Open vs Closed Source AI
Open vs Closed Source AI
Comprehensive analysis of open vs closed source AI debate, documenting that open model performance gap narrowed from 8% to 1.7% in 2024, with 1.2B+ Llama downloads by April 2025 and DeepSeek R1 demonstrating 90-95% cost reduction. Research shows fine-tuning can remove safety guardrails in hours, while NTIA 2024 found insufficient evidence to restrict open weights and EU AI Act exempts non-systemic open models below 10²⁵ FLOPs.
Quick Assessment
| Dimension | Assessment | Evidence |
|---|---|---|
| Market Trajectory | Open models closing gap rapidly | Performance difference narrowed from 8% to 1.7% in one year (Stanford HAI 2025) |
| Adoption Scale | 1.2B+ Llama downloads by April 2025 | Meta reports 53% growth in Q1 2025; 50%+ Fortune 500 experimenting |
| Enterprise Share | Open source declining slightly | 11-13% enterprise workloads use open models, down from 19% in 2024 (Menlo Ventures) |
| Cost Efficiency | Open dramatically cheaper | DeepSeek R1 runs 20-50x cheaper than comparable closed models; 90-95% training cost reduction |
| Safety Guardrails | Significant vulnerability | Fine-tuning can remove safety training in hours; "uncensored" variants appear within days of release |
| Regulatory Status | Cautiously permissive | NTIA 2024: insufficient evidence to restrict; EU AI Act: exemptions for non-systemic open models |
| Geopolitical Impact | Complicates Western restraint | DeepSeek demonstrates frontier capabilities from China; unilateral restrictions less effective |
Open vs Closed Source AI
One of the most heated debates in AI: Should powerful AI models be released as open source (weights publicly available), or kept closed to prevent misuse? The debate intensified following Meta's Llama releases, Mistral's emergence as a European open-weights champion, and DeepSeek's 2025 disruption demonstrating Chinese open models at the frontier.
Key Links
| Source | Link |
|---|---|
| Official Website | techtarget.com |
| Wikipedia | en.wikipedia.org |
Key Arguments Summary
| Argument | For Open Weights | For Closed Models |
|---|---|---|
| Safety | Enables external scrutiny and vulnerability discovery; "security through transparency" parallels open-source software | Prevents removal of safety guardrails; maintains ability to revoke access; enables monitoring for misuse |
| Innovation | Accelerates research through global collaboration; enables startups and academics to build on frontier work | Controlled deployment allows careful capability assessment before wider release |
| Security | Distributed development reduces single points of failure | Prevents adversaries from accessing and weaponizing capabilities |
| Power Concentration | Prevents AI monopoly by a few corporations; LeCun argues concentration is "a much bigger danger than everything else" | Responsible actors can implement safety measures that open release cannot |
| Accountability | Public weights enable third-party auditing and bias detection | Clear liability chain; developers can update, patch, and control deployment |
| Misuse Potential | Knowledge democratization; misuse happens regardless of openness | RAND research shows weights are theft targets; "uncensored" derivatives appear within days of release |
Trade-offs Overview
Diagram (loading…)
flowchart TD RELEASE[Model Weight Release Decision] --> OPEN[Open Weights] RELEASE --> CLOSED[Closed Weights] OPEN --> O_GOOD[Benefits] OPEN --> O_BAD[Risks] O_GOOD --> O1[External scrutiny<br/>and red-teaming] O_GOOD --> O2[Innovation acceleration<br/>global collaboration] O_GOOD --> O3[Reduced power<br/>concentration] O_GOOD --> O4[Lower costs<br/>20-50x cheaper inference] O_BAD --> O5[Guardrail removal<br/>via fine-tuning] O_BAD --> O6[No usage monitoring<br/>or access revocation] O_BAD --> O7[Irreversible release<br/>cannot recall weights] CLOSED --> C_GOOD[Benefits] CLOSED --> C_BAD[Risks] C_GOOD --> C1[Maintained control<br/>and monitoring] C_GOOD --> C2[Enforceable<br/>safety guardrails] C_GOOD --> C3[Ability to patch<br/>and update] C_BAD --> C4[Power concentration<br/>in few companies] C_BAD --> C5[Higher costs<br/>access barriers] C_BAD --> C6[Limited external<br/>safety research] style OPEN fill:#e6f3ff style CLOSED fill:#ffe6e6 style O_GOOD fill:#ccffcc style O_BAD fill:#ffcccc style C_GOOD fill:#ccffcc style C_BAD fill:#ffcccc
Stakeholder Positions
| Stakeholder | Position | Key Rationale | Evidence |
|---|---|---|---|
| Meta (Yann LeCun) | Strong open | Power concentration is the real existential risk; open source enables safety through scrutiny | Released Llama 2, Llama 3 (8B-405B parameters) |
| Anthropic (Dario Amodei) | Cautious closed | Irreversibility of release; responsible scaling requires control | Claude models closed; Responsible Scaling Policy |
| OpenAI (Sam Altman) | Closed (shifted) | Safety concerns grew with capabilities; GPT-4 too capable for open release | Shifted from GPT-2 open to GPT-4 closed |
| Mistral AI | Strong open | European AI sovereignty; innovation through openness | Mistral 7B/8x7B/Large released with minimal restrictions |
| DeepSeek (China) | Strategic open | Demonstrates Chinese frontier capabilities; signed AI Safety Commitments alongside 16 Chinese firms | DeepSeek-R1 open weights, though with documented censorship and security issues |
| U.S. Government (NTIA) | Cautiously pro-open | 2024 report found insufficient evidence to restrict open weights; recommends monitoring | Called for research and risk indicators, not immediate restrictions |
| EU Regulators | Risk-based | AI Act applies stricter rules to "foundation models" including open ones | Foundation models face transparency and safety testing requirements |
| Eliezer Yudkowsky | Strongly closed | Open-sourcing powerful AI is existential risk | Public advocacy against any frontier model release |
What's At Stake
Open weights (often called "open source" though technically distinct) means releasing model weights so anyone can download, modify, and run the model locally. Meta clarified in 2024 that Llama models are "open weight" rather than fully open source, as the training data and code remain proprietary. Examples include Llama 2/3, Mistral, Falcon, and DeepSeek-R1. As of April 2025, Llama models alone had been downloaded over 1.2 billion times, with 20,000+ derivative models published on Hugging Face. Once released, weights cannot be recalled or controlled, and anyone can fine-tune for any purpose—including removing safety features. Research shows that "jailbreak-tuning" can remove essentially all safety training within hours using modest compute (FAR.AI 2024). Within days of Meta releasing Llama 2, "uncensored" versions appeared on Hugging Face with safety guardrails stripped away.
Closed source means keeping weights proprietary, providing access only via API. Examples include GPT-4, Claude, and Gemini. Labs maintain control and can monitor usage patterns, update models, revoke access for policy violations, and refuse harmful requests. However, this concentrates power in a small number of corporations.
Current Landscape (2024-2025)
The landscape shifted dramatically with DeepSeek's January 2025 release of R1, demonstrating that Chinese labs could produce frontier-competitive open models. Before DeepSeek, Meta's Llama family dominated the open-weights ecosystem, with models ranging from 7B to 405B parameters.
Market Statistics (2024-2025)
| Metric | Value | Source | Trend |
|---|---|---|---|
| Open source model downloads | 30,000-60,000 new models/month on Hugging Face | Red Hat | Exponential growth |
| Llama cumulative downloads | 1.2 billion (April 2025) | Meta | +53% in Q1 2025 |
| Enterprise open source share | 11-13% of LLM workloads | Menlo Ventures | Down from 19% in 2024 |
| Performance gap (open vs closed) | 1.7% on Chatbot Arena | Stanford HAI | Narrowed from 8% in Jan 2024 |
| Global AI spending | $17B in 2025 | Menlo Ventures | 3.2x YoY increase from $11.5B |
| DeepSeek R1 training cost | Under $1 million | World Economic Forum | 90-95% below Western frontier models |
| Fortune 500 Llama adoption | 50%+ experimenting | Meta | Including Spotify, AT&T, DoorDash |
| Name | Openness | Access | Safety | Customization | Cost | Control |
|---|---|---|---|---|---|---|
| GPT-4/4o | Closed | API only | Strong guardrails, monitored | Limited fine-tuning via API | Pay per token | OpenAI maintains full control |
| Claude 3/3.5 | Closed | API only | Constitutional AI, monitored | Limited | Pay per token | Anthropic maintains full control |
| Llama 3.1 405B | Open weights | Download and run locally | Responsible Use Guide (often ignored) | Full fine-tuning possible | Free (need substantial compute) | No control after release |
| Mistral Large 2 | Open weights | Download and run locally | Transparent 'no moderation mechanism' | Full fine-tuning possible | Free (need own compute) | No control after release |
| DeepSeek-R1 | Open weights | Download and run locally | Censors Chinese-sensitive topics; security vulnerabilities on political prompts | Full fine-tuning possible | Free (need own compute) | Subject to Chinese regulatory environment |
Key Positions
Positions on Open Source AI
Where different actors stand on releasing model weights
Argues open source is essential for safety, innovation, and preventing corporate monopoly. Concentration of AI power is the real risk.
“Open source makes AI safer, not more dangerous”
Concerned about irreversibility and misuse. Believes responsible scaling means keeping frontier models closed.
“Can't unring the bell once weights are public”
Shifted from open (GPT-2) to closed (GPT-4) as capabilities increased. Cites safety concerns.
“GPT-4 is too dangerous to release openly”
Gemini models are closed, but Google has history of open research. Pragmatic about risks.
“Case-by-case based on capabilities”
Business model and philosophy built on open source. Argues openness is ethical imperative.
“AI should be accessible to everyone”
Believes open sourcing powerful AI is one of the most dangerous things we could do.
“Open sourcing AGI would be suicide”
Safety Guardrail Effectiveness
Research on open model safety reveals significant challenges in maintaining guardrails once weights are released.
| Factor | Finding | Implication | Source |
|---|---|---|---|
| Guardrail bypass techniques | Emoji smuggling achieves 100% evasion against some guardrails | Even production-grade defenses can be bypassed | arXiv |
| Fine-tuning vulnerability | "Jailbreak-tuning" enables removal of all safety training | Every fine-tunable model has an "evil twin" potential | FAR.AI |
| Open model guardrail scores | Best open model (Phi-4): 84/100; Worst (Gemma-3): 57/100 | Wide variance in baseline safety | ADL |
| Larger models more vulnerable | Tested 23 LLMs: larger models more susceptible to poisoning | Capability-safety tradeoff worsens at scale | FAR.AI |
| Time to "uncensored" variants | Hours to days after release | Community rapidly removes restrictions | Hugging Face observations |
| Multilingual guardrails | OpenGuardrails supports 119 languages | Safety coverage possible but not universal | Help Net Security |
Key Cruxes
Key Questions
- ?Can safety guardrails be made robust to fine-tuning?No - always removable
Research shows safety training is superficial and easily overridden with fine-tuning.
→ Open source will always enable misuse
Confidence: highYes - with better techniquesWe can make safety intrinsic to the model, not just surface-level training.
→ Open source can be safe
Confidence: low - ?Will open models leak or be recreated anyway?Yes - inevitable
Too many actors with capability and motivation. Secrets don't keep in ML.
→ Better to shape open ecosystem than fight it
Confidence: mediumNo - frontier models stay aheadLeading labs maintain advantage. Not everything leaks.
→ Keeping closed is feasible and valuable
Confidence: medium - ?At what capability level does open source become too dangerous?Already crossed it
Current models can assist in serious harms if unconstrained.
→ Should stop open sourcing now
Confidence: lowNot even close yetCurrent models not capable enough for catastrophic misuse.
→ Continue open sourcing current generations
Confidence: mediumDangerous at AGI-levelWhen models can autonomously plan and execute complex tasks, open source becomes untenable.
→ Have time to decide on framework
Confidence: high - ?Do the benefits of scrutiny outweigh misuse risks?Yes - security through transparency
More eyes finding and fixing problems. History of open source security.
→ Open source is safer
Confidence: mediumNo - attackers benefit more than defendersOne attacker can exploit what thousands of defenders miss.
→ Closed is safer
Confidence: medium
Possible Middle Grounds
Several proposals aim to capture benefits of both approaches while mitigating risks:
| Approach | Description | Adoption Status | Effectiveness Estimate |
|---|---|---|---|
| Staged Release | 6-12 month delay after initial deployment before open release | Proposed; not yet implemented at scale | Medium (allows risk monitoring) |
| Structured Access | Weights provided to vetted researchers under agreement | GPT-2 XL initially; some academic partnerships | Medium-High for research |
| Differential Access | Smaller models open, frontier models closed | Current de facto standard | Medium (capability gap narrows) |
| Safety-Contingent Release | Release only if safety evaluations pass thresholds | Anthropic RSP (for deployment, not release) | High if thresholds appropriate |
| Hardware Controls | Release weights but require specialized hardware to run | Not implemented | Low-Medium (hardware becomes accessible) |
| Capability Thresholds | Open below certain compute/parameter thresholds | EU AI Act: 10²⁵ FLOPs as "systemic risk" cutoff | Uncertain (thresholds may become obsolete) |
The International Dimension
The geopolitical calculus shifted dramatically in 2025. DeepSeek's R1 release demonstrated that keeping Western models closed does not prevent capable open models from emerging globally. The market impact was immediate: NVIDIA reportedly lost $100 billion in market capitalization in a single day, and by month's end DeepSeek had overtaken ChatGPT as the most downloaded free app on the Apple App Store in the US.
DeepSeek's Impact: DeepSeek's January 2025 release sent "shockwaves globally" by demonstrating frontier capabilities in an open Chinese model at a fraction of Western costs—reportedly under $1 million in training costs compared to hundreds of millions for comparable Western models. The model runs 20-50x cheaper at inference than OpenAI's comparable offerings. However, NIST/CAISI evaluations found significant issues: DeepSeek models were 12x more susceptible to agent hijacking attacks than U.S. frontier models, and CrowdStrike research showed the model produces insecure code when prompted with politically sensitive terms (Tibet, Uyghurs). Several countries including Italy, Australia, and Taiwan have banned government use of DeepSeek.
If US/Western labs stay closed:
- May slow dangerous capabilities domestically
- But China has demonstrated strategic open-sourcing (DeepSeek)
- Could lose innovation race and talent to more open ecosystems
- Does not prevent proliferation given global competition
If US/Western labs open source:
- Loses monitoring capability over deployment
- But levels playing field globally and enables allies
- Benefits developing world and academic research
- May shape global norms through responsible release practices
Coordination problem:
- Optimal if all major powers coordinate on release thresholds
- Carnegie research notes emerging convergence on risk frameworks
- Unilateral Western restraint may simply cede ground to less safety-conscious actors
- DeepSeek's signing of AI Safety Commitments suggests potential for Chinese engagement
Implications for Different Risks
The open vs closed question has different implications for different risks:
Misuse risks (bioweapons, cyberattacks):
- Clear case for closed: irreversibility, removal of guardrails
- Open source dramatically increases risk once capabilities cross danger thresholds
- However, the March 2024 "ShadowRay" attack on Ray (an open-source AI framework used by Uber, Amazon, OpenAI) showed that open ecosystems create additional attack surfaces
Accident risks (unintended behavior):
- Mixed: Open source enables external safety research and red-teaming
- But also enables less careful deployment by actors who may not understand risks
- Depends on whether scrutiny benefits or proliferation risks dominate
Structural risks (power concentration):
- Clear case for open: prevents AI monopoly by a few corporations
- But only if open source is actually accessible (frontier models require substantial compute)
- LeCun's concern: "a very bad future in which all of our information diet is controlled by a small number of companies"
Race dynamics:
- Open source may accelerate race (lower barriers to entry)
- But also may reduce duplicated effort (can build on shared base)
- DeepSeek's cost-efficient training suggests open release may not slow capability development
Key Policy Developments
U.S. Policy: The NTIA's July 2024 report concluded that evidence is "insufficient to definitively determine either that restrictions on such open-weight models are warranted, or that restrictions will never be appropriate in the future." It recommended monitoring and research rather than immediate restrictions.
California SB-1047: In September 2024, Governor Newsom vetoed this bill which would have imposed liability requirements on AI developers. The veto cited concerns about stifling innovation without meaningfully improving safety.
EU AI Act: Takes a risk-based approach, entered into force August 2024 with GPAI model obligations applicable from August 2025. Open-source models receive exemptions from transparency obligations if they use permissive licenses and publicly share architecture information—but models with "systemic risk" (training compute exceeding 10²⁵ FLOPs) face full compliance requirements regardless of openness. France, Germany, and Italy initially opposed applying strict rules to open models, citing innovation concerns.
Emerging Consensus: Carnegie Endowment research in July 2024 found it is "no longer accurate to cast decisions about model and weight release as an ideological debate between rigid 'pro-open' and 'anti-open' camps." Instead, different camps have begun to converge on recognizing open release as a "positive and enduring feature of the AI ecosystem, even as it also brings potential risks."
Regulatory Comparison
| Jurisdiction | Policy Stance | Open Model Treatment | Enforcement Status |
|---|---|---|---|
| United States (NTIA) | Cautiously pro-open | No restrictions recommended without clearer risk evidence | Monitoring via AISI |
| EU AI Act | Risk-based | Exemptions for non-systemic models; full rules above 10²⁵ FLOPs | Applicable August 2025 |
| California (SB-1047) | Proposed liability | Would have imposed developer liability; vetoed September 2024 | Not enacted |
| China | Strategic openness | State-backed labs releasing competitive open models (DeepSeek, Qwen) | Active support |
| UK | Light-touch | No specific open model restrictions; voluntary commitments | Monitoring via AISI |
References
- NTIA Report on Dual-Use Foundation Models with Widely Available Model Weights (July 2024)
- Carnegie Endowment: Beyond Open vs. Closed (July 2024)
- RAND: Securing AI Model Weights (2024)
- TIME: Yann LeCun Interview on Open AI (2024)
- NIST/CAISI: Evaluation of DeepSeek AI Models (September 2025)
- Carnegie: DeepSeek and Chinese AI Safety Commitments (January 2025)
- R Street Institute: Mapping the Open-Source AI Debate (2024)
References
The 2025 Stanford HAI AI Index Report provides a comprehensive annual survey of AI development across technical performance, economic investment, global competition, and responsible AI adoption. It synthesizes data from academia, industry, and government to track AI progress and societal impact. The report serves as a key reference for understanding where AI stands today and emerging trends shaping the field.
Menlo Ventures' mid-2025 report analyzes the enterprise LLM market, finding that Anthropic has surpassed OpenAI in enterprise usage, model API spending has more than doubled to $8.4B, and AI spend is shifting from training to inference. Key findings include that enterprises switch models for performance rather than price, and open-source adoption has plateaued.
This Carnegie Endowment analysis examines how Chinese AI companies, including DeepSeek, are increasingly adopting safety commitments and responsible AI language similar to Western counterparts. It explores whether this convergence reflects genuine alignment on AI safety norms or primarily serves regulatory and reputational purposes, with implications for global AI governance.
NIST's Center for AI Standards and Innovation (CAISI) evaluated DeepSeek AI models (R1, R1-0528, V3.1) against leading U.S. models across 19 benchmarks, finding DeepSeek significantly underperforms on technical metrics and cost-effectiveness. The report also identifies security vulnerabilities and systematic censorship in DeepSeek responses as risks to developers, consumers, and U.S. national security. The evaluation highlights concerns about the rapid global adoption of PRC-developed AI models spurred by DeepSeek's prominence.
Hugging Face is the central platform for the machine learning community to host, share, and collaborate on models, datasets, and AI applications. It hosts over 2 million models, 500k datasets, and 1 million applications across all modalities. It serves as a critical infrastructure layer for AI development and research.
FAR.AI researchers demonstrate that GPT-4o's safety guardrails can be systematically undermined through data poisoning and jailbreak-tuning attacks, showing that fine-tuning APIs can be exploited to remove safety behaviors. The work highlights a critical vulnerability in deployed frontier models where adversarial training data can compromise alignment properties established during RLHF.
A market analysis report by Menlo Ventures examining enterprise adoption trends, investment patterns, and economic implications of generative AI in 2025. The report surveys enterprise decision-makers to assess how organizations are deploying, budgeting for, and deriving value from generative AI technologies.