In the first half of 2026, major AI companies such as Google, Microsoft, and Meta began restricting each other’s use of AI tools. Google limited Meta’s access to Gemini due to capacity constraints and prohibited most employees from using competing tools like Claude Code and Codex. Microsoft revoked internal licenses for Claude Code and restricted use of Claude Fable 5. Meta restricted employees from using Claude and Codex in AI model development. As AI becomes a core production asset, these companies have shifted from “unrestricted use” to establishing three layers of defense: resource allocation, data security, and prohibition of model outputs being used to train competitors. Limited compute capacity, data security, and preventing model outputs from training rival systems have become primary concerns. The era of free trial access to AI tools has ended, and the industry has entered a new phase of competition and cooperation.Article author and source: Letter AI
Even the most powerful AI tools shouldn't be used lightly.
Previously, AI tools were like a free buffet at a tech company—whichever model worked best was served first; whichever coding tools were easiest to use were grabbed right away; if you weren’t sure how to eat, you’d start with a few plates of “lobster” to whet your appetite. Tokens were scooped out like french fries, by the handful.
By the first half of 2026, the buffet began checking vouchers.
Around March this year, Google restricted Meta’s use of Gemini due to capacity constraints. Meta sought to purchase additional computing resources related to Gemini, but Google was unable to meet all of its demands.
On April 22, most Google employees were prohibited from using competitor tools such as Claude Code and Codex for security reasons, though exceptions could be requested; meanwhile, certain DeepMind teams, including those related to Gemini, internal applications, and open-source models, continue to use Claude Code.
On May 14, The Verge reported that Microsoft began revoking most internal licenses for Claude Code, directing developers toward its own GitHub Copilot CLI.
On June 10, Microsoft restricted employees from using Claude 3.5 due to Anthropic's data retention requirements.
On June 28, the Financial Times revealed details of Google restricting Meta’s access to Gemini, bringing to light the previously hidden compute shortages in the form of limited model capacity among major tech companies.
On June 29, The Information revealed internal Meta documents showing that the company is restricting employees from using Claude and Codex in AI model development.
As models become more advanced, AI has become a core production asset for major tech companies, making the relationships between AI giants increasingly delicate.
AI giants are both customers and competitors to each other—they need to leverage each other’s most powerful models, yet fear having their data, code, workflows, and model strategies siphoned off.
The free trial for AI has ended. Major AI companies are building barriers against each other.

Image generated by AI
Major AI companies are beginning to restrict each other.
Looking only at incidents reported this year, Google was among the first major companies observed to have set up gates on both internal and external fronts.
As early as March, Google had already begun restricting Meta's use of Gemini.
From the reporting perspective, it wasn’t that Google didn’t want to sell; rather, the computing capacity Meta wanted to purchase for Gemini exceeded what Google could currently provide.
In other words, Meta wants more Gemini, but Google’s “kitchen” can’t keep up, so supply is limited.
Large model calls differ from traditional software licensing; even if a customer is willing to pay, they may not be able to secure sufficient capacity. Each call represents actual computational demand.
While Google imposes restrictions on Meta externally, it also imposes internal limits, preventing its own employees from using competitors' AI programming tools.
On April 22, the Los Angeles Times reported that most Google employees have been prohibited from using competing tools such as Claude Code and Codex due to "security concerns," though exceptions may be requested with a valid business justification.
Meanwhile, certain DeepMind teams, including those related to Gemini, internal applications, and open-source models, continue to use Claude Code.
This issue created what insiders at Google called a “Claude haves and have-nots” dilemma: whether to use it or not.
Google appears highly inconsistent in this situation: on one hand, the company is encouraging employees to use AI more actively, with some engineers even given specific AI usage targets that may affect their performance evaluations; on the other hand, different teams have access to different AI tools.
It was reported that some employees believed Google’s internal model was inferior to Claude in coding ability, making “Can we use Claude?” not just a matter of tool preference, but a direct difference in efficiency.
From Google’s perspective, it’s not unaware that Claude Code and Codex are effective—the key AI team continues to use these external tools, which at least indicates that external AI programming tools still hold undeniable value in Google’s frontline development (even Google itself has acknowledged falling behind in coding).
Public reports have not disclosed specific details of Google's security concerns, but based on internal corporate use of AI programming tools, such concerns typically involve code, internal documents, product information, and workflow data entering external models.
After Google, Microsoft has similar concerns.
On May 14, The Verge reported that Microsoft has begun canceling most internal licenses for Claude Code, directing developers toward its own GitHub Copilot CLI.
According to reports, Claude Code is popular within Microsoft, but it is ultimately an Anthropic tool. Redirecting employees to the GitHub Copilot CLI helps control costs while also bringing internal AI-powered programming workflows back into Microsoft and GitHub’s own ecosystem.
Shortly after, Microsoft began restricting Claude Fable 5.
On June 10, Microsoft restricted employees from using Claude Opus 5 due to Anthropic's data retention requirements.
Reports indicate that Microsoft’s legal team is evaluating whether employees can use this model internally, with primary concerns centered on customer data, internal code, and confidential information.
By the end of June, Meta also began implementing restrictions on external models.
Information revealed on June 29 that internal documents from Meta show the company is restricting employees from using Claude and Codex in AI model development.
The headline directly states the reason: Meta is concerned that outputs from competitors' models could enter its own training data, triggering risks related to distillation, legal issues, and competition.
Anthropic’s terms explicitly prohibit users from using Claude’s outputs to train models that compete with Anthropic, as well as from supporting third parties in doing so; OpenAI’s terms also state that users may not use outputs from OpenAI services to develop models that compete with OpenAI.
These major companies are not subject to the same restrictions, but they collectively illustrate one thing: AI tools are no longer casual efficiency plugins that can be freely tested.
It consumes computing power, flows through code, accesses customer data, impacts product entry points, and may even become raw material for training the next generation of models.
Big companies aren't not using each other's models—they're just afraid to use them casually anymore.
The Three Lines of Defense Large Companies Provide for AI
An employee installing an additional software, opening another webpage, or trying another tool typically does not affect the company’s underlying resource allocation.
But AI is different—behind every model invocation lies computing power, tokens, code, data, permissions, and output assets.
When AI became the core productive asset of a company, the company’s attitude toward it naturally changed.
Looking at the information from this period together, major companies are beginning to set three gates for AI tools.
The first gate is resources.
Computing power and tokens cannot be used indefinitely.
Large models are not traditional software. Once traditional software is sold, its marginal cost is very low, but each invocation of a large model incurs real computational costs. Tasks involving long contexts, code generation, or agent workflows consume significantly more resources than standard Q&A.
The problem is that AI competition has entered a phase of severe compute resource scarcity.
Reuters has mentioned multiple times this year that tech giants such as Microsoft, Amazon, Alphabet, and Meta are projected to spend hundreds of billions of dollars on AI-related capital expenditures by 2026; a February report cited approximately $600 billion, while a March report referencing S&P Global Visible Alpha put the figure at around $635 billion. This represents a historic level of capital spending, yet the market continues to debate when this investment will translate into sufficient usable computing power.

The recent increase in storage and memory prices is also a very clear signal.
In June, Reuters cited a Morgan Stanley report stating that memory chip prices have risen approximately sixfold over the past year, driven by investments in AI infrastructure by major tech companies. Morgan Stanley has labeled this phenomenon “chipflation”: what began as a bottleneck in AI infrastructure has now spilled over into hardware profit margins, device prices, cloud costs, capital expenditures, and supply chain delays.
Google's restrictions on Meta's use of Gemini represent the most direct resource-based limitation. According to Reuters, this shortage has impacted and delayed some of Meta’s internal AI projects, with other Google customers also affected, albeit to a lesser extent. Meanwhile, Meta has asked its employees to use AI tokens more efficiently.
In other words, even major clients like Meta are willing to pay but still can’t secure enough model capacity; even giants like Google, with their cloud and AI infrastructure, must allocate computing power among their customers.
The second gate is data.
Code, customer information, and internal secrets must not be freely accessed by external models.
This isn't an overreaction by big companies—they've had firsthand experience with this before.
As early as 2023, employees in Samsung’s semiconductor division were found to have repeatedly entered sensitive information into ChatGPT, including source code used for troubleshooting and internal meeting content. In response, Samsung temporarily banned employees from using generative AI tools like ChatGPT on company devices.
Once employees input code, meeting notes, or internal materials into external models, the data has already left the company’s controlled boundaries.
This behavior is not an isolated case. Early monitoring by Cyberhaven showed that after ChatGPT’s launch, 4.7% of employees pasted sensitive company data into ChatGPT at least once; approximately 11% of the content employees pasted into ChatGPT consisted of sensitive data.
Data risks are greater in AI development scenarios; developers know it’s a basic practice to check for accidental commits of API keys before releasing code. In contexts involving AI datasets, model training, and open-source sample sharing, this issue is significantly amplified.
In 2023, Microsoft’s AI research team inadvertently exposed 38 TB of private data, including private keys, passwords, internal Teams messages, and employee workstation backups, due to a misconfigured Azure storage access token while sharing open-source training data.
As AI coding has become a trend, employees at large companies must pay even greater attention to data boundaries when using AI.
On-premises deployment keeps data within your company’s own environment, reducing the risk of code, logs, and customer information entering external models. For high-security scenarios such as internal code reviews, log analysis, customer service data processing, and compliance document management, on-premises models or private cloud deployments will become increasingly important.
However, when model capabilities are tied to productivity, employees don’t just want “a working model”—they want the most powerful, most intuitive, and most proficient coding tool available today. While deploying an open-source model locally may address some data boundary issues, it’s difficult to replicate the full experience and capabilities of external tools.
This is also why Google restricted most employees from using Claude Code and Codex due to security concerns, and why Microsoft restricted Claude Fable 5 due to Anthropic’s data retention requirements.
Essentially, this restriction is a protection of the company's data.
The third gate is assets.
Model outputs cannot be arbitrarily accessed by competitors' development pipelines.
The asset gate has two switches, one on each side—the model provider and the model user.
For model providers, they must guard against distillation: Anthropic’s terms prohibit users from using Claude’s outputs to train models that compete with Anthropic; OpenAI also prohibits users from using outputs from OpenAI services to develop models that compete with OpenAI.
In other words, the model can be invoked, but its output cannot be freely used to train a competing model.
The core assets of large model companies are not just model weights, but also the capabilities demonstrated in the model’s outputs: coding ability, reasoning methods, task decomposition, synthetic data, evaluation samples, and standard solutions for specific types of problems. If competitors can extensively invoke a powerful model and then curate these outputs into training data, they are essentially using others’ capabilities to train their own models.
Therefore, the model provider must close this loophole in the terms. This safeguard is outlined in the terms.
For model users, they must prove their own innocence.
The first gate and the second gate are essentially two sides of the same coin: the data gate is concerned with whether my data might leak into external models, while the asset gate is concerned with whether external models’ outputs might affect me. The former prevents my data from going out, while the latter prevents others’ capabilities from coming in.
Compliance issues are a necessary consideration.
Meta restricts Claude and Codex in terms of model-building scenarios. According to internal Meta documents revealed by The Information, the company is concerned that outputs from Claude or Codex could enter its own model-building processes, such as training data, synthetic data generation, evaluation, model optimization, or code infrastructure.
Because once these outputs enter the R&D pipeline, the other party may interpret it as you using their model's capabilities to train or improve your own model.
Furthermore, if such calls become large-scale and systematic scraping, they may be regarded by model providers as distillation attacks.
Reuters reported on June 24 that Anthropic, in a letter to U.S. senators, alleged that operators associated with Alibaba and the Qwen AI lab used nearly 250,000 fake accounts to interact with Claude 28.8 million times between April 22 and June 5, 2026, attempting to extract Claude’s capabilities through distillation. Although this is not yet a formal lawsuit, it has entered the policy and regulatory discourse.
Ironically, according to a June 29 report by Wired, a contractor project at Meta enlisted hundreds of outsourced workers to pose as minors to test rival chatbots such as ChatGPT, Gemini, and Character.AI. The project, managed by Meta contractor Covalen and internally codenamed Cannes, was still active as of April 21, 2026.These contractors were required to create fake minor accounts, ask various high-risk questions to competitors' chatbots, sometimes send images, and then copy the responses into spreadsheets.
Meta claims this is a standard security test and benchmarking. However, objectively speaking, it is difficult to argue that this does not encroach upon the model's competitive boundaries.
The asset gate can be seen as a compliance buffer that large companies build into their model development processes.
Otherwise, should disputes arise in the future regarding model capabilities, contract issues, or regulatory scrutiny, the company will struggle to prove that its model did not rely on competitors' outputs.
The AI industry has entered a new phase of competition and cooperation.
The number three is fascinating—allow me to briefly stray from the topic: in Greek mythology, the number three is everywhere, from the order of the world and the course of fate, to the powers of the gods and the destinies of heroes.
In Greek mythology, entering the underworld requires passing through three checkpoints: first, crossing the River Styx guided by the ferryman Charon; then encountering the gatekeeper Cerberus, a three-headed dog; and finally, entering the system of judgment. Cerberus sits at the crossroads, where the three judges of the underworld preside, and even the underworld itself is divided into three levels.
Now, AI giants have added three more layers of defense:
Resources cannot be used indefinitely, data cannot flow freely, and outputs cannot be arbitrarily used for training.
Through these three lines of defense, we can see that the AI industry is entering a new phase of competition and collaboration.
At this stage, each company has two identities simultaneously.
On one hand, they are model providers and naturally want their models to be used by more people, integrated into more products, and incorporated into more enterprise workflows.
On the other hand, they are also users of these models. No company can develop everything in isolation; the most powerful models, the best programming tools, the most mature cloud infrastructure, and the richest enterprise entry points are often held by different companies.
These large companies consider many factors: they want others to use their models, but cannot allow others to use their outputs to train competitors; they want to use others’ models to improve efficiency, but cannot lose control over their own data, code, and R&D processes.
Collaboration will continue, but AI partnerships between major companies will no longer be the all-encompassing relationships of the past.
In the era of cloud computing, even major companies serve as each other’s customers. Netflix can run on AWS, Apple can use Google Cloud, and Microsoft’s software can serve its competitors. At that time, the boundary between infrastructure and applications was relatively clear: you rent my servers, and I provide computing power, storage, and networking; your data, product logic, and business processes remain within your own systems.
Of course, the cloud era also brings issues around security, compliance, and vendor lock-in, but overall, it still resembles an infrastructure leasing arrangement.
But this logic no longer applies to large models, as large models are not just infrastructure—they are the capability itself.
When you invoke my model, you are essentially paying to use my model's capabilities; integrating my output into your workflow is not just about obtaining a result—you may also be embedding my capabilities into your system.
This connection will bring efficiency, as well as risk.
Connections between major companies have thus become more sensitive. What used to be mere process details are now preconditions for collaboration: who can use it, how much can be used, how data enters and exits, and whether outputs can be reused...
In earlier years, when AI was merely an efficiency plugin, people used whatever worked best. But now that AI has become a core production asset, it must be governed with access controls, quotas, auditing, and defined boundaries.
The free trial period for the AI tool has ended.
