Blocking open-weight AI risks concentrating capability and pushing development underground; chip-level attestation and a multilateral safeguards regime offer a pragmatic alternative to a binary openness-or-restriction choice.
The governance of open-weight artificial intelligence (AI) models has been framed as a binary choice: openness as risk, restriction as safety. This paper challenges that framing, arguing that access restrictions, without governed alternatives, may displace risks rather than reduce them. The global concentration of compute infrastructure makes open-weight models one of the most viable pathways to sovereign AI capacity in the Global South; restricting such access deepens asymmetries while driving proliferation into unsupervised settings. This analysis proposes that hardware-layer governance, including chip-level attestation mechanisms such as FlexHEG, trusted execution environments, confidential computing, and complementary software-layer safeguards, offers a defense-in-depth alternative to the current binary. A threat model taxonomy mapping misuse vectors to hardware, software, institutional, and liability layers illustrates why no single governance mechanism suffices. To operationalize this approach, the paper argues that effective AI governance as a dual-use technology will likely require a multilateral institutional architecture functionally analogous, though not identical, to the role performed by the IAEA in the nuclear domain, with explicit safeguards against the co-option of hardware controls for domestic repression. The relevant policy question is how to make openness safer through technical and institutional design while addressing the transition realities of legacy hardware, attestation at scale, and civil liberties protection.
Summary
Main Finding
Restricting access to open-weight AI models without providing governed alternatives can displace and amplify risks rather than reduce them. Hardware-layer governance (e.g., chip attestation like FlexHEG, TEEs, confidential computing) combined with software, institutional, and liability measures — and supported by a multilateral institutional architecture functionally analogous to the IAEA — offers a defensible path to “make openness safer” while protecting sovereignty and civil liberties.
Key Points
- Binary framing (open = risky, closed = safe) is misleading. Unilateral restrictions deepen global compute asymmetries and push activity into less auditable “shadow” environments.
- Global compute concentration: a small set of countries and cloud providers control most training-capable infrastructure. Evidence cited: US ≈ 75% of GPU cluster performance, China ≈ 15%; only 39 countries host public cloud regions and 30 offer GPUs (Lehdonvirta et al., Epoch AI, Pilz et al.).
- Openness is an engine of capability diffusion for the Global South because downloadable weights let resource-constrained actors run or adapt models without frontier training compute.
- Empirical signs of displacement and circumvention: GPU smuggling (US DOJ case, ~$160M in H100/H200 GPUs), rapid growth of open-weight ecosystem (Hugging Face >2M models by 2025), local execution tools (Ollama, LM Studio), and enterprise shadow use (Gartner survey: 69% suspected employee use of prohibited public generative AI tools).
- Fine-tuning vulnerability is central and agnostic to openness: safety guardrails can be removed with minimal compute and very few adversarial examples (Qi et al., 2024; UK AISI, 2025). This affects both open weights and models offered via fine-tuning-capable APIs.
- Regulatory thresholds based on training compute (e.g., EU AI Act rebuttable presumption at 10^25 FLOP; indicative 10^23 FLOP guideline) miss low-compute modifications that produce high-risk behavior, creating a regulatory blind spot.
- Threat taxonomy (paper’s Table 1) maps major misuse vectors (e.g., guardrail removal, model extraction, covert deployment, sanctions evasion, scaled misuse) to the governance layers best positioned to mitigate them: hardware, software, institutional, liability. No single layer suffices — coordinated, layered defenses are required.
- Hardware-layer governance (FlexHEG and related proposals) aims to make execution verifiable at the chip level (attestation, tamper-resistance, logging, compute caps on unattested workloads), enabling broader distribution of weights while retaining oversight at point-of-compute.
- Software safeguards (pre-release testing, watermarking, provenance registries) and legal incentives (product/platform liability, export controls) complement hardware measures; each has limits and must be combined.
- Institution-building: the paper argues for a multilateral governance architecture functionally akin to the IAEA but tailored to AI’s dual-use character, including safeguards to prevent hardware controls being used domestically for repression.
- Transition challenges: legacy hardware, attestation at scale, protecting civil liberties, and the geopolitics of deployable attested chips are nontrivial practical constraints.
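The point-of-compute oversight sketched under Key Points (attestation, logging, a compute cap on unattested workloads) can be modelled as a small policy gate. This is an added illustration, not code from the paper or from any FlexHEG implementation; the chip key, firmware allow-list, FLOP cap and report fields are constructed stand-ins, and an HMAC over a canonical JSON report replaces the asymmetric, certificate-rooted signature real hardware would use.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-ins (hypothetical): real chips hold a manufacturer-provisioned
# asymmetric key and present a certificate chain rather than a shared secret.
CHIP_KEY = b"constructed-demo-attestation-key"
APPROVED_FIRMWARE = {"fw-1.2.0"}   # hypothetical allow-listed firmware measurement
UNATTESTED_FLOP_CAP = 10**20        # hypothetical cap applied to unattested jobs


def canonical(report: dict) -> bytes:
    """Deterministic encoding so the chip and the verifier hash identical bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def chip_sign(report: dict) -> str:
    """Stand-in for the chip signing its measurement report."""
    return hmac.new(CHIP_KEY, canonical(report), hashlib.sha256).hexdigest()


class ComputeGate:
    """Admits a workload at full speed only when its attestation verifies;
    anything else runs under the compute cap, and every decision is logged."""

    def __init__(self):
        self.audit_log = []
        self._nonce = None

    def challenge(self) -> str:
        """Fresh nonce the chip must echo in its report, so old reports cannot be replayed."""
        self._nonce = secrets.token_hex(16)
        return self._nonce

    def admit(self, report: dict, signature: str, requested_flop: int) -> dict:
        sig_ok = hmac.compare_digest(chip_sign(report), signature)
        fresh = self._nonce is not None and report.get("nonce") == self._nonce
        fw_ok = report.get("firmware") in APPROVED_FIRMWARE
        attested = sig_ok and fresh and fw_ok
        if attested:
            reason, granted = "ok", requested_flop
        else:
            reason = ("bad_signature" if not sig_ok
                      else "stale_nonce" if not fresh else "unapproved_firmware")
            granted = min(requested_flop, UNATTESTED_FLOP_CAP)
        decision = {"workload": report.get("workload_hash"), "attested": attested,
                    "reason": reason, "granted_flop": granted}
        self.audit_log.append(decision)   # point-of-compute record for later audit
        return decision
```

A tampered report fails the signature check, a replayed one fails the nonce check, and both fall under the cap while still being logged.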
Data & Methods
- Approach: interdisciplinary policy analysis combining literature review, case studies, threat modeling, and institutional design proposals.
- Evidence sources: academic and policy literature (e.g., Sastry et al. 2024; Aarne, Fist & Withers 2024; Bengio et al. 2025), industry/monitoring reports (Epoch AI, Stanford AI Index), regulatory texts (EU AI Act and Guidelines), major incidents (DeepSeek R1 example; US DOJ GPU-smuggling case), and surveys (Gartner 2025).
- Analytical tools:
  - Threat model taxonomy mapping misuse vectors to governance layers.
  - Comparative policy analysis of openness vs. restriction regimes and alternative governance mixes (restriction without alternatives; restriction with governed alternatives; openness with hardware-layer governance).
  - Normative institutional design drawing analogy to IAEA while highlighting differences for AI.
- Limitations noted by the author:
  - Not an original empirical dataset; relies on synthesis of existing reports and cases.
  - Some elements (FlexHEG feasibility, multilateral architecture design) are proposals/blueprints rather than proven implementations.
  - Geopolitical and civil-liberties trade-offs imply significant political friction; practical deployment and scaling of hardware attestation remain challenging.
Implications for AI Economics
- Market structure and global division of labor:
  - Hardware attestation and regulated compute could create a new premium market for “verifiable” chips and services. Suppliers able to provide attested hardware may extract rents or gain strategic leverage.
  - Restrictions without alternatives increase dependence on foreign cloud platforms, altering bargaining power and potentially shifting value capture from downstream developers/nations to platform owners.
- Diffusion and innovation incentives:
  - Open-weight models materially lower barriers to local adaptation and application development in compute-poor regions; overly strict distribution bans could retard legitimate capability-building, local innovation, and market formation in the Global South.
  - Conversely, hardware-layer governance that enables safe openness could sustain innovation while limiting harmful uses, altering incentives for firms to invest in compliance and attestation technologies.
- Compliance, enforcement, and transaction costs:
  - Implementing layered governance (hardware + software + institutional + liability) raises compliance costs for hardware manufacturers, cloud providers, and model deployers; these costs will be internalized into prices for compute, model licensing, and services.
  - Enforcement challenges and smuggling risk mean that shadow-market activity may persist, creating enforcement costs and distortions (higher returns to gray-market intermediaries).
- Trade and geopolitics:
  - Export controls and attestation regimes become trade-policy tools with macroeconomic consequences (supply-chain reconfiguration, regionalization of compute capacity).
  - Multilateral frameworks (IAEA-like) could reduce unilateral policy externalities and lower transaction costs, but bargaining and verification frictions will shape which countries and firms capture benefits.
- Liability and insurance markets:
  - Broader product/platform liability exposure could shift risk to deployers and insurers, increasing the cost of deployment and incentivizing investments in safety testing and attested compute.
  - Insurance markets for AI liabilities may grow, but premiums will reflect regulatory clarity and enforceability of hardware/software safeguards.
- Inequality and welfare trade-offs:
  - Policies that close off open weights without governed alternatives risk widening economic and technological inequality by concentrating capability and rents among a few actors.
  - A managed openness approach with verifiable compute could better balance safety and inclusive economic development, but requires upfront public investment, standards-setting, and multilateral coordination.
- Investment signals:
  - Demand for attested hardware, confidential computing, and monitoring services could generate new investment opportunities; at the same time, firms facing stricter liability may divert R&D from open releases toward private, platform-hosted models.
- Final economic takeaway:
  - The choice is not simply between openness and restriction but between governance architectures. Economically efficient and equitable outcomes will depend on designing incentives (via liability, procurement, subsidies), standards (attestation, provenance), and multilateral institutions that enable the social benefits of openness while internalizing safety-related externalities.
Assessment
Claims (8)
| Claim | Direction | Confidence | Outcome | Details |
|---|---|---|---|---|
| The governance of open-weight artificial intelligence (AI) models has been framed as a binary choice: openness as risk, restriction as safety. (Governance And Regulation) | null_result | high | policy framing of AI governance (openness vs restriction) | 0.12 |
| Access restrictions, without governed alternatives, may displace risks rather than reduce them. (AI Safety And Ethics) | negative | high | risk displacement vs risk reduction from access restrictions | 0.12 |
| The global concentration of compute infrastructure makes open-weight models one of the most viable pathways to sovereign AI capacity in the Global South. (Adoption Rate) | positive | high | pathways to sovereign AI capacity (access/adoption of open-weight models) | 0.12 |
| Restricting access to open-weight models deepens asymmetries while driving proliferation into unsupervised settings. (Inequality) | negative | high | geopolitical asymmetries and proliferation into unsupervised settings | 0.12 |
| Hardware-layer governance, including chip-level attestation mechanisms such as FlexHEG, trusted execution environments, confidential computing, and complementary software-layer safeguards, offers a defense-in-depth alternative to the current binary framing of openness vs restriction. (Governance And Regulation) | positive | high | effectiveness of hardware-plus-software safeguards as an alternative governance approach | 0.02 |
| A threat model taxonomy mapping misuse vectors to hardware, software, institutional, and liability layers illustrates why no single governance mechanism suffices. (Governance And Regulation) | negative | high | completeness/adequacy of single governance mechanisms | 0.12 |
| Effective governance of AI as a dual-use technology will likely require a multilateral institutional architecture functionally analogous (though not identical) to the role performed by the IAEA in the nuclear domain, with explicit safeguards against co-option of hardware controls for domestic repression. (Governance And Regulation) | positive | high | need for multilateral institutional governance to manage dual-use AI | 0.02 |
| Operationalizing hardware-based governance must address transition realities including legacy hardware, attestation at scale, and protection of civil liberties. (Governance And Regulation) | mixed | high | practical hurdles to governance deployment (legacy hardware, attestation scalability, civil liberties risk) | 0.02 |