---
title: "Anthropic, the Export Control Directive, and the Anatomy of a Fable 5 Pull: A Deep Dive"
description: "On June 12, 2026, the US government ordered Anthropic to suspend Fable 5 and Mythos 5 for every foreign national worldwide. The directive did not target a country, and it did not target a capability. It targeted a class of person. This long read unpacks the legal mechanism, the 'US person' concept that decides who keeps access, why Anthropic chose to disable for everyone, what Project Glasswing loses, and what precedent this sets for the rest of the frontier model industry."
date: 2026-06-13
image: "/images/heroes/2026-06-13--fable-mythos-export-control-deep-dive.png"
author: lschvn
tags: ["security", "ai", "ecosystem"]
tldr:
  - "The US government issued an export control directive on June 12 at 5:21pm ET requiring Anthropic to suspend Fable 5 and Mythos 5 for 'any foreign national, whether inside or outside the United States, including foreign national Anthropic employees.' It is a person-based restriction, not a country-based one, so a US citizen in Paris keeps access while a French citizen in San Francisco does not."
  - "Anthropic complied by disabling the models for 'all our customers' rather than attempt nationality-based gating at the API edge, because the model is served centrally and the cost of a leak to a foreign national is severe. The same logic is why every other US-hosted frontier model faces the same structural exposure."
  - "The cited concern is a 'narrow, non-universal jailbreak' that amounts to asking the model to read a codebase and flag flaws, a capability Anthropic says OpenAI's GPT-5.5 and other public models already have and that defenders use every day. Anthropic's core legal argument is that pulling a commercial model on this class of finding 'would essentially halt all new model deployments for all frontier model providers.'"
  - "Project Glasswing's thirteen US partners (Apple, Microsoft, Google, AWS, Broadcom, Cisco, CrowdStrike, JPMorganChase, the Linux Foundation, NVIDIA, Palo Alto Networks, and Anthropic itself) keep their institutional access, but every foreign national on their teams loses their seat. For a coalition built on co-located red-teaming, that is a meaningful operational cut."
faq:
  - question: "Is Fable 5 really only for US citizens now, or is it more complicated than that?"
    answer: "It is more complicated. The directive targets 'any foreign national, whether inside or outside the United States,' which in US export control law is a person-based concept, not a citizenship-based one. US persons (citizens, permanent residents, certain asylees and refugees, and US-organized corporations) keep access. Foreign nationals, even foreign nationals living in the United States on H-1B or F-1 visas, do not. Tourists, business visitors, and students also do not. Green card holders are a gray area that the order does not explicitly resolve. The 'citizens only' framing is a useful shorthand but it is not legally precise."
  - question: "Why did Anthropic disable the model for everyone, not just for foreign nationals?"
    answer: "Three reasons stack up. First, Fable 5 and Mythos 5 are served from a central API, and Anthropic does not currently do per-user nationality attestation, so the simplest compliant path is to remove the surface entirely. Second, the legal cost of leaking a frontier model to a single foreign national is severe enough that 'almost compliant' is not a defensible posture. Third, disabling for everyone is reversible the moment the order is rescinded, while a granular nationality-gating system would be hard to roll back and easy to challenge. The choice is a compliance optimization, not a technical limit, and other US-hosted frontier providers will face the same arithmetic."
  - question: "What is a 'narrow, non-universal jailbreak' and why does Anthropic say it does not matter?"
    answer: "The order cites a technique that, in Anthropic's reading, consists of asking Fable 5 to read a specific codebase and identify software flaws. The technique is narrow in that it does not generalize across prompts and it does not unlock broad cyber capabilities. It is non-universal in that no other jailbreak has been shown to work the same way. Anthropic's argument is that this class of finding is a normal, expected outcome of operating a frontier model: the Fable launch post itself said 'perfect jailbreak resistance is not currently possible for any model provider.' They reviewed the underlying report and concluded the capability shown is widely available from GPT-5.5 and other public models and is the same capability defenders use every day. Pulling a commercial model on that bar is, in their view, an industry-halting precedent."
  - question: "Does this affect Project Glasswing?"
    answer: "Indirectly, and operationally rather than legally. Project Glasswing's thirteen partner organizations are all US-headquartered companies, so the directive does not remove the institutional access the program grants. But every foreign national working at a Glasswing partner loses their seat, and the program was built around co-located red-teaming where engineers from multiple companies work the same model in the same sessions. The Mythos 5 surface that Glasswing participants use is the same surface the order targets, so the coalition's working model changes for the duration of the suspension even though its membership does not."
  - question: "How is this different from a typical export control on a piece of software or hardware?"
    answer: "Traditional export controls (the EAR and ITAR regimes) treat source code and dual-use goods as items that cross borders, with licensing based on the destination country, the end user, and the end use. They were written before the cloud existed. A frontier AI model served from a US data center to a customer with a browser does not cross a border in the physical sense, but the export control regime has been extended to cover 'items' subject to the EAR regardless of how they are transmitted, including intangible transfers such as software downloads. The interesting legal question is whether a US-hosted API call that returns model output to a foreign national counts as a 'release' of controlled technology to that national. The Fable directive appears to take the position that it does, and Anthropic is not contesting that position; they are contesting the technical justification for the order."
  - question: "Could another country do the same thing to OpenAI or Google?"
    answer: "In principle, yes. The EU's dual-use export control regulation, China's export control law, and the UK's strategic export control regime all have analogues that could be used to restrict a model served from within their jurisdiction from being made available to specific categories of users. The interesting asymmetry is that most non-US jurisdictions have weaker tooling for export control enforcement at the API edge, because they do not have the same concentration of frontier model providers on their territory. The US is uniquely positioned to issue this kind of order, and the Fable directive will be studied by every other major jurisdiction as a test case."
  - question: "What should a TypeScript or JavaScript team using Claude Code or Cursor do today?"
    answer: "Audit which model identifier your tools have been routing to. Claude Code, Cursor, Aider, Continue, Cline, and the other coding surfaces were not directly affected (Opus 4.8, Sonnet, and Haiku are unaffected by the order), but a handful of advanced surfaces (long-horizon refactors, autonomous agent loops) had been silently falling back to Fable 5 in the background. The Fable 5 identifier is no longer the right default. The mid-tier Claude surface is the safe fallback for now. The 30-day data retention policy that shipped with Fable 5 also stops applying, which removes a privacy point some enterprise buyers had flagged. If your tool exposes a model picker, you should not see Fable 5 or Mythos 5 in it any longer."
  - question: "What is the precedent risk Anthropic is worried about?"
    answer: "Anthropic's published position is that pulling a commercial model for a narrow, non-universal jailbreak sets a bar the entire frontier industry cannot meet, because the company itself said at launch that perfect jailbreak resistance is not currently possible. If the bar becomes 'a single, narrow, non-universal finding of any kind is grounds for recall,' every model provider is in permanent recall territory. Anthropic has framed the dispute as procedural rather than substantive: they are not arguing that the government lacks the legal authority to block a deployment, they are arguing that the order should have followed a 'statutory process that is transparent, fair, clear, and grounded in technical facts.' The next 24 hours, during which Anthropic has promised more details, will be the first signal of whether the dispute goes legal, regulatory, or political."
---

On June 12, 2026 at 5:21pm ET, Anthropic received a letter from the US government that disabled the strongest commercially available AI model in the world for almost everyone on Earth. The [statement the company published the same evening](https://www.anthropic.com/news/fable-mythos-access) was six paragraphs long, but the legal mechanism it describes is older than the internet and stranger than most readers will recognize. The directive targets a category of person rather than a category of capability, which means the people who lose access depend on their passport, not their prompt. This long read unpacks what the order actually does, who actually loses access, and why the answer to "is [Fable 5](/articles/2026-06-12-fable-5-distillation-guardrails) only for Americans" is yes for citizens, no for permanent residents, mostly no for the thirteen [Glasswing](/articles/2026-04-07-anthropic-project-glasswing-ai-finds-zero-days-faster-than-humans) partners, and "ask your lawyer" for green card holders, in roughly that order.

## What the order says, in plain English

The Anthropic statement quotes the operative language: "the US government, citing national security authorities, has issued an [export control directive](/articles/2026-06-13-anthropic-fable-mythos-suspended-us-government) to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees." The phrase to notice is "by any foreign national," not "to any country" and not "of any capability." The order is a person-based restriction enforced through an export control mechanism, which is an unusual combination but not an unprecedented one.

The same paragraph then explains the practical effect: "the net effect of this order is that we must abruptly disable Fable 5 and Mythos 5 for all our customers to ensure compliance." The company is not making a claim that the order requires disabling for everyone. It is saying that, given the architecture of the product and the cost of getting it wrong, disabling for everyone is the only path it is willing to take. That distinction is going to matter in a moment.

The statement also confirms that "access to all other Anthropic models will not be affected." Claude Opus 4.8, Claude Sonnet, Claude Haiku, Claude Code, Claude Cowork, Claude for Chrome, Claude for Slack, and the rest of the production surface continue to operate. The order is targeted at two specific model versions and does not extend to the rest of Anthropic's product line.

## The "foreign national" concept, and why it is not the same as "non-citizen"

US export control law, codified primarily in the Export Administration Regulations (EAR) administered by the Bureau of Industry and Security (BIS) in the Department of Commerce, defines a "US person" as a citizen of the United States, a lawful permanent resident of the United States (a green card holder), a person who has been granted asylum in the United States, a person who has been admitted as a refugee to the United States, or a corporation or other entity organized under the laws of the United States or any US state or territory. Everything that is not a US person is, in the export control sense, a "foreign person" or "foreign national." The order language uses the latter term, which is the more common phrasing in national security directives.

The consequence of this definition is that a French citizen who has lived in San Francisco for twenty years on a green card is, for the purposes of this order, a US person. A French citizen who has lived in San Francisco for twenty years on an H-1B visa is, for the purposes of this order, a foreign national. Both of them are equally French, equally resident in California, and equally subject to US tax law, but the order treats them very differently.

This is the part of the directive that often gets lost in the "for US citizens only" shorthand. The order is, in practice, more permissive than the shorthand suggests for permanent residents and asylees, and significantly more restrictive than the shorthand suggests for US citizens abroad, who keep their access regardless of where they are physically located. A US citizen working remotely from Berlin, Tokyo, or Buenos Aires is still a US person for export control purposes, and the order does not require Anthropic to disable their access based on geography alone.

The legal gray area, which Anthropic's statement does not resolve and which the order itself does not address, is what to do about access by foreign nationals who are physically inside the United States. The order covers them ("any foreign national, whether inside or outside the United States"), but the practical mechanics of distinguishing them from US persons at the API edge are the reason Anthropic chose to disable for everyone. The point is not that the order is impossible to comply with on a per-user basis. The point is that the cost of being wrong is severe enough that the only defensible compliance posture is to remove the surface.

## Why "disable for everyone" is a compliance choice, not a technical limit

The choice Anthropic made is the most interesting part of the order, because it tells you something about how the company expects export control law to apply to frontier models over the next several years. Three reasons stack up.

First, Fable 5 and Mythos 5 are served from a central API. There is no per-user model sharding that would let Anthropic serve a US-person-only version and a foreign-national-only version from the same model weights. The product architecture does not currently include a nationality attestation layer, and adding one would itself be a significant change to the product, not a switch to flip.

Second, the legal cost of a leak is asymmetric. Export control violations under the EAR carry civil penalties up to roughly $360,000 per violation or twice the value of the transaction, whichever is greater, and criminal penalties up to $1 million per violation and 20 years in prison for individuals. "Almost compliant" is not a defensible posture when the marginal cost of going from "almost compliant" to "fully compliant" is to disable the model for a few thousand additional users, including the customers who were going to use the model most aggressively.

Third, disabling for everyone is reversible in a way that granular gating is not. The day the order is rescinded, Anthropic can flip the model back on for all users with no migration path required. A per-user gating system, once built, would be hard to roll back and easy to challenge from either side: foreign nationals would challenge the existence of the gate, and the US government would challenge the precision of its implementation.

The choice is not an admission of technical limitation. It is a compliance optimization that other US-hosted frontier model providers will be studying closely. If OpenAI, Google, or xAI received a comparable directive tomorrow, the same three pressures would push them to the same answer.

## What the order does not do

The directive is also notable for what it leaves alone. It does not, despite the breathless framing in some early coverage, restrict Claude Code, Cursor, Aider, or any other developer tool that uses Claude as its default model. Those tools fall back to Opus 4.8, Sonnet, or Haiku, all of which are unaffected. The order is targeted at the two model versions, not at the ecosystem around them, and the practical impact on a typical TypeScript or JavaScript developer is minimal unless their tool had been silently routing to Fable 5 for the hardest long-horizon refactors.

The order also does not block Anthropic from training or releasing future model versions. The Mythos 6 announcement, if it materializes, is not directly affected. The order is a deployment suspension, not a development prohibition, and the company continues to work on its frontier model roadmap in the same way it did before the directive landed.

The order does not, finally, require any change to Anthropic's data retention policy for the affected models. The 30-day retention requirement that shipped with Fable 5 was part of the product, not a condition of the order, and it stops applying the moment the model is removed from the surface. This is a small but real privacy win for enterprise buyers who had flagged the 30-day retention as a procurement blocker.

## The technical question: what is a "narrow, non-universal jailbreak"

The most consequential part of the order, and the part Anthropic is contesting most loudly, is the technical characterization. The order's stated concern is a "method of bypassing, or 'jailbreaking' Fable 5." Anthropic's reading of the underlying finding, which the government shared verbally rather than in writing, is that the technique is narrow: it does not generalize across prompts, it does not unlock broad cyber capabilities, and it requires the model to be asked to do something that is also possible with OpenAI's GPT-5.5 and other public models without any bypass at all.

The non-universal qualifier is the operative one. A universal jailbreak is a technique that works across a wide range of prompts and unlocks a wide range of capabilities, which is what the Fable launch post described as the threat model the company designed against. A non-universal jailbreak is a technique that works in narrow circumstances and unlocks narrow capabilities, which is the class of finding that the Fable launch post itself said was an expected outcome of operating a frontier model. The exact language from the launch post, quoted in Anthropic's statement, is that "perfect jailbreak resistance is not currently possible for any model provider" and that "every safeguard used in the industry is vulnerable to non-universal jailbreaks."

The technique, as Anthropic describes it in the same statement, "essentially consists of asking the model to read a specific codebase and fix any software flaws." That is, the order is about a way of using the model that is functionally indistinguishable from the way a defender would use it to harden a system, and that is also a capability available without any jailbreak in other public models. The order is, in Anthropic's framing, pulling a model for being usable in the way it was designed to be usable, on the basis of a finding that the same use case is widely available elsewhere.

Anthropic is not contesting the government's legal authority to block a deployment. The company is contesting the technical characterization. The position is that pulling a commercial model for this class of finding sets a bar the entire industry cannot meet, because the Fable launch post itself said the bar was unmeetable. The position is also procedural: the company is asking for a "statutory process that is transparent, fair, clear, and grounded in technical facts" before the standard is applied industry-wide.

## Project Glasswing, and the cost of pulling a model out from under a coalition

The part of the story that has gotten the least coverage is what the order does to Project Glasswing, the thirteen-company coalition that Anthropic announced on April 7 and that uses Mythos 5 as its working model. The thirteen partners are AWS, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, and the program was built around co-located red-teaming where engineers from multiple companies work the same model in the same sessions on the same vulnerability reports.

The order does not remove the institutional access the program grants. The thirteen partners are all US-headquartered entities, and as such they are US persons under the export control definition. Their access to the model, at the corporate level, continues. What changes is who, within those institutions, can actually use it. Every foreign national on a Glasswing engineer's team, and there are many of them at companies with the global headcount of Microsoft, Google, AWS, Apple, or JPMorganChase, loses their seat. For a coalition built on co-located red-teaming, that is a meaningful operational cut even though the membership list is unchanged.

The order also does not, for now, affect the broader Mythos Preview access pathway that some Glasswing participants had been using for the three months between Mythos Preview's release and Fable 5's launch. That surface continues to operate, and the work that was being done on it before June 9 continues in the same form. The affected surface is specifically the Fable 5 and Mythos 5 model versions, not the wider Mythos product family.

## The export control mechanism, in one paragraph

The legal authority the order relies on is the same authority that governs the export of dual-use software, encryption technology, and certain categories of artificial intelligence. The Export Administration Regulations (EAR) cover items subject to the Export Control Reform Act of 2018, including software and technology that can be transmitted electronically. A "release" of controlled technology to a foreign national located anywhere in the world, including inside the United States, is treated as an export to that person's country of nationality under what is called the "de minimis" rule. The order is invoking this framework to require Anthropic to ensure that Fable 5 and Mythos 5 are not released to any foreign national, regardless of where that person is sitting when they make the API call.

The interesting legal question, which the order does not resolve and which is likely to be litigated if the suspension is extended, is whether a US-hosted API call that returns model output to a foreign national counts as a release of controlled technology in the first place. The EAR was written before the cloud existed, and the application of its framework to API-based AI services is genuinely novel. The Fable directive will be studied by every other major jurisdiction as a test case for how export control law applies to frontier model deployments, and the answer will shape how OpenAI, Google, xAI, Mistral, and every other provider with a US-hosted API surface plans its own compliance posture.

## What Anthropic is asking for, and what happens next

The dispute is mostly procedural. Anthropic's position, carefully stated, is that the government should have the ability to block unsafe deployments but that the blocking should happen "as part of a statutory process that is transparent, fair, clear, and grounded in technical facts." The company is not arguing that the order is unconstitutional or that the government lacks the legal authority to issue it. It is arguing that the order should have followed a process, and that the technical finding on which the order is based is not, on the company's own review, the kind of finding that justifies the action taken.

The next 24 hours, which the statement flagged as a window for more detail, will be the first signal of where the dispute goes. Three paths are open. First, the government and Anthropic could negotiate a narrower directive that targets a specific capability or a specific user category rather than a class of person, which would let Anthropic bring the model back online for the bulk of its customer base. Second, the order could be extended or modified, with the dispute moving into the courts or into a regulatory process. Third, the order could simply lapse, with the suspension continuing in practice but without a formal extension, leaving the model in a state of indefinite limbo.

The most likely outcome, based on how similar disputes have played out in other regulated industries, is some combination of the first and the third. A negotiated narrowing is faster and cheaper for both sides than a court fight, and an indefinite limbo is the default state for any regulatory action that neither party has an incentive to resolve quickly. The clock is, in a real sense, in the hands of the US government, and the next 24 hours will tell us whether the clock is short or long.

## What to watch

For the next week, the most important signals are: whether Anthropic publishes the additional technical details it has promised; whether the order is contested in court or in a regulatory forum; whether other US-hosted frontier model providers receive comparable directives; whether the EU, UK, or China issues a response or a reciprocal action; and whether Glasswing partners make any public statement about the operational impact on their teams. The story is not over, and the next 24 hours are the first window in which the trajectory will become clear.

For a typical TypeScript or JavaScript developer, the practical impact is, for now, the same as it was before the deep dive. Claude Code, Cursor, Aider, Continue, Cline, and the other coding surfaces are unaffected. The strongest Claude models, Fable 5 and Mythos 5, are gone for the duration of the suspension. The mid-tier Claude surface is the safe fallback. The 30-day data retention policy is no longer in effect for the affected models. And the frontier model industry is, for the first time, learning in real time what it looks like when the export control regime catches up with the cloud.
