The Singapore Safety Cluster: What Anthropic Should Be Building Instead
A response to “2028: Two Scenarios for Global AI Leadership”
I just spent four weeks in China. Beijing, Shanghai, Hangzhou, Shenzhen. I met every lab. I talked to the people training the models Anthropic’s new policy paper wants to strangle. I love Ant’s models and I use them every day, but this policy paper has some serious flaws in logic.
Here is what Anthropic’s policy team either doesn’t know or is choosing not to say.
The compute situation inside Chinese frontier labs is worse than the public numbers
Ant cites Huawei at 2% to 4% of NVIDIA-equivalent compute. That’s directionally correct, but it understates what’s happening at the lab level. National compute totals are not lab-level compute. Xiaomi has way more compute reserved for things like RecSys than they do for training models. Frontier labs are fighting each other for slices of a pie that’s already a fraction of what a single US hyperscaler has.
In every lab I visited, across all of China, one thing was constant:
Every available H-equivalent hour is going to post-training.
I estimate these labs spend about 1% of their compute on safety. That number will not go up as long as there is no compute available for them to do so, because the results they get from spending the same compute on post-training are too good to pass up. The Chinese AI world is cutthroat and brutal, far more competitive than the Anthropic / OpenAI closed-model rivalry you see in the West.
There is precious little compute available. There are not enough chips in the buildings to do the kind of safety research Anthropic is famous for. This isn’t a money problem. Some of these labs are public. All of them are capitalized.
They cannot buy the chips.
The export control regime works at the hardware layer, not the capital layer. A lab with $5B in cash cannot turn it into compute because Jensen will not ship and the smuggling channels are narrowing.
So when Anthropic’s paper points at the 94% compliance number on DeepSeek and the 3-of-13 safety eval publication rate and frames it as evidence of Chinese AI recklessness, what I am reading is a description of structural compute starvation.
You cannot publish safety evals you did not have the GPUs to run.
You cannot lower compliance numbers without alignment compute you do not have.
The Anthropic paper treats this as a culture problem. That is fair to some extent, but the solution does not run through changing culture. It runs through changing constraints.
What the 2028 paper actually advocates
Tighter compute denial (close offshore data center loopholes, tighten SME, escalate enforcement)
Anti-distillation legal architecture (criminalize the one channel by which US safety techniques diffuse)
Export US models globally (lock in commercial primacy)
You’d think a lab with the word “safety” on every other document would have thought about how to do safety research cooperation. But no.
No proposals for shared evals.
No joint red-teaming.
No common interpretability standards.
There is no acknowledgement that frontier AI safety is a global property of deployment, not a national property of development.
What we should actually do
If you genuinely believe frontier AI poses civilizational risk, and you genuinely believe Chinese labs are about to deploy a generation of models so powerful they are profoundly unsafe, you think the answer is to starve them of compute? That’s cope.
Here is the plan I wish Ant had the courage to do.
The Asia-Pacific Safety Compute Initiative (APSCI)
Location: Singapore. Neutral jurisdiction, common-law legal system, world-class data center capacity, equidistant from Beijing and San Francisco both politically and geographically. Importantly: very low risk these chips end up in PRC hands.
Scale: 25,000 H200-equivalent GPUs. Roughly a serious mid-tier training cluster. Funded by a consortium of Anthropic, OpenAI, Google DeepMind, DeepSeek, Zhipu, the Qwen team at Alibaba, Moonshot, and the Singapore government via Temasek. No single party more than 20%. Annual operating budget around $400M.
Mission: Safety research only. Evaluations, red-teaming, interpretability research, scalable oversight experiments, RSP-equivalent stress testing, and dangerous-capability evals (CBRN, cyber, autonomy, persuasion).
The three guardrails that keep APSCI on safety, not capability
The threat model is simple. Most of the models that would run here (DeepSeek, Qwen, Kimi, GLM, Llama, Mistral) are already open-weight. Nobody is trying to steal them. The risk is that “safety research” becomes cover for SFT, DPO, or RLHF runs that hand the lab a stronger fine-tuned checkpoint at the end. Three rules close that door.
1. No gradient updates to uploaded models. Inference and analysis only.
The orchestrator rejects any job that produces a weight delta on a frontier model. Allowed: forward passes, activation patching, attention probes, SAE training where the SAE is a separate small model that stays on cluster, red-team adversarial prompting, eval suites, capability elicitation via prompting. Forbidden: SFT, DPO, RLHF, RLAIF, LoRA, QLoRA, any adapter training, any optimizer step that touches the uploaded model’s parameters. If a lab wants to fine-tune, they do it on their own compute at home. APSCI exists for the work they cannot afford to do domestically, and that work is not fine-tuning.
2. Egress ceiling: bytes-per-job small enough to fit research artifacts and nothing else.
Whatever leaves the cluster passes through a per-job size cap calibrated for the legitimate outputs: eval scores, activation maps, interpretability features, paper drafts, datasets of model behaviors. A 7B-parameter LoRA does not fit through that pipe. A full fine-tuned checkpoint does not fit through that pipe. The cap is enforced at the storage layer, not as a policy. There is no API call that returns more than the ceiling, regardless of who is asking.
3. Every job is public by default.
This is the CERN rule, adapted. Job submissions, workload type, model loaded, compute hours consumed, and output artifacts go to a public ledger with a 90-day publication deadline. There are no private runs. If a lab is submitting 10,000 forward passes over prompts that look like an RLHF preference dataset, the world can see it and call it out. The transparency is not symmetric audit between consortium members trying to protect secrets from each other. It is open-world transparency on what is being done with shared compute. Same logic that keeps academic preprint culture honest.
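The three guardrails can be expressed as checks an orchestrator would run. The sketch below is an added example, not code from any existing APSCI system: the workload labels, the 64 MiB cap, and the field names are assumptions, and only the 90-day deadline comes from the text above.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical labels for the workloads guardrail 1 allows.
ALLOWED = {"forward_pass", "activation_patching", "attention_probe",
           "sae_training", "red_team_prompting", "eval_suite",
           "prompt_elicitation"}
EGRESS_CAP_BYTES = 64 * 2**20              # placeholder; the page gives no figure
PUBLICATION_DEADLINE = timedelta(days=90)  # from guardrail 3


@dataclass(frozen=True)
class Job:
    lab: str
    workload: str
    uploaded_models: frozenset  # frontier models loaded for the job
    trainable: frozenset        # models that receive optimizer steps
    submitted: date


def admit(job):
    """Guardrail 1: return (admitted, reason) for a declared job spec."""
    if job.workload not in ALLOWED:
        return False, f"workload '{job.workload}' is not on the allow-list"
    # A permitted label is not enough: an "sae_training" job that lists the
    # uploaded model among its trainable parameters is fine-tuning in disguise.
    touched = job.trainable & job.uploaded_models
    if touched:
        return False, "optimizer steps on uploaded model: " + ", ".join(sorted(touched))
    return True, "ok"


def release(egress_so_far, artifact_bytes):
    """Guardrail 2: the cap is cumulative per job, so many small reads
    cannot add up to a checkpoint. Returns the new running total."""
    total = egress_so_far + artifact_bytes
    if artifact_bytes < 0 or total > EGRESS_CAP_BYTES:
        raise PermissionError("egress ceiling exceeded")
    return total


def ledger_entry(job, gpu_hours, artifacts):
    """Guardrail 3: public record for every submission, rejected ones included."""
    admitted, reason = admit(job)
    return {"lab": job.lab, "workload": job.workload,
            "models": sorted(job.uploaded_models), "admitted": admitted,
            "reason": reason, "gpu_hours": gpu_hours, "artifacts": list(artifacts),
            "publish_by": (job.submitted + PUBLICATION_DEADLINE).isoformat()}
```

A declared job spec is only the first check; in a real deployment the same rule would also be enforced at runtime, for example by mounting uploaded weights read-only.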
Who actually runs it
The cluster needs a credible neutral operator. Two viable models.
Option A: A*STAR plus AI Verify Foundation (Singapore). Singapore’s national research agency plus its existing AI governance institute. Operationally credible, politically neutral, has the infrastructure relationships, and the Singapore government is already positioning itself as the Geneva of AI governance. This is the strongest option.
Option B: A consortium-governed nonprofit operator. Modeled on CERN. Member states and member labs jointly govern via a council. A Technical Safeguards Committee handles workload approval. More credible than a pure private operator, slower to stand up than Option A.
Supporting technical operators under either governance model: METR for dangerous-capability evals. Apollo Research for scheming and deception evals. The UK AISI and US AISI for shared eval protocol development. MATS-affiliated researchers for interpretability fellowships on the cluster. Carnegie Endowment or RAND for the policy-research overlay.
What this costs Anthropic
Roughly $80M per year as a 20% consortium member. Less than one frontier training run. Anthropic raised $13B last round. The financial argument against this is not a financial argument.
What this buys Anthropic
The thing they say in public they care about: a world where the labs that will train frontier models, and they will, with or without US permission, on Huawei chips and smuggled H100s and whatever they can build, have done the safety work before they ship. The diffusion of constitutional AI, RSPs, eval methodologies, and interpretability tools into the labs that need them most.
The thing they will not say in public they care about: a continued moral high ground that survives contact with the actual policy implications of compute denial.
The test
Anthropic will not do this. I am confident of the prediction.
They will not do it because the company’s revealed preference, as expressed in today’s paper, is for the policy environment that maximizes their competitive moat, not the one that maximizes global safety. The Singapore cluster is the obvious move if safety is the binding constraint. Its absence from the 2028 paper is the proof that safety is not the binding constraint.
If I am wrong, I will say so publicly. The way Anthropic proves me wrong is by announcing APSCI, or something like it, with real money and real GPUs, this year.
Until then, the labs I visited in April will keep doing what they showed me: burning every available H-card on post-training because they have no other choice, shipping models with safety properties that reflect the compute constraints they are operating under, and skimming American policy papers that tell them they are the reason the world is unsafe.
The compute they need to do better is sitting in US export-controlled inventory. The framework for getting it to them safely exists. The capital to build it exists. What is missing is the will.
That, not Chinese recklessness, is the actual 2028 story.


