
Public money, private code.

The NHS survived hostile state attacks on its open-source pandemic app with zero critical breaches. Now it ordered every team to hide their public code in one week. AI was the justification, not the reason. When a taxpayer-funded health system abandons transparency, that's a democratic decision.

Hiding public code

The UK's National Health Service gave itself one week to hide all public code. AI was the justification, not the reason.

The UK's National Health Service was one of the strongest champions of open source in government. During the pandemic, it open-sourced its contact tracing app. Millions of installs. Hostile states actively targeting it. Zero critical security breaches.

Now the same organization, which serves 56 million patients and is one of the largest employers on the planet, has ordered every team to make their public code private. The deadline: May 11th. One week.

Their justification: AI can now scan open codebases and find security flaws faster than humans can patch them.

There is a problem with this logic. The AI does not need the source code to find the flaws.

Most AI models today can probe live systems and map vulnerabilities without source code. And every public NHS repository has already been scraped and archived. Taking down the GitHub page is a gesture, not a defense.

What changed is not the technology. What changed is the institutional willingness to be transparent.

In December 2025, months before Anthropic claimed their new frontier AI model Mythos could find thousands of zero-day vulnerabilities in production software, NHS England quietly deleted its open-source policy pages. When asked, a spokesperson called it a "regular clean-up exercise." Five months later, the clean-up turned out to be preparation.

Neither the UK's AI Safety Institute nor the National Cyber Security Centre recommended this. The UK government's own rules still mandate that publicly funded code should be open by default. Twenty-five thousand public repositories remain untouched. This is not a coordinated government response. It is one organization, acting alone, in a panic.

But here is what makes the NHS case worth paying attention to.

A company closing its code is a business decision. When a government does it, the question changes.

Reports from inside NHS England revealed that the deeper reason was not just AI: it was a belief that the organization lacked the capacity to maintain open-source software at all. AI made the problem visible, but the weakness was already there. Open-source advocates and security experts called the response ill-founded. The announcement gave NHS England cover to finish what it had quietly started months earlier.

When a public healthcare system, funded by taxpayers, serving 56 million people, decides that transparency is too expensive to maintain, that is not a security decision. That is a democratic one.

Security through obscurity has never worked. It is unlikely to start working now.

The rest of Europe looked at the same threat and reached the opposite conclusion.

The EU's Cyber Resilience Act forces companies that profit from open source to take responsibility for its security, shifting the burden from unpaid volunteers to funded organizations. And digital rights groups across Europe are pushing a simpler principle: if public money built the software, the public should see it.
