Getting frontier access
Frontier AI is becoming ever more powerful. AI Security Institutes are best positioned to secure European governments’ reliable access.
Here are some ways the American government is using frontier AI:
Cyber offense: Anthropic’s Mythos, an AI model that has already identified 10,000 high-risk cyber vulnerabilities, is used by the National Security Agency (NSA) to conduct cyberattacks.
Cyber defense: The US government is using the same AI model to identify and patch vulnerabilities within its own systems.
Warfare: Frontier models are integrated into Palantir’s Project Maven and were used for target prioritization in the US airstrike campaign on Iran.
Last week, the White House ordered all national-security agencies to accelerate AI adoption further. Already, new AI models are available to the Department of Defense upon release, and, as per DoD, half of its staff (more than 1 million people) use AI systems in their work.
What about Europe? There is no public record of any European military or security agency using frontier AI in its operations. The French government intends to adopt AI—but the models used would be Mistral’s systems, not OpenAI’s or Anthropic’s.
European AI systems are less capable than American frontier models. Using them might be acceptable for writing emails or reviewing planning applications. But in competitive domains, relative ability makes all the difference: a small but persistent edge between rivals in territorial conflict or cyber warfare will ultimately tilt the balance toward the stronger side. Just imagine you had to improve a server’s security setup with the two-year-old GPT-4o, while your adversary could prod the server using Mythos.
Right now, many still argue we should rely on lagging European models for sovereignty’s sake. But this is quickly becoming untenable. Soon enough, using laggard AI systems will be equivalent to staffing our governments with middling interns, while America and China deploy millions of ever-improving AI agents across their militaries and security services.
Incorporating American frontier AI systems across Europe’s security agencies and militaries will be complex, bureaucratic, and politically fraught. Yet the institutions that could liaise between European governments and American frontier companies are currently being set up—just yesterday, Germany’s National Security Council announced it would launch an AI Security Institute. Making sure these institutes can secure frontier AI access for their governments is getting more important by the day.
The final procurement policy
Over the past year, prominent European institutions have floated the idea of requiring governments to procure European AI systems. Arthur Mensch, the CEO of Mistral, recently argued for such mandates. Similarly, the Commission’s Apply AI Strategy calls for adopting European AI systems in public administrations.
Going through with these proposals would see European governments opt for worse, more expensive models instead of better, cheaper alternatives: Mistral’s Medium 3.5 performs worse than GPT-5.4 nano, while costing fourteen times as much. The revenue thus generated will not be enough to allow European companies to become competitive: large European governments spend around $5 billion per year on IT1. If three such governments together paid Mistral $3 billion a year for model access, the resulting revenue would represent six percent of Anthropic’s annual revenues.
Procurement mandates are bad industrial policy. But they might prove far worse than simply wasting public monies: they would prevent European governments from using frontier AI systems for cyber defense, while others are free to use frontier AI systems to scour our governments’ systems for vulnerabilities.
Since OpenAI and Anthropic launched their cyber defense programs, they’ve discovered thousands of software vulnerabilities. Even among applications that are deemed highly secure, vulnerabilities were flagged that escaped humans for years, including in the operating systems of Apple, and in the open-source OpenBSD (commonly used for running critical infrastructure). It is fair to assume that many European government systems are nowhere near as well secured as the systems of Apple, a company that can pay cybersecurity professionals hundreds of thousands of dollars per year, and OpenBSD, whose code is publicly available and has been pored over by thousands of people.
Now, some European institutions are actually using American AI systems. But, based on private conversations, both their usage policies and the models in use are inadequate.
The EU Commission was still using GPT-4o late last year, well after Claude Opus 4.5 was available, and has only recently moved to GPT-5.1. Closed-source models like GPT-5.1, however, cannot be used on private materials, so staff must rely on open-weight models instead. But again, rather than using reasonably good Chinese models, they are served outdated Llama models hosted on Commission services.
To informed citizens, the EU’s AI use policies should be unnerving. But aside from the performance hit the Commission is taking, interacting with outdated models also makes staff blind to the sheer ability of AI models. Using Anthropic’s latest AI model, Fable, in a coding harness is vastly more impressive than Llama writing mediocre emails, and makes you much more inclined to take cybersecurity risks seriously.
AI Security Institutes could prove central to European frontier access
European AI policy discourse is only slowly taking security issues more seriously. But I think this might change very soon. Prompted by the Mythos release, more governments are studying AI’s security risks. Most importantly, they are launching AI Security Institutes, as the German government did on June 8.
One of the shortest paths to frontier AI adoption in European governments goes through such institutes, both because they engage directly with frontier companies, and because they are (ideally) staffed by individuals who understand frontier AI well. But for such institutes to perform well, they need to be set up well. In thinking about how to do this, we can learn from the world’s most performant such institute: UK AISI. They played a large role in publicizing Mythos’ cybersecurity potential, and can be a template for other nations.
What will matter most for attracting top AI experts into government is pay, mission focus, and fast, flexible hiring. UK AISI has done this reasonably well—they can pay more than the UK government usually would and are free to employ non-UK nationals. Germany should follow this model. It can also learn from the setup of SPRIND, Germany’s ARPA equivalent, which was given more flexible hiring and financing rules through a SPRIND-specific law. A more cautionary example is the EU’s AI Office. While staffed with some excellent mission-driven people, its pay scales are rigid, and months-long hiring processes make it hard to routinely attract top talent. It also follows the same type of country-proportionate hiring that degrades the effectiveness of many other parts of the Commission.
If Germany’s AI Security Institute and similar organizations are modeled after UK AISI, being staffed with individuals who are competent and aware of AI’s direction of travel, they could play a key role in establishing long-run relationships with frontier AI companies. Once such relationships are established, they could provide their respective governments’ security agencies and militaries with reliable, secure frontier AI access.
How to deploy frontier AI without surrendering sovereignty
Now, I understand why European governments would be wary of using American AI systems, given how unreliable the United States has become. But there are ways to integrate AI into our governments that would minimize downsides, while giving us the large benefits of using the world’s best AI systems.
For general public service use, governments should simply act like any other market participant: purchasing different AI systems and thus reducing the dependency on any one specific company. There are European companies like Langdock that allow users to access many different AI systems through one portal, even ensuring European hosting of some AI systems. At the same time, having parallel bespoke agreements to host compute for public sector AI is commendable—the OpenAI for Germany program is one such example.
For national security use, I expect we want solutions that are even more secure, just like the American government wants compute reserved for national security applications. Comparing artificial intelligence to prior dual-use technologies is somewhat treacherous, given how different AI is. But we can still learn from how the West shared dual-use technologies among Allies in the past.
One example is the United Kingdom’s Trident program. Under it, the UK has full control over its own nuclear weapons, though it requires the United States for maintenance. Similarly, American frontier companies could work with AISIs to provide individual European governments with secure frontier access, using air-gapped, domestic AI clusters that run the same AI models accessed by the United States government.
Such models would require frequent updating. But even if updates happened a couple weeks after model release, this would be vastly preferable to relying on systems that lag the frontier by a year or more.
There are surely better mechanisms than the one I briefly sketched here. But almost anything beats the status quo: in competitive domains, laggard systems are entirely inadequate. AI Security Institutes are best positioned to make their governments understand this. And while the subsequent work of providing European governments with secure frontier AI access will be hard, it will prove crucial to maintaining Europe’s security.
Germany’s federal IT spending was around €4 billion per year according to the Bundesrechnungshof; the French state spends roughly €10 billion annually on IT, of which a minority goes to software and cloud services; Italy’s public administration spent around €6 billion on ICT in 2024.






I agree that AISIs could help the governments to understand the importance of the frontier. Though I think it originally worked the other way around in the UK.
I haven't dared to think about the frontier labs giving the weights to anyone. Every extra place where they keep the weights increases the risk of someone stealing them... and finetuning the model for anything they want.
I believe that cooperation with AISIs can provide value for the labs and for the US government, decreasing their incentives to switch off the frontier access. Since only 2% of all AI research published (between 2017-2022) is focused on safety, that might be a good niche to fill.
Interesting article!
I have several questions about this paragraph:
"But there are ways to integrate AI into our governments that would minimize downsides, while giving us the large benefits of using the world’s best AI systems..."
I really don't see how diversifying model access between American companies is going to minimize the downside risk of American AI export control; perhaps if there were 10s of companies in this space but we're talking about 2 and a half frontier labs. If Trump is annoyed at Europe after the next G7 meeting, I don't really see how the Bundeslander governments being dependent on a mix of GPT and Claude is going to fix anything; similarly, the trident program is likely cheaper than the French system but it's not like this is an acceptable compromise for civilian infrastructure. The UK primarily did this because it's demand for weapons was fractional compared to the US; for AI, even in nominal terms, the EU's economy is more than half of the US's, it's very large globally speaking, the AI demand for a modern EU economy isn't going to be a fraction of the US and therefore I think it's more difficult to argue that the EU should give up on the model layer.
I think you've explained well why procurement mandates won't solve these issues either so let me propose something else for you to disagree with:
Meta has so far failed to create a good model after spending a ridiculous amount but the benchmarks from show more promising results for some newer (and much cheaper) Chinese OS models like GLM. Perhaps Europe should be aiming for "a CERN of AI" that tries to produce a near-frontier open source or open weights model, this would likely attract much more good will from the other middle powers in the world and could be a vessel to diffuse the dangerous race between China and the US.
However, assuming that an EU frontier model is copium, it seems like a much more obvious conclusion is that the downsides of adopting US models are actually pretty big but (at least in your opinion), the potential economic benefits for the EU are much more tangible the cost of giving the US more leverage in future, more hostile, relations.