AI Export Controls Fail Their First Real Test: GLM-5.2 Cybersecurity Benchmarks Expose the Gap
Source: TechTimes

Image caption: A mobile phone's screen showing the logo of Chinese AI company Zhipu in Beijing on January 21, 2026. Investor confidence in Chinese AI startups is riding high, but obstacles to their long-term success range from US export controls to the puzzle of how to become profitable. WANG Zhao/Getty Images

Two independent security evaluations published this week delivered a verdict that Washington's export control architects did not want to hear: Zhipu AI's GLM-5.2, a Chinese open-weight model that launched June 13 — one day after the US government banned Claude Fable 5 and Mythos 5 from global access — has matched or approached leading US AI on the exact class of cybersecurity capability that justified the ban. The model is freely downloadable by anyone on Earth, and no export order can reach it.

The finding matters because the enforcement architecture behind the Fable 5 ban was designed for a different era of controlled technology. The Export Administration Regulations were built to track physical items — chips, weapons components, hardware with serial numbers, facilities subject to on-site inspection. A 750-billion-parameter model weight file hosted on Hugging Face has no serial number, no facility, and no provenance chain. The enforcement mechanism that made export controls effective for semiconductors is architecturally inapplicable to AI weights once distributed. That gap is now empirically visible in the benchmark scores.


The Benchmark Findings That Changed the Argument

Semgrep, a security firm that evaluates AI models for vulnerability detection, ran GLM-5.2 against a set of open-source models on its IDOR detection benchmark — the same dataset and prompt it has used to evaluate frontier coding agents. An Insecure Direct Object Reference is an access control flaw in which a web application exposes an internal identifier — a user ID, a database key, a file name — without verifying whether the requesting user is authorized to access it. It has ranked among the most frequently exploited web security vulnerabilities for years and is harder to detect than typical code flaws because it requires recognizing a missing check rather than a dangerous function call.
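To make the "missing check" concrete, here is an added illustration (not code from the article, Semgrep's benchmark, or Z.ai): a minimal in-memory document service with an IDOR-vulnerable read handler beside its hardened form. The store, user ids and document ids are constructed for the example.

```python
# Added illustration (not from the article, Semgrep, or Z.ai): a minimal
# document service with an IDOR-vulnerable handler next to its hardened form.
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    body: str


# Constructed sample data: two users, each owning one document.
DOCS = {
    101: Document(101, owner_id=1, body="alice's quarterly report"),
    102: Document(102, owner_id=2, body="bob's salary spreadsheet"),
}


class Forbidden(Exception):
    """Raised when the caller is not authorised for the requested object."""


def get_document_vulnerable(requesting_user_id: int, doc_id: int) -> Document:
    # IDOR: the handler resolves whatever identifier the client supplied and
    # returns it. Nothing ties doc_id back to requesting_user_id, so any
    # authenticated user can read any document by changing the id. There is
    # no dangerous call to flag here, which is why scanners find this hard.
    return DOCS[doc_id]


def get_document_hardened(requesting_user_id: int, doc_id: int) -> Document:
    # Fix: resolve the object, then verify that the authenticated principal
    # owns it before returning it. The check sits beside the lookup so a
    # reviewer sees it on every read path.
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner_id != requesting_user_id:
        # Same outcome for "missing" and "not yours", so the response does
        # not reveal which ids are valid.
        raise Forbidden(f"user {requesting_user_id} may not read document {doc_id}")
    return doc


def demo() -> tuple:
    """Returns (vulnerable_leaks, hardened_blocks) for user 1 reading doc 102."""
    leaked = get_document_vulnerable(1, 102).owner_id != 1
    try:
        get_document_hardened(1, 102)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())  # (True, True)
```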

GLM-5.2 scored a 39% F1 on IDOR detection, beating Claude Code models, which ranged from 28% to 37% F1 depending on version, at roughly $0.17 per vulnerability found. The model ran in a minimal harness — a bare prompt, no endpoint discovery scaffolding, no guided navigation — while Semgrep's own purpose-built pipeline, running with full endpoint enumeration, scored 53–61% F1. That gap tells the real story: engineering scaffolding around a model matters as much as the model itself. But on a level prompt, an open-weight model with no safety guardrails and no access controls outperformed a flagship US coding agent on a task directly relevant to offensive and defensive cyber operations.

Separately, Graphistry, whose Botsbench evaluation takes unusual care against benchmark confounds including model contamination, sandbox cheating, and vendor bias, found that GLM-5.2 achieved a 28/59 solve rate on agentic cybersecurity investigations. That made it the top open-weight model on the benchmark — and, in Graphistry's assessment, tied the proprietary closed models. The firm noted it was the first time it felt comfortable recommending an open-weight model for a frontier-level cybersecurity experience.

What the Fable 5 Ban Was Supposed to Do

To understand why these benchmark results carry policy weight, it is necessary to recall what the ban was designed to accomplish.

On June 12, at 5:21 PM ET, the US Commerce Department issued an export control directive requiring Anthropic to suspend all access to Claude Fable 5 and Mythos 5 for any foreign national, whether inside or outside the United States. Because Anthropic had no real-time mechanism to verify user nationality, it disabled both models globally. The directive cited a jailbreak technique demonstrated by Amazon researchers, which involved asking the model to read a specific codebase and identify software flaws — a multi-step, manual bypass that Anthropic disputed as narrow and non-universal.

The fuller picture that emerged later was more alarming than the jailbreak alone. During a June 11 Senate Banking Committee hearing, Sen. Mark Warner relayed a private statement from Gen. Joshua Rudd, who leads both the NSA and Cyber Command, indicating that Mythos 5 had identified vulnerabilities in nearly all NSA classified systems in an authorized red-team exercise. A US official later confirmed to the Associated Press that the testing occurred through Project Glasswing — Anthropic's vetted cybersecurity partnership program — and that Mythos identified vulnerabilities within hours, though the official clarified the model did not necessarily exploit them within that time. Under this framing, the concern went beyond any single jailbreak. It was the raw autonomous cybersecurity capability of the Mythos model itself.

That is precisely the class of capability that GLM-5.2 now appears to approximate, without access controls, at a fraction of the cost.

Why Open-Weight Distribution Defeats API-Level Controls

What makes these results geopolitically significant is not the performance numbers alone — it is the distribution mechanism. GLM-5.2 is released as open weights under the MIT license, published on Hugging Face by Z.ai. The MIT license imposes no regional restrictions. Anyone can download, self-host, fine-tune, and commercially deploy the weights without any agreement with Z.ai or any government.

The model's architecture explains its cost advantage: GLM-5.2 is a Mixture-of-Experts system with approximately 750 billion total parameters, but only about 40 billion are active per token during inference. This means the per-token compute cost is closer to that of a much smaller dense model, despite the total weight size. Z.ai reports pricing at roughly one-sixth of comparable frontier models. The full-precision model requires approximately 1.5 terabytes of GPU memory to self-host, but quantized builds released by the open-source community compress it to around 239 gigabytes — runnable on a single high-end workstation.

For security teams working in sensitive environments, the self-hosting option matters: an open-weight model running entirely inside a private network is insulated from the concerns that accompany cloud API deployment. It is also insulated from any export control directive. No Commerce Department letter can un-publish a weight file from Hugging Face, reach the copies already downloaded by researchers and developers worldwide, or prevent someone from running the model on a local machine in any jurisdiction.

The Export Administration Regulations' enforcement mechanisms — end-use monitoring, facility inspections, serial-number tracking, provenance chains — were designed for physical goods and closed software systems. They have no operative analog for a mathematical file distributed globally under an open license. The Fable 5 ban is the first time the US has applied this framework to a commercial AI model. GLM-5.2 is the first empirical proof that the framework's underlying assumption — that controlling one company's API access meaningfully limits a dangerous capability — does not hold when an open-weight alternative exists.


Caveats, Contested Claims, and a Distillation Warning

The case for GLM-5.2 matching Mythos-level cybersecurity capability is real but not airtight.

Semgrep's own authors were explicit: the IDOR test is one dataset, one run, one task. The harness matters more than the model — Semgrep's scaffolded pipeline outperformed GLM-5.2 and Claude Code combined. And at least one prominent voice in the developer community, Vercel and Next.js creator Guillermo Rauch, pushed back on social media against parity claims, noting the circulating figures come from a narrow Semgrep test rather than a head-to-head comparison with the restricted Mythos model itself. On the hardest general reasoning benchmarks, GLM-5.2 still trails Claude Opus 4.8 meaningfully — on SWE-Marathon, for instance, GLM-5.2 scored 13.0 against Opus 4.8's 26.0.

There is also a more unsettling dimension to GLM-5.2's rapid rise. Graphistry's evaluation surfaced an allegation that researchers warned could help explain how the model got there so fast. Using Cohen's kappa, a statistic that measures agreement between two raters beyond what chance alone would produce, Graphistry found that GLM-5.2 agreed with GPT-5.5 at 0.80 and with Opus 4.8 at 0.76. The OpenAI-versus-Anthropic baseline comparison sits at 0.63. Agreement that high on both correct and incorrect answers suggests GLM-5.2 may not have arrived at its outputs independently. Graphistry noted that Anthropic reported months ago that Chinese-origin model companies have been performing distillation attacks, training on the outputs of US models to absorb their capabilities without replicating the underlying training investment. Z.ai did not respond to requests for comment on the allegation.
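The following is an added illustration of the statistic itself, not Graphistry's Botsbench data or code: Cohen's kappa computed over constructed per-task pass/fail records. It goes slightly beyond the paragraph by showing why two models with identical accuracy can still score very differently depending on whether they miss the same tasks, which is the signal the distillation argument rests on.

```python
# Added illustration (constructed data, not Graphistry's Botsbench results):
# Cohen's kappa over two models' per-task pass/fail outcomes, to show why
# sharing the same *failures* moves the statistic where raw accuracy cannot.
from typing import Sequence


def cohens_kappa(a: Sequence[bool], b: Sequence[bool]) -> float:
    """Chance-corrected agreement between two binary raters.

    kappa = (p_o - p_e) / (1 - p_e), where p_o is the observed agreement rate
    and p_e the rate expected if each rater's pass rate were independent.
    """
    if len(a) != len(b) or not a:
        raise ValueError("need two equal-length, non-empty outcome vectors")
    n = len(a)
    p_o = sum(x == y for x, y in zip(a, b)) / n
    pa, pb = sum(a) / n, sum(b) / n
    p_e = pa * pb + (1 - pa) * (1 - pb)
    if p_e == 1.0:  # both raters constant and identical: perfect agreement
        return 1.0
    return (p_o - p_e) / (1 - p_e)


N_TASKS = 20


def outcomes(failed: set) -> list:
    """Pass/fail vector over N_TASKS tasks, True where the model solved the task."""
    return [i not in failed for i in range(N_TASKS)]


# Constructed records: each model solves 14 of 20 tasks, so accuracy alone
# cannot distinguish the two pairings below.
MODEL_X = outcomes({14, 15, 16, 17, 18, 19})
MODEL_Y_SHARED = outcomes({13, 14, 15, 16, 17, 18})  # misses almost exactly X's tasks
MODEL_Y_INDEP = outcomes({0, 1, 2, 14, 15, 16})      # only half its misses overlap X's


def compare() -> dict:
    """kappa for X against a model with shared failures vs one with independent ones."""
    return {
        "shared_failures": round(cohens_kappa(MODEL_X, MODEL_Y_SHARED), 3),
        "independent_failures": round(cohens_kappa(MODEL_X, MODEL_Y_INDEP), 3),
    }


if __name__ == "__main__":
    print(compare())  # {'shared_failures': 0.762, 'independent_failures': 0.286}
```

Both comparison models have the same 70% pass rate as MODEL_X; only the overlap of their failure sets changes, and kappa drops from about 0.76 to about 0.29.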

On the offensive-use side, security practitioners are already concerned. Jason Baker, managing security consultant at GuidePoint Security, told Axios that Russian-language forums included discussions about the ease of adapting GLM-5.2 for hacking within days of its release. Travis Lanham, CTO and founder of Armadin, noted the model could allow attackers to personalize attacks and find creative bypasses — and unlike closed models where suspicious activity can be detected and accounts banned, an attacker running GLM-5.2 locally generates no provider-visible signal at all.

What Using Z.ai's Cloud API Actually Means for Security Teams

The benchmark results above apply to the self-hosted, open-weight deployment of GLM-5.2. Developers using Z.ai's cloud API face a structurally different set of considerations.

Z.ai is a Beijing-based company operating under Chinese law. China's National Intelligence Law (2017) requires in Article 7 that all Chinese organizations and citizens "support, assist, and cooperate with state intelligence work in accordance with the law." China's Data Security Law (2021) and Cybersecurity Law (2017) add data localization and government access provisions. The US Department of Homeland Security has explicitly warned that this legal framework can compel Chinese companies to provide data from US persons or businesses on government demand. In May 2026, US House lawmakers opened a formal inquiry into cybersecurity risks from Chinese AI models in critical infrastructure, naming Zhipu AI among the companies under scrutiny alongside DeepSeek, MiniMax, and ByteDance.

This legal obligation applies regardless of Z.ai's stated privacy policy, regardless of where individual servers are physically located, and regardless of whether the company has ever been compelled to share data. It is a structural condition of operating under Chinese law — not a contested allegation. The practical implication: developers who route sensitive code, vulnerability findings, or proprietary systems through Z.ai's cloud API should treat that routing as potentially accessible to Chinese state intelligence authorities.

The self-hosted open-weight deployment does not carry this obligation. Once the weights are downloaded under the MIT license, no external party — Chinese government, US government, or Z.ai itself — has any legal or technical access to the inference environment. That distinction matters enormously for security teams evaluating GLM-5.2 as a Fable 5 alternative.

Where the Policy Argument Stands Now

The ban is not over, and the situation has changed since this story first developed.

On June 26, Commerce Secretary Howard Lutnick sent a letter to Anthropic chief compute officer Tom Brown partially lifting the Mythos 5 restriction. Under the revised terms, Mythos 5 may now be deployed without an export license to approximately 100 vetted US organizations operating and defending critical infrastructure, along with their foreign national employees. Lutnick explicitly reserved the right to revoke or adjust the access list at any time. Claude Fable 5 — the version that was publicly available to consumers and developers globally — remains suspended worldwide with no restoration timeline announced.

The episode has established what Lutnick called the beginnings of a new regulatory regime giving the US government control over frontier AI releases. But the GLM-5.2 benchmark results clarify the limits of what that regime can accomplish. It can determine who in the US has access to Mythos 5. It cannot determine who in the world has access to a freely downloadable open-weight model that performs comparably on the specific capability the ban was meant to contain.

Anthropic argued this at the time of the ban: the same capability is available from other publicly accessible models, including OpenAI's GPT-5.5, that face no equivalent restriction. The Semgrep and Graphistry results now extend that argument beyond hypothesis. There is a concrete, third-party-verified, freely downloadable alternative that matches Mythos-class performance on the benchmark category most directly relevant to the ban's stated rationale.

The policy instrument and the technical reality are no longer synchronized. API-level export controls were designed for an era of closed, centralized, server-side models. GLM-5.2 is a structural argument, expressed in benchmark scores, that the frontier is no longer exclusively proprietary.

Frequently Asked Questions

Can GLM-5.2 be used for hacking?

Yes, and with fewer barriers than closed-model alternatives. Because GLM-5.2 is an open-weight model under the MIT license, anyone can download it, remove its safety guardrails, fine-tune it for specific targets, and run it locally with no visibility to any provider or security team. Security researchers from GuidePoint Security and Armadin have confirmed that Russian-language forums were already discussing how to adapt the model for offensive purposes within days of its release. The Semgrep benchmark confirms GLM-5.2 outperformed Claude Code on IDOR vulnerability detection in a prompt-only configuration. That same capability is available to defenders and attackers alike.

Is GLM-5.2 safe to use through Z.ai's cloud API?

Not for sensitive data or proprietary systems. Z.ai operates under China's National Intelligence Law (2017), which in Article 7 requires all Chinese organizations to cooperate with state intelligence authorities on demand. Developers who route production data through Z.ai's API should assume that data is potentially accessible to Chinese government intelligence services under this legal framework. The self-hosted open-weight deployment — running the downloaded weights on your own hardware — does not carry this legal exposure, but requires approximately 1.5 terabytes of GPU memory in full precision, or around 239 gigabytes in a quantized build.

How does GLM-5.2 compare to Claude on cybersecurity tasks?

On the specific cybersecurity tasks measured so far, the gap is narrower than expected. On Semgrep's IDOR vulnerability detection benchmark, GLM-5.2 scored 39% F1 versus Claude Code's 28–37% F1 range, at roughly one-sixth the cost. On Graphistry's Botsbench agentic cybersecurity investigation benchmark, GLM-5.2 tied proprietary models with a 28/59 solve rate. These are single-task, single-dataset results, and GLM-5.2 still trails Claude Opus 4.8 on the hardest general reasoning benchmarks. But for the specific task — finding vulnerabilities in code — the open-weight model is now competitive.

What does GLM-5.2's rise mean for the Fable 5 export ban?

It makes the ban's stated rationale harder to defend as a containment measure, though not legally irrelevant. The government's argument was that restricting access to Fable 5's cybersecurity capabilities would limit the risk of those capabilities reaching adversaries. The Semgrep and Graphistry benchmarks show a freely downloadable Chinese model now performs comparably on the same task, without any access controls or export restrictions of any kind. No export control directive can reach a file already distributed on Hugging Face. The ban can still serve other purposes — negotiating leverage, precedent-setting for future frontier model governance, limiting specific high-value US infrastructure access — but it can no longer credibly claim to contain the cybersecurity capability it was designed to restrict.