For three years, the AI race has been narrated as a story about hardware: who can buy the most advanced chips, who gets cut off, and how tightly Washington can squeeze the supply of compute. But the latest flashpoint has nothing to do with silicon. According to reporting from Build Fast with AI, Anthropic has publicly accused Alibaba of running a large-scale model-distillation campaign — using the outputs of Anthropic’s own models to train a cheaper imitation — and has sent a letter to the US Senate urging lawmakers to treat access to frontier models, not just chips, as a control point for national security. (We’ve flagged the specifics for verification against primary sources; the policy thrust is the news here.)
If the accusation holds, it points to an uncomfortable truth that the chip-centric export-control regime has largely ignored: frontier capability does not only leak through hardware. It can be siphoned, quietly and cheaply, through an API. Here’s what distillation is, why it matters, and what builders — especially in India — should take from it.
What a distillation attack is
Model distillation is, at its most benign, a well-known engineering technique. You take a large, expensive “teacher” model and use its outputs — answers, reasoning traces, completions — to train a smaller, cheaper “student” model that mimics the teacher’s behaviour. Done in-house on your own model, it’s how labs ship lighter, faster versions of their flagship systems.
The problem arrives when the teacher belongs to someone else. A so-called distillation attack involves querying a competitor’s model at scale, harvesting the outputs, and using that corpus to train a rival system that inherits the original’s hard-won capabilities — without paying for the research, the data curation, or the compute that produced them. You don’t need the original weights. You don’t need the chips. You just need sustained, high-volume access to the model’s responses.
This is what makes it strategically dangerous, and it’s the crux of Anthropic’s argument. A distilled clone can replicate advanced capabilities while sitting outside the original model’s safety controls. The guardrails, refusal behaviours, and alignment work baked into the teacher don’t automatically transfer to the student; what transfers is raw capability. So distillation sidesteps two things at once: the commercial moat a lab builds through expensive training, and the safety scaffolding a lab builds to keep that capability from being misused.
That is the lens through which Anthropic has framed its accusation against Alibaba — not merely as intellectual-property theft, but as a mechanism by which frontier-grade capability escapes into systems that nobody has audited, governed, or restrained. Whether the specific allegations against Alibaba are substantiated is something courts, regulators, and independent reviewers will have to test. But the underlying technique is real, and it is cheap relative to building a frontier model from scratch.
From hardware to access controls
The substance of Anthropic’s Senate letter is a proposed shift in where the controls sit. Today’s export regime is built around compute: restricting the sale of advanced GPUs and the equipment to make them, on the theory that whoever can’t train frontier models can’t compete. Anthropic’s argument is that this misses a side door. If you can distill a frontier model through its API, you can acquire much of its capability without ever needing the restricted hardware.
The letter, as reported, asks lawmakers to do three things:
- Treat model access as a controllable asset. Extend export-control thinking to cover who can query frontier models and how, not just who can buy chips.
- Mandate screening of high-volume API usage. Distillation at scale leaves a signature — enormous, systematic querying patterns designed to extract a model’s behaviour across domains. Anthropic wants that kind of usage flagged and scrutinised rather than treated as ordinary traffic.
- Formalise lab-government coordination. Build channels through which frontier labs and national-security agencies share intelligence on extraction attempts and emerging threats, closing the gap between what labs see in their logs and what regulators can act on.
According to Build Fast with AI, this move extends a 2026 pattern in which model access itself is increasingly treated as a strategic, controllable asset — following earlier export-control actions that affected the availability of frontier models. In other words, this isn’t a one-off complaint; it’s a lab trying to shape the next phase of AI governance around its own threat model.
It’s worth naming the obvious tension here. Anthropic is a commercial actor with a direct interest in protecting its models from being cloned. A policy that screens “high-volume API usage” also happens to protect Anthropic’s revenue and competitive position. That doesn’t make the national-security argument wrong — but it does mean the proposal should be read as both a security pitch and a business one, and policymakers should weigh it accordingly.
Why it reframes the race
The deeper point is that compute-only export controls assume capability is bottlenecked by training. Distillation breaks that assumption. If the most valuable thing a frontier lab produces — sophisticated, generalised capability — can be partially extracted by anyone with API access and patience, then the real leak in the system isn’t chips smuggled across borders. It’s capability bleeding out through the front-end interface that labs are commercially incentivised to make as open and frictionless as possible.
That creates a genuine policy bind. The entire business model of a frontier lab depends on selling access. The entire national-security case Anthropic is making depends on restricting it. You cannot have a maximally open, developer-friendly API and a tightly controlled, screened, security-gated one at the same time — at least not without sorting users into trusted and untrusted tiers, which raises its own questions about who decides and on what basis.
There’s also a framing battle underway between two ways of describing the same act. Call it IP theft, and it’s a commercial dispute resolved through licensing terms, lawsuits, and competition. Call it a national-security threat, and it becomes the business of the Senate, export-control agencies, and intelligence-sharing arrangements. Anthropic is deliberately pushing the conversation toward the latter. The reframing matters because it determines which institutions get to write the rules — and whether the response is a contract clause or a federal control regime.
The honest assessment: compute controls were always a blunt instrument, and distillation exposes how blunt. But access controls are harder to design well and far easier to abuse — as competitive weapons, as surveillance infrastructure, or as instruments that entrench incumbents. The right answer is probably neither pure openness nor heavy gating, but the debate Anthropic has forced open is overdue.
The India read
For Indian founders, marketers, and operators, this is not an abstract Washington squabble. A large share of India’s AI product layer is built directly on top of frontier APIs from a handful of US labs. If “model access as a national-security control point” becomes policy, the terms on which Indian builders consume those models could change — quietly, and not necessarily in their favour.
Consider the practical exposure:
- High-volume usage screening cuts both ways. A legitimate Indian startup running large-scale inference, synthetic-data generation, or evaluation pipelines can look, from the outside, a lot like an extraction campaign. Screening regimes designed to catch distillation could create friction, additional compliance burden, or outright access restrictions for ordinary builders far from any geopolitical fault line.
- Access can be revoked by policy, not just by price. If model access becomes export-controlled, your dependency on a foreign API becomes a dependency on another country’s national-security politics. That’s a different and harder risk to model than a price hike.
- Open-weight alternatives become a sovereignty hedge. The strategic case for open-weight models — and for India’s own sovereign-AI ambitions — gets stronger every time frontier access tightens. Open weights you can run locally aren’t subject to someone else’s screening regime. The trade-off is capability and cost, but the option value of not being gated is rising.
The pragmatic move for Indian teams isn’t panic; it’s resilience. Avoid single-vendor lock-in. Keep an open-weight fallback warm. Document your usage patterns so you can demonstrate legitimacy if screening arrives. And watch this policy thread closely, because the precedent being set in the Anthropic–Alibaba dispute — that capability, not just hardware, is something governments can fence off — will eventually shape the rules everyone downstream has to build under.
Distillation has reframed the leak. The question now is whether the response protects the public from ungoverned capability, or simply protects incumbents from competition. For builders outside the US, the difference is everything.
