Three companies that compete on everything just agreed to cooperate on one thing: stopping Chinese AI labs from copying their models.

OpenAI, Anthropic, and Google are now sharing adversarial distillation data through the Frontier Model Forum, the nonprofit they co-founded with Microsoft in 2023. The arrangement, reported by Bloomberg on April 6, is designed to detect and counter systematic attempts by Chinese labs to extract proprietary model capabilities through automated querying at scale.

That they had to team up at all tells you how badly individual efforts have failed. This is not a fresh initiative. It is an escalation. Each company tried to solve this problem alone. None of them could.

The Bloomberg report describes a coordinated data-sharing arrangement. The three companies will pool information on adversarial distillation attacks, including detection signatures, access patterns, and account behaviour linked to suspected Chinese operations, through the Frontier Model Forum's existing infrastructure.

Anthropic has been the most specific about what it found. In February testimony and subsequent disclosures, the company documented 16 million unauthorised exchanges across thousands of fraudulent accounts. It named three Chinese labs directly: DeepSeek, Moonshot, and Minimax.

US officials have told multiple outlets that the estimated annual losses from adversarial distillation run into the billions of dollars. The labs being targeted have spent tens of billions building frontier models. The labs doing the copying have spent a fraction of that.

The Frontier Model Forum was originally created to coordinate on AI safety research. Repurposing it as an intelligence-sharing mechanism for IP protection is a significant shift in its mission.

The alliance did not come out of nowhere. It came after six separate approaches failed to stop the problem. Each one had a specific, identifiable weakness.

Terms of service bans. Both OpenAI and Anthropic explicitly prohibit competitive distillation in their terms of service. DeepSeek, Moonshot, and Minimax ignored them. No litigation was filed. Legal analysis from Winston & Strawn highlights the core issue: enforcing US contractual terms against Chinese companies operating outside US jurisdiction is effectively impossible. A ToS ban without a credible enforcement threat is just a sign on the wall.

Geographic access blocks. OpenAI blocks API access from China. It did not work. Rest of World reported that Chinese labs circumvented the restrictions through obfuscated third-party routers and fake accounts registered in other jurisdictions. The blocks added friction. They did not add security.

Account detection and banning. Anthropic documented the 16 million exchanges and banned the fraudulent accounts. New ones appeared. Thousands of them. The detection capability was impressive. The deterrence value was zero. Banning accounts that cost almost nothing to create is a game you cannot win through volume.

Watermarking and fingerprinting. The technical community pinned a lot of hope on this one. If you could embed invisible markers in model outputs, you could prove copying forensically. It has not held up. Research presented at IEEE SaTML 2026 from the University of Edinburgh found that AI fingerprints were removed in more than 80 percent of tested cases. Watermarks were forged in half the systems evaluated. The Foundation for Defense of Democracies analysis notes that distillation techniques are specifically designed to strip provenance signals. The forensic tools are not keeping pace.

Congressional testimony. OpenAI warned Congress in February 2026 that DeepSeek was "state-controlled" and that adversarial distillation posed a national security risk. Congress listened. Congress did nothing. No legislation followed. The IAPS policy paper specifically called for targeted government intervention. None materialised.

Lobbying for government bans. OpenAI went further and called for outright bans on PRC-produced models. No regulatory action followed. The political appetite for a blanket ban on Chinese AI models, while trade tensions were already elevated, simply was not there.

Six approaches. Six failures. The alliance is attempt number seven.

For readers less familiar with the technique: distillation is a training method where a smaller "student" model learns by studying the outputs of a larger "teacher" model. It is a legitimate technique. Google invented it.

What makes adversarial distillation different is scale and intent. Instead of a researcher running a few thousand queries to compress their own model, the attacker runs millions of automated queries through fraudulent accounts, harvests the outputs, and uses them to train a competing model at a fraction of the cost.

DeepSeek's R1 reasoning model, released in 2025, is what triggered the current scrutiny. Reports indicated that DeepSeek built R1 for roughly $5.6 million. The US labs whose outputs it allegedly trained on spent billions developing their frontier models. The economics are stark. If copying is cheap enough, the incentive to copy overwhelms the incentive to innovate.

Here is the thing. This is not just an AI intellectual property story. It is a supply chain security story that extends directly into payments.

These frontier models are the engines powering agentic commerce. Visa's Trusted Agent Protocol, Mastercard's Agent Pay, Stripe's agent toolkit. All of them assume the underlying AI model is legitimate, tested, and operating within known safety parameters.

A distilled clone does not carry those guarantees. The safety controls, the alignment training, the guardrails that prevent a model from authorising transactions it should not, those layers are the first things stripped in adversarial distillation. The attacker wants the capability. They do not want the constraints.

Every agent-initiated payment running on a cloned model inherits whatever security gaps the clone carries. The trust frameworks that Visa and Mastercard have built assume a known, auditable model at the base of the stack. If the model is a stripped-down copy of unknown provenance, the entire chain of trust from model layer to payment layer is compromised.

The payment networks have not yet addressed this risk publicly. They should.

Sharing data is better than acting alone. Pooling detection signatures across three of the four largest frontier labs gives each company a broader view of attack patterns. That is genuine progress.

But this is voluntary cooperation through a nonprofit with no legal enforcement power. The Frontier Model Forum cannot sanction anyone. It cannot compel disclosure. It cannot reach across borders. China's Global Times has already characterised the alliance as "driven by anxiety" rather than legitimate IP protection, framing it as protectionism.

The fundamental problem remains unchanged. Detection without enforcement does not change incentives. If a Chinese lab knows its fraudulent accounts will be detected and banned, but new accounts cost almost nothing to create and no legal consequences follow, the rational move is to keep going.

The IAPS research paper made the case for targeted government intervention: export controls on model access, diplomatic engagement on IP norms, and coordinated action through existing trade frameworks. The alliance does none of those things. It is an industry workaround for a problem that probably requires a government solution.

If detection without enforcement does not change incentives, what exactly has to change before attempt number eight?