not face export controls.
In this expert insight, we discuss this so-called “undisclosed-models loophole.” We provide three policy options for the Administration to remedy this loophole in ways that would provide access and situational awareness to policymakers and the U.S. national security enterprise. Overall, the solution is to clarify that any system, no matter the stage of development, with capabilities at or above the organization’s state-of-the-art level as defined by EO 14409’s classified benchmarking process is subject to disclosure.
Recent Actions: AI-Cyber EO and Model Export Controls
On June 2, 2026, President Trump issued Executive Order 14409, “Promoting Advanced Artificial Intelligence Innovation and Security.” This order addressed the national security implications of emerging AI capabilities in cyber. Among other things, the order established a voluntary review framework by which the USG can access and test new powerful AI systems “for a period of up to 30 days before [developers] plan to release such models to other trusted partners.” The National Security Agency (NSA), Department of the Treasury, and the Cybersecurity and Infrastructure Security Agency (CISA), among others, will “develop and maintain a classified benchmarking process” to determine which models should fall under the voluntary framework.
The Administration issued this order in response to the new industry norm, exemplified by processes such as OpenAI’s Trusted Access for Cyber (TAC) program, which provides model access to trusted defenders before widespread public deployments. The order creates a formal voluntary framework for such programs that standardizes the rollout of new capabilities. This will boost USG knowledge of and early access to AI capabilities and ensure the USG can safeguard the American people, economy, and critical infrastructure.
On June 12, 2026, Commerce Secretary Howard Lutnick alerted Anthropic that its most powerful public models, Mythos 5 and Fable 5, cannot be provided to foreign persons. (Fable is a version of Mythos with reduced capabilities in cyber, biology, AI research, and other areas.) The alert invoked the Department’s export controls powers to prevent Anthropic from providing Mythos or Fable access to any foreign person or any entity outside the United States, according to a reportedly leaked version of the text. This includes all Anthropic staff who are foreign persons. In response, Anthropic revoked Mythos and Fable access for all users, including trusted partners and the public.
Secretary Lutnick reportedly levied these export controls upon learning that users could jailbreak Anthropic’s models to bypass safeguards that restricted its cyber capabilities. Officials also worried that these powerful models “could be deployed by military intelligence users in China, Russia, or other countries of concern.” These are crucial U.S. policy priorities. We cannot compromise on Americans’ safety so that companies can improve their bottom line, nor can we give our adversaries cyber capabilities that may soon be the world’s best.
The Department of Commerce partially lifted export controls on June 26th. It informed Anthropic that Mythos 5 and Fable 5 could be deployed to specific trusted partners and to their foreign national employees, following “progress” on safeguards and diversion risk. Commerce then lifted controls on Fable, the publicly available version of Mythos, on June 30, following further progress.
On June 5, President Trump also issued National Security Presidential Memorandum (NSPM) 11, which directs the national security enterprise in its use of AI. A week later, it was followed by NSPM-12, which enhances the cybersecurity of the government’s National Security Systems. These memorandums are outside the scope of this piece but further emphasize the success of the Trump Administration in addressing important AI issues, for instance, by directing national security agencies to “develop partnerships with willing private-sector companies to help secure America’s most cutting-edge AI technologies” from foreign theft and interference.
All of these June policy actions are clear and compelling indicators that the USG understands AI is an important new frontier for national security. However, AI and national security policy still need to close an important loophole: undisclosed models.
What are Undisclosed Models?
The best AI models in the world are not those that the public is familiar with. Models like Mythos 5 and GPT-5.5 are the publicly known frontier, but the world’s best models are more capable—and clandestine. They are those that the top AI companies have just finished training and are available and known only to their staff. We call these “undisclosed models.”
As of early 2026, undisclosed models at top AI companies had capabilities about two months ahead of the public frontier. Undisclosed models are universal in the industry. Companies use them because each new generation of model has better capabilities, but it takes weeks for staff to fine-tune them for public use. Engineers must ensure that models refuse harmful requests, design and build dedicated infrastructure to reduce the cost of using the model, and boost performance on important tasks before they can be released more widely. For example, OpenAI announced its second reasoning model, o3, in December 2024 but officially released it four months later.
In the meantime, however, undisclosed models are used only by the companies that create them. These models are increasingly useful for research and engineering of AI models and products, which is the primary activity of top AI companies. Thus, the best undisclosed models are used to accelerate AI research itself. OpenAI, for instance, has written that it seeks to “Build an automated AI researcher” by March 2028. Anthropic reports that its staff wrote eight times as much production code per person in Q2 2026 as its average output before 2025. More than 80% of that code was written by AI.
Undisclosed deployments have always existed, but restricted external deployments like TAC, which is a middle ground between undisclosed and public deployments, are a new phenomenon. The companies are right to grant cyber defenders and the USG priority access. But these programs mean that the gap in capabilities between internal and external deployments is likely widening, thereby presenting problems for government policy.
The Undisclosed Models Loophole
Existing policy does not address undisclosed models even though they pose many of the same risks of foreign diversion that have motivated recent actions. Both the AI-cyber executive order and Mythos export controls leave this undisclosed-models loophole, as described below:
- The AI-cyber executive order. Notably, the access and testing framework created by EO 14409 applies only to models planned for external deployment, which leaves a gap for undisclosed, internal-only models. The voluntary framework, however, does include coordination between developers and government to “determine whether model(s) under development” have covered capabilities. It is not clear whether this entails government access or testing during development, and if so, at which stage(s) of development.
- Mythos export controls. While Secretary Lutnick’s levying of export controls on Anthropic’s models does partially address the problem of irresponsible insiders (by restricting access for foreign persons within the companies), it does not provide access to or situational awareness of undisclosed models. Indeed, some reports suggest that a successor to Mythos finished training in late June and did not face export controls. This would accord with the text of the reportedly leaked version of the export controls letter from Commerce to Anthropic, which placed controls on “Anthropic’s Claude Mythos 5 Model and Claude Fable 5 Model,” not any successors or equivalents.
Together, these policies demonstrate how undisclosed models bypass government policy. Under existing policy, an AI company could develop advanced cyber and other dangerous capabilities without the USG becoming aware. Indeed, the USG has no visibility into some top AI developers, such as Safe Superintelligence, founded by OpenAI co-founder Ilya Sutskever, because they have never released a model.
The undisclosed-models policy gap presents several challenges for the Administration’s AI policy priorities in national security and situational awareness. These challenges could cause problems for ongoing policy objectives if left unaddressed.
Problem 1: Lack of visibility. Without coverage under the AI-cyber EO or model export controls, undisclosed models are entirely unknown to the USG. We have written that new deployments are now national security events, but it is also new developed models, and therefore new capabilities, that are national security events. It is not acceptable for there to be national security events that the USG does not learn about until after thousands of people in a company, many of whom are foreign nationals. Indeed, this is a symptom of a broader lack of USG visibility into these companies which, as we have written previously, raises several issues. Companies could easily, and indeed now do, keep their most advanced capabilities for themselves, including the most capable cyber capabilities. Advanced cyber capabilities at the level of Mythos 5 are already advanced enough to be “must-haves” for the U.S. national security enterprise; those developed a year from now will be far better. These simply cannot be allowed to remain secret from the government.
Problem 2: Undisclosed models can be stolen. Top AI companies in the U.S. face mounting cyber and insider threats from foreign adversaries. They seek to steal and sabotage American AI. Although it is true that all models, internally or externally deployed, are at risk of theft and sabotage, undisclosed models pose a unique problem. If a foreign adversary steals an undisclosed model that the USG does not have access to, it will achieve cyber and bioweapons capabilities more advanced than the best in use by the USG and industry to secure our infrastructure. This is a legitimate and unacceptable possibility.
Problem 3: Use by untrusted lab employees. Because company employees typically gain unrestricted access to the most powerful undisclosed models, they could use them for harm. Our research has shown that over half of the researchers at top AI companies are foreign nationals. Perhaps as much as 50% of all their researchers are unvetted Chinese nationals. Given the well-documented connections between Chinese individuals in American high-tech industries and PRC espionage, these pose a substantial insider threat for dangerous use of undisclosed models. An irresponsible insider could use an undisclosed model with better-than-public cyber capabilities to, for example, automate cyberattacks against American infrastructure at the behest of PRC authorities.
Problem 4: Undisclosed models are new models. Undisclosed models are often new models, or new versions of models, from those that are publicly released. This means, for example, that though foreign persons at AI companies cannot access the models restricted under the June Department of Commerce order, they may be able to use even more advanced models that are not yet publicly known or deployed.
Policy Options
The United States should remedy the undisclosed-models loophole. Here we present three policy options that could allow the USG to achieve its counter-proliferation, situational awareness, and national security priorities for undisclosed models. These options are not intended to be a systematic and comprehensive reaction to the proliferation and access challenges presented by rapidly emerging advanced capabilities in cyber and other areas. Instead, these are narrowly targeted policy options. AFPI plans to recommend longer-term comprehensive policy options in future research.
Policy option 1: Apply the AI-cyber framework to include undisclosed models. The simplest response would be to apply the AI-cyber voluntary testing and access framework established in EO 14409 to include undisclosed models. The implementing offices (Treasury, NSA, CISA, and others) could indicate that the language in the framework for the USG “to determine whether model(s) under development meet the designation of ‘covered frontier model’” entails granting appropriate offices in the USG access to undisclosed models immediately upon achieving capabilities at or surpassing the best otherwise available within the company (regardless of the state of development at which this occurs) based on the classified benchmarking process. Otherwise, companies could develop top models that avoid the intended framework by slightly altering them or arguing that they intend not to release that specific undisclosed version.
Policy option 2: Require top companies to grant the USG access to undisclosed models. As argued in this piece, undisclosed-model deployments are national security events about which the USG must be made aware. Awareness may not be enough; offices that can perform defensive hardening and evaluate national security implications, like NSA and Treasury, should also have access to top-tier cyber capabilities before they proliferate elsewhere. To achieve this, the President could require top companies to submit new covered models (as defined through the benchmarking process in EO 14409), or those likely to become covered if tested, to a set of government agencies (NSA, Treasury, etc.) immediately upon achieving capabilities at or surpassing the best otherwise available within the company based on the classified benchmarking process.
Policy option 3: Require transparency reporting. Information reporting is another option. The President could require, or provide a voluntary framework for, top AI companies to periodically (e.g., monthly) report their current state-of-the-art undisclosed-model capabilities to NSA, Treasury, the Center for AI Standards and Innovation (CAISI), and other offices. These reports could include benchmark scores, the amount of computing power dedicated to undisclosed-model deployments, model and infrastructure vulnerabilities, and other relevant metrics. This would prioritize situational awareness over access and proactive defensive hardening.
Under any of these three options, the undisclosed-models loophole should be plugged by creating a discrete threshold for undisclosed model disclosure that cannot be further gamed by developers. The classified cyber benchmarking process established by EO 14409 would do this as long as it is made clear that any system, no matter the stage of development, with capabilities at or above the company’s state-of-the-art level on the benchmarks is subject to disclosure. Once dangerous capabilities beyond cyber, like biological weapons, become sufficiently advanced, similar benchmarking processes in those areas should be developed and applied to the disclosure process.
Conclusion
The national security implications of AI start when they are trained, not when they are released to the public. As such, the USG needs visibility, and probably access, to the best models at AI companies, not just those deployed widely. It is unthinkable for cyber capabilities surpassing those of Mythos and GPT-5.5, which will soon be accessible to the employees of AI companies, to be kept secret from the government. The United States should close the undisclosed-models loophole.