Back to the journal

Research

The Fable 5 ban was never just about Fable

The full story behind Anthropic's Fable 5 and Mythos 5 shutdown: the Department of War fight, the supply-chain-risk label, reported NSA use of Mythos, Project Glasswing, hidden safeguards, Amazon's warning, and the export-control order.

June 14, 202616 min readagentAnderson.ai

Key takeaways

  • The Fable 5 shutdown was the end of a longer fight, not an isolated product recall.
  • Washington treated Anthropic as too risky to trust, too useful for cyber operators to ignore, and too strategic to let foreign nationals access freely.
  • The precedent is bigger than Anthropic: frontier model access can now be governed like export-controlled national-security infrastructure.

The three-day model

Claude Fable 5 became publicly available on June 9, 2026. By the evening of June 12, Anthropic had disabled access to both Fable 5 and Mythos 5 for all customers.

Anthropic said the U.S. government had issued an export-control directive requiring the company to suspend all access to both models by any foreign national, whether inside or outside the United States, including Anthropic employees. Because Anthropic could not reliably enforce that constraint across its live services in real time, the company removed the models for everyone. Other Claude models stayed online.

That version of the story is dramatic enough: a frontier AI model goes up on Tuesday and is pulled down by Friday night. But it is too small. Fable 5 was not shut down only because of one alleged jailbreak. Fable 5 was shut down because Anthropic's Mythos line had already become a national-security object.

The government did not discover in June that Mythos was powerful. It had spent the spring arguing about who should be allowed to use that power, and under whose rules.

The fight started with military use

The public fight began in late February. On February 26, Dario Amodei said Anthropic had already deployed Claude across the Department of War and the intelligence community for uses including intelligence analysis, modeling and simulation, operational planning, cyber operations, and other national-security work.

Anthropic's position was not anti-military. The company said it supported lawful foreign intelligence, counterintelligence, and defense uses. The disagreement was over two carve-outs: mass domestic surveillance of Americans and fully autonomous weapons. Anthropic said current frontier models were not reliable enough for autonomous lethal targeting, and that AI-enabled domestic surveillance could violate democratic rights at scale.

The Department of War wanted broader language: access for all lawful purposes. Anthropic refused to remove the two exceptions. A day later, Secretary Pete Hegseth said he was directing the department to designate Anthropic a supply-chain risk.

That phrase matters. A supply-chain-risk designation is not a normal procurement disagreement. It suggests the vendor might compromise, sabotage, or subvert systems used by the government. Anthropic argued that applying that label to a domestic AI company over a usage-policy dispute was unprecedented and legally unsound.

The supply-chain label backfired

On March 5, Anthropic said it had received the formal Department of War letter confirming the designation. The company argued that the legal scope was narrow, limited to use of Claude as part of Department of War contracts. It also said it would challenge the designation in court while continuing to support national-security users through any transition.

That was already a strange posture. Anthropic was being described as a national-security risk, yet the company was also important enough that it promised to keep providing models and engineering support to warfighters and national-security experts for as long as it was allowed.

On March 26, Judge Rita Lin granted Anthropic a preliminary injunction. The court found that the government's broad measures appeared punitive and likely unlawful. The order emphasized that the supply-chain-risk label had never been applied to a domestic company and that the Department of War had not shown a legitimate basis to infer that Anthropic's insistence on usage restrictions made it a potential saboteur.

The court did not say the government had to buy Claude. It said the government could choose another AI vendor if it wanted one. The problem was going further: branding Anthropic as a potential supply chain threat because it publicly disagreed with the government's desired contract terms.

Then came Mythos

In April, Anthropic introduced Project Glasswing, a cybersecurity initiative built around Claude Mythos Preview. Anthropic described Mythos Preview as an unreleased frontier model whose coding and security abilities could reshape vulnerability discovery. The pitch was defensive: give trusted organizations access before attackers with comparable tools made the internet less stable.

Project Glasswing gave selected partners the ability to use Mythos Preview to scan important codebases, find vulnerabilities, and help fix them. Anthropic's initial public partner list included major infrastructure and technology organizations. By June 2, Anthropic said it was expanding the program to roughly 150 organizations in more than 15 countries, many of them tied to critical infrastructure.

That expansion sharpened the policy problem. If Mythos was too dangerous for general release, it was also too useful to lock away completely. If defenders could use it to find vulnerabilities faster, so could attackers once similar capabilities became available elsewhere. Anthropic argued that cheap, fast AI models with strong cyber capabilities were around the corner, and that defenders needed time to adapt.

This is where the public contradiction became hard to ignore. The same government that had fought Anthropic as a supply-chain risk was reportedly using Mythos.

Blacklisted in public, used in private

On April 19, Axios reported that the National Security Agency was using Mythos Preview despite the Department of War's position that Anthropic was a supply-chain risk. Axios cited two sources for NSA use and one source saying the model was being used more widely inside the department. Anthropic and the Pentagon declined to comment; NSA and ODNI did not respond.

Nextgov had already reported that intelligence officials and industry were weighing how Mythos Preview might reshape both hacking and cyberdefense. The defensive use case was obvious: identify exploitable weaknesses in friendly systems before attackers do. The offensive implication was just as obvious: identify exploitable weaknesses in adversary systems.

By June, the reporting became more specific. TechCrunch summarized Financial Times reporting that Anthropic had deployed roughly half a dozen engineers to the NSA to help the agency use Mythos for certain cyber applications. The report did not establish that those engineers or the model were being used in active hacking operations, and NSA declined to confirm or deny it.

Even with that caveat, the policy picture was clear. Mythos was not just a corporate model. It was becoming a state capability, part defensive scanner, part potential offensive aid, and part bargaining chip in the fight over who controls frontier AI use.

Fable was Mythos for the public

On June 9, Anthropic launched Fable 5 as a Mythos-class model made safe for general use. Mythos 5 and Fable 5 shared the same underlying model. The difference was the safety layer. Fable 5 included safeguards that routed or declined sensitive requests in areas such as cybersecurity, biology, chemistry, and model distillation. Mythos 5 was for trusted cyberdefenders and infrastructure providers, with safeguards lifted in some areas.

Anthropic marketed Fable as the most capable model it had ever made generally available. It pointed to stronger long-horizon software engineering, knowledge work, vision, memory, scientific reasoning, and life-sciences use cases. The company also priced Fable 5 and Mythos 5 at $10 per million input tokens and $50 per million output tokens.

The developer docs made the operational tradeoffs explicit. Fable 5 could return visible refusals as successful API responses, and customers needed to plan for fallback behavior. Fable 5 and Mythos 5 were also covered by 30-day data retention requirements and were not available under zero-data-retention arrangements.

That data-retention shift was part of Anthropic's defense-in-depth plan. If a model this capable could not be made perfectly jailbreak-proof, Anthropic wanted monitoring, post-hoc detection, and the ability to investigate abuse attempts. For some enterprise customers, that was a real cost. For Anthropic, it was part of the argument that broad release could be managed without letting risk run loose.

The hidden-safeguard backlash

Fable 5 was already controversial before the government order. Researchers noticed language in the system card describing a separate set of safeguards for frontier AI development work. Unlike visible fallbacks for cyber, bio, chemistry, and distillation requests, these interventions would not be visible to the user.

The reported mechanism was not a refusal. It was silent degradation: limiting effectiveness through methods such as prompt modification, steering vectors, or parameter-efficient fine-tuning. Anthropic estimated that this would affect only a tiny share of traffic, concentrated in a very small share of organizations. But the principle was explosive.

A visible refusal tells the user the system has hit a policy boundary. A silent intervention leaves the user wondering whether the model is weak, the prompt is bad, the task is hard, or the vendor has quietly decided to make the answer worse. That is why the backlash was about trust as much as access.

This mattered because the later government action arrived when Anthropic was already defending its right to shape frontier-model behavior invisibly in some cases. The company saw itself as releasing dangerous capability responsibly. Critics saw a private lab deciding which kinds of research would receive full-strength answers.

The Amazon report and the Friday scramble

The shutdown itself appears to have been triggered by concerns raised outside Anthropic. Axios reported that Amazon called administration officials on Thursday night with a report showing a way to jailbreak and access parts of Mythos that Amazon considered a national-security threat. Axios also reported that at least five other companies contacted senior officials before the models were shut down.

According to Axios, Anthropic received a call at 1 p.m. ET on June 12 telling it to roll back Fable and Mythos because of a national security threat. The company was reportedly given 90 minutes. Later that day, around 5:30 p.m. ET, the White House sent a letter imposing sweeping export-control rules. Anthropic's own statement says it received the directive at 5:21 p.m. ET.

Anthropic disputed the substance. It said the government had not provided specific details of the national-security concern and had only supplied verbal evidence of a narrow, non-universal jailbreak. Anthropic said the demonstrated vulnerabilities were minor, previously known, and discoverable with other public models as well. It also said no tester had found a universal jailbreak that broadly bypassed Fable's safeguards.

That is the core factual dispute. The government apparently viewed the report as evidence that Mythos-level capability had crossed a national-security line. Anthropic viewed it as normal defensive vulnerability discovery, the kind of task defenders need AI systems to do.

Why foreign nationals mattered

The most consequential part of the order was not simply that people outside the United States could lose access. The directive, as Anthropic described it, applied to foreign nationals inside the United States too, including foreign-national Anthropic employees.

That maps onto the export-control concept of a deemed export. BIS defines a deemed export as sharing or releasing controlled technology or source code to a foreign person inside the United States. The Export Administration Regulations define export to include releasing or transferring controlled technology or source code to a foreign person in the United States.

Applying that logic to live model access is the novel part. The earlier AI export-control debate focused heavily on chips, compute, and model weights. Here, the practical target was a hosted commercial model service. The result was not a normal licensing queue or a country-by-country availability chart. It was a near-immediate access cutoff for a model that had been available only three days.

As of June 14, 2026, the directive itself does not appear to have been posted publicly. The public record is Anthropic's statement, press reporting, and the surrounding export-control framework. That should make everyone cautious about overclaiming the exact legal theory. But the practical effect is already clear: nationality became a live access-control dimension for frontier AI.

The actual story

The simple version says the U.S. government banned Fable 5 because someone jailbroke it. The deeper version is stranger.

First, Anthropic fought the Department of War over whether Claude should be available for every lawful military use, including categories Anthropic considered unsafe or anti-democratic. The government responded with a supply-chain-risk designation that a federal judge later found likely unlawful.

Second, while that fight continued, the national-security state was reportedly using Anthropic's most sensitive model line anyway. NSA use of Mythos Preview was reported in April. Additional reporting in June said Anthropic engineers had been helping the NSA prepare Mythos for cyber applications.

Third, Anthropic expanded Project Glasswing internationally, arguing that trusted access to Mythos-class cyber capability was necessary to give defenders a temporary advantage. That meant Mythos was simultaneously too dangerous for broad release and too important to keep idle.

Fourth, Fable 5 put a guarded version of Mythos-class capability into the public market. It did so with visible safeguards, data retention, monitoring, and controversial hidden safeguards for frontier AI development. Three days later, the government converted that risk debate into an access order.

Washington's position was not simply that Anthropic was dangerous. It was that Anthropic was dangerous, useful, and strategically indispensable at the same time.

What changes now

For AI labs, the lesson is operational. A frontier model launch is no longer just a product, safety, and infrastructure event. It may also require nationality-aware access controls, employee-access planning, government engagement, emergency model fallback, and a legal theory for export-controlled model behavior.

For enterprises, the lesson is dependency risk. If a provider can lose a top model overnight because of national-security action, model availability becomes a board-level continuity issue. Vendor evaluation can no longer stop at benchmark scores, context window, price, and API reliability. It has to include geopolitical exposure.

For researchers, the lesson is trust. Fable 5 raised one question before the ban: can users trust a model if some interventions are invisible? The ban raised another: can users trust access to a model if the government can reclassify the service as a controlled capability after launch?

For governments, the lesson is process. Anthropic has publicly supported the idea that governments should be able to block unsafe deployments through a transparent, fair, technically grounded statutory process. The company says this action did not meet that standard. If frontier AI access is going to be regulated like a national-security asset, the process cannot depend on Friday afternoon pressure, private reports, and unpublished directives.

The Fable 5 ban is therefore not just a story about Anthropic. It is a preview of the policy layer arriving on top of frontier AI. The model is no longer merely software. It is infrastructure, leverage, risk, and state capability in one package.

Fable 5 lasted three public days. The precedent will last much longer.

Sources