The Open-Weight Paradox: Why Restricting Access to AI Models May Undermine the Safety It Seeks to Protect

TL;DR

This paper argues that restricting access to open-weight AI models may increase risks and proposes hardware-layer governance and multilateral institutions as safer alternatives to binary openness restrictions.

Contribution

It challenges the binary framing of AI model openness versus restriction and introduces hardware-layer governance and a multilateral approach as novel solutions.

Findings

Restrictions may displace risks rather than reduce them.

Hardware-layer safeguards like chip attestation can enhance safety.

A multilateral institutional framework is needed for effective governance.

Abstract

The governance of open-weight artificial intelligence (AI) models has been framed as a binary choice: openness as risk, restriction as safety. This paper challenges that framing, arguing that access restrictions, without governed alternatives, may displace risks rather than reduce them. The global concentration of compute infrastructure makes open-weight models one of the most viable pathways to sovereign AI capacity in the Global South; restricting such access deepens asymmetries while driving proliferation into unsupervised settings. This analysis proposes that hardware-layer governance, including chip-level attestation mechanisms such as FlexHEG, trusted execution environments, confidential computing, and complementary software-layer safeguards, offers a defense-in-depth alternative to the current binary. A threat model taxonomy mapping misuse vectors to hardware, software, institutional, and liability layers illustrates why no single governance mechanism suffices. To operationalize this approach, the paper argues that effective AI governance as a dual-use technology will likely require a multilateral institutional architecture functionally analogous, though not identical, to the role performed by the IAEA in the nuclear domain, with explicit safeguards against the co-option of hardware controls for domestic repression. The relevant policy question is how to make openness safer through technical and institutional design while addressing the transition realities of legacy hardware, attestation at scale, and civil liberties protection.