The debate over open weights vs. API-only access is at the heart of AI regulation. Proponents of closed source argue it prevents bad actors from misusing powerful models. Open source advocates argue that "security through obscurity" is a failed strategy.

This article analyzes historical parallels in cybersecurity, where open source software eventually became the standard for secure infrastructure because "given enough eyeballs, all bugs are shallow."

Closed models are not immune to attacks. Prompt injection and jailbreaking work effectively on API-protected models. The difference is that with open weights, defenders can analyze the failure modes directly.

Ultimately, we argue that a hybrid approach—controlled release for frontier models, open release for established architectures—may be the only viable path forward.