In April, the White House and the U.S. House Foreign Affairs Committee (HFAC) took steps toward a government response to Chinese adversarial distillation of U.S. frontier AI models. On April 22, HFAC advanced the Deterring American AI Model Theft Act of 2026 (DAAMTA), which would mandate assessments of model extraction attacks, create a public list of responsible entities, and authorize sanctions against them. The following day, the Office of Science and Technology Policy (OSTP) released NSTM-4, a memorandum signed by Director Michael Kratsios. According to the memo, the U.S. government has information indicating that foreign entities principally based in China are engaged in “deliberate, industrial-scale campaigns to distill U.S. frontier AI systems.” The memo commits the administration to information sharing, defensive coordination, developing best practices, and consideration of accountability measures.
As I have previously written, recent disclosures by OpenAI, Anthropic, and Google have revealed industrial-scale efforts to extract capabilities from leading U.S. frontier models, including campaigns involving Chinese AI laboratories such as DeepSeek, Moonshot AI, and MiniMax. These extracted capabilities risk cascading through the Chinese AI ecosystem and into Chinese military and intelligence systems through Beijing’s military-civil fusion strategy. I argued that the U.S. government should respond with a phased escalation strategy, beginning with Entity List designation of the responsible laboratories and building toward a purpose-built sanctions program under the International Emergency Economic Powers Act (IEEPA) with intermediate tools. Private defenses alone cannot change the incentive structure for Chinese AI labs, which reap substantial benefits and incur minimal costs from these campaigns. Only U.S. government action can impose costs at the scale needed to change this calculus.
The April developments build on that argument. While they do not yet impose costs, they lay the groundwork for doing so. DAAMTA would create an assessment and reporting process. Together, the OSTP memo and DAAMTA would support detection and defense and create a path toward deterrence measures. The question is whether that groundwork will produce concrete actions that pressure the Chinese AI labs and their facilitators. This article examines each part and whether it is fit for purpose.
Assessment and Diplomatic Strategy
The bulk of DAAMTA is devoted to assessment. Section 4 would require the executive branch to determine, within 180 days, which entities of concern have conducted extraction attacks against U.S. frontier models and which entities are acting as “fraudulent account network providers.” The assessment must also identify the countries from which these actors operate, document any material assistance from governments of countries of concern, and catalog the methods attackers employ. It must evaluate detection approaches, the economic and national security consequences of the attacks, and the assistance the U.S. government is providing model owners. The bill would further require a diplomatic strategy for engaging allies and partners on detection and prevention. A companion report to Congress must follow 30 days later, with annual updates for three years.
The bill is process-heavy, but that process serves an important function. IEEPA designations and Entity List additions are built on undisclosed evidentiary records, often including classified intelligence, which are legally durable but can be publicly opaque. A report to Congress, paired with the public Attackers List and annual updates, converts part of that internal work into a record that supports oversight and public accountability. It establishes a consistent methodology across cases and produces case-specific findings on the labs’ methods, their facilitator networks, and the role distillation plays in their development pipelines. The role-of-distillation finding is particularly important. The scale and persistence of the campaigns indicate that distillation is valuable to the Chinese AI labs, but the public record does not yet show how central it is to any specific lab’s development pipeline. That granularity would enable the executive branch to calibrate responses to each entity’s conduct, and it undermines casual dismissals—whether from Beijing, Chinese labs, or others—in a debate that has so far been based on corporate disclosures by the targeted labs.
The diplomatic strategy requirement is also important. Proxy accounts and other access facilitators have been central enablers of the campaigns. Disrupting networks of facilitators outside of China will require the U.S. government to engage with foreign allies and partners. But diplomatic strategy should not be limited to allies and partners. Direct signaling to Beijing about the costs of continued distillation campaigns should be part of any serious diplomatic strategy. The OSTP memo serves as the administration’s opening statement on that front, characterizing distillation attacks as “acts of malicious exploitation” and a “threat” to U.S. innovation. Diplomatic engagement is already beginning. On April 24, the State Department reportedly instructed U.S. diplomats to warn foreign counterparts about alleged model extraction by DeepSeek, Moonshot AI, and MiniMax, and sent a formal message to Beijing.
Detection and Defense
Both the OSTP memo and DAAMTA address U.S. government assistance in detecting and defending against adversarial distillation. The OSTP memo commits the administration to sharing information and developing best practices. It will “[s]hare information with U.S. AI companies concerning attempts by foreign actors to conduct unauthorized, industrial-scale distillation, including the tactics employed and actors involved.” It will also “[w]ork together with private industry to develop best practices to identify, mitigate, and remediate industrial-scale distillation activities and build strong defenses against such activities.”
DAAMTA takes a similar approach. Section 4(f) directs the executive branch to establish a voluntary, confidential information-sharing mechanism for model owners to share information with the government. (Presumably, this will be a two-way street in practice, with the government also sharing appropriate information with industry.) Section 4(h) requires the executive branch to publish best practices, and Section 4(c) directs consultation with targeted firms, other companies, academic experts, and industry fora to identify attacker patterns and develop best practices for identification and defense.
Taken together, these provisions map onto a defensive framework familiar from cybersecurity. It combines government-to-industry intelligence sharing, industry-led best practices, and coordinated detection. OSTP also addresses one additional cybersecurity analogue that DAAMTA does not: information sharing among U.S. AI developers themselves to strengthen private-sector defense. The OSTP memo commits the administration to enabling “the private sector to better coordinate against [adversarial distillation] attacks.”
Federal action is needed to reduce the antitrust uncertainty that can inhibit private-sector information sharing. Some coordination has occurred through the Frontier Model Forum—which includes Anthropic, OpenAI, and Google, among others—but Bloomberg reported in April that information sharing on distillation remains limited because of uncertainty over what companies can exchange under existing antitrust guidance.
Defending against distillation is harder when companies cannot share narrow security information with their competitors, such as indicators of compromise, signatures of fraudulent account networks, and evolving attacker techniques in real time. Such collaboration would likely survive rule-of-reason scrutiny under existing antitrust law, but it would require case-by-case analysis, and risk-averse in-house counsel will surely limit the pace and scope of coordination without clearer guidance.
My organization, the Law Reform Institute, recently requested that the Department of Justice (DOJ) and the Federal Trade Commission (FTC) issue guidance on this issue. Ideally, the agencies should issue a joint policy statement analogous to the 2014 Antitrust Policy Statement on Sharing of Cybersecurity Information, confirming that narrowly tailored collaboration on distillation defense and other AI security risks does not raise antitrust concerns. In the 2014 statement, the agencies concluded that they do not believe antitrust “is — or should be — a roadblock to legitimate cybersecurity information sharing.”
Congress then codified and expanded that position in the Cybersecurity Information Sharing Act of 2015 (CISA) (6 U.S.C. § 1503(e)). The same two-step approach should be adopted here: agency guidance as a first measure, followed by a statutory safe harbor for coordination on enumerated AI security risks, to provide durability against future policy changes. Congress could add a statutory safe harbor as part of DAAMTA, or when reauthorizing CISA, which expires on September 30. Without these fixes, in-house counsel’s predictable caution will continue to constrain the coordination the OSTP memo envisions.
Deterrence
DAAMTA’s deterrence provisions sit in Section 5. Subsection (a) directs the Under Secretary of Commerce for Industry and Security, in coordination with the End-User Review Committee, to determine by majority vote whether entities identified through the Section 4 process, and certain majority-owned affiliates, should be added to the Entity List. The affiliate language matters because it anticipates evasion through nominally separate entities. Subsection (b) authorizes (but does not mandate) the executive branch to use IEEPA to block all property and interests in property of identified entities of concern, with standard exceptions for international obligations, humanitarian assistance, and intelligence, law enforcement, and national security activities. Violations are subject to IEEPA’s civil and criminal penalties.
The OSTP memo, for its part, commits the administration to “[e]xplore a range of measures to hold foreign actors accountable for industrial-scale distillation campaigns.” That language is deliberately open-ended, tracking the discretionary nature of DAAMTA’s sanctions authorities. Both texts appear to proceed from the premise that the objective is not just to punish the actors involved in the distillation campaigns, but to encourage them to change their behavior. Measured against that objective, discretion is what generates leverage.
Start with DAAMTA. The proposed Section 5 sanctions authority is permissive, not mandatory. DAAMTA would provide that the President “may” block and prohibit transactions; it does not require it. That discretion is the same structural design embedded in IEEPA itself and in most major U.S. sanctions programs. The President’s ability to defer imposition, condition it on counterparty conduct, or pair it with diplomatic engagement is what generates the leverage in the first place. A mandatory sanctions trigger forecloses all three.
DAAMTA pairs these authorities with a public “AI Model Extraction Attackers List,” an initial report, and recurring assessments. The list itself is an accountability mechanism, regardless of whether sanctions follow. The recurring assessment provides durable oversight. Congress can track which entities the executive branch identifies, whether sanctions follow identification, and whether new attackers are being captured as techniques evolve. The framework creates the conditions for coercive diplomacy. It provides a developed evidentiary record, named counterparties, a credible threat of consequences, and room to bargain.
That bargaining space is important. If Chinese AI laboratories cease their campaigns, abandon their fraudulent account networks, and provide verifiable commitments, the administration retains the option of declining to escalate. If they do not, the authorities are available and the evidentiary predicate will have been built.
That is why the framework being constructed is consistent with, rather than a substitute for, the phased escalation strategy I outlined in my March article. Entity List designation remains available as a first step, as DAAMTA expressly contemplates. IEEPA remains available for a range of intermediate measures and, if necessary, full blocking sanctions against the laboratories themselves and follow-on measures against the commercial proxy operators and other facilitators that have sustained the campaigns.
Skeptics have questioned whether the OSTP memo’s commitment to “explore a range of measures” will translate into action, drawing on the long history of disappointing U.S. responses to Chinese intellectual property theft. That history is a fair warning. But the framework being built creates the conditions for an effective response. The mandated assessment produces evidence and accountability. The detection and defense provisions strengthen private-sector resilience. And the deterrence authorities, properly exercised, make the cost of continued distillation attacks higher than the benefits. The framework is not itself the response. Whether the executive and legislative branches follow through is the question.
Next Steps
DAAMTA is one of a suite of export control-related bills advanced by HFAC that may be added to this year’s defense authorization bill. If included, the bill must still clear the full House, pass the Senate, and be signed by the President. But the executive branch need not wait for it before implementing the OSTP memo commitments. The State Department should implement its allied strategy and engage directly with China. The Commerce and Treasury Departments should consider existing designation tools. Meanwhile, the Cybersecurity and Infrastructure Security Agency and intelligence agencies should work with U.S. AI labs to detect and defend. Finally, DOJ and FTC should address the antitrust uncertainty. Legislative action would regularize and expand that work, but it should not delay it.
Moving quickly, however, does not mean moving carelessly. The implementation path must account for effects on U.S. companies. Industry groups have already raised concerns about DAAMTA’s unintended consequences, particularly the compliance burdens on cloud service providers. Those concerns are legitimate. Entity List designation would impose meaningful screening and diligence burdens on U.S. cloud providers, API intermediaries, and model platforms with commercial ties to listed Chinese AI labs or their affiliates. IEEPA blocking sanctions would reach further. They would affect payments, hosting arrangements, and licensing relationships with blocked entities, and would raise hard questions for U.S. firms that have built products on Chinese open-weight models distributed under permissive licenses. None of this means the authorities should not be used. But it does counsel for using them carefully. The Commerce and Treasury Departments and other implementing agencies would need to design license policies, wind-down periods, and general licenses that minimize unintended disruption.
While these implementation concerns deserve attention, the national security stakes justify urgent action. A recent analysis by the Research Institute for Democracy, Society and Emerging Technology examining the Chinese AI ecosystem argues that extracted capabilities from a small number of laboratories are being adopted by other Chinese labs through published architectural techniques and open-weight releases, producing a secondary diffusion within that ecosystem that entity-based controls cannot easily reach. As I previously argued, this “distillation cascade” continues beyond the commercial sector, as extracted capabilities, stripped of safety and security constraints, flow into Chinese military and intelligence systems. As U.S. frontier models become more advanced and Chinese distillation techniques adapt and expand, the cost of inaction will only grow.
Conclusion
The April actions by OSTP and HFAC do not, by themselves, solve the adversarial distillation problem. They begin to close the gap between diagnosis and design. The executive branch has attributed industrial-scale distillation to foreign entities principally based in China and committed to certain initial steps. HFAC has advanced a bill that defines the conduct, creates a framework for its investigation, and proposes sanctions to respond to it. DAAMTA states plainly that model extraction attacks “represent a threat to the national security and foreign policy interests of the United States” and that the U.S. government “should take steps to identify, punish, and deter” such attacks. The OSTP memo reflects the same diagnosis.
The harder work is still ahead. Defenses must be hardened. Assessments must produce determinations of responsibility. Those determinations must produce deterrence measures, which must be defended against diplomatic pressure and adjusted as attackers adapt. None of this will happen on its own. New and existing authorities will not deter further distillation campaigns until deployed or credibly threatened. The administration and a key congressional committee are now proceeding from the same understanding of the problem and have crafted the beginnings of an executive and legislative framework. Whether that shared diagnosis and design leads to deterrence is the question for the coming months.
