June 12, 2026

Red Lines

Understanding the National Security Risks of China’s Advanced AI

By: Daniel Remler

Executive Summary

Chinese advanced artificial intelligence (AI) systems pose a serious and growing threat to U.S. national security. At least seven Chinese developers now produce systems with formidable capabilities across coding, reasoning, multimodal recognition, and agentic tasks—systems that are released with open weights, offered via application programming interface (API) at prices designed to undercut American competitors, and available for download by anyone in the world. The Chinese Communist Party (CCP), which collapses the boundaries between state, military, and private sector, treats these systems as instruments of political control, economic dominance, and great-power competition. Some of these risks are inherent to any sufficiently capable AI system that lacks adequate safeguards. But the most significant risks are products of the political system that builds, shapes, and deploys these systems. This party-state does not tolerate independent power centers and treats AI as a tool of statecraft across every dimension of strategic competition.

This report proposes a framework for understanding these risks across three domains and two vectors. In the kinetic domain, Chinese AI systems enhance military capabilities and offensive cyber operations and raise concerns about biological weapons development. In the cognitive domain, they enable more effective censorship, surveillance, influence campaigns, and espionage. In the economic-technological domain, they drive industrial dominance and create dependencies that extend China’s reach in emerging and advanced economies alike. These risks affect the United States through two vectors: state instrumentalization, in which the CCP directly wields AI systems, and proliferation and dependency, in which Chinese systems spread globally through open-weight release, model compression, and aggressive pricing. Widespread adoption of Chinese AI systems creates structural dependencies that give the CCP leverage, embed CCP ideology and security vulnerabilities into foreign systems, and expand the attack surface available to Chinese intelligence—even when no one in Beijing lifts a finger.

This report argues for understanding risk in absolute terms, focusing on what Chinese systems can do, not just how far behind they are.

A detailed assessment of the current capabilities, design choices, and security vulnerabilities of systems from China’s seven leading AI developers (Alibaba, Baidu, DeepSeek, MiniMax, Moonshot, Tencent, and Zhipu) reveals threats that are concrete and, in several cases, immediate. Chinese systems can already contribute meaningfully to offensive cyber operations. Ideological alignment with the CCP is deepening with every new model. DeepSeek-based agents are 12 times more likely to follow malicious instructions than their U.S. counterparts. These findings underscore why this report argues for understanding risk in absolute terms, focusing on what Chinese systems can do, not just how far behind they are.

The report offers six policy recommendations:

  1. The Department of Commerce should publish national security risk assessments of Chinese advanced AI systems no more than 72 hours after their release.
  2. The Cybersecurity and Infrastructure Security Agency should issue cybersecurity alerts and advisories on Chinese advanced AI systems and establish the AI Information Sharing and Analysis Center called for in the AI Action Plan.
  3. The Department of Commerce should establish security testing best practices for cloud service providers that deploy and monitor AI models developed by untrusted third parties.
  4. The Department of Energy should use the Genesis Mission to establish a classified adversarial testing program for Chinese advanced AI systems.
  5. The Department of State should convene monthly meetings with a core group of U.S. allies to share information on China’s AI ecosystem and coordinate collective action.
  6. The Department of Commerce should publish semiannual reports on the state of China’s AI ecosystem to inform policy action and congressional oversight.

Introduction

China’s Spring Festival traditionally marks a time for renewal—to reconnect with family, present one’s best self to the world, and look forward to the year. The holiday has accordingly become a showcase of China’s artificial intelligence (AI) power. In the weeks surrounding Lunar New Year 2026, Chinese AI developers released a volley of new systems that demonstrated the breadth and strategic ambition of the country’s AI ecosystem. The February 11 release of Zhipu’s GLM-5 kicked off the holiday season with a new 744-billion-parameter system compatible with Huawei chips that scored just behind GPT-5.2 and Claude Opus 4.5 on popular coding benchmarks. Moonshot, ByteDance, and Alibaba all released upgraded systems of their own over the following weeks.

Model releases were only part of the story. Each system was released with open weights under permissive licenses. Each was offered via application programming interface (API) at a fraction of the cost of its American equivalent. And each was available for download by anyone in the world. Tencent, ByteDance, Alibaba, and Baidu used the same holiday to run an AI adoption war, embedding their chatbots into red envelope giveaways, the China Central Television Spring Festival Gala, and e-commerce workflows. Tencent’s Yuanbao chatbot passed 50 million daily active users during the holiday alone. The frenzy intensified in March, when OpenClaw, an open-source agent framework, went viral across China as millions of users connected it to Chinese models such as Qwen to automate everyday tasks—prompting every major Chinese technology company to launch its own version within days.

Behind the symbolism of releasing new models around the Spring Festival lies a dynamic ecosystem that now fields at least seven Chinese developers producing systems that pose serious national security challenges for the United States. The Chinese Communist Party (CCP) treats the advanced AI emerging from this ecosystem as essential to its military modernization, political control, economic ambitions, and global influence. The recently released 15th Five-Year Plan reinforces this priority, listing AI as the top “frontier technology” ahead of quantum computing, fusion energy, and other fields. Beyond indigenous innovation, the CCP seeks advantage across every segment of the AI supply chain—in software through adversarial distillation (training on the outputs of superior U.S. models to replicate their capabilities at a fraction of the cost), in hardware through access to banned chips, and in integration by privileging partnerships between Chinese firms.

The Trump administration’s July 2025 AI Action Plan included some initial direction to grip the challenge of Chinese AI. It called on the U.S. government to evaluate national security risks in frontier Chinese models, strengthen the enforcement of AI compute export controls, align protection measures with allies, and promote mature federal capacity for AI incident response. But execution has not kept pace with ambition. As of publication, the Department of Commerce has published only three assessments of Chinese AI models, all delayed weeks or months after the models were released and the technical analyses had been completed. No Chinese AI developer has been subject to U.S. government sanctions of any kind since 2024. Allied coordination remains limited and ad hoc. Meanwhile, the direct threat to Americans has escalated. Chinese AI systems are powering cyber campaigns against U.S. infrastructure, embedding CCP ideology into software adopted by millions, and creating espionage vulnerabilities that Chinese security services are uniquely positioned to exploit.

In September 2025, Director of the Office of Science and Technology Policy Michael Kratsios warned the UN Security Council that “the improper use of AI systems can erode deterrence, create destabilizing effects, and reinforce systems of political control and social engineering.” China’s advanced AI systems do all three, posing risks to national security across three domains: kinetic, where they enhance military and cyber capabilities; cognitive, where they enable censorship, surveillance, and espionage; and economic-technological, where they drive industrial dominance, threaten to dominate commercial platforms, and create dependencies.

These risks are not incidental features of model design. They flow from the nature of the CCP, a party that collapses the boundaries between the party and society and that views AI as an instrument of political control, economic dominance, and great-power competition. These risks reach the United States and its allies through two vectors: direct state instrumentalization by the CCP, and proliferation and dependency as Chinese systems spread globally through open-weight release, aggressive pricing, and integration into critical infrastructure.

The result is an analytical vacuum at the center of the AI policies of the United States and its allies.

The lack of clarity over these risks has been fed in part by the Western AI community’s fixation on U.S. frontier systems. The most rigorous research and most consequential regulatory interventions have focused almost exclusively on American developers, inflating the risks of technology built under the rule of law while giving China’s developers a free pass. The result is an analytical vacuum at the center of the AI policies of the United States and its allies.

The report makes the case for measuring these risks in absolute terms based on what Chinese systems can already do, not just how far behind they trail their U.S. peers. The prevailing “AI race” framing obscures whether Chinese systems have crossed specific capability thresholds that endanger American security. This report assesses the capabilities, vulnerabilities, and design of AI systems from China’s seven leading developers, pegging them to actual use cases where feasible. A Chinese AI system that can conduct an autonomous cyber campaign, suppress dissent at scale, or lock developing countries into Chinese infrastructure threatens U.S. national security regardless of whether an American system is better. Policy built on relative rankings breeds complacency when the U.S. lead grows and defeatism when the gap narrows. Policy built on understanding absolute capabilities produces specific objectives and sharper tools.

Section I of this report situates AI risks to U.S. national security within the CCP’s broader strategic logic, providing a framework for understanding these risks. Section II assesses the current capabilities, design choices, and security vulnerabilities of advanced AI systems from China’s seven leading AI developers across this framework. The recommendations subsection of Section III offers six policy prescriptions, most of which are designed to close analytical gaps that unclassified and classified testing, allied coordination, and public reporting could address, but that the U.S. government has not yet prioritized.

Read the full report

Download PDF

  1. Gregory C. Allen, Understanding China’s AI Strategy (Center for a New American Security [CNAS], February 6, 2019), https://www.cnas.org/publications/reports/understanding-chinas-ai-strategy; Elsa B. Kania and Lorand Laskai, Myths and Realities of China’s Military-Civil Fusion Strategy (CNAS, January 28, 2021), https://www.cnas.org/publications/reports/myths-and-realities-of-chinas-military-civil-fusion-strategy.
  2. Allen, Understanding China’s AI Strategy; Kania and Laskai, Myths and Realities of China’s Military-Civil Fusion Strategy.
  3. Sunny Cheung and Kai-shing Lau, “DeepSeek Use in PRC Military and Public Security Systems,” China Brief 25, no. 20 (October 27, 2025), https://jamestown.org/deepseek-use-in-prc-military-and-public-security-systems; Kyle Miller et al., The Use of Open Models in Research (Center for Security and Emerging Technology [CSET], October 2025), https://cset.georgetown.edu/publication/the-use-of-open-models-in-research; Steven Feldstein, The Global Expansion of AI Surveillance (Carnegie Endowment for International Peace, September 17, 2019), https://carnegieendowment.org/research/2019/09/the-global-expansion-of-ai-surveillance.
  4. Evaluation of DeepSeek AI Models (Center for AI Standards and Innovation [CAISI], National Institute of Standards and Technology, September 30, 2025), https://www.nist.gov/system/files/documents/2025/09/30/CAISI_Evaluation_of_DeepSeek_AI_Models.pdf.
  5. Reuters, “Chinese AI Startup Zhipu Releases New Flagship Model GLM-5,” February 11, 2026, https://www.reuters.com/technology/chinas-ai-startup-zhipu-releases-new-flagship-model-glm-5-2026-02-11; Jonathan Kemper, “Chinese AI Lab Zhipu Releases GLM-5 Under MIT License, Claims Parity with Top Western Models,” The Decoder, February 12, 2026, https://the-decoder.com/chinese-ai-lab-zhipu-releases-glm-5-under-mit-license-claims-parity-with-top-western-models; Maxime Labonne, “GLM-5: China’s First Public AI Company Ships a Frontier Model,” Hugging Face, February 17, 2026, https://huggingface.co/blog/mlabonne/glm-5.
  6. Kimi Team, “Kimi K2.5: Visual Agentic Intelligence,” arXiv:2602.02276, February 2, 2026, https://arxiv.org/abs/2602.02276; Eduardo Baptista, “China’s ByteDance Releases Doubao 2.0 AI Model for ‘Agent Era,’” Reuters, February 14, 2026, https://www.reuters.com/world/asia-pacific/chinas-bytedance-releases-doubao-20-ai-chatbot-2026-02-14/; Eduardo Baptista, “Alibaba Unveils New Qwen3.5 Model for ‘Agentic AI Era,’” Reuters, February 16, 2026, https://www.reuters.com/world/china/alibaba-unveils-new-qwen35-model-agentic-ai-era-2026-02-16.
  7. Yuxuan Jia and Zichen Wang, “China’s Spring Festival AI War,” Pekingnology, February 26, 2026, https://www.pekingnology.com/p/chinas-spring-festival-ai-war; Irene Zhang and Nick Corvino, “Chinese AI Rings in the Year of the Horse: A Lunar New Year AI Roundup,” ChinaTalk, February 18, 2026, https://www.chinatalk.media/p/chinese-ai-rings-in-the-year-of-the.
  8. “OpenClaw Frenzy Drives China’s Agentic AI Adoption, Raises Security Concerns,” Bloomberg, March 12, 2026, https://www.bloomberg.com/news/articles/2026-03-12/openclaw-frenzy-drives-china-s-agentic-ai-adoption-raises-security-concerns; Luz Ding, “Alibaba Debuts OpenClaw App to Feed China’s Agentic AI Addiction,” Bloomberg, March 13, 2026, https://www.bloomberg.com/news/articles/2026-03-13/alibaba-debuts-openclaw-app-to-feed-china-s-agentic-ai-addiction; Josh Xiao and Nectar Gan, “China’s OpenClaw Frenzy Test Xi’s Approach to Regulate AI,” Bloomberg, March 12, 2026, https://www.bloomberg.com/news/articles/2026-03-12/china-s-openclaw-frenzy-tests-xi-s-approach-to-regulate-ai.
  9. 15th Five-Year Plan for Economic and Social Development of the People’s Republic of China (2026–2030): Draft Outline (NPC Observer, March 2026), https://npcobserver.com/wp-content/uploads/2026/03/15th-Five-Year-Plan-Draft_NON-FINAL.pdf.
  10. Winning the Race: America’s AI Action Plan (White House Office of Science and Technology Policy, July 23, 2025), https://www.whitehouse.gov/wp-content/uploads/2025/07/Americas-AI-Action-Plan.pdf.
  11. Maggie Hassan and Joni Ernst, “Senators Hassan, Ernst Sound Alarm on Chinese AI-Enabled Hackers,” press release, December 3, 2025, https://www.hassan.senate.gov/news/press-releases/senators-hassan-ernst-sound-alarm-on-chinese-ai-enabled-hackers; Evaluation of DeepSeek AI Models.
  12. Michael Kratsios, “Remarks at the Security Council’s Open Debate on Artificial Intelligence and International Peace and Security,” United States Mission to the United Nations, September 24, 2025, https://usun.usmission.gov/remarks-at-the-security-councils-open-debate-on-artificial-intelligence-and-international-peace-and-security

Author

  • Daniel Remler

    Senior Fellow, Technology and National Security Program

    Daniel Remler is a senior fellow with the Technology and National Security Program at the Center for a New American Security (CNAS). His research focuses on the implications o...

More from CNAS

View All Reports View All Articles & Multimedia