Gov and Big Labs Get Frontier AI First. We Don't.

Here's a pattern almost nobody names out loud: the most capable AI built each year now debuts in a locked room. The labs that make it see it first. Government agencies get it next. The rest of us get a slower, safer, time-delayed edition — if we get one at all.

That sequence has happened quietly enough that it now reads as normal. It shouldn't. We're setting a precedent for who gets frontier intelligence first, and the default is hardening into "a handful of companies and the state, then everyone else." This is an opinion piece, so let me be direct about why that worries me — and honest about where the worry is overblown.

The slow-rollout playbook is now the default

Look at the arc this site has tracked over the past two months. Anthropic's Claude Mythos — a cyber-focused model that autonomously found a vulnerability that had sat unpatched for 27 years — was never offered to the public. Access went to "vetted security partners, government agencies, and approved researchers." The White House publicly opposed widening it. Months later, the public finally got a version: Claude Fable 5, a Mythos-class model wrapped in a safety-routing layer that hands sensitive queries off to the more conservative Opus 4.8.

Restricted preview, then government and partner access, then a guardrailed public release. That's the playbook. And it isn't unique to Anthropic — it's the shape of nearly every frontier launch now. Waitlists, "preview" tiers, capability holdbacks, enterprise-first rollouts. The public version is the last and most sanded-down link in the chain.

The question isn't whether any single delay is justified. It's whether we're comfortable making "the public gets the weakest version, last" the permanent default.

It's not one model — it's the whole stack

If this were one offensive-security tool, fine. Gating exploit-generation capability is defensible. But the gating now shows up across the entire frontier, and the government has been moved to the front of the line by design.

• Dedicated government models. In June 2025, Anthropic shipped Claude Gov — a custom model set for U.S. national security customers, with access "limited to those who operate in classified environments" (per Anthropic's announcement). The company says it was the first to put frontier models into classified networks. These variants are tuned on capabilities the public build never receives.
• Defense contracts at the frontier. In July 2025 the Department of Defense awarded up to $200 million each to Anthropic, Google (Gemini), OpenAI (ChatGPT), and xAI (Grok) to bring frontier models into defense workflows.
• Government-wide distribution deals. In August 2025, the GSA's OneGov agreement put ChatGPT Enterprise in front of every federal agency for $1 a year (TechCrunch, GSA), explicitly in support of the White House's America's AI Action Plan. Anthropic and Google followed with comparable government-wide offers.

So the state isn't just another customer. It has privileged, subsidized, and sometimes exclusive access to frontier systems — plus bespoke variants the public can't touch and, in the Mythos case, capabilities the public is explicitly told it isn't allowed to have.

Who actually gets what

None of these tiers is outrageous on its own. Stacked together and repeated every release cycle, they describe a structural ordering of who gets to think with the best tools — and that ordering puts the public dead last by default.

"Safety" is carrying a lot of weight here

Let me steelman the gatekeepers, because the strongest version of their case is real. Dual-use risk at the frontier is not imaginary. Mythos reportedly surfaced more than 10,000 high- and critical-severity vulnerabilities in its first month — the same capability that helps defenders patch faster would help attackers en masse if handed out raw. Fable 5's routing design, where the model itself escalates risky queries to a more conservative model rather than just refusing, is a genuinely thoughtful answer to that problem. If the choice is "release the unguarded cyber model to everyone tomorrow" or "stage it," staging wins.

But "safety" is also doing convenient double duty. The same restriction that reduces misuse risk also concentrates capability, entrenches the incumbents who hold it, and makes governments dependent on a few vendors. Those second effects are commercially and politically useful, and they're almost never separated from the safety rationale in public. We're asked to trust the holdback without seeing the math behind it — no published criteria for what triggers a restriction, no timeline for when the public tier catches up, no independent audit of whether a given capability was actually too dangerous or just too valuable to share early.

The precedent that actually worries me

Three things, in order of how much they keep me up at night.

1. A few players decide what the public is "ready" for. When a small set of labs and agencies controls both the capability and the release schedule, they also control the public's baseline for what AI can do. That's enormous soft power, exercised with little transparency and no real appeal process.

2. Government entanglement cuts both ways — and it's already getting ugly. Look at the Anthropic–DOD dispute. In late February 2026, the administration directed agencies to stop using Anthropic's technology, and in March the Department of Defense designated the company a "supply-chain risk" after Anthropic refused to allow unrestricted use for things like mass domestic surveillance and autonomous weapons without human oversight (per Anthropic's own statement and subsequent reporting). My read: that fight is a preview of the real hazard. Once frontier access runs through a few vendor-government relationships, whoever controls access controls leverage — and a lab that gates its best work to the state becomes hostage to the state's goodwill, and vice versa. Concentration doesn't just risk misuse; it creates a chokepoint that can be squeezed.

3. The capability gap compounds. If the best tools reliably land with the most powerful institutions first, the advantage they confer accrues to those already ahead — every cycle, on top of the last one. "Democratized AI" was the original pitch. A subscription-and-clearance divide is what's actually forming, where meaningful agentic capability sits behind enterprise contracts, security clearances, and $200-a-month tiers.

The counterweight is open weights — and it's weaker than the hype

The honest pressure valve here is open-weight models. DeepSeek proved in early 2025 that near-frontier performance didn't require a hyperscaler's budget, and Meta's Llama line keeps capable weights in public hands. That's the most important countertrend to everything above, and it deserves more support than it gets.

But I won't oversell it. Open weights consistently trail the closed frontier, and the gap is widest in exactly the agentic, long-horizon, security-grade capabilities that are being gated hardest. Open models democratize last year's frontier, not this year's. They keep the floor rising, which matters — but they don't close the gap at the top, which is where the concentration actually lives.

What to watch, and what to do

Watch the delay, not the launch. The metric that matters isn't how impressive a restricted model is — it's the gap, in months, between when the capability exists and when the public can use a real version of it, and whether that gap is widening. Push for transparency on holdbacks: a lab that restricts a capability should be able to say why, against what criteria, and for how long.

If you build on this stuff, don't anchor your product to a model tier you don't control. The Anthropic–DOD spat shows access can be revoked overnight by forces that have nothing to do with you. Keep an open-weight fallback in your stack even if it's a notch behind, and treat any "preview" dependency as temporary.

The honest take: some staging is genuinely warranted, and pretending otherwise is naive about dual-use risk. But "a few companies and the government get the real thing first, the public gets a guardrailed copy later" is not a law of nature — it's a choice being made repeatedly, with very little public accounting for the tradeoff. The precedent is being set right now, in the quiet space between each restricted preview and its sanded-down public release. The least we can do is stop treating it as normal.