Anthropic announced on June 12, 2026 that it had to suspend access to its Fable 5 and Mythos 5 models following an export control directive issued the same day by the U.S. government. Officially, the order prohibits access to these two models for any foreign national — whether or not they are on U.S. soil, including Anthropic’s foreign employees. But to ensure compliance, the company says it had no choice but to abruptly cut off Fable 5 and Mythos 5 for all of its customers. Access to Anthropic’s other models is not affected.
The directive was received that same day at 5:21 p.m. ET. Anthropic says the letter did not specify the exact nature of the national security concern cited. Based on its understanding, the government believes it became aware of a bypass method — a “jailbreak” — targeting Fable 5.
The bypass in question: getting a model to read code
Anthropic says it reviewed a demonstration of the technique. That demonstration was used to identify “a small number of minor, already known vulnerabilities,” described as relatively simple — and, the company notes, ones that other public models can discover without any bypass at all.
At this stage, Anthropic says it has only received verbal evidence from the government of a potential, narrow, non-universal jailbreak, essentially consisting of “asking the model to read a specific codebase and fix its software flaws.” The company says it reviewed the report it believes led to the directive, and verified that the capability described is “widely available in other models (including OpenAI’s GPT-5.5)” and used every day by defenders responsible for securing systems. It promises to share more details within 24 hours.
Anthropic’s defense: safeguards “among the most robust”
The company points back to the position it laid out at the launch of Fable. It says it has safeguards “so strong” that many users complained they were too broad, especially for cybersecurity-related use cases. In the weeks leading up to launch, Fable was reportedly subjected to thousands of hours of red-teaming, carried out with the U.S. government, the UK’s AISI, several third-party organizations, and internal teams. Those tests allegedly showed protections “significantly more effective than those of any model deployed to date.”
Most importantly, Anthropic says that “no tester has, so far, found a universal jailbreak” — a bypass capable of broadly disabling the safeguards. The company does acknowledge, however, that perfect resistance is probably unattainable for any provider at present, and that universal jailbreaks will likely eventually emerge — a point it says it made clear from the release of Fable 5.
A “defense in depth” strategy
Since perfect resistance is not possible, Anthropic says it follows a layered approach: make bypasses either narrow (non-universal jailbreaks) or very costly to produce (universal jailbreaks), and combine that with deep monitoring to quickly detect and stop any successful attack. That is also, the company explains, why it imposes a 30-day customer data retention policy with Fable — a measure that carries a real cost for customers, but allows Anthropic to study and fix jailbreaks. The company believes this strategy brings the risks posed by Fable down to a level comparable with models already deployed across the industry.
Anthropic complies, but disputes the decision
While complying with the directive and removing access to both models, Anthropic says it disagrees: the discovery of “a potential, narrow jailbreak” cannot, in its view, justify recalling a commercial model “deployed to hundreds of millions of people.” Applied across the industry, such a standard “would, in practice, freeze any new model deployment” for all frontier labs.
The company says it publicly supports a government’s ability to block deployments deemed dangerous — but only through a legal process that is “transparent, fair, clear, and grounded in technical facts,” principles it believes this action does not meet. Anthropic apologizes for the disruption caused to its customers, says it believes this is a “misunderstanding,” and is working to restore access as quickly as possible.
A geopolitical precedent, not just a regulatory one
Beyond the specific case of Fable 5 and Mythos 5, this episode marks a deeper shift: the United States is no longer controlling only chips, compute capacity, or model weights. It is now asserting the ability to interrupt operational access to a model already sold commercially, in the name of national security.
That is a significant shift. So far, the debate over AI sovereignty has mostly focused upstream: GPUs, data centers, datasets, open or closed models. Here, control is exercised over usage itself. The question is no longer just who can train a frontier model, but who is allowed to query it, under what conditions, and with what nationality.
The order targeting foreign nationals — including when they are on U.S. soil or working for Anthropic — introduces a new fracture in the global AI economy. It turns the nationality of the user, researcher, employee, or customer into an access parameter for cognitive infrastructure. For companies, that creates a risk that is hard to contract around: a service that is legally subscribed to, technically available, and commercially deployed can become inaccessible overnight for administrative reasons outside the customer-supplier relationship.
For U.S. allies, the signal is especially sensitive. Europe, Canada, Japan, South Korea, and Australia are not necessarily the political targets of such a measure. But they are affected by its logic: under a national security regime, access to the most advanced U.S. models can be suspended without fine distinctions between partners, competitors, and adversaries. AI sovereignty then stops being a defensive slogan; it becomes a business continuity issue.
This precedent also gives ammunition to powers that challenge U.S. technological hegemony. Beijing may see it as confirmation that U.S. frontier models are not just cloud products, but revocable strategic capabilities. The more Washington uses access control as an instrument of power, the more it encourages rivals to accelerate their own sovereign, closed, or regional stacks.
The difficulty lies in the very nature of the risk being invoked. An advanced cyber capability is inherently dual-use: the same model can help a defender identify a vulnerability or help an attacker exploit it. If the mere ability to read a codebase and suggest fixes becomes sufficient grounds to remove a model from the market, then the threshold for blocking could quickly end up covering all frontier models. Conversely, if states wait for an unreasonably high proof threshold, they will act too late. It is this in-between space that still lacks any clear public doctrine today.
The Fable 5 case is therefore not just a test for Anthropic. It foreshadows the political regime of frontier models: products sold globally, yet subject to a sovereign recall right; private infrastructures, yet treated as strategic assets; software tools, yet governed by logics close to export control and national security.
The criterion adopted in the coming weeks will be decisive. If a narrow, non-universal jailbreak comparable to capabilities already available elsewhere is enough to justify a global shutdown, frontier model launches will enter a new era: one of conditional, revocable, geopolitically filtered deployments. If, on the contrary, the episode is resolved as an excess of caution or an administrative misunderstanding, it will nonetheless have revealed one thing: access to the most advanced models is no longer just a market question. It is now an attribute of power.