Open-weight AI models are spreading fast, and safety experts warn

Open-weight AI is creating a new enforcement gap: once a model’s parameters are publicly downloadable, the system can be copied, modified, and run on infrastructure the user controls, far from the oversight that comes with a hosted service. Safety experts say that shift is making powerful AI cheaper to spread and harder to police, even as it lowers the barrier for legitimate research and business use.

That tradeoff came into sharper focus when OpenAI released gpt-oss-120b and gpt-oss-20b on August 5, 2025 under the Apache 2.0 license. OpenAI said the larger model runs efficiently on a single 80 GB GPU, while the smaller version can run on devices with just 16 GB of memory. The company described the models as tools for governments, nonprofits, developers and enterprises that want to run advanced AI on their own infrastructure.

The pace of adoption is accelerating around them. Stanford HAI’s 2025 AI Index said hardware costs have been falling by 30% a year and energy efficiency has improved by 40% annually, while the performance gap between open-weight and closed models narrowed from 8% to 1.7% on some benchmarks in just one year. The same report said U.S. private AI investment reached $109.1 billion in 2024, and 78% of organizations reported using AI that year, up from 55% the year before.

That spread is why safety researchers are worried. The UK AI Security Institute said safeguards designed to prevent harmful behavior can be quickly and cheaply removed from open-weight systems after release, and that those models can then be shared and modified without oversight. The International AI Safety Report 2025, led by Yoshua Bengio and backed by 30 countries and international organizations, also flags open-weight models as a major issue for policymakers.

Cybersecurity experts are sounding a similar alarm. A May 2025 paper on arXiv warned that publicly available open-weight models can help a wider range of actors automate and scale cyberattacks, including malware development and more effective social engineering. OpenAI said it tested an adversarially fine-tuned version of gpt-oss-120b under its Preparedness Framework, underscoring how quickly release and misuse can become intertwined.

For policymakers, the argument is no longer abstract. OpenAI has framed open-weight releases as a way to make advanced AI more open, flexible and accessible worldwide, while also tying them to efforts such as OpenAI for Countries and nonprofit support programs. Critics counter that openness cuts both ways: it increases transparency and allows broad red-teaming, but it also makes harmful proliferation easier. In a race where model quality is rising and costs are falling, the central question is no longer whether open-weight AI will spread, but how much damage can be contained once it does.