2023 Conference on International Cyber Security | 7-8 November 2023

Panel 7 | Shaping the Digital: Cybersecurity Communities Beyond the State

Jack Goldsmith

Jack Goldsmith is the AI Corporate Governance Specialist at the Human Technology Institute within the University of Technology Sydney (UTS). He is also a Visiting Fellow with the Australian National University's (ANU) School of Regulation and Global Governance and an Associate Fellow with the Social Cyber Institute. Jack also volunteers as Editor-in-Chief for Young Australians in International Affairs and regularly reviews AI policy articles for the East Asia Forum.

Jack's predominant research foci include AI and cyber security governance, and he has published and presented widely on these topics. In 2025, Jack was awarded first place in Binding Hook's and Munich Security Conference's inaugural AI-Cybersecurity Essay Competition.

Abstract

Keynote

The geopoliticization of open-source software communities: Towards a model of features, organization, and methods

Few actors are as integral to the global technology stack as those which support the development and maintenance of open-source software (OSS). OSS is in some way present within over 90% of modern technology, and is an arterial element of artificial intelligence (AI) and cyber security supply chains. It is through OSS that the most salient AI and cyber security risks can both occur and potentially be mitigated thanks to its community networks of dedicated contributors, volunteers, and hobbyists. Despite this, public and scholarly recognition of OSS communities as increasingly important geopolitical actors and potential participants in global tech regulation and innovation is scarce, and their role in influencing broader security dynamics poorly understood. Closer attention to their motivations and organization, as well as strategy and methods, is urgently needed.

What actor model best reflects OSS communities, and where are they placed within the global digital and geopolitical ecosystem? This paper considers the role of OSS communities as central actors in modern international relations, technology security, and geopolitics. It argues that OSS communities are distinct from comparator actors, such as state-like big tech platforms and non-state cyber threat actors, by virtue of their mostly decentralized, pseudonymous, and transnational nature. They instead comprise twin identities. This includes a public, institutionalized form as represented by open-source foundations and online hubs, which act as surfaces for interaction with and by states. The underside of this identity is a loose, nebulous, and at times pseudonymous collection of individual contributors, universities, big tech companies, and governments, who perform much of the backend labour that brings OSS to life.

While essentially peer-based and geographically dispersed, OSS groupings are nonetheless capable of collectively exerting considerable political force. The paper exhibits this through an applied case study on the OSS community’s rallying and organized resistance to the EU’s Cyber Resilience Act. It then situates OSS communities within a constellation of modern digital state, semi-state, and non-state-like actors so as to distinguish their key attributes from peer entities. The paper ultimately argues that modern OSS networks defy traditional actor models ascribed to digital entities, and as such necessitate new forms of interaction and governance.

This paper presents one of the first academic studies of OSS communities in the international relations literature. Exploration of this kind is important for building a theoretic base upon which scholars and states can further engage the role of OSS communities in modern geopolitics.