Calling it a distillation attack blurs a normal technique with API abuse

Nathan Lambert is worried about a phrase. When a lab accuses a competitor of a "distillation attack," the wrongdoing being described is usually jailbreaking, identity spoofing, or other terms-of-service abuse of an API. Distillation itself, training a smaller model on the outputs of a stronger one, is ordinary practice across the whole field. Lambert's point in the piece is that fusing the two in one scary label damages a useful technique by association, and that damage is hard to undo once the word has shifted.

He grounds this in concrete cases. olmOCR was built by using synthetic data from a GPT model to train a PDF-to-text converter, whose output then trained further models, so attribution blurs after a step or two. During Musk's litigation with OpenAI, he writes, it came out that AI companies generally distill each other, with xAI conceding partial distillation from OpenAI. The behavior worth policing is the API abuse, not the math.

The argument is narrow and that is its strength. Lambert is not defending data theft; he is asking people to name the actual violation instead of letting a method take the blame.

Why it matters

If you train models, the language your competitors and regulators adopt now will shape what counts as legitimate later: push back on "distillation attack" framing and insist the complaint be about the access violation, or you may find a standard technique quietly treated as suspect.