Distillation Just Became a Foreign Policy Problem

For the last year, distillation has lived in an awkward middle space. Researchers argued about whether training a smaller model on a bigger model's outputs counted as legitimate technique, sketchy borrowing, or outright theft. Companies hinted at it without naming names. The whole thing felt academic.

That ended this week.

According to Reuters, the U.S. State Department sent a diplomatic cable globally directing American posts to warn foreign counterparts about "concerns over adversaries' extraction and distillation of U.S. A.I. models." The cable named DeepSeek, Moonshot AI, and MiniMax. A separate demarche went to Beijing.

The accusation itself did not surprise me. The State Department doing it, on cables, to allied governments, in the same week the White House was airing similar charges, did. Distillation stopped being a technical complaint between labs and turned into a foreign policy posture.

What the cable actually says

The substantive argument, per Reuters, is that distillation lets foreign actors stand up models that look comparable on benchmarks for a small fraction of training cost but do not match full system performance. The exact language from the cable:

"AI models developed from surreptitious, unauthorized distillation campaigns enable foreign actors to release products that appear to perform comparably on select benchmarks at a fraction of the cost but do not replicate the full performance of the original system."

There is a quieter claim in the cable that I think matters more than the benchmark argument. The U.S. is also alleging that copied models can have safety protocols and truth-seeking mechanisms stripped out during distillation. If that framing sticks, the next phase of AI policy fights is not about who built what. It is about whether a deployed model still carries the guardrails of the original.

Beijing rejected all of it. China's response, quoted in Reuters, called the accusations "groundless and ... deliberate attacks on China's development and progress in the AI industry."

The DeepSeek V4 timing

Same day the cable went out, DeepSeek dropped a V4 preview adapted for Huawei chips. I want to be careful here, because the reporting does not give us hard performance numbers and I am not going to pretend I have benchmarks I do not have. But the optics are loud. American diplomats are being told to warn allies about Chinese model copying, and the company at the center of the warning ships a new model running on domestic silicon the same afternoon.

You can read that timing two ways. Either DeepSeek is rubbing it in, or this is what an independent Chinese AI stack looks like once it stops needing American hardware. Probably some of both.

How we got here in eight weeks

OpenAI flagged this exact concern back in February when it told U.S. lawmakers that DeepSeek was targeting leading American AI firms for replication. At the time it read like a single company protecting its outputs.

Eight weeks later, the same accusation is wearing a State Department letterhead and going to embassies.

That progression is the actual story. Model output extraction used to be a terms-of-service problem. Then it became a competitive complaint between labs. Now the U.S. government is treating it as adversarial IP exfiltration and asking allies to pick a side.

The Reuters story notes the cable lands a few weeks before a Trump-Xi meeting in Beijing. I would not assume sanctions or formal enforcement are imminent. The reporting describes the cable as setting groundwork for follow-up, not as the follow-up itself. But quiet diplomacy this is not.

What builders should actually do

If you ship a closed model and your business depends on the gap between what you sell and what someone can clone from your outputs, the threat model just got reclassified. You are no longer defending against scrapers. You are defending against actors that one of your largest customers, the U.S. government, is now publicly naming.

A few things worth thinking about:

• Output rate limiting and pattern detection are not optional. They are part of your IP posture.
• If you sell into regulated sectors, expect "have you been distilled" to start showing up in security questionnaires.
• For anyone using Chinese models in product, that is a procurement decision you will be asked about now. It used to be a tech decision.

The part I keep getting stuck on

I do not think anyone has the line right between "training on outputs" and "stealing IP." The technique is too new, the law has not caught up, and most of what we call distillation today happens on data that was scraped from somewhere else first.

The line is being drawn anyway. Once you put it in a cable, it stops being theoretical. Allied governments will respond. Procurement rules will move. The labs in the middle of all this, on both sides, will end up operating inside whatever framework gets written, whether or not that framework reflects how the technology actually works.

That is the part to watch.