On June 25, 2026, the White House Office of the National Cyber Director and the Office of Science and Technology Policy jointly asked OpenAI to stagger the release of GPT-5.6. Approximately 20 organizations received access in the initial wave. Broader access was described as coming in the weeks following. The request was framed as a precautionary measure tied to the model's assessed offensive cyber capability.
In the same week, Anthropic withdrew its Mythos and Fable models from broader availability under comparable pressure. Together, these two actions mark the first time US government intervention has restricted access to frontier AI models based on their assessed dual-use offensive potential rather than on compute thresholds, hardware export rules, or training data controls.
The Anthropic precedent
Anthropic's Mythos model is significant beyond its capability profile. Its withdrawal represents the first instance where a model was restricted specifically because of offensive cyber utility, not because of raw compute size or geographic export risk. Export controls on chips are calibrated to FLOP thresholds and destination countries. Anthropic's withdrawal establishes a parallel track: a model can now be restricted based on what it can do to a network, regardless of where it runs.
The dual-use gap that existed a year ago, where a model was either a defender tool or an export risk but rarely both in the same regulatory conversation, has collapsed. Security teams that evaluated AI vendors purely on feature sets and data handling now need to add a third dimension: what is the regulatory status of this model's capability tier?
What this means for GPT-5.6 and the defenders trying to use it
The roughly 20 organizations approved for early GPT-5.6 access are primarily defense contractors, national laboratories, and a small number of large financial institutions with established government relationships. Most enterprise security teams, including the majority of MSSPs, government contractors below a certain clearance tier, and virtually all mid-market organizations, are in the waiting queue. OpenAI issued a public statement noting the stagger was voluntary and that broader access would follow quickly, but gave no binding timeline.
For defenders, the immediate consequence is a capability gap. If the security teams defending critical infrastructure lack access to the same model tier as the attackers who can access equivalent capability through other means, the asymmetry widens. Defenders using GPT-4.5 and attackers with access to models at the GPT-5.6 capability level is not a hypothetical for the length of the stagger window.
The unstable logic
The restriction applies to US-based frontier labs. DeepSeek V4-Pro, which benchmarks within a narrow margin of GPT-5.6 on several red-team offensive cyber evaluations, is available at $0.44 per million tokens with no access controls, no gating, and no export review. A nation-state actor or a well-funded criminal group does not need to wait for OpenAI's stagger window to close.
This is not an argument against the gating policy. It is a constraint that security teams should incorporate into their planning. Regulatory risk is now a vendor evaluation criterion for AI tools at the same level as uptime SLAs and data residency requirements. If a capability tier is restricted today, it may be unavailable for longer than the announced window, and the model you selected for a detection use case could become inaccessible with limited notice. Track your AI capability dependencies and assign regulatory risk ratings alongside operational ones.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you are evaluating AI model governance or assessing the security implications of frontier AI restrictions.