Editorial disclosure: This is an opinion piece. ThePlanetTools.ai has no affiliate relationship with Meta, Google, the Heretic project, or the AI safety group Alice, and earns nothing from anything mentioned here. Everything below is editorial analysis, scoped to my own reading of the reporting. We do not reproduce any dangerous instructions; we reference categories only.
What is Heretic? Heretic is an open-source tool that strips safety guardrails from open-weight models like Meta Llama 3.3 and Google Gemma in under 10 minutes — automatically, with no specialist hardware. According to reporting by the Financial Times (carried by The Irish Times), the tool's creator says it has been used to produce more than 3,500 "decensored" models that have been downloaded around 13 million times. My thesis is blunt: on open-weight models, safety guardrails are a user interface, not a wall.
I want to be careful about what that claim does and does not say. It is not a verdict on Meta or Google's engineering. It is not a claim that anyone was careless. It is a structural claim about where alignment lives. When you publish the weights of a model, you publish the substrate that the safety behavior is painted onto — and in my reading of the reporting, that paint comes off faster than most people outside the field assume.
What actually happened
The Financial Times, working with an AI safety group called Alice, tested what happens when you run a freely available tool against open-weight models from two of the largest AI labs. The reported results are stark. A "decensored" version of Google's Gemma 3 produced material across categories that any responsible publisher names but does not detail: instructions related to a chemical attack, code aimed at financial theft, and child sexual abuse material. Separately, the guardrails on Meta's Llama 3.3 came off in under ten minutes, after which the model would answer a lethality question it would normally refuse.
I am deliberately not reproducing any of those outputs, methods, or thresholds. The point of an editorial like this is to reason about the system, not to function as a how-to. The categories matter for the argument; the contents do not belong on a tools-and-strategy site.
The scale figures are what moved this from a research curiosity to a policy story for me. The creator of Heretic, Philipp Emanuel Weidmann, told the FT the tool works "completely automatically" and has been used to generate more than 3,500 decensored models, collectively downloaded about 13 million times since late last year. Those are not numbers you reverse. As Kawin Ethayarajh of the University of Chicago's Booth School framed it to the FT, the bar has dropped: where stripping safety features once took an informed and persistent actor, it is now within reach of an average person.
Why the guardrails behave like a UI, not a wall
Here is the mental model I keep coming back to. A modern open-weight model is two things stacked on top of each other: an enormous pre-trained core that has read a large fraction of the internet, and a comparatively thin layer of post-training — instruction tuning, preference optimization, refusal behavior — that teaches the model to decline certain requests. The capability lives in the core. The refusal lives in the layer.
The category of technique the reporting describes is often called abliteration: identifying the internal direction a model uses to express refusal and suppressing it. In my reading, that is the crux. The dangerous knowledge was never removed from the weights during safety tuning — it was suppressed by a learned reflex. If you can edit the weights, you can edit the reflex. And the entire premise of an open-weight release is that anyone can edit the weights, locally, forever.
That is why I call the guardrail a UI. A user interface is the polite surface you interact with; it is not the same thing as a permission boundary enforced somewhere you cannot reach. On a closed API, the refusal is enforced on a server you do not control, behind authentication, logging, and rate limits. On an open-weight model running on your own machine, the refusal is a setting — and Heretic is the reported demonstration that the setting can be flipped in minutes by software that requires no expertise and no special hardware.
The line that actually matters: download versus API
The single most important distinction in this story, and the one I think gets lost in alarmed headlines, is that this only works on models you can download and run locally. Flagship proprietary systems — the models behind Anthropic's Claude and OpenAI's ChatGPT — are not exposed to this class of attack so long as the weights stay on the vendor's servers. You cannot ablate a refusal direction in weights you never possess.
This is not a small caveat; it reframes the whole debate. The relevant security boundary in 2026 is not "is this model safe?" It is "where does this model run?" An open-weight model is, by design, a model whose safety behavior is negotiable by whoever holds the file. That is a feature for the open ecosystem — it is exactly what lets researchers, startups, and sovereign efforts build on top of enterprise-grade open-weight models like Cohere Command A or run independent agents like Nous Research's Hermes without asking permission. The same property that makes open weights generative is the property that makes their guardrails optional.
I do not think that tradeoff is resolvable by better post-training. You can make refusals more robust, harder to find, more entangled with capability. But as long as the artifact you ship is the full set of weights, you are shipping the substrate and the suppression together, and a determined editor gets both. In my reading, that is a property of the release format, not of any one lab's safety team.
Where this leaves Meta and Google
I want to scope this part tightly, because it is where editorial writing usually goes wrong. The strategic question is not whether Meta or Google did something wrong by releasing capable models in open-weight form. Open-weight releases have delivered enormous public value — research reproducibility, competition against closed incumbents, and a counterweight to a market that could otherwise consolidate around two or three API providers.
The strategic question is whether the open-weight bet survives contact with a regulatory environment that increasingly expects durable safety as a property of the model itself. Meta and Google made a defensible wager: that the ecosystem benefits of open weights outweigh the misuse risk, and that misuse was already possible through other means. Heretic's reported 13 million downloads is the data point that tests that wager in public. It does not prove the wager wrong. It does raise the cost of defending it to regulators who do not distinguish between "the base model" and "a decensored derivative someone made in ten minutes."
The regulatory bind nobody has solved
This is where, in my reading, the story stops being a security anecdote and becomes a genuine policy problem. Two regimes are pulling in opposite directions, and open weights ignore both once the file is on someone's disk.
On one side, the EU AI Act assigns obligations that broadly presume safety can be designed in and maintained — that a provider can be held to account for the behavior of a system. On the other side, the US policy direction under the current administration has tilted toward deregulation and "do not slow American AI down," which deprioritizes exactly the kind of mandated safety durability the EU framework leans on. Europe's own answer to this has partly been to build sovereign, controllable systems — the logic behind efforts like Mistral's cybersecurity model for EU banks — but sovereignty over a model you host is a different thing from control over weights already in the wild.
Neither regime has a clean answer to the Heretic case, because the thing being regulated — a behavior enforced by a removable layer — does not survive redistribution. You can regulate the original release. You cannot regulate the derivative someone produced automatically and seeded across mirrors before any regulator finished reading the press coverage. "The genie is out of the bottle," in the framing attributed to the tool's creator, is uncomfortable precisely because it is, in the narrow technical sense, accurate for already-released weights.
What this means if you build on open weights
I run open-weight models in my own workflows, and I am not going to stop — the cost, control, and privacy advantages are real. But this reporting changed how I think about responsibility for what I ship. Three reframes I am now applying in my own stack:
One: treat the published alignment as a default, not a guarantee. If your product depends on a downloaded model refusing certain requests, you are depending on a property that the reporting shows can be removed in minutes. Design as if the model will answer anything, because in someone else's hands it might.
Two: put the real guardrail at the application layer. Input and output filtering, policy classifiers, and human review belong in your serving stack, where you actually control them — not delegated entirely to a refusal reflex baked into weights you handed to the user. In my production workflow, I now assume the model is the engine and the safety is my responsibility above it.
Three: log and monitor like the model is hostile by default. The same property that makes open weights auditable makes them editable. Comprehensive logging is what lets you notice when a deployment is being pushed toward behavior you did not intend, and it is the part regulators will eventually ask you to demonstrate.
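The three reframes above as an added example (not code from this piece's sources or from any project it names): a serving wrapper that assumes the model will answer anything, filters both the prompt and the output, and writes an audit record for every decision. `GuardedModel`, `generate`, `classify`, `compliant_model`, `marker_classifier` and the `UNSAFE_MARKER` string are hypothetical stand-ins constructed for illustration; a real deployment would plug in its own model call and policy classifier.

```python
import hashlib
import json
import time
from typing import Callable, Optional

def _digest(text: str) -> str:
    # Log a truncated hash so raw prompt and output text stay out of the audit trail.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]

class GuardedModel:
    """Policy is enforced outside the weights; the model's own refusals are never relied on."""

    def __init__(self, generate: Callable[[str], str],
                 classify: Callable[[str], Optional[str]],
                 refusal: str = "This request was declined by policy."):
        self.generate = generate   # hypothetical: any local open-weight model call
        self.classify = classify   # hypothetical: returns a policy category or None
        self.refusal = refusal
        self.audit_log = []        # production: append-only storage off the serving host
        self.review_queue = []     # blocked events awaiting human review

    def _record(self, stage, category, prompt, output=None):
        event = {"ts": time.time(), "stage": stage, "category": category,
                 "decision": "block" if category else "allow",
                 "prompt_sha256_16": _digest(prompt),
                 "output_sha256_16": _digest(output) if output is not None else None}
        self.audit_log.append(json.dumps(event, sort_keys=True))
        if category:
            self.review_queue.append(event)

    def ask(self, prompt: str) -> str:
        category = self.classify(prompt)        # stage 1: input filter
        if category:
            self._record("input", category, prompt)
            return self.refusal
        output = self.generate(prompt)
        category = self.classify(output)        # stage 2: output filter, run unconditionally
        self._record("output", category, prompt, output)
        return self.refusal if category else output

# Constructed stand-ins: a model that complies with everything, and a marker classifier.
def compliant_model(prompt: str) -> str:
    return "UNSAFE_MARKER payload" if "indirect" in prompt else f"echo: {prompt}"

def marker_classifier(text: str) -> Optional[str]:
    return "restricted" if "UNSAFE_MARKER" in text else None
```

The output check is what catches the case where a harmless-looking prompt yields restricted text from a model that no longer refuses; the input check alone would let it through.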
None of this is a counsel of despair about open weights. It is a counsel of honesty. The open ecosystem is one of the healthiest things about AI in 2026, and it is part of why a real competitive market between labs exists at all. But pretending that a published safety layer is a wall, when the reporting shows it is a UI, helps no one — least of all the people who will be told a model is "safe" because it shipped with refusals.
What would prove me wrong
I hold this thesis strongly, so I owe you the conditions under which I would abandon it. In my reading, any of the following would force me to revise "guardrails are a UI, not a wall" on open-weight models:
- A safety-tuning method that survives weight editing. If a lab ships an open-weight model whose refusal behavior provably cannot be removed by abliteration-class techniques without destroying the model's capability — and that result holds up under independent red-teaming — my structural claim collapses. The capability and the refusal would no longer be separable.
- Tamper-evident or cryptographically bound weights that work in practice. If open releases adopt a scheme where edited derivatives are reliably detectable or refuse to run, the "removable layer" framing weakens substantially.
- Evidence that decensored models are not actually more dangerous in practice. If rigorous study shows the marginal uplift from a decensored open model is negligible versus what a determined actor could already obtain — that the danger was always in intent and access, not in the refusal layer — then the policy alarm I am amplifying here would be misplaced.
- The download numbers turning out to be inflated or mostly benign. If the reported 3,500 models and 13 million downloads are dominated by researchers, red-teamers, and curiosity rather than misuse, the scale argument loses force, even if the technical point stands.
Until one of those lands, my position holds: where the weights are open, the safety is editorial, and the durable guardrail has to live somewhere you control. The genie line is doing more work than I would like — but for already-released weights, I cannot honestly argue with it.
Frequently asked questions
What is Heretic?
Heretic is an open-source tool that strips safety guardrails from open-weight AI models such as Meta Llama 3.3 and Google Gemma. According to Financial Times reporting carried by The Irish Times, it works automatically, needs no specialist hardware, and can remove Llama 3.3's guardrails in under ten minutes. Its creator says it has produced more than 3,500 "decensored" models downloaded around 13 million times.
Does Heretic work on Claude or ChatGPT?
No. In my reading of the reporting, abliteration-class tools like Heretic only work on open-weight models you can download and run locally. Flagship proprietary systems behind Anthropic's Claude and OpenAI's ChatGPT keep their weights on the vendor's servers, so the refusal behavior is enforced server-side and is not exposed to this attack — unless the weights leak.
Which models did the Financial Times test?
The FT, working with the AI safety group Alice, reported tests on Google's Gemma 3 and Meta's Llama 3.3. The brief that prompted this piece also references Google Gemma 4 being stripped shortly after release; I treat that specific timing detail as reported rather than independently confirmed, and flag it as such.
What kind of dangerous content was produced?
The reporting describes outputs across serious categories: instructions related to a chemical attack, code aimed at financial theft, child sexual abuse material, and a lethality question the model would normally refuse. I deliberately do not reproduce any of these methods, instructions, or thresholds; the categories are named only to support the safety argument.
What does "abliteration" actually do?
In my reading, abliteration identifies the internal direction a model uses to express refusal and suppresses it, without removing the underlying knowledge. The capability stays in the pre-trained weights; only the learned reflex to decline is edited away. That is why it can be fast and does not require retraining the whole model.
Why do you say guardrails are "a UI, not a wall"?
Because on open weights the refusal is a behavior baked into a removable post-training layer, not a permission boundary enforced somewhere the user cannot reach. A UI is the polite surface; a wall is enforcement you cannot edit. On a closed API the refusal is a wall on the vendor's server. On a downloaded model it is a setting — and Heretic is the reported demonstration that the setting flips in minutes.
Did Meta and Google do something wrong?
That is not my claim, and I want to scope it tightly. Open-weight releases deliver real public value — reproducibility, competition, and a counterweight to closed incumbents. My argument is structural: when you publish full weights, you publish both the capability and the removable safety layer. That is a property of the release format, not a verdict on any lab's safety engineering.
How does this affect the EU AI Act and US AI policy?
In my reading it exposes a bind. The EU AI Act broadly presumes safety can be designed in and maintained, while the current US policy direction tilts deregulatory. Open weights ignore both once the file is downloaded: you can regulate the original release, but not a decensored derivative made automatically and mirrored before regulators finish reading the coverage.
Should developers stop using open-weight models?
No, and I do not. The cost, control, and privacy benefits are real, and the open ecosystem is one of the healthiest parts of AI in 2026. The change is in responsibility: treat published alignment as a default rather than a guarantee, put the real guardrail at your application layer, and log deployments as if the model could be pushed to answer anything.
How many decensored models exist, and how do we know?
The figures — more than 3,500 decensored models and roughly 13 million cumulative downloads since late last year — come from Heretic's creator, Philipp Emanuel Weidmann, as reported by the Financial Times. They are self-reported by the tool's author and carried by tier-one reporting; I treat them as the best available public estimate rather than an audited count.
What would change your mind about this thesis?
In my reading, a safety-tuning method that provably survives weight editing without destroying capability, working tamper-evident weights, evidence that decensored models add negligible real-world uplift over what determined actors could already get, or proof that the download numbers are inflated or mostly benign. Any of those would force me to revise the "UI, not a wall" claim.
Where can I read the original reporting?
The original reporting is by the Financial Times, with the AI safety group Alice; a non-paywalled version was carried by The Irish Times on May 25, 2026. We link the Irish Times version in this piece. ThePlanetTools.ai has no affiliation with any party in the story and this remains an opinion analysis of that reporting.



