Getting frontier access
Frontier AI is becoming ever more powerful. AI Security Institutes are best positioned to secure European governments’ reliable access.
Here are some ways the American government is using frontier AI:
Cyber offense: Anthropic’s Mythos, an AI model that has already identified 10,000 high-risk cyber vulnerabilities, is used by the National Security Agency (NSA) to conduct cyberattacks.
Cyber defense: The US government is using the same AI model to identify and patch vulnerabilities within its own systems.
Warfare: Frontier models are integrated into Palantir’s Project Maven and were used for target prioritization in the US airstrike campaign on Iran.
Last week, the White House ordered all national-security agencies to accelerate AI adoption further. Already, new AI models are available to the Department of Defense upon release, and, as per DoD, half of its staff (more than 1 million people) use AI systems in their work.
What about Europe? There is no public record of any European military or security agency using frontier AI in its operations. The French government intends to adopt AI—but the models used would be Mistral’s systems, not OpenAI’s or Anthropic’s.
European AI systems are less capable than American frontier models. Using them might be acceptable for writing emails or reviewing planning applications. But in competitive domains, relative ability makes all the difference: a small but persistent edge between rivals in territorial conflict or cyber warfare will ultimately tilt the balance toward the stronger side. Just imagine you had to improve a server’s security setup with the two-year-old GPT-4o, while your adversary could prod the server using Mythos.
Right now, many still argue we should rely on lagging European models for sovereignty’s sake. But this is quickly becoming untenable. Soon enough, using laggard AI systems will be equivalent to staffing our governments with middling interns, while America and China deploy millions of ever-improving AI agents across their militaries and security services.
Incorporating American frontier AI systems across Europe’s security agencies and militaries will be complex, bureaucratic, and politically fraught. Yet the institutions that could liaise between European governments and American frontier companies are currently being set up—just yesterday, Germany’s National Security Council announced it would launch an AI Security Institute. Making sure these institutes can secure frontier AI access for their governments is getting more important by the day.
The final procurement policy
Over the past year, prominent European institutions have floated the idea of requiring governments to procure European AI systems. Arthur Mensch, the CEO of Mistral, recently argued for such mandates. Similarly, the Commission’s Apply AI Strategy calls for adopting European AI systems in public administrations.
Going through with these proposals would see European governments opt for worse, more expensive models instead of better, cheaper alternatives: Mistral’s Medium 3.5 performs worse than GPT-5.4 nano, while costing fourteen times as much. The revenue thus generated will not be enough to allow European companies to become competitive: large European governments spend around $5 billion per year on IT1. If three such governments together paid Mistral $3 billion a year for model access, the resulting revenue would represent six percent of Anthropic’s annual revenues.
Procurement mandates are bad industrial policy. But they might prove far worse than simply wasting public monies: they would prevent European governments from using frontier AI systems for cyber defense, while others are free to use frontier AI systems to scour our governments’ systems for vulnerabilities.
Since OpenAI and Anthropic launched their cyber defense programs, they’ve discovered thousands of software vulnerabilities. Even among applications that are deemed highly secure, vulnerabilities were flagged that escaped humans for years, including in the operating systems of Apple, and in the open-source OpenBSD (commonly used for running critical infrastructure). It is fair to assume that many European government systems are nowhere near as well secured as the systems of Apple, a company that can pay cybersecurity professionals hundreds of thousands of dollars per year, and OpenBSD, whose code is publicly available and has been pored over by thousands of people.
Now, some European institutions are actually using American AI systems. But, based on private conversations, both their usage policies and the models in use are inadequate.
The EU Commission was still using GPT-4o late last year, well after Claude Opus 4.5 was available, and has only recently moved to GPT-5.1. Closed-source models like GPT-5.1, however, cannot be used on private materials, so staff must rely on open-weight models instead. But again, rather than using reasonably good Chinese models, they are served outdated Llama models hosted on Commission services.
To informed citizens, the EU’s AI use policies should be unnerving. But aside from the performance hit the Commission is taking, interacting with outdated models also makes staff blind to the sheer ability of AI models. Using Anthropic’s latest AI model, Fable, in a coding harness is vastly more impressive than Llama writing mediocre emails, and makes you much more inclined to take cybersecurity risks seriously.
AI Security Institutes could prove central to European frontier access
European AI policy discourse is only slowly taking security issues more seriously. But I think this might change very soon. Prompted by the Mythos release, more governments are studying AI’s security risks. Most importantly, they are launching AI Security Institutes, as the German government did on June 8.
One of the shortest paths to frontier AI adoption in European governments goes through such institutes, both because they engage directly with frontier companies, and because they are (ideally) staffed by individuals who understand frontier AI well. But for such institutes to perform well, they need to be set up well. In thinking about how to do this, we can learn from the world’s most performant such institute: UK AISI. They played a large role in publicizing Mythos’ cybersecurity potential, and can be a template for other nations.
What will matter most for attracting top AI experts into government is pay, mission focus, and fast, flexible hiring. UK AISI has done this reasonably well—they can pay more than the UK government usually would and are free to employ non-UK nationals. Germany should follow this model. It can also learn from the setup of SPRIND, Germany’s ARPA equivalent, which was given more flexible hiring and financing rules through a SPRIND-specific law. A more cautionary example is the EU’s AI Office. While staffed with some excellent mission-driven people, its pay scales are rigid, and months-long hiring processes make it hard to routinely attract top talent. It also follows the same type of country-proportionate hiring that degrades the effectiveness of many other parts of the Commission.
If Germany’s AI Security Institute and similar organizations are modeled after UK AISI, being staffed with individuals who are competent and aware of AI’s direction of travel, they could play a key role in establishing long-run relationships with frontier AI companies. Once such relationships are established, they could provide their respective governments’ security agencies and militaries with reliable, secure frontier AI access.
How to deploy frontier AI without surrendering sovereignty
Now, I understand why European governments would be wary of using American AI systems, given how unreliable the United States has become. But there are ways to integrate AI into our governments that would minimize downsides, while giving us the large benefits of using the world’s best AI systems.
For general public service use, governments should simply act like any other market participant: purchasing different AI systems and thus reducing the dependency on any one specific company. There are European companies like Langdock that allow users to access many different AI systems through one portal, even ensuring European hosting of some AI systems. At the same time, having parallel bespoke agreements to host compute for public sector AI is commendable—the OpenAI for Germany program is one such example.
For national security use, I expect we want solutions that are even more secure, just like the American government wants compute reserved for national security applications. Comparing artificial intelligence to prior dual-use technologies is somewhat treacherous, given how different AI is. But we can still learn from how the West shared dual-use technologies among Allies in the past.
One example is the United Kingdom’s Trident program. Under it, the UK has full control over its own nuclear weapons, though it requires the United States for maintenance. Similarly, American frontier companies could work with AISIs to provide individual European governments with secure frontier access, using air-gapped, domestic AI clusters that run the same AI models accessed by the United States government.
Such models would require frequent updating. But even if updates happened a couple weeks after model release, this would be vastly preferable to relying on systems that lag the frontier by a year or more.
There are surely better mechanisms than the one I briefly sketched here. But almost anything beats the status quo: in competitive domains, laggard systems are entirely inadequate. AI Security Institutes are best positioned to make their governments understand this. And while the subsequent work of providing European governments with secure frontier AI access will be hard, it will prove crucial to maintaining Europe’s security.
Germany’s federal IT spending was around €4 billion per year according to the Bundesrechnungshof; the French state spends roughly €10 billion annually on IT, of which a minority goes to software and cloud services; Italy’s public administration spent around €6 billion on ICT in 2024.