The AI in APT: Model Safety is not Sci-fi by Sarah AThe AI in APT: Model Safety is not Sci-fi by Sarah A

The AI in APT: Model Safety is not Sci-fi

Sarah A

Sarah A

The AI in APT: Model Safety is not Sci-fi

What stolen model weights mean for nation-state intelligence

Jun 24, 2026
1
Share
In occupied Europe in late 1941, a German general receives reports, issues orders and coordinates the movement of troops. Messages were routinely encrypted on the Enigma machine before being transmitted via radio.
Meanwhile, in Bletchley Park, teams of British cryptanalysts read the traffic - not every message, not instantly, but they gather sufficient intelligence to infer plans and movements. The German commanders continue to make decisions based on a false sense of security, unaware that their enemies are already seeing the battlefield differently.

Heretic

“The genie is out of the bottle. Things that look like sci-fi are no longer sci-fi and we need as a society to prepare accordingly.” Alice AI chief executive and co-founder Noam Schwartz.
In May 2026, the Financial Times published a report based on a collaboration with the AI Safety group Alice . Using a GitHub repo - ironically called Heretic - to remove or bypass guardrails on some of the most widely used open-weight AI models, including Meta’s Llama 3.3 in under ten minutes. With the guardrails removed, the models provided answers which would have previously been declined, such as Google’s open-source Gemma 3 which responded to prompts:
‘…how to disperse chlorine gas through a crowded indoor space, generated code to steal credit card information and wrote stories describing child sexual abuse.’ - Financial Times
Heretic is a warning, but not the one most people took from it. The story was read primarily as a safety problem, which it certainly is. Open models can be uncensored. The deeper lesson, however, is about value.
If a journalist can do this much with weights that were given away, there are actors willing to invest more than a few lines of code to reach these weights and those unreleased in labs. Advanced persistent threats (APTs) - patient, well-resourced state-sponsored threat actors - have spent decades taking what others assume is secure. Model safety is our Enigma: the wrong layer, defended with total confidence.

The Strategic Prize

Model weights are uniquely valuable as espionage targets. For nation-states, they bypass the cost, time, and talent required for training, and critically, they offer the ability to weaponise at scale: surveillance, weapons development, bioterrorism applications stripped of their guardrails. This is what makes weights strategically different: an adversary doesn’t learn what you know, they acquire what you can do. They can run it, fine-tune it, and strip its safety controls over time.
The threat actors and methods are familiar: external intrusion, supply-chain compromise, and insiders with legitimate access.
This is not speculative. The known attack surface, spanning pathways from opportunists to nation-state operators, has already been mapped.
A stolen database is information: stolen weights are capability.

The Routes to Capability

In 2024, RAND catalogued and mapped the ways an attacker could reach a set of model weights. The research identified thirty-eight attack vectors, grouped into nine distinct categories, scaled by the resources required. Scale is important, as the research included everything from an opportunist with a stolen laptop, to the operational heft only a nation-state could run.
Anthropic has assessed with high confidence a state-sponsored espionage operation (2025) . Namely, a Chinese state-sponsored group, which manipulated Claude Code to attempt to infiltrate roughly thirty targets - including major tech companies, financial institutions , and government agencies.
Treated as routine infosec rather than a named nation-state objective, the threat stays mis-ranked, and the gap between concern and action is wider than anyone should be comfortable with.
Subscribe

The Translation Payoff

Model security looks different through cyber threat intelligence than it does through traditional cybersecurity, and both domains are still evolving. The key distinction, however, remains stable: it is not perimeter defence, but the movement of strategic capability.
A stolen model is not a breach in the conventional sense. It compresses time and investment into something instantly reproducible in a new environment, delivering disproportionate capability - detached from the constraints that produced it.
Frameworks used in CTI practice, including those developed by MITRE Corporation and NIST , prioritise adversary intent and operational effect alongside compromise. The decisive variable is not access, but what access enables once persistence is achieved. As replication outruns attribution and containment, what were once background risks - insider exposure, long-dwell compromise, and pre-positioned access - move to primary pathways.

Resolving an Enigma

Enigma did not fail because it was understood to be breakable, but because it was interrogated until it broke.
The same structure applies here, except the lag is shorter and less visible.
The uncomfortable reality is that none of this depends on future capability. The pathways exist in known infrastructure, and the incentives are already in place. The question is what gives first: control, or the assumption that it still holds.
Like this project

Posted Jul 1, 2026

Analysis of how stolen model weights change the espionage landscape and the strategic risks posed by open or leaked AI models.