What happened
CNAS researchers Daniel Remler and Ben Hayum introduce and define 'adversarial distillation' as a distinct category of national security threat: the extraction of AI model capabilities at scale through unauthorised access to U.S. AI systems to develop models for a foreign adversary. The paper documents that Anthropic, OpenAI, and Google have all identified named and unnamed Chinese entities conducting this activity at scale, and that the Chinese security apparatus has already incorporated distilled capabilities — via models such as DeepSeek — into military modernisation and mass surveillance. The report argues that 'left unaddressed, adversarial distillation represents a strategic vulnerability for the U.S. AI ecosystem' because it circumvents weight-theft defences by exploiting model responses rather than model weights, and because each generation of distilled U.S. capability compounds China's gains. The authors situate the threat within the broader U.S.–China AI competition and analyse NSTM-4 (April 2026) as a first government acknowledgement, then propose a set of policy and industry countermeasures including identity verification, geographic controls, and API access monitoring.
Why it matters
This paper provides the first systematic policy-facing definition and analysis of adversarial distillation as a threat category; it has direct implications for enterprise AI API governance, access controls, and corporate security posture, as well as for export-control and regulatory strategy.
Action needed
Review your organisation's API access controls, customer identity-verification practices, and terms-of-service enforcement mechanisms in light of the adversarial distillation threat model; legal and security teams should assess exposure and flag to government affairs if your AI services could be exploited under the patterns documented here.