[computably]

I'm curious as to what you mean by

> as an open protocol, they literally cannot do that.

From a cursory search, it seems the AT Protocol is solely maintained by Bluesky. Also, AFAICT, Bluesky operates the only sizable/relevant servers. i.e. Neither the governance nor the technical operation are decentralized. (edit: Although the OP call for projects includes options which would probably lead to further decentralization, that doesn't speak to the present state.)

Note that I find it reasonably credible that Bluesky won't do that. I just don't see why they cannot. If there is a massive incentive to make backwards-incompatible protocol changes, say a fundamental security flaw, wouldn't the expected outcome be that Bluesky unilaterally makes those changes?

[steveklabnik]

Virtually all of the code is open source. There are also alternative implementations. So yes, right now, it’s run by them, but they can’t hold the community hostage: if they start doing bad stuff, the community can easily fork.

[computably]

Ah. I thought (perhaps hoped) you were referring to something more. I think decentralization of the actual data and infrastructure is the key. OSS is necessary but not sufficient. If Twitter were open sourced and widely forked tomorrow, not much would change, since Twitter still holds all the tweets and hundreds of millions of users.