Commerce Found the Kill Switch

The code review had been sitting in a Toronto developer's queue long enough that the contractor who wrote the service had stopped answering email. She had opened Claude for the code review, not for Fable 5; Anthropic had dropped the model with little warning, and she noticed only when engineers she trusted started saying it handled long, patient review unusually well. By Friday, with Fable locked to the Pro and Max tiers until June 22, trying it meant paying up. She handed it the tangled service, watched it follow dependencies like a careful senior engineer, and upgraded to Max 20x, about a hundred and eighty dollars, because ten days with a model that useful seemed worth it. A few hours later, on Friday evening, she checked a stalled Claude Code instance and found an error where the model used to be.

Earlier that evening, the Commerce Department had sent Anthropic a directive placing Fable 5 and its less restrictive sibling Mythos 5 under export controls, cutting off access for any foreign national, whether abroad or inside the United States. According to Axios, that designation reached into Anthropic's own staff. The company could not sort its users by nationality fast enough on a Friday night, so it switched both models off for everybody. The rest of Claude stayed up, but the two best models Anthropic had shipped were gone for the weekend.

Three versions of what happened

Anthropic says officials described a single narrow technique, verbally rather than in writing: someone had gotten Fable 5 to read through a codebase and flag a few minor, already-documented flaws. Other Claude models do this on request, as do most capable models on the market. Anthropic says it has not received a written finding, a named vulnerability, or an exploit chain.

A second account came from outside the government entirely. Within a day of launch, Pliny the Liberator, an independent researcher known for cracking frontier models the week they ship, said his agents had pulled restricted material out of Fable across cybersecurity, chemistry, and explosives. His method was to chop a dangerous request into harmless-looking fragments and stitch the answers together downstream. Anthropic pushed back, telling SecurityWeek that some of the screenshots circulating were never Fable's output and that nothing it had reviewed came close to a real jailbreak of the model's core safeguards.

The third account is the one that triggered the directive. A rival company claimed it had jailbroken Mythos. That claim has not been made public. Anthropic, reportedly days from an IPO, has every reason to minimize the breach. The government, justifying an extraordinary move, has every reason to emphasize it. Pliny's stake is the scoreboard, the proof that he or others can still crack the newest model before its makers can lock it down. Fable and Mythos were switched off while the public record still consisted of competing, unverified accounts.

Outside the government, the evidentiary record is thin. The directive has not been released; neither have a named CVE, a specific codebase, an ECCN classification, a cited legal authority beyond "export control directive," or the identity of the company that flagged the jailbreak. A worldwide product shutdown followed a verbal description of a narrow technique.

The export question

Export control is the body of rules governing which microchips, encryption, and aerospace parts can leave the country and who can touch them. Under the EAR, releasing controlled technology to a foreign person counts as an export and can require a license. Here, Fable's weights never left Anthropic's servers. The Toronto developer sent a prompt to a model running in the United States and got text back. Commerce's own longstanding position has been that using software in the cloud does not count as exporting it. Compliance lawyers shorthand this as "what happens in the cloud stays in the cloud."

Congress has been trying to close exactly this gap. The Remote Access Security Act passed the House in January to give Commerce explicit authority over remote access to EAR-controlled items. The current definition of "export" was written for shipments and on-premise hardware; it does not cleanly cover a user in Toronto reaching a model in Virginia. The Fable directive appears to treat that authority as already settled.

Underneath, Fable and Mythos are the same model. The public version runs behind a wall of safety classifiers. When those classifiers flag a risky request, the user gets bumped down to Opus 4.8, a weaker model without Fable's full capability. Before Tuesday, a Mythos preview model had already been available to companies in Project Glasswing. Tuesday's launch put Mythos 5 beside Fable 5 and widened access to a broader set of Glasswing companies. What got controlled was a classifier setting: a threshold deciding how much of the model's capability any given user gets to reach.

Commerce has not said whether it treated hosted model access as controlled technology, which would reach every frontier lab, or used a narrower authority aimed at Anthropic alone. The difference is whether Friday's directive becomes an industry rule or an Anthropic-specific fight.

The GPS precedent

Civilian GPS receivers sell freely worldwide with one condition baked into the firmware. The moment a unit calculates that it is moving faster than 1,000 knots or higher than 60,000 feet, it stops working. Below that line: consumer gadget. Above it: missile-guidance component, subject to export control. The hardware is identical either way. A performance threshold decides which legal category it belongs to, and jurisdiction has bounced between the State Department and Commerce for years as officials argue about where the line sits.

Anthropic spent its launch week positioning these models as a capability jump: Mythos-class, the strongest cybersecurity model in the world, safeguards built specifically because the cyber and bio capabilities warranted them. Commerce seems to have taken the company at its word. If a model needs that kind of guarding, the GPS logic says it is powerful enough to control.

GPS thresholds work because the line is measurable and the capability above it is scarce. A receiver knows its own speed and altitude. A language model has no equivalent number. "Can find a bug" and "can chain an exploit" shift with the prompt and the user. Reviewing a codebase for known flaws is something half a dozen other systems already do on request, and the scarier capabilities tend to turn up eventually in models nobody has controlled. Keeping commercial satellite gear on the strict munitions list cost U.S. manufacturers around $21 billion over a decade as buyers went elsewhere.

Getting back online

Restoring Fable and Mythos means Anthropic has to prove who its users are, build nationality gates, and decide which enterprise customers clear the bar first before restrictions cascade through every startup building on the API. The frontier model stops being software you sign up for and starts being infrastructure you get vetted into. Anthropic is reportedly preparing an IPO. Friday's directive gives investors a new risk to price: the possibility that a flagship model can be disabled by government order after launch.

Commerce has not released the letter or the legal theory behind it, and Anthropic has promised more detail. The government may have evidence considerably stronger than what has surfaced; if so, the proportionality questions look different. For now, the public record shows Commerce using export-control machinery to govern remote access to a hosted frontier model, without yet showing the legal bridge that makes that access the controlled export.