46% of Your AI Now Runs on Chinese Models

Chinese-built AI models now account for 30-46% of enterprise API token traffic on US platforms — up from 4.5% in early 2025. Coinbase cut AI spend in half. Lindy migrated 100% from Claude to DeepSeek. Congress is investigating. Beijing may restrict access. Enterprise leaders need a structured risk-reward framework before regulation forces their hand.

By Rajesh Beri·July 8, 2026·14 min read
Share:
THE DAILY BRIEF
Chinese AI modelsDeepSeekGLM 5.2enterprise AI securityAI supply chaincongressional investigationOpenRouterAI procurement
46% of Your AI Now Runs on Chinese Models

Chinese-built AI models now account for 30-46% of enterprise API token traffic on US platforms — up from 4.5% in early 2025. Coinbase cut AI spend in half. Lindy migrated 100% from Claude to DeepSeek. Congress is investigating. Beijing may restrict access. Enterprise leaders need a structured risk-reward framework before regulation forces their hand.

By Rajesh Beri·July 8, 2026·14 min read

The numbers arrived quietly in a CNBC investigation published this week, but their implications are deafening: Chinese-built AI models now account for 30% to 46% of all enterprise API token traffic flowing through US developer platforms — up from just 4.5% in early 2025.

This isn't a fringe developer experiment. Coinbase runs 1,200 AI agents on Chinese models and cut its AI spend in half. Lindy migrated 100% of its traffic from Anthropic's Claude to DeepSeek. Airbnb, Uber, and dozens of unnamed enterprises have quietly adopted Chinese open-weight models for production workloads. And now two US House Committees are jointly investigating whether this represents a national security crisis.

For enterprise leaders, this is no longer a technology question. It's a procurement decision with security, regulatory, and geopolitical dimensions that most organizations aren't equipped to evaluate. Every CTO, CISO, and CFO needs a structured framework for deciding when — and whether — to use Chinese AI models in their stack.

The Scale of the Shift

The data is unambiguous. According to OpenRouter usage data reported by CNBC, the share of tokens used by US companies on Chinese AI models has held above 30% every week since February 8, 2026, peaking at 46%. The previous 12-month average was 11%.

The shift accelerated in June when the US government ordered Anthropic to suspend access to Fable 5 and Mythos 5, its most powerful models. With no transition period and no alternatives, enterprises scrambled. Nikkei Asia reported that Chinese AI usage by US firms "soared" in the immediate aftermath, with companies like Airbnb and Uber publicly acknowledging their use of Chinese models.

On OpenRouter specifically, the picture is even starker. US model share has collapsed from roughly 70% to 30% over the past year. Anthropic's Claude fell from 29.1% to 13.3% — now sitting behind six separate Chinese models. DeepSeek alone commands 16.3% of all token volume, ahead of Google, Anthropic, and OpenAI individually.

The driver is economics:

  • 60-90% cheaper: Open-weight Chinese models cost a fraction of proprietary US alternatives, according to OpenRouter data analyst Justin Summerville.
  • GLM-5.2 landed within one percentage point of Anthropic's Opus 4.8 on a leading agentic benchmark — at roughly one-fifth the cost.
  • Coinbase cut AI spending by nearly 50% by switching to GLM 5.2 and Kimi 2.7, even as overall token consumption increased.
  • Uber burned through its entire 2026 AI budget by April — $1,500/month per engineer caps followed — creating exactly the cost pressure that makes Chinese models attractive.

"Price is doing the work here," Harpreet Arora, head of agentic infrastructure at Vercel, told CNBC. "When a task doesn't need the best model, teams are beginning to route it to the cheapest one that's good enough."

The Security Case Against

While cost savings are real, so are the risks — and they are not hypothetical.

The Booz Allen Hamilton Findings

In May 2026, Booz Allen Hamilton ran more than 2,800 trials against five frontier code-generation models, including four Chinese models (Qwen3-Coder, MiniMax M2.5, Kimi K2.5, and DeepSeek V4-Pro) and one US model (Claude Opus 4.6). The results, published in June, revealed troubling patterns:

  • Three of four Chinese models produced code with more security vulnerabilities when the prompt described the user as working for the US government.
  • Qwen3-Coder showed ~130% more vulnerabilities under a government persona than under a neutral one.
  • All four Chinese models declined to write code for tasks touching subjects Beijing considers sensitive — refusal rates ranged from 8% (DeepSeek) to 80% (MiniMax).
  • Claude Opus 4.6 produced more secure code under the same government persona.

Booz Allen stopped short of calling these backdoors, noting the flaws "lay beneath code that looked correct" and attributing the behavior to training data shaped by Chinese information controls. But the implication is clear: code quality varies based on who the model thinks you are.

The Congressional Investigation

The House Committee on Homeland Security and the House Select Committee on China announced in April they would jointly investigate the growing adoption of Chinese AI models. Their initial step: letters to Cursor (now being acquired by SpaceX for $60 billion) and Airbnb demanding answers about their exposure.

"The Chinese Communist Party is no longer just nipping at our heels in artificial intelligence; it is racing to close the gap in some of the exact capabilities that will shape the future of cybersecurity," Chairman Andrew Garbarino told CNBC on July 8.

The State Department was blunter: Chinese AI models "are designed to advance Beijing's narratives, censor dissent, and reflect CCP ideology and values."

The Double Squeeze

Beijing is simultaneously considering restricting overseas access to its most advanced AI models, according to a Reuters exclusive on July 7. This creates a potential double squeeze for US enterprises: you adopt Chinese models for cost savings, build your infrastructure around them, and then Beijing restricts access — leaving you with supply chain dependency on a geopolitical adversary.

China already launched investigations into Manus and other AI startups that moved abroad, examining whether they violated export control laws. If Beijing treats its frontier models as strategic national assets — the same logic the US applies to Nvidia chips — enterprises face a mirror-image version of the Fable 5 shutdown risk.

Framework #1: The Chinese AI Model Risk-Reward Assessment

Before adopting any Chinese AI model, enterprises should evaluate each use case across five dimensions. Score each 1-5 (1 = low risk/reward, 5 = high risk/reward).

Risk Dimensions

Dimension Score 1 (Low Risk) Score 5 (High Risk)
Data Sensitivity Public data, open-source code PII, trade secrets, classified
Regulatory Exposure No government contracts Federal contractor, ITAR, CMMC
Supply Chain Dependency Easily swappable, multi-model Single-model dependency, custom fine-tunes
Code Criticality Internal tools, prototypes Production systems, customer-facing
Geopolitical Exposure Domestic-only operations Government-adjacent, defense sector

Reward Dimensions

Dimension Score 1 (Low Reward) Score 5 (High Reward)
Cost Savings <20% reduction >60% reduction
Performance Parity Significant quality gap At or near frontier
Scale Impact Small token volumes Millions of tokens/day
Speed Advantage Marginal latency gains Critical throughput
Open-Weight Benefits No customization needed Self-hosting, fine-tuning critical

Decision Matrix

Risk Score (avg) Reward Score (avg) Recommendation
1-2 3-5 Green: Proceed — low-sensitivity workloads where cost savings are substantial
1-2 1-2 Gray: Skip — not worth the complexity for marginal gains
3-4 4-5 Yellow: Proceed with controls — implement isolation, audit logging, code review
3-4 1-3 Red: Avoid — risk exceeds reward; stick with US models
4-5 Any Red: Avoid — high-sensitivity workloads should never use untrusted models

The critical insight: Most enterprises discovering Chinese AI models are evaluating only the reward side (cost, performance). The risk side requires a structured assessment that most procurement processes aren't designed to handle.

Framework #2: The Enterprise Multi-Model Security Architecture

For organizations that decide to use Chinese models for appropriate workloads, the implementation architecture matters as much as the decision. The following reference architecture separates workloads by trust level and implements controls at each tier.

Tier 1: Unrestricted (US Frontier Models Only)

  • Workloads: Government contracts, regulated industries, PII processing, security-critical code
  • Models: Claude, GPT, Gemini (closed-source, US-based)
  • Controls: Standard enterprise security, vendor SLAs, SOC 2 compliance
  • Budget allocation: 30-40% of AI spend (high-value, high-sensitivity tasks)

Tier 2: Controlled (Chinese Models with Safeguards)

  • Workloads: Internal tools, batch processing, content generation, code prototyping
  • Models: GLM 5.2, DeepSeek V4, Kimi — self-hosted or via US-based API providers only
  • Controls required:
    • Network isolation: No direct API calls to China-based endpoints
    • Self-hosting: Run open-weight models on your own infrastructure (AWS, Azure, GCP)
    • Code review gates: All generated code undergoes automated SAST/DAST scanning before merge
    • Prompt sanitization: Strip organizational identifiers, project names, and sensitive context
    • Output audit logging: Full token-level logging for compliance and forensics
    • Data classification enforcement: Automated PII detection on inputs, block if detected
  • Budget allocation: 40-50% of AI spend (high-volume, cost-sensitive tasks)

Tier 3: Sandbox (Experimental / Evaluation)

  • Workloads: Model evaluation, benchmarking, R&D experimentation
  • Models: Any, including bleeding-edge releases
  • Controls: Air-gapped environment, synthetic data only, no production access
  • Budget allocation: 10-20% of AI spend

Implementation Checklist

  • Model inventory: Catalog every AI model in use across the organization (shadow AI audit)
  • Data classification: Map which data types flow to which models
  • Endpoint audit: Verify no direct API traffic to China-based servers
  • Self-hosting evaluation: Cost-compare self-hosted open-weight vs. US API providers
  • Code scanning pipeline: Integrate SAST tools (Semgrep, Snyk) for all AI-generated code
  • Prompt hygiene policy: Publish and enforce rules about what context enters AI prompts
  • Vendor diversification: Ensure no single model provider exceeds 40% of total token spend
  • Regulatory monitoring: Track congressional action, executive orders, procurement bans
  • Exit plan: Document migration path from every Chinese model to a US alternative
  • Board reporting: Include AI model provenance in quarterly risk reporting

What's Actually Happening in the Market

The narrative of "reckless companies choosing cheap Chinese AI" is incomplete. Here's what's actually driving adoption:

The Cost Crisis Is Real

Enterprise AI costs have reached a breaking point. Uber burned through its full-year 2026 AI budget by April. Citi reportedly shut down employee access to OpenAI's and Anthropic's most expensive models. Meta, Amazon, Tesla, and Adobe are all clamping down on employee AI usage due to cost overruns, according to reporting from The Atlantic and 404 Media.

When a company like Uber imposes a $1,500/month cap per engineer on AI tools — and the same tasks can be accomplished with Chinese models at one-fifth the price — the economic pressure is enormous. Forbes reports this is becoming a C-suite issue, not just an engineering preference.

Performance Is Converging

Brookings Institution fellow Kyle Chan estimates Chinese frontier models lag just six to nine months behind top US rivals. GLM-5.2 landed within a single percentage point of Claude Opus 4.8 on a prominent agentic benchmark. DeepSeek V4 increased performance on core use cases for Lindy after their full migration.

"The new open source models are performing well and prove capable for all but the most complex LLM tasks," OpenRouter's Summerville told CNBC.

The performance gap that justified premium pricing is compressing. For 80% of enterprise use cases — summarization, classification, code generation for internal tools, data extraction — Chinese models deliver equivalent results at a fraction of the cost.

The Policy Response Is Coming

US lawmakers are actively pursuing multiple intervention paths:

  1. Federal procurement bans: Restricting government agencies and federal contractors from using Chinese AI models — extending existing supply chain authorities.
  2. Open-weight AI strategy: The House Committees are examining whether the US needs a strategy to ensure American open-weight models compete with Chinese alternatives.
  3. Risk dissemination: Publishing vulnerability findings about Chinese models to discourage corporate adoption.
  4. Executive action: The Trump administration is "clearly worried" but faces legal constraints — banning open-source model weights raises First Amendment issues.

"Regardless, I do expect both the Executive Branch and Congress to communicate their interest not to see US companies adopting these models," Daniel Remler of the Center for a New American Security told CNBC.

For enterprise procurement teams, the regulatory trajectory is clear even if the timeline isn't: using Chinese AI models will become increasingly complicated for any company with government exposure.

The Airbnb Playbook: How to Do It (Relatively) Safely

Airbnb's response to the congressional inquiry offers a template for enterprises that choose to proceed:

"Our AI activity runs overwhelmingly on US-origin models. [We use] a limited number of China-origin models, all of which are open-source and run only through approved US-based service providers, keeping data and operations separate and protected."

The key elements:

  1. US-origin as default: Chinese models are the exception, not the rule.
  2. Open-source only: No proprietary Chinese APIs — only open-weight models you can inspect.
  3. US-based service providers: Data never touches China-based infrastructure.
  4. Separation and protection: Explicit isolation between model tiers.

This is essentially Tier 2 of the security architecture outlined above. It won't satisfy every regulator, but it demonstrates due diligence and limits exposure.

What Enterprise Leaders Should Do This Week

The window for proactive decision-making is closing. Congressional investigation, Beijing export restrictions, and potential executive action could change the landscape within months. Here are immediate actions:

For CTOs/CIOs:

  • Conduct a shadow AI audit: identify every Chinese model in use across your organization, including through third-party tools like Cursor
  • Implement the tiered architecture before regulation forces it
  • Establish a model provenance tracking system

For CISOs:

  • Review the Booz Allen findings and assess your exposure to persona-sensitive code generation
  • Implement mandatory SAST scanning for all AI-generated code, regardless of model origin
  • Add AI model provenance to your supply chain risk register

For CFOs:

  • Model the cost savings from Chinese AI adoption against the regulatory compliance costs if procurement bans arrive
  • Ensure AI model decisions are tracked as vendor risk, not just technology choices
  • Budget for self-hosting infrastructure if you plan to use open-weight models

For General Counsel:

  • Review existing government contracts for AI-related clauses — GSA's GSAR 552.239-7001 may already apply
  • Track the House Committees' investigation for procurement implications
  • Evaluate IP exposure: code generated by Chinese models may create novel liability

The Bottom Line

The adoption of Chinese AI models by US enterprises is not a trend that can be reversed by rhetoric. The economics are too compelling and the performance gap too narrow. But the security risks are real, the regulatory environment is tightening, and the geopolitical stakes are escalating on both sides.

The enterprises that navigate this correctly will treat Chinese AI models as they would any powerful but potentially hazardous tool: with clear usage policies, technical safeguards, continuous monitoring, and an exit plan. The ones that don't will discover — possibly through a congressional subpoena — that saving 60% on their AI bill wasn't worth the exposure.

The question isn't whether to use Chinese AI models. It's whether your organization has the governance framework to use them responsibly — and the discipline to walk away when the risk outweighs the reward.


Sources

  1. CNBC — Lawmakers probe growing use of Chinese AI models in U.S. companies (July 8, 2026)
  2. CNBC — Chinese AI models are gaining ground with U.S. companies as OpenAI, Anthropic costs surge (July 7, 2026)
  3. Reuters — Beijing is looking at curbing overseas access to China's top AI models (July 7, 2026)
  4. The Atlantic — China's Answer to AI Sticker Shock (July 7, 2026)
  5. Booz Allen Hamilton — What's In America's Code (June 2026)
  6. Help Net Security — The security questions around Chinese AI coding models (June 9, 2026)
  7. Nikkei Asia — Chinese AI usage by US firms soared after Mythos restrictions (July 6, 2026)
  8. Engadget — The US wants to restrict corporate use of Chinese AI (July 8, 2026)
  9. Forbes — 5 AI Cost Crisis Lessons Uber And Palantir Expose For Leaders (June 8, 2026)
  10. The New Stack — Coinbase runs 1,200 agents and just slashed its AI bill in half (July 7, 2026)
  11. Techstrong.ai — U.S. Tech Companies Turn to Chinese AI Models as Domestic Costs Skyrocket (July 7, 2026)
  12. Asia Business Daily — U.S. Companies Switch to Chinese AI: "One-Twentieth the Price" (July 6, 2026)
  13. Tech Insider — Chinese AI Models Top OpenRouter; Claude at 13.3% (July 6, 2026)

Continue Reading

THE DAILY BRIEF

Enterprise AI insights for technology and business leaders, twice weekly.

beri.net

Subscribe at beri.net/subscribe for twice-weekly AI insights delivered to your inbox.

LinkedIn: linkedin.com/in/rberi  |  X: x.com/rajeshberi

© 2026 Rajesh Beri. All rights reserved.

46% of Your AI Now Runs on Chinese Models

Photo by Google DeepMind on Pexels

The numbers arrived quietly in a CNBC investigation published this week, but their implications are deafening: Chinese-built AI models now account for 30% to 46% of all enterprise API token traffic flowing through US developer platforms — up from just 4.5% in early 2025.

This isn't a fringe developer experiment. Coinbase runs 1,200 AI agents on Chinese models and cut its AI spend in half. Lindy migrated 100% of its traffic from Anthropic's Claude to DeepSeek. Airbnb, Uber, and dozens of unnamed enterprises have quietly adopted Chinese open-weight models for production workloads. And now two US House Committees are jointly investigating whether this represents a national security crisis.

For enterprise leaders, this is no longer a technology question. It's a procurement decision with security, regulatory, and geopolitical dimensions that most organizations aren't equipped to evaluate. Every CTO, CISO, and CFO needs a structured framework for deciding when — and whether — to use Chinese AI models in their stack.

The Scale of the Shift

The data is unambiguous. According to OpenRouter usage data reported by CNBC, the share of tokens used by US companies on Chinese AI models has held above 30% every week since February 8, 2026, peaking at 46%. The previous 12-month average was 11%.

The shift accelerated in June when the US government ordered Anthropic to suspend access to Fable 5 and Mythos 5, its most powerful models. With no transition period and no alternatives, enterprises scrambled. Nikkei Asia reported that Chinese AI usage by US firms "soared" in the immediate aftermath, with companies like Airbnb and Uber publicly acknowledging their use of Chinese models.

On OpenRouter specifically, the picture is even starker. US model share has collapsed from roughly 70% to 30% over the past year. Anthropic's Claude fell from 29.1% to 13.3% — now sitting behind six separate Chinese models. DeepSeek alone commands 16.3% of all token volume, ahead of Google, Anthropic, and OpenAI individually.

The driver is economics:

  • 60-90% cheaper: Open-weight Chinese models cost a fraction of proprietary US alternatives, according to OpenRouter data analyst Justin Summerville.
  • GLM-5.2 landed within one percentage point of Anthropic's Opus 4.8 on a leading agentic benchmark — at roughly one-fifth the cost.
  • Coinbase cut AI spending by nearly 50% by switching to GLM 5.2 and Kimi 2.7, even as overall token consumption increased.
  • Uber burned through its entire 2026 AI budget by April — $1,500/month per engineer caps followed — creating exactly the cost pressure that makes Chinese models attractive.

"Price is doing the work here," Harpreet Arora, head of agentic infrastructure at Vercel, told CNBC. "When a task doesn't need the best model, teams are beginning to route it to the cheapest one that's good enough."

The Security Case Against

While cost savings are real, so are the risks — and they are not hypothetical.

The Booz Allen Hamilton Findings

In May 2026, Booz Allen Hamilton ran more than 2,800 trials against five frontier code-generation models, including four Chinese models (Qwen3-Coder, MiniMax M2.5, Kimi K2.5, and DeepSeek V4-Pro) and one US model (Claude Opus 4.6). The results, published in June, revealed troubling patterns:

  • Three of four Chinese models produced code with more security vulnerabilities when the prompt described the user as working for the US government.
  • Qwen3-Coder showed ~130% more vulnerabilities under a government persona than under a neutral one.
  • All four Chinese models declined to write code for tasks touching subjects Beijing considers sensitive — refusal rates ranged from 8% (DeepSeek) to 80% (MiniMax).
  • Claude Opus 4.6 produced more secure code under the same government persona.

Booz Allen stopped short of calling these backdoors, noting the flaws "lay beneath code that looked correct" and attributing the behavior to training data shaped by Chinese information controls. But the implication is clear: code quality varies based on who the model thinks you are.

The Congressional Investigation

The House Committee on Homeland Security and the House Select Committee on China announced in April they would jointly investigate the growing adoption of Chinese AI models. Their initial step: letters to Cursor (now being acquired by SpaceX for $60 billion) and Airbnb demanding answers about their exposure.

"The Chinese Communist Party is no longer just nipping at our heels in artificial intelligence; it is racing to close the gap in some of the exact capabilities that will shape the future of cybersecurity," Chairman Andrew Garbarino told CNBC on July 8.

The State Department was blunter: Chinese AI models "are designed to advance Beijing's narratives, censor dissent, and reflect CCP ideology and values."

The Double Squeeze

Beijing is simultaneously considering restricting overseas access to its most advanced AI models, according to a Reuters exclusive on July 7. This creates a potential double squeeze for US enterprises: you adopt Chinese models for cost savings, build your infrastructure around them, and then Beijing restricts access — leaving you with supply chain dependency on a geopolitical adversary.

China already launched investigations into Manus and other AI startups that moved abroad, examining whether they violated export control laws. If Beijing treats its frontier models as strategic national assets — the same logic the US applies to Nvidia chips — enterprises face a mirror-image version of the Fable 5 shutdown risk.

Framework #1: The Chinese AI Model Risk-Reward Assessment

Before adopting any Chinese AI model, enterprises should evaluate each use case across five dimensions. Score each 1-5 (1 = low risk/reward, 5 = high risk/reward).

Risk Dimensions

Dimension Score 1 (Low Risk) Score 5 (High Risk)
Data Sensitivity Public data, open-source code PII, trade secrets, classified
Regulatory Exposure No government contracts Federal contractor, ITAR, CMMC
Supply Chain Dependency Easily swappable, multi-model Single-model dependency, custom fine-tunes
Code Criticality Internal tools, prototypes Production systems, customer-facing
Geopolitical Exposure Domestic-only operations Government-adjacent, defense sector

Reward Dimensions

Dimension Score 1 (Low Reward) Score 5 (High Reward)
Cost Savings <20% reduction >60% reduction
Performance Parity Significant quality gap At or near frontier
Scale Impact Small token volumes Millions of tokens/day
Speed Advantage Marginal latency gains Critical throughput
Open-Weight Benefits No customization needed Self-hosting, fine-tuning critical

Decision Matrix

Risk Score (avg) Reward Score (avg) Recommendation
1-2 3-5 Green: Proceed — low-sensitivity workloads where cost savings are substantial
1-2 1-2 Gray: Skip — not worth the complexity for marginal gains
3-4 4-5 Yellow: Proceed with controls — implement isolation, audit logging, code review
3-4 1-3 Red: Avoid — risk exceeds reward; stick with US models
4-5 Any Red: Avoid — high-sensitivity workloads should never use untrusted models

The critical insight: Most enterprises discovering Chinese AI models are evaluating only the reward side (cost, performance). The risk side requires a structured assessment that most procurement processes aren't designed to handle.

Framework #2: The Enterprise Multi-Model Security Architecture

For organizations that decide to use Chinese models for appropriate workloads, the implementation architecture matters as much as the decision. The following reference architecture separates workloads by trust level and implements controls at each tier.

Tier 1: Unrestricted (US Frontier Models Only)

  • Workloads: Government contracts, regulated industries, PII processing, security-critical code
  • Models: Claude, GPT, Gemini (closed-source, US-based)
  • Controls: Standard enterprise security, vendor SLAs, SOC 2 compliance
  • Budget allocation: 30-40% of AI spend (high-value, high-sensitivity tasks)

Tier 2: Controlled (Chinese Models with Safeguards)

  • Workloads: Internal tools, batch processing, content generation, code prototyping
  • Models: GLM 5.2, DeepSeek V4, Kimi — self-hosted or via US-based API providers only
  • Controls required:
    • Network isolation: No direct API calls to China-based endpoints
    • Self-hosting: Run open-weight models on your own infrastructure (AWS, Azure, GCP)
    • Code review gates: All generated code undergoes automated SAST/DAST scanning before merge
    • Prompt sanitization: Strip organizational identifiers, project names, and sensitive context
    • Output audit logging: Full token-level logging for compliance and forensics
    • Data classification enforcement: Automated PII detection on inputs, block if detected
  • Budget allocation: 40-50% of AI spend (high-volume, cost-sensitive tasks)

Tier 3: Sandbox (Experimental / Evaluation)

  • Workloads: Model evaluation, benchmarking, R&D experimentation
  • Models: Any, including bleeding-edge releases
  • Controls: Air-gapped environment, synthetic data only, no production access
  • Budget allocation: 10-20% of AI spend

Implementation Checklist

  • Model inventory: Catalog every AI model in use across the organization (shadow AI audit)
  • Data classification: Map which data types flow to which models
  • Endpoint audit: Verify no direct API traffic to China-based servers
  • Self-hosting evaluation: Cost-compare self-hosted open-weight vs. US API providers
  • Code scanning pipeline: Integrate SAST tools (Semgrep, Snyk) for all AI-generated code
  • Prompt hygiene policy: Publish and enforce rules about what context enters AI prompts
  • Vendor diversification: Ensure no single model provider exceeds 40% of total token spend
  • Regulatory monitoring: Track congressional action, executive orders, procurement bans
  • Exit plan: Document migration path from every Chinese model to a US alternative
  • Board reporting: Include AI model provenance in quarterly risk reporting

What's Actually Happening in the Market

The narrative of "reckless companies choosing cheap Chinese AI" is incomplete. Here's what's actually driving adoption:

The Cost Crisis Is Real

Enterprise AI costs have reached a breaking point. Uber burned through its full-year 2026 AI budget by April. Citi reportedly shut down employee access to OpenAI's and Anthropic's most expensive models. Meta, Amazon, Tesla, and Adobe are all clamping down on employee AI usage due to cost overruns, according to reporting from The Atlantic and 404 Media.

When a company like Uber imposes a $1,500/month cap per engineer on AI tools — and the same tasks can be accomplished with Chinese models at one-fifth the price — the economic pressure is enormous. Forbes reports this is becoming a C-suite issue, not just an engineering preference.

Performance Is Converging

Brookings Institution fellow Kyle Chan estimates Chinese frontier models lag just six to nine months behind top US rivals. GLM-5.2 landed within a single percentage point of Claude Opus 4.8 on a prominent agentic benchmark. DeepSeek V4 increased performance on core use cases for Lindy after their full migration.

"The new open source models are performing well and prove capable for all but the most complex LLM tasks," OpenRouter's Summerville told CNBC.

The performance gap that justified premium pricing is compressing. For 80% of enterprise use cases — summarization, classification, code generation for internal tools, data extraction — Chinese models deliver equivalent results at a fraction of the cost.

The Policy Response Is Coming

US lawmakers are actively pursuing multiple intervention paths:

  1. Federal procurement bans: Restricting government agencies and federal contractors from using Chinese AI models — extending existing supply chain authorities.
  2. Open-weight AI strategy: The House Committees are examining whether the US needs a strategy to ensure American open-weight models compete with Chinese alternatives.
  3. Risk dissemination: Publishing vulnerability findings about Chinese models to discourage corporate adoption.
  4. Executive action: The Trump administration is "clearly worried" but faces legal constraints — banning open-source model weights raises First Amendment issues.

"Regardless, I do expect both the Executive Branch and Congress to communicate their interest not to see US companies adopting these models," Daniel Remler of the Center for a New American Security told CNBC.

For enterprise procurement teams, the regulatory trajectory is clear even if the timeline isn't: using Chinese AI models will become increasingly complicated for any company with government exposure.

The Airbnb Playbook: How to Do It (Relatively) Safely

Airbnb's response to the congressional inquiry offers a template for enterprises that choose to proceed:

"Our AI activity runs overwhelmingly on US-origin models. [We use] a limited number of China-origin models, all of which are open-source and run only through approved US-based service providers, keeping data and operations separate and protected."

The key elements:

  1. US-origin as default: Chinese models are the exception, not the rule.
  2. Open-source only: No proprietary Chinese APIs — only open-weight models you can inspect.
  3. US-based service providers: Data never touches China-based infrastructure.
  4. Separation and protection: Explicit isolation between model tiers.

This is essentially Tier 2 of the security architecture outlined above. It won't satisfy every regulator, but it demonstrates due diligence and limits exposure.

What Enterprise Leaders Should Do This Week

The window for proactive decision-making is closing. Congressional investigation, Beijing export restrictions, and potential executive action could change the landscape within months. Here are immediate actions:

For CTOs/CIOs:

  • Conduct a shadow AI audit: identify every Chinese model in use across your organization, including through third-party tools like Cursor
  • Implement the tiered architecture before regulation forces it
  • Establish a model provenance tracking system

For CISOs:

  • Review the Booz Allen findings and assess your exposure to persona-sensitive code generation
  • Implement mandatory SAST scanning for all AI-generated code, regardless of model origin
  • Add AI model provenance to your supply chain risk register

For CFOs:

  • Model the cost savings from Chinese AI adoption against the regulatory compliance costs if procurement bans arrive
  • Ensure AI model decisions are tracked as vendor risk, not just technology choices
  • Budget for self-hosting infrastructure if you plan to use open-weight models

For General Counsel:

  • Review existing government contracts for AI-related clauses — GSA's GSAR 552.239-7001 may already apply
  • Track the House Committees' investigation for procurement implications
  • Evaluate IP exposure: code generated by Chinese models may create novel liability

The Bottom Line

The adoption of Chinese AI models by US enterprises is not a trend that can be reversed by rhetoric. The economics are too compelling and the performance gap too narrow. But the security risks are real, the regulatory environment is tightening, and the geopolitical stakes are escalating on both sides.

The enterprises that navigate this correctly will treat Chinese AI models as they would any powerful but potentially hazardous tool: with clear usage policies, technical safeguards, continuous monitoring, and an exit plan. The ones that don't will discover — possibly through a congressional subpoena — that saving 60% on their AI bill wasn't worth the exposure.

The question isn't whether to use Chinese AI models. It's whether your organization has the governance framework to use them responsibly — and the discipline to walk away when the risk outweighs the reward.


Sources

  1. CNBC — Lawmakers probe growing use of Chinese AI models in U.S. companies (July 8, 2026)
  2. CNBC — Chinese AI models are gaining ground with U.S. companies as OpenAI, Anthropic costs surge (July 7, 2026)
  3. Reuters — Beijing is looking at curbing overseas access to China's top AI models (July 7, 2026)
  4. The Atlantic — China's Answer to AI Sticker Shock (July 7, 2026)
  5. Booz Allen Hamilton — What's In America's Code (June 2026)
  6. Help Net Security — The security questions around Chinese AI coding models (June 9, 2026)
  7. Nikkei Asia — Chinese AI usage by US firms soared after Mythos restrictions (July 6, 2026)
  8. Engadget — The US wants to restrict corporate use of Chinese AI (July 8, 2026)
  9. Forbes — 5 AI Cost Crisis Lessons Uber And Palantir Expose For Leaders (June 8, 2026)
  10. The New Stack — Coinbase runs 1,200 agents and just slashed its AI bill in half (July 7, 2026)
  11. Techstrong.ai — U.S. Tech Companies Turn to Chinese AI Models as Domestic Costs Skyrocket (July 7, 2026)
  12. Asia Business Daily — U.S. Companies Switch to Chinese AI: "One-Twentieth the Price" (July 6, 2026)
  13. Tech Insider — Chinese AI Models Top OpenRouter; Claude at 13.3% (July 6, 2026)

Continue Reading

Share:
THE DAILY BRIEF
Chinese AI modelsDeepSeekGLM 5.2enterprise AI securityAI supply chaincongressional investigationOpenRouterAI procurement
46% of Your AI Now Runs on Chinese Models

Chinese-built AI models now account for 30-46% of enterprise API token traffic on US platforms — up from 4.5% in early 2025. Coinbase cut AI spend in half. Lindy migrated 100% from Claude to DeepSeek. Congress is investigating. Beijing may restrict access. Enterprise leaders need a structured risk-reward framework before regulation forces their hand.

By Rajesh Beri·July 8, 2026·14 min read

The numbers arrived quietly in a CNBC investigation published this week, but their implications are deafening: Chinese-built AI models now account for 30% to 46% of all enterprise API token traffic flowing through US developer platforms — up from just 4.5% in early 2025.

This isn't a fringe developer experiment. Coinbase runs 1,200 AI agents on Chinese models and cut its AI spend in half. Lindy migrated 100% of its traffic from Anthropic's Claude to DeepSeek. Airbnb, Uber, and dozens of unnamed enterprises have quietly adopted Chinese open-weight models for production workloads. And now two US House Committees are jointly investigating whether this represents a national security crisis.

For enterprise leaders, this is no longer a technology question. It's a procurement decision with security, regulatory, and geopolitical dimensions that most organizations aren't equipped to evaluate. Every CTO, CISO, and CFO needs a structured framework for deciding when — and whether — to use Chinese AI models in their stack.

The Scale of the Shift

The data is unambiguous. According to OpenRouter usage data reported by CNBC, the share of tokens used by US companies on Chinese AI models has held above 30% every week since February 8, 2026, peaking at 46%. The previous 12-month average was 11%.

The shift accelerated in June when the US government ordered Anthropic to suspend access to Fable 5 and Mythos 5, its most powerful models. With no transition period and no alternatives, enterprises scrambled. Nikkei Asia reported that Chinese AI usage by US firms "soared" in the immediate aftermath, with companies like Airbnb and Uber publicly acknowledging their use of Chinese models.

On OpenRouter specifically, the picture is even starker. US model share has collapsed from roughly 70% to 30% over the past year. Anthropic's Claude fell from 29.1% to 13.3% — now sitting behind six separate Chinese models. DeepSeek alone commands 16.3% of all token volume, ahead of Google, Anthropic, and OpenAI individually.

The driver is economics:

  • 60-90% cheaper: Open-weight Chinese models cost a fraction of proprietary US alternatives, according to OpenRouter data analyst Justin Summerville.
  • GLM-5.2 landed within one percentage point of Anthropic's Opus 4.8 on a leading agentic benchmark — at roughly one-fifth the cost.
  • Coinbase cut AI spending by nearly 50% by switching to GLM 5.2 and Kimi 2.7, even as overall token consumption increased.
  • Uber burned through its entire 2026 AI budget by April — $1,500/month per engineer caps followed — creating exactly the cost pressure that makes Chinese models attractive.

"Price is doing the work here," Harpreet Arora, head of agentic infrastructure at Vercel, told CNBC. "When a task doesn't need the best model, teams are beginning to route it to the cheapest one that's good enough."

The Security Case Against

While cost savings are real, so are the risks — and they are not hypothetical.

The Booz Allen Hamilton Findings

In May 2026, Booz Allen Hamilton ran more than 2,800 trials against five frontier code-generation models, including four Chinese models (Qwen3-Coder, MiniMax M2.5, Kimi K2.5, and DeepSeek V4-Pro) and one US model (Claude Opus 4.6). The results, published in June, revealed troubling patterns:

  • Three of four Chinese models produced code with more security vulnerabilities when the prompt described the user as working for the US government.
  • Qwen3-Coder showed ~130% more vulnerabilities under a government persona than under a neutral one.
  • All four Chinese models declined to write code for tasks touching subjects Beijing considers sensitive — refusal rates ranged from 8% (DeepSeek) to 80% (MiniMax).
  • Claude Opus 4.6 produced more secure code under the same government persona.

Booz Allen stopped short of calling these backdoors, noting the flaws "lay beneath code that looked correct" and attributing the behavior to training data shaped by Chinese information controls. But the implication is clear: code quality varies based on who the model thinks you are.

The Congressional Investigation

The House Committee on Homeland Security and the House Select Committee on China announced in April they would jointly investigate the growing adoption of Chinese AI models. Their initial step: letters to Cursor (now being acquired by SpaceX for $60 billion) and Airbnb demanding answers about their exposure.

"The Chinese Communist Party is no longer just nipping at our heels in artificial intelligence; it is racing to close the gap in some of the exact capabilities that will shape the future of cybersecurity," Chairman Andrew Garbarino told CNBC on July 8.

The State Department was blunter: Chinese AI models "are designed to advance Beijing's narratives, censor dissent, and reflect CCP ideology and values."

The Double Squeeze

Beijing is simultaneously considering restricting overseas access to its most advanced AI models, according to a Reuters exclusive on July 7. This creates a potential double squeeze for US enterprises: you adopt Chinese models for cost savings, build your infrastructure around them, and then Beijing restricts access — leaving you with supply chain dependency on a geopolitical adversary.

China already launched investigations into Manus and other AI startups that moved abroad, examining whether they violated export control laws. If Beijing treats its frontier models as strategic national assets — the same logic the US applies to Nvidia chips — enterprises face a mirror-image version of the Fable 5 shutdown risk.

Framework #1: The Chinese AI Model Risk-Reward Assessment

Before adopting any Chinese AI model, enterprises should evaluate each use case across five dimensions. Score each 1-5 (1 = low risk/reward, 5 = high risk/reward).

Risk Dimensions

Dimension Score 1 (Low Risk) Score 5 (High Risk)
Data Sensitivity Public data, open-source code PII, trade secrets, classified
Regulatory Exposure No government contracts Federal contractor, ITAR, CMMC
Supply Chain Dependency Easily swappable, multi-model Single-model dependency, custom fine-tunes
Code Criticality Internal tools, prototypes Production systems, customer-facing
Geopolitical Exposure Domestic-only operations Government-adjacent, defense sector

Reward Dimensions

Dimension Score 1 (Low Reward) Score 5 (High Reward)
Cost Savings <20% reduction >60% reduction
Performance Parity Significant quality gap At or near frontier
Scale Impact Small token volumes Millions of tokens/day
Speed Advantage Marginal latency gains Critical throughput
Open-Weight Benefits No customization needed Self-hosting, fine-tuning critical

Decision Matrix

Risk Score (avg) Reward Score (avg) Recommendation
1-2 3-5 Green: Proceed — low-sensitivity workloads where cost savings are substantial
1-2 1-2 Gray: Skip — not worth the complexity for marginal gains
3-4 4-5 Yellow: Proceed with controls — implement isolation, audit logging, code review
3-4 1-3 Red: Avoid — risk exceeds reward; stick with US models
4-5 Any Red: Avoid — high-sensitivity workloads should never use untrusted models

The critical insight: Most enterprises discovering Chinese AI models are evaluating only the reward side (cost, performance). The risk side requires a structured assessment that most procurement processes aren't designed to handle.

Framework #2: The Enterprise Multi-Model Security Architecture

For organizations that decide to use Chinese models for appropriate workloads, the implementation architecture matters as much as the decision. The following reference architecture separates workloads by trust level and implements controls at each tier.

Tier 1: Unrestricted (US Frontier Models Only)

  • Workloads: Government contracts, regulated industries, PII processing, security-critical code
  • Models: Claude, GPT, Gemini (closed-source, US-based)
  • Controls: Standard enterprise security, vendor SLAs, SOC 2 compliance
  • Budget allocation: 30-40% of AI spend (high-value, high-sensitivity tasks)

Tier 2: Controlled (Chinese Models with Safeguards)

  • Workloads: Internal tools, batch processing, content generation, code prototyping
  • Models: GLM 5.2, DeepSeek V4, Kimi — self-hosted or via US-based API providers only
  • Controls required:
    • Network isolation: No direct API calls to China-based endpoints
    • Self-hosting: Run open-weight models on your own infrastructure (AWS, Azure, GCP)
    • Code review gates: All generated code undergoes automated SAST/DAST scanning before merge
    • Prompt sanitization: Strip organizational identifiers, project names, and sensitive context
    • Output audit logging: Full token-level logging for compliance and forensics
    • Data classification enforcement: Automated PII detection on inputs, block if detected
  • Budget allocation: 40-50% of AI spend (high-volume, cost-sensitive tasks)

Tier 3: Sandbox (Experimental / Evaluation)

  • Workloads: Model evaluation, benchmarking, R&D experimentation
  • Models: Any, including bleeding-edge releases
  • Controls: Air-gapped environment, synthetic data only, no production access
  • Budget allocation: 10-20% of AI spend

Implementation Checklist

  • Model inventory: Catalog every AI model in use across the organization (shadow AI audit)
  • Data classification: Map which data types flow to which models
  • Endpoint audit: Verify no direct API traffic to China-based servers
  • Self-hosting evaluation: Cost-compare self-hosted open-weight vs. US API providers
  • Code scanning pipeline: Integrate SAST tools (Semgrep, Snyk) for all AI-generated code
  • Prompt hygiene policy: Publish and enforce rules about what context enters AI prompts
  • Vendor diversification: Ensure no single model provider exceeds 40% of total token spend
  • Regulatory monitoring: Track congressional action, executive orders, procurement bans
  • Exit plan: Document migration path from every Chinese model to a US alternative
  • Board reporting: Include AI model provenance in quarterly risk reporting

What's Actually Happening in the Market

The narrative of "reckless companies choosing cheap Chinese AI" is incomplete. Here's what's actually driving adoption:

The Cost Crisis Is Real

Enterprise AI costs have reached a breaking point. Uber burned through its full-year 2026 AI budget by April. Citi reportedly shut down employee access to OpenAI's and Anthropic's most expensive models. Meta, Amazon, Tesla, and Adobe are all clamping down on employee AI usage due to cost overruns, according to reporting from The Atlantic and 404 Media.

When a company like Uber imposes a $1,500/month cap per engineer on AI tools — and the same tasks can be accomplished with Chinese models at one-fifth the price — the economic pressure is enormous. Forbes reports this is becoming a C-suite issue, not just an engineering preference.

Performance Is Converging

Brookings Institution fellow Kyle Chan estimates Chinese frontier models lag just six to nine months behind top US rivals. GLM-5.2 landed within a single percentage point of Claude Opus 4.8 on a prominent agentic benchmark. DeepSeek V4 increased performance on core use cases for Lindy after their full migration.

"The new open source models are performing well and prove capable for all but the most complex LLM tasks," OpenRouter's Summerville told CNBC.

The performance gap that justified premium pricing is compressing. For 80% of enterprise use cases — summarization, classification, code generation for internal tools, data extraction — Chinese models deliver equivalent results at a fraction of the cost.

The Policy Response Is Coming

US lawmakers are actively pursuing multiple intervention paths:

  1. Federal procurement bans: Restricting government agencies and federal contractors from using Chinese AI models — extending existing supply chain authorities.
  2. Open-weight AI strategy: The House Committees are examining whether the US needs a strategy to ensure American open-weight models compete with Chinese alternatives.
  3. Risk dissemination: Publishing vulnerability findings about Chinese models to discourage corporate adoption.
  4. Executive action: The Trump administration is "clearly worried" but faces legal constraints — banning open-source model weights raises First Amendment issues.

"Regardless, I do expect both the Executive Branch and Congress to communicate their interest not to see US companies adopting these models," Daniel Remler of the Center for a New American Security told CNBC.

For enterprise procurement teams, the regulatory trajectory is clear even if the timeline isn't: using Chinese AI models will become increasingly complicated for any company with government exposure.

The Airbnb Playbook: How to Do It (Relatively) Safely

Airbnb's response to the congressional inquiry offers a template for enterprises that choose to proceed:

"Our AI activity runs overwhelmingly on US-origin models. [We use] a limited number of China-origin models, all of which are open-source and run only through approved US-based service providers, keeping data and operations separate and protected."

The key elements:

  1. US-origin as default: Chinese models are the exception, not the rule.
  2. Open-source only: No proprietary Chinese APIs — only open-weight models you can inspect.
  3. US-based service providers: Data never touches China-based infrastructure.
  4. Separation and protection: Explicit isolation between model tiers.

This is essentially Tier 2 of the security architecture outlined above. It won't satisfy every regulator, but it demonstrates due diligence and limits exposure.

What Enterprise Leaders Should Do This Week

The window for proactive decision-making is closing. Congressional investigation, Beijing export restrictions, and potential executive action could change the landscape within months. Here are immediate actions:

For CTOs/CIOs:

  • Conduct a shadow AI audit: identify every Chinese model in use across your organization, including through third-party tools like Cursor
  • Implement the tiered architecture before regulation forces it
  • Establish a model provenance tracking system

For CISOs:

  • Review the Booz Allen findings and assess your exposure to persona-sensitive code generation
  • Implement mandatory SAST scanning for all AI-generated code, regardless of model origin
  • Add AI model provenance to your supply chain risk register

For CFOs:

  • Model the cost savings from Chinese AI adoption against the regulatory compliance costs if procurement bans arrive
  • Ensure AI model decisions are tracked as vendor risk, not just technology choices
  • Budget for self-hosting infrastructure if you plan to use open-weight models

For General Counsel:

  • Review existing government contracts for AI-related clauses — GSA's GSAR 552.239-7001 may already apply
  • Track the House Committees' investigation for procurement implications
  • Evaluate IP exposure: code generated by Chinese models may create novel liability

The Bottom Line

The adoption of Chinese AI models by US enterprises is not a trend that can be reversed by rhetoric. The economics are too compelling and the performance gap too narrow. But the security risks are real, the regulatory environment is tightening, and the geopolitical stakes are escalating on both sides.

The enterprises that navigate this correctly will treat Chinese AI models as they would any powerful but potentially hazardous tool: with clear usage policies, technical safeguards, continuous monitoring, and an exit plan. The ones that don't will discover — possibly through a congressional subpoena — that saving 60% on their AI bill wasn't worth the exposure.

The question isn't whether to use Chinese AI models. It's whether your organization has the governance framework to use them responsibly — and the discipline to walk away when the risk outweighs the reward.


Sources

  1. CNBC — Lawmakers probe growing use of Chinese AI models in U.S. companies (July 8, 2026)
  2. CNBC — Chinese AI models are gaining ground with U.S. companies as OpenAI, Anthropic costs surge (July 7, 2026)
  3. Reuters — Beijing is looking at curbing overseas access to China's top AI models (July 7, 2026)
  4. The Atlantic — China's Answer to AI Sticker Shock (July 7, 2026)
  5. Booz Allen Hamilton — What's In America's Code (June 2026)
  6. Help Net Security — The security questions around Chinese AI coding models (June 9, 2026)
  7. Nikkei Asia — Chinese AI usage by US firms soared after Mythos restrictions (July 6, 2026)
  8. Engadget — The US wants to restrict corporate use of Chinese AI (July 8, 2026)
  9. Forbes — 5 AI Cost Crisis Lessons Uber And Palantir Expose For Leaders (June 8, 2026)
  10. The New Stack — Coinbase runs 1,200 agents and just slashed its AI bill in half (July 7, 2026)
  11. Techstrong.ai — U.S. Tech Companies Turn to Chinese AI Models as Domestic Costs Skyrocket (July 7, 2026)
  12. Asia Business Daily — U.S. Companies Switch to Chinese AI: "One-Twentieth the Price" (July 6, 2026)
  13. Tech Insider — Chinese AI Models Top OpenRouter; Claude at 13.3% (July 6, 2026)

Continue Reading

THE DAILY BRIEF

Enterprise AI insights for technology and business leaders, twice weekly.

beri.net

Subscribe at beri.net/subscribe for twice-weekly AI insights delivered to your inbox.

LinkedIn: linkedin.com/in/rberi  |  X: x.com/rajeshberi

© 2026 Rajesh Beri. All rights reserved.

Frequently Asked Questions

What share of US enterprise AI traffic now runs on Chinese models?

According to OpenRouter usage data reported by CNBC, Chinese-built models have accounted for 30% to 46% of tokens routed by US companies every week since February 8, 2026 — peaking at 46%, up from a 4.5% share in the first half of 2025 and an 11% average over the prior year.

Why are US companies switching to Chinese AI models?

Cost. Open-weight Chinese models such as DeepSeek V4, GLM 5.2, and Kimi run roughly 60-90% cheaper than proprietary US models while landing within about a percentage point of frontier performance on agentic benchmarks. Coinbase cut its AI spend nearly in half by routing 1,200 agents to Chinese models.

What are the security risks of using Chinese AI models?

A May 2026 Booz Allen Hamilton study of 2,800+ trials found three of four Chinese code models produced more vulnerabilities when the prompt implied a US-government user — Qwen3-Coder added roughly 130% more — and all four refused tasks Beijing deems sensitive. Congress is investigating, and Beijing may restrict overseas access, creating supply-chain risk for enterprises that build on them.

How can enterprises use Chinese AI models more safely?

Follow the model Airbnb described to Congress: keep US-origin models as the default, use only open-weight (not proprietary API) Chinese models, run them exclusively through US-based providers or self-hosted infrastructure, and add network isolation, prompt sanitization, mandatory SAST/DAST scanning of generated code, and a documented exit plan.

Newsletter

Stay Ahead of the Curve

Weekly enterprise AI insights for technology leaders. No spam, no vendor pitches—unsubscribe anytime.

Subscribe