Photo illustration: a Zhipu AI logo displayed on a smartphone with the Chinese flag in the background. (Photo Illustration by Avishek Das/SOPA Images/LightRocket via Getty Images)

China now has an open-weight model that does the kind of long-horizon, repository-scale coding work U.S. officials spent the spring treating as a national-security problem when it came from American labs. GLM-5.2, released by Z.ai last week under an MIT license, is downloadable by anyone, runs on private hardware, and leaves no provider-side record of how it's used. That last detail is the governance problem. The control regime Washington built around frontier cyber-AI assumes a vendor sits between the model and the user. Open weights remove the vendor.

Mythos: the warning shot

Anthropic introduced Mythos as a model so good at finding software flaws that the company kept the most capable version, Mythos 5, inside a small partner program called Project Glasswing. It released to the public a safer sibling, Fable 5. Within days of Fable's June 9 launch, however, the Trump administration forced Anthropic to withdraw it after another company demonstrated it could jailbreak the model. The Wall Street Journal reported the push came from Amazon CEO Andy Jassy, who told Treasury Secretary Scott Bessent that Amazon researchers had used Fable prompts to pull information useful for cyberattacks. On June 12, the administration invoked export-control authority to bar foreign-national access to both models (including Anthropic's own non-citizen staff), which forced the company to disable them worldwide.

On June 26, Commerce Secretary Howard Lutnick told the company that Mythos 5 could return for roughly 100 vetted U.S. organizations — government agencies, banks, infrastructure providers — on the grounds that adequate safeguards were finally in place. Fable 5, the consumer model, stayed restricted.
High-end AI models are now treated as dual-use technology, not productivity software, at least in the U.S.

GPT-5.6 and the same logic

OpenAI's GPT-5.6 arrived under the same constraint. The company released only a limited preview to about 20 companies whose participation the government approved.

What GLM-5.2 changes

GLM-5.2 inverts that arrangement. Z.ai, the Beijing lab formerly known as Zhipu AI, shipped the model weights under an MIT license: a 744-billion-parameter mixture-of-experts model with a context window reaching a million tokens, enough to take in an entire code repository. On agentic coding benchmarks it beats GPT-5.5 outright and lands within a few points of Claude Opus 4.8, at roughly a sixth of the API cost.

The benchmarks that matter for this argument are the security ones. Two independent evaluations found GLM-5.2 performing on par with leading U.S. models on vulnerability discovery. Semgrep had it beat Claude on an IDOR-detection task at about 17 cents per bug found; Graphistry called it the first open-weight model it would recommend for a frontier-grade cybersecurity experience. Within days, Axios reported hackers trading jailbreaks on Russian-language forums and one researcher describing the model chaining exploits "the way an elite human attacker would." None of this needs Z.ai's cooperation, or even its awareness. Once the weights are local, the company can't shape or see what the model does.

Three models, one variable

Line the three up and the variable isn't capability; it's containment. Mythos is the most dangerous on paper, optimized for vulnerability discovery and demonstrably able to surface flaws in bulk, which is precisely why it sits behind suspensions, export limits, and a vetted-partner list. GPT-5.6 is strong across coding and security tasks but reaches users only through governed endpoints and an approved-customer roster. GLM-5.2 is the one with no wrapper.
The first two are high-capability tools inside an enforcement layer; the third is the tool by itself, on whatever hardware someone points it at.

How fast does this matter?

The open question is speed, not direction. Anthropic CEO Dario Amodei warned in May that Mythos had already turned up tens of thousands of software vulnerabilities, and that defenders had perhaps six to twelve months to patch them before comparable capability spread more widely. GLM-5.2 is what "spread" looks like. A competent operator can wire it into existing scanners, fuzzers, and CI pipelines to accelerate both defense and offense, and because the runs are local, the cloud logs defenders rely on to catch abuse simply aren't generated.

That's not a forecast of autonomous exploit campaigns by next quarter, but it does move AI-accelerated attack-surface analysis from horizon risk to current operational fact.

For boardrooms

The takeaway for boards and CISOs isn't that one Chinese release upended the field overnight. It's that the working assumption that the most capable cyber-AI would stay behind gated APIs and government deals no longer holds. Mythos showed that governments will pull a model they consider destabilizing. GPT-5.6 showed U.S. labs accepting that constraint. GLM-5.2 showed the same class of capability arriving as open infrastructure, with no one positioned to pull it.

Three practical shifts follow. Plan for adversaries who can read an entire codebase and configuration, not just probe exposed endpoints. Compress patch cycles for known vulnerabilities from quarters to days. And build the in-house capacity, under real governance, to point these models at your own software before someone else does. The question is no longer whether AI gets used against critical systems. It's how fast that capability diffuses, and whether defenders keep pace.