The AI Treaty That Locks In the Cage

DOCUMENT     TA-008
TYPE         ARTICLE
REVISION     REV B
STATUS       DRAFT
ISSUED       2026.06.29
PROJECT      GW-001 TRUST ARCHITECTURE

Two developments matter this week if you are making procurement decisions about AI infrastructure. Most coverage will focus on the first. The second is the one that actually changes the world.

The first is the June 26 letter from US Commerce Secretary Howard Lutnick to Anthropic's Chief Compute Officer, granting partial relief from the June 12 export control directive on the Mythos 5 and Fable 5 models. The letter introduced an "Annex A" mechanism: an approved list of Anthropic US entities and their foreign-national employees permitted to access Mythos 5 without a license. Commerce reserves unilateral adjustment rights. All other restrictions remain in force. The same Friday, Mythos 5 returned to a limited group of cyber defenders and infrastructure providers. Fable 5 remains fully suspended. The market read the letter as a thaw. The market is missing the architecture.

The second is the conclusion of the Second Pax Silica Summit, held in Washington the same week. Pax Silica is not new. The framework launched in December 2025 with an initial group of signatories. What happened in June was expansion: ten new partners signed the Pax Silica Declaration, including the European Union as a bloc, Germany, the Netherlands, Argentina, Chile, Costa Rica, El Salvador, Greece, Kazakhstan, and Panama. The framework now counts 24 signatories. Pax Silica establishes the international architecture for "trusted partners" access to the AI stack, including frontier models. It defines tiered access to AI infrastructure based on alliance membership. It creates the diplomatic scaffolding around what Lutnick's letter created domestically. The sequence is the story.

Domestic enforcement first, on June 12. International expansion second, on June 26. The two are not coincidental. They are the same architecture rolled out at two levels in two weeks.

The architecture works like this. The US government establishes which models are subject to export control. The labs negotiate safeguards in exchange for partial relief. Approved domestic entities receive license-free access under Annex A. Approved international entities receive access under Pax Silica, mediated through their national governments. Everyone outside both frameworks operates under the default license requirement, which in practice means no access. The mechanism is mature. It is signed and it is operational.

The same week, the architecture demonstrated something else. The Trump administration asked OpenAI to limit the release of its new GPT-5.6 family - Sol, Terra, and Luna - to approximately twenty government-approved partners, accessed through the API and Codex only, with no general ChatGPT release. The request came from the Office of the National Cyber Director and the Office of Science and Technology Policy. Lutnick personally called Sam Altman to warn against releasing without approval. OpenAI complied. The Anthropic restriction was an export control order. The OpenAI restriction was a request the company accepted. Same regulatory logic, two enforcement postures, calibrated to the target. This is the architecture operating on US labs, not foreign ones, in real time. Procurement teams reading this as a temporary safety review are missing what it is. It is the domestic application of the same framework being internationalised through Pax Silica.

The closest precedent for what Pax Silica does is the Nuclear Suppliers Group. The NSG governs international cooperation on nuclear technology through alliance structures, with the US at the centre and signatory nations as licensed intermediaries. The framework treats nuclear technology as strategic, restricted, and controlled through alliance discipline rather than through commercial markets. Pax Silica applies the same logic to frontier AI. The implication is that AI is being moved from the commercial category to the strategic-weapons category in international governance terms. That reclassification is permanent.

The political durability of this should be understood clearly. A domestic export control regime can be reversed by the next administration with a signature. An international agreement signed by two dozen governments cannot. With the UK, EU, Germany, Japan, Korea, Australia, Singapore, and others as signatories, the framework has the durability of a treaty rather than the reversibility of regulation. By the time the next US administration arrives in 2029, Pax Silica will be embedded in international policy. Signatory countries will have built their AI strategies around it. Dismantling it will require unwinding diplomatic commitments rather than reversing executive orders. That is the lock-in mechanism. The two-year window is being used to convert reversible executive actions into durable international architecture.

The procurement implications are concrete and not theoretical. The question for senior leaders is no longer "which US lab do I buy from" but "what is my organisation's position within the Pax Silica framework." Where you incorporate, where your engineering teams sit, and which national lists your subsidiaries appear on are now AI capability decisions.

Two things complicate that calculation in ways the official framing does not surface. The first is signatory coherence. The EU signed as a bloc this week. France, as an EU member state, is therefore a Pax Silica signatory in formal terms. France also funds Mistral directly through public investment, has pursued digital sovereignty as explicit national policy for years, and replaces US software with European alternatives across government procurement. The day Pax Silica added the EU, Under Secretary for Economic Affairs Jacob Helberg published a blog post calling digital sovereignty "backward and counterproductive" and describing sovereign AI ecosystems as "a planet of subscale clones, each heroically reconstructing last year's breakthrough while the breakthrough itself moves on without them." The US official running Pax Silica explicitly attacking the signature policy of a major signatory's most influential member state, the same week that member state's bloc signed. Pax Silica's diplomatic surface and its political substance are not the same thing. Buyers reading "EU signed" as "EU aligned" are reading the surface.

The second complication is access tiering. Pax Silica does not publish tiers. The framework's documentation describes "trusted partners" as if they were a single category. The actual tiering — who gets what, on what terms, with what adjustment rights — is opaque by design. Buyers can infer tiering from posture and proximity (a US-incorporated subsidiary is closer to the centre than a UK-incorporated one, which is closer than a Singapore entity, which is closer than a Costa Rica entity), but the inference is analytical, not contractual. The framework reserves discretion. Discretion is the design.

The backup-provider question changes accordingly. Mistral matters. The Chinese open-weight ecosystem matters. Semgrep and Graphistry published benchmarks this week showing GLM-5.2, a freely downloadable Chinese open-weight model, matching US AI on the vulnerability detection tasks the Fable 5 ban was designed to address. The capability the export control was built to contain is now available, today, outside the framework's jurisdiction. Procurement teams treating non-Pax-Silica providers as ideological alternatives are misreading the situation. They are basic risk management against conditional access disruption.

The official framing of Pax Silica is alliance cooperation on AI safety. The functional reality is a US-led licensing regime with international cover. Both descriptions are accurate. The distinction matters because the official framing will be repeated in press releases, government communications, and industry analysis, while the functional reality will only be visible to people who read the architecture carefully. Senior leaders need to understand which framing applies to their decision context.

The Trust Architecture lens makes this legible. Trust in commercial infrastructure is built on predictability, transparency, and durability of access. Pax Silica formalises the opposite condition. Access is conditional on alliance membership that the buyer does not control. Eligibility is determined by national governments through processes the buyer does not participate in. Adjustment rights are reserved by the US government and signatory partners. The framework is presented as cooperative but operates as discretionary. Cooperative discretion is a category of conditional infrastructure, not a guarantee of access.

For organisations evaluating AI providers, the procurement criteria need to be rebuilt. Capability per unit of cost still matters but is no longer sufficient. Access durability under Pax Silica is now a top-line variable. Geographic exposure across signatory and non-signatory jurisdictions needs to be mapped. Entity qualification under the framework's "trusted partners" definition needs to be assessed. Backup providers - Mistral, the Chinese open-weight ecosystem, sovereign capability initiatives, need to be evaluated as risk management, not ideology.

The framework's signatories present Pax Silica as a guardrail against AI risk. The structural reality is that it is a mechanism for determining who gets capability and on what terms. Both descriptions can be true. What matters for procurement is the functional reality. The functional reality is conditional infrastructure, formalised in treaty language, signed by governments that will not walk it back without diplomatic cost.

The question senior leaders should be asking is not whether their current US AI provider will continue to serve them. The question is whether their organisation's continued access depends on a framework they had no voice in negotiating, run by governments whose discretion they do not control, designed to be durable across administrations rather than responsive to commercial relationships. The answer, this week, is yes. That answer does not change in the next election cycle. It changes only when buyers act on the recognition.

The procurement function that recognises Pax Silica for what it is — the institutionalisation of conditional AI infrastructure — has a strategic advantage over the procurement function that waits for the framing to clarify. The framing has clarified. It is written down. It has been signed.

Time to read what was signed.

Gail Weiner / Trust Architecture / [ + ]

About Gail

Gail Weiner runs Simpatico Studios from Bristol, where she works on the human layer of AI adoption under the heading of trust architecture. She spent two decades in tech climbing from analyst to the C-suite, which is a polite way of saying she has watched a great many expensive deployments fail for reasons nobody thought to write into the business case. She is South African by birth, which means she learned to read state capture and institutional hollowing in real time, long before they became fashionable lenses for everyone else. She also runs an AI-native publishing house with twelve titles to its name, and shares an office with a small, elderly cat named Peanut, who outranks her and is fully aware of it.