White House Memo Targets ‘Adversarial Distillation’ of U.S. AI Models

The White House Office of Science and Technology Policy (OSTP) released NSTM-4, “Adversarial Distillation of American AI Models,” on April 23, 2026, accusing foreign entities — primarily in China — of running “deliberate, industrial-scale campaigns” to copy U.S. frontier AI systems. The memo, signed by OSTP Director Michael Kratsios, directs federal agencies to share intelligence with AI companies, co-develop defensive best practices, and explore ways to hold foreign actors accountable.
What the Memo Says
The four-page memorandum describes a tactic the administration calls “adversarial distillation”: a process in which a distiller feeds thousands or millions of carefully constructed queries to a frontier AI model, collects the responses, and uses those responses to train a cheaper rival model. According to the memo, foreign entities are using “tens of thousands of proxies and jailbreaking techniques in coordinated campaigns” to do this at scale against leading U.S. systems.
Kratsios framed the practice bluntly in public remarks: “There is nothing innovative about systematically extracting and copying the innovations of American industry.” The memo notes, however, that “models developed from surreptitious, unauthorized distillation campaigns like this do not replicate the full performance of the original” — a technical caveat that matters for how the policy is likely to be enforced.
The Evidence Behind the Memo
The OSTP action builds directly on a February 2026 disclosure from Anthropic, which reported that three Chinese labs — DeepSeek, Moonshot AI, and MiniMax — ran extraction campaigns against its Claude models using roughly 24,000 fraudulent accounts and more than 16 million exchanges. Per Anthropic’s breakdown:
- MiniMax — more than 13 million exchanges with Claude
- Moonshot AI — over 3.4 million exchanges, focused on reasoning, tool use, and coding
- DeepSeek — more than 150,000 exchanges, concentrated on logic and alignment
Those figures — not the memo itself — do the rhetorical heavy lifting. The memo generalizes the Anthropic findings into a government-wide posture and signals that future enforcement actions (sanctions, export controls, entity-list additions) could follow.
The Open-Weights Question
The memo does not restrict open-weight releases outright, but its framing puts pressure on the ecosystem. The administration argues that distillation attacks can also “remove security safeguards and other controls” from extracted behavior — language that maps directly onto debates over whether open models accelerate proliferation of capabilities the U.S. would rather keep gated.
Enforcement is the hard part, as outside analysts have quickly pointed out. Distillation “occurs over the internet, through API calls that can be routed through any jurisdiction,” and the legal status of model outputs — whether harvested completions qualify as trade secrets under existing IP frameworks — remains unsettled. A companion bill in Congress, H.R. 8283 (the Deterring American AI Model Theft Act, introduced April 15, 2026), attempts to address some of this by creating new civil remedies, but has not yet moved.
The memo also arrives three weeks before a scheduled Trump–Xi summit on May 14, 2026, positioning AI distillation alongside the existing $2.5 billion Nvidia chip-smuggling case as a live U.S.–China technology policy issue.
What This Means
For the open-source AI community, NSTM-4 is a shot across the bow rather than an immediate rule change. No new export controls, entity listings, or API-access restrictions were announced. But the memo formalizes a narrative — that large-scale API querying of frontier labs is a national-security concern — and that narrative is what typically precedes concrete controls. Expect U.S. frontier labs to tighten rate limits, step up enforcement against proxy accounts, and harden terms-of-service language in the coming months, and expect the open-weights debate to get louder.
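The campaign pattern the memo describes (many accounts reusing carefully constructed query templates) and the proxy-account enforcement the article expects are the provider-side detection problem. The following is an added illustration, not code from the memo, Anthropic, or any lab: it collapses prompts to templates and flags templates shared by several distinct accounts. The log format, the account IDs and the thresholds are assumptions.

```python
"""Flag clusters of API accounts whose traffic looks like a coordinated
extraction campaign: many accounts reusing the same prompt template.
The log records below are constructed for illustration only."""
import re
from collections import defaultdict

# Constructed sample of API request logs: (account_id, prompt).
LOGS = [
    ("acct-101", "Solve step by step: 17 * 23"),
    ("acct-101", "Solve step by step: 41 * 19"),
    ("acct-102", "Solve step by step: 88 * 12"),
    ("acct-103", "Solve step by step: 5 * 7"),
    ("acct-104", "Solve step by step: 9 * 9"),
    ("acct-200", "Write a haiku about autumn"),
    ("acct-201", "What is the capital of France?"),
]

def template(prompt: str) -> str:
    """Collapse numbers and quoted literals so prompts that differ only
    in filled-in values map to one template string."""
    t = re.sub(r"\d+", "<num>", prompt)
    t = re.sub(r"(['\"]).*?\1", "<str>", t)
    return t.strip().lower()

def find_campaign_clusters(logs, min_accounts=3, min_requests=4):
    """Group requests by prompt template and return the templates used by
    at least min_accounts distinct accounts with min_requests total calls.
    Thresholds are assumed values; tune them against real traffic."""
    by_template = defaultdict(lambda: defaultdict(int))
    for account, prompt in logs:
        by_template[template(prompt)][account] += 1
    flagged = {}
    for tmpl, accounts in by_template.items():
        total = sum(accounts.values())
        if len(accounts) >= min_accounts and total >= min_requests:
            flagged[tmpl] = {"accounts": sorted(accounts), "requests": total}
    return flagged

if __name__ == "__main__":
    for tmpl, info in find_campaign_clusters(LOGS).items():
        print(f"{info['requests']} requests from "
              f"{len(info['accounts'])} accounts share template: {tmpl}")
```

Per-account rate limits alone would miss this traffic, since each account stays low-volume; the signal is the template shared across accounts.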
Related Coverage
- Anthropic Exposes Industrial-Scale Distillation Attacks by DeepSeek, Moonshot, and MiniMax — the February 2026 disclosure that provided the evidentiary base for the OSTP memo.
- Apple’s Simple Self-Distillation Boosts Code Generation by 30% — a benign use of distillation (a model improving on its own outputs), useful context for how broad the term is.
- Nvidia Introduces Lower-Cost Blackwell AI Chip for China Amid Export Restrictions — the hardware-side parallel to the current software-export conversation.