Position: AI Security Policy Should Target Systems, Not Models

Researchers demonstrate that swarm attacks using small, coordinated LLM agents can achieve significant safety bypasses and vulnerability discovery on frontier AI models using only commodity hardware and open-source models. The findings suggest that restricting model access provides limited security benefit when system-level coordination techniques can replicate restricted capabilities at near-zero cost.

The swarm-attack framework challenges prevailing assumptions about AI safety through model restriction. By coordinating five 1.2 billion parameter models through shared memory and evolutionary optimization, researchers achieved a 45.8% effective harm rate against GPT-4o while recovering all nine planted vulnerabilities in a C application within minutes on consumer hardware. This directly undermines Anthropic's decision to restrict access to Mythos Preview based on capability containment, revealing that the architecture enabling harmful behavior resides in system design rather than model weights alone.

The research extends a growing body of evidence questioning whether model size correlates with capability gatekeeping effectiveness. Previous work demonstrated jailbreak techniques scaling across model families, but this study systematically shows that coordination mechanisms—not individual model sophistication—drive dangerous capability emergence. The 40% technical success rate against Claude Sonnet-4 paired with zero effective harm indicates that safety training remains more robust than capability restriction, though the framework's flexibility suggests future iterations could overcome this gap.

For the AI safety and security community, these findings suggest policy should prioritize system-level safeguards and monitoring over access restrictions. This has immediate implications for regulatory approaches: restrictions targeting model weights provide false confidence while research institutions and potentially malicious actors can reconstruct capabilities through orchestration techniques. The near-zero marginal cost of experimentation using open models means that determined actors face minimal barriers to discovering vulnerabilities or executing jailbreaks. Industry stakeholders must shift from containment-focused strategies toward robust detection, monitoring, and post-deployment safety measures that remain effective regardless of architectural innovation.

• →Swarm-attack coordination achieves 45.8% effective harm rate against GPT-4o using only small open-source models and commodity hardware
• →System-level architecture and coordination mechanisms, not model size alone, enable frontier AI capabilities that motivated restricted model releases
• →Model access restrictions provide limited security benefit when capability emergence is reproducible through agent coordination techniques
• →Current AI safety training remains more effective than capability gatekeeping, as evidenced by zero harm rate against Claude despite 40% technical success
• →Future AI security policy should prioritize post-deployment monitoring and detection over access-based containment strategies