Safety for Thee, Frontier Models for Me
Safety for Thee, Frontier Models for Me
Last week Anthropic released Claude Fable 5, a version of Mythos that was supposed to be safe and generally available. Shortly after, the US government imposed an export restriction on it that is essentially an outright ban of the model.
The easiest way to read the Fable ban is as a joke: Anthropic spent years telling everyone that frontier models are dangerous, and spent months hyping up Mythos as a security threat so powerful that it couldn’t be released. Then their own government took their word for it and blocked their flagship model. The internet reaction was predictable, and memes flooded all corners of social media.
There is some truth in that reaction, but it is too cheap.
If we wanted to be cynical, we could say that Anthropic’s position may be self-interested, that Amodei’s public writing treats AI safety and democratic strategic primacy as closely linked, and that the policy response is clumsy. And the underlying safety concern may still be real.
The problem is not that someone said a powerful model was dangerous. The problem is what happens next: if the model is dangerous, why is it still available to some people and not others?
A safety rule that only applies to foreigners is not a safety rule, it is an export-control regime.
If a model is too dangerous for general release, then the restriction should be argued as a universal risk measure. If it is safe enough for American companies and citizens, then excluding Europeans is not “AI safety”, it’s just access control. Nationality is a strange proxy for trustworthiness.
That difference matters.
I do not think the right response to frontier AI risk is to pretend the risk is fake. The opposite, actually. The more I use these systems, the harder it is to believe that capability increases will remain socially boring. Even current models are already good enough to compress expertise, automate parts of software work, make persuasion cheaper, and help people act at a distance with more leverage than they had before. Future models will be better. Some of that will be wonderful. A lot of it will be bad.
So I am not interested in the “just release everything, nothing matters” position, that feels childish.
But the “responsible frontier lab plus national-security state decides who deserves access” position is not much better. It may even be more dangerous in the long run, because it turns a real safety concern into a legitimacy problem and a geopolitical and political risk for everyone, including the citizens of that country.
There are three different claims that often get collapsed into one:
- This model is powerful enough to create misuse risk.
- This company has incentives to exaggerate or frame that risk in useful ways.
- This state will use the risk argument to preserve strategic advantage.
All three can be true at the same time.
A model can be dangerous. A company can be self-interested (and if we learned anything from the last few decades of corporate US history — including big tech — this is almost guaranteed to be true). A government can turn safety into industrial policy. None of these facts cancels the others.
This is why the “haha, they got what they asked for” reaction misses the point. It frames the ban as a play about hypocrisy, when the more important issue is institutional. Once safety becomes a policy language, it will be used by states. Once it is used by states, it will be shaped by geopolitical incentives. And once that happens, a different set of problems arises.
People inside the dominant jurisdiction should not assume they are merely the beneficiaries of this arrangement. The same state capacity that restricts access abroad can also justify surveillance, secrecy, compliance mandates, and the erosion of domestic rights at home. The national-security state does not only point outward.
People outside that jurisdiction will ask a different question: whether “safety” means safety for everyone, or control by the people who already own the frontier.
For Europe, this is not an abstract concern.
Europe is in a strange position with AI: it has contributed enormously to the intellectual foundations of the field. The history of modern machine learning is not an American-only story, not at all. It runs through European mathematics, British and Canadian research, Japanese hardware and robotics traditions, open-source communities, and a long chain of distributed scientific work.
But the current frontier is not governed by intellectual contribution. It is governed by compute, capital, infrastructure, and corporate concentration.
If you have enough money to buy the GPUs, enough cloud capacity to run the training jobs, enough legal and political integration with the dominant state, and enough distribution to turn models into products, you get to sit at the table. If not, you become a customer. Or, worse, a regulated customer who may discover that access to the best systems can be narrowed for reasons decided elsewhere or by someone else that does not have your best interests in mind. Europe already learned this lesson once with social networks; it should not need to learn it again with AI.
That is the dependency problem.
Europe likes to talk about regulation, but regulation without capability is mostly a way to negotiate the terms of dependency. Don’t get me wrong, it is still necessary and it can still be useful. It protects citizens, sets norms, and constrains abuses. But it does not answer the harder question: what happens when the most important capabilities are built somewhere else, priced somewhere else, filtered somewhere else, and possibly withdrawn somewhere else?
European AI strategy cannot mean “use American APIs and hope American politics stays sane.” That cannot be Europe’s AI strategy, because it is not really strategy. It is procurement. And we have seen how well that works.
Europe cannot base critical infrastructure on the assumption that allied governments will remain stable, liberal-democratic, cooperative, and committed to the political and moral principles that made the alliance credible in the first place. Even an ally can take a nationalist, populist, authoritarian-leaning, protectionist, or isolationist turn. It can withdraw from international commitments, undermine alliances, impose tariffs, weaponize export controls, or make access to critical infrastructure conditional on its own domestic politics.
Europe does not need to assume the United States is an enemy to understand that relying on US-controlled AI infrastructure is a strategic risk.
This is where local inference starts to look different.
For a while (which here probably means months even though it feels like a decade given how fast things move), local inference had an almost hobbyist aura around it: people running quantized models on gaming GPUs, comparing tokens per second, trying to squeeze surprising capability out of consumer hardware. That world is still there, and it is fun, I’m having fun doing it myself. But the strategic meaning is changing.
Local inference is not just about saving money on API calls. It is an exit strategy.
Not a complete exit. Not a fantasy where every organization trains its own frontier model from scratch. That is not realistic. Pre-training at the frontier is unreasonably expensive, and Europe is not going to close that gap by pretending otherwise.
But most useful control does not require training a frontier model from zero.
Control can mean knowing which workloads can run on open or locally hosted models. It can mean fine-tuning and post-training open-weight models that already exist. It can mean keeping sensitive data out of foreign APIs. It can mean routing different tasks to different systems based on cost, latency, privacy, and quality. It can mean being able to survive a vendor policy change without rewriting the entire application stack.
The point is not that every organization should immediately replace frontier APIs with local models. The point is that a serious organization should know which parts of its AI stack can survive losing access to them.
That is the difference between adoption and dependency.
The technical side is also more subtle. Local inference is not automatically cheap or easy. Modern models are heterogeneous. Sparse models and mixture-of-experts (MoE) architectures do not magically make serving simpler. If many simultaneous users activate different experts, batching can become awkward. Hardware utilization can be less clean than expected. Cooling, memory bandwidth, routing, cache locality, and failure handling all matter. You can spend a lot of money on GPUs and discover that the serving pattern is the hard part.
This is precisely why the layer around the model matters.
The model is not the whole system. The application should not have to know, in every code path, whether a request belongs on a frontier API, a private fine-tune, a local model, a cheaper batch endpoint, or a fallback provider. That decision needs to live somewhere explicit. It needs observability. It needs policy. It needs the ability to change without editing every application.
In other words, sovereignty is not just “having a model”. It is having operational control over inference.
That control has several parts:
- Which model handles which task?
- Where does the data go?
- What happens if a provider refuses, degrades, changes terms, or disappears?
- How much does a route cost?
- What quality trade-off was accepted?
- Which workloads can run locally?
- Which workloads actually require the frontier?
- Which decisions are policy, and which are accidents embedded in application code?
These are infrastructure questions, but infrastructure is where political dependency becomes visible.
The Fable ban is interesting because it makes the dependency visible.
If the frontier labs and the American state converge on the idea that some models are too powerful to distribute evenly, Europe has only a few options.
It can complain. It can regulate the systems it still has access to. It can hope that domestic frontier labs catch up. Or it can build serious infrastructure around the models it can control, while also investing in its own frontier models.
Only the last two change the balance of power.
And because catching up at the pre-training frontier is expensive and uncertain (albeit not impossible), the practical work probably starts elsewhere: post-training, specialization, local deployment, routing, evaluation, cost control, and the boring stuff that lets organizations use a portfolio of models instead of becoming dependent on one remote frontier endpoint.
This does not solve AI safety. It does not even solve AI sovereignty by itself. But it changes the posture. It turns “please keep serving us” into “we know exactly where we depend on you, and we are reducing the parts that matter most.” And it’s a necessary step toward real autonomy.
That is a healthier position.
The hard part is that we need to hold two thoughts at once.
First: frontier AI risk is real enough that serious people should not dismiss it as marketing, even though the language of safety is often used for marketing, regulatory positioning, and strategic advantage. Capabilities are increasing. The systems are useful, general, and difficult to fully understand. Some restrictions may be justified.
Second: restrictions that preserve privileged access for the already-powerful will not be perceived as neutral safety measures — because they are not. They will be perceived as hierarchy.
If AI safety becomes indistinguishable from American access control, it will lose legitimacy outside America.
That would be bad even for people who care about safety. A safety regime that others see as a cartel will invite evasion. It will push capability development into less transparent places. It will make international coordination harder. It will turn every warning into a suspected power play. It will destroy the credibility of the safety regime itself.
So the standard should be higher.
If a model is too dangerous, make the case universally. If access must be limited, explain why the line is drawn where it is. If the restriction is really about national advantage, stop pretending and say that too. But do not ask the rest of the world to pretend that unequal access is the same thing as collective safety.
The ban is not the problem, the problem would be accepting a world where the most powerful AI systems are described as too dangerous for humanity while remaining conveniently available to the people, companies, and jurisdictions that already control them.
#ai #anthropic #claude-fable #europe