When we first covered Claude Mythos and Project Glasswing in April, the story was that Anthropic considered the model so dangerous it refused to release it publicly, restricting it to a small group of vetted partners. That changed on June 9, when Anthropic launched Claude Fable 5, a public, Mythos-class model. Three days later, on the evening of June 12, the U.S. government pulled it.
In what appears to be the first application of export controls to a large language model, the Commerce Department ordered Anthropic to cut off all access to Fable 5 and its unrestricted sibling Mythos 5 for any foreign national anywhere, including Anthropic’s own foreign-national staff. With no way to verify nationality on every request, Anthropic disabled both models globally, for everyone. The episode is messy and unresolved, but for defenders it carries two clear lessons: a new risk to plan for, and a hard confirmation of what we have been flagging all along.
What Actually Happened
The directive arrived at 5:21 p.m. ET on June 12, sent to CEO Dario Amodei and signed by Commerce Secretary Howard Lutnick. It cited national security authorities but, per Anthropic, included no technical detail. The trigger was a jailbreak. According to the Wall Street Journal, Fortune, and TechCrunch, Amazon’s own security researchers found a technique that bypassed Fable 5’s guardrails, the controls meant to separate the consumer model from the Mythos cyber capabilities underneath, and Amazon CEO Andy Jassy flagged it to Treasury Secretary Scott Bessent around June 11. Separately, the red-teamer known as Pliny the Liberator had publicly bypassed the same guardrails and extracted working instructions for software exploits and chemical synthesis.
From there, accounts diverge. White House AI advisor David Sacks said a trusted partner found the jailbreak in testing and the administration asked Anthropic to fix it or pull the model, and Anthropic declined, leaving “the ball in Anthropic’s court” for restoration. Anthropic counters that the evidence was only a narrow, verbal jailbreak amounting to asking the model to read a codebase and fix its flaws, that the bugs were already findable by other public models, and that pulling a product used by hundreds of millions over one narrow bypass would halt frontier deployment entirely. Reporting from Semafor adds a wrinkle: the administration reportedly also acted on suspicion that a China-linked group had accessed Mythos, raising the risk of it being reverse-engineered or distilled.
Critically, every other Anthropic model, including Opus 4.8, remained online and unaffected. As of June 23, Fable 5 and Mythos 5 remain suspended and the API string for Fable 5 still returns errors, though Anthropic is in active talks with the Commerce Department and has said it expects access to return within days.
Lesson One: Model Dependency Is Now a Business Risk
Here is what matters most if you have built AI into your operations. Any organization that wired Fable 5 into a product or workflow watched it vanish overnight, for reasons that had nothing to do with them. Not an outage, not a bug, a government fight and a jailbreak the customer could neither see coming nor do anything about.
This is not the first time. When the Defense Department labeled Anthropic a “supply chain risk” earlier this year, contractors lost access across defense supply chains effectively overnight. The pattern is the lesson: a frontier AI model your business depends on can disappear with no notice, and concentration on a single provider is now a real continuity risk. Practically, that means not hard-wiring any one model into something you cannot afford to lose, maintaining a tested fallback, and treating your AI providers as the third-party dependencies they are.
This is exactly the kind of exposure that surfaces in a risk assessment and the kind of question a virtual or fractional CISO is there to ask before a disruption forces it. It also belongs in your continuity and incident response planning: if a core tool goes dark on a Friday evening, your team should already know the play.
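One way to build the tested fallback described above, as an added example rather than code from this article or any vendor. The backends are hypothetical prompt-to-completion adapters (`ModelRouter`, `ModelUnavailable` and the stand-in functions are illustrative names); a model that errors is put in cooldown so traffic moves to the next one, and `drill` exercises each backend on its own.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple

class ModelUnavailable(Exception):
    """Raised by a backend when its model is suspended, withdrawn or erroring."""

Backend = Callable[[str], str]  # hypothetical adapter: prompt -> completion
class ModelRouter:
    def __init__(self, backends: List[Tuple[str, Backend]], cooldown_s: float = 300.0):
        self.backends = backends          # priority order, primary first
        self.cooldown_s = cooldown_s
        self._down_until: Dict[str, float] = {}   # name -> earliest retry time

    def complete(self, prompt: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Return (backend_name, completion), skipping backends in cooldown."""
        now = time.monotonic() if now is None else now
        errors = []
        for name, call in self.backends:
            if self._down_until.get(name, 0.0) > now:
                errors.append(f"{name}: in cooldown")
                continue
            try:
                return name, call(prompt)
            except ModelUnavailable as exc:
                # Stop sending traffic to a model that has gone dark; retry later.
                self._down_until[name] = now + self.cooldown_s
                errors.append(f"{name}: {exc}")
        raise ModelUnavailable("all backends failed: " + "; ".join(errors))

    def drill(self, canary: str, check: Callable[[str], bool]) -> Dict[str, bool]:
        """Exercise every backend alone so the fallback is tested, not assumed."""
        results = {}
        for name, call in self.backends:
            try:
                results[name] = check(call(canary))
            except ModelUnavailable:
                results[name] = False
        return results

# Constructed stand-ins for real provider SDK calls.
def suspended_primary(prompt: str) -> str:
    raise ModelUnavailable("model identifier returns an error")
def working_fallback(prompt: str) -> str:
    return "summary: " + prompt[:20]

def demo() -> Tuple[str, Dict[str, bool]]:
    router = ModelRouter([("primary", suspended_primary), ("fallback", working_fallback)])
    served_by, _ = router.complete("Triage this alert")
    return served_by, router.drill("ping", lambda out: out.startswith("summary"))
```

Running the drill on a schedule, and alerting when any entry is `False`, is what turns a configured fallback into a tested one.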
Lesson Two: The Security Reality Did Not Change
Pulling one public model does not un-invent the capability behind it. Project Glasswing’s roughly 200 partner organizations still have access to Claude Mythos Preview, the model the directive did not name, and the Financial Times reports Mythos is being used by the NSA for offensive operations. The jailbreak itself proved the offensive capability can be pried out of a model marketed as safe, and the genie is not going back in the bottle because one public interface went dark.
The underlying constraint is also unchanged, and it is the most useful thing to take from this saga. By Anthropic’s own Project Glasswing update, partners have used Mythos to surface more than 10,000 high- or critical-severity vulnerabilities, and the company states plainly that progress is no longer limited by how fast bugs can be found, but by how fast they can be verified, disclosed, and patched. The evidence outside Glasswing agrees: an autonomous agent recently found 21 zero-days in FFmpeg for about $1,000. Discovery is cheap and abundant. Remediation is the bottleneck.
That gap is the whole game, and it is where a risk-based vulnerability management program and penetration testing that validates what is genuinely exploitable do their work. Regulators have reached the same conclusion. On June 10, CISA issued Binding Operational Directive 26-04, which requires a three-day fix for any flaw that is internet-exposed, fully automatable, capable of full takeover, and actively exploited. The directive exists because AI is shrinking the window from discovery to weaponization, and because, per Verizon’s 2026 Data Breach Investigations Report, only 26% of known exploited vulnerabilities were fully remediated last year. The defensive playbook is being rewritten around remediation speed, whether or not any single AI model is online this week.
The Bigger Picture: This Goes Well Beyond One Vendor
It is worth stepping back, because the Fable 5 fight can make this read like an Anthropic story. It is not. The same capability is showing up across models and vendors, and it was reshaping security work well before this month. Mozilla is the clearest case. With Anthropic’s publicly available Opus 4.6, the Firefox team found and fixed 22 bugs in two weeks, 14 high-severity, before the stronger model even arrived. A run with an early version of Mythos then surfaced 271 vulnerabilities in one pass, 180 high-severity, all shipped in Firefox 150, on one of the best-tested open-source codebases anywhere. And the FFmpeg zero-days above came from a different agent entirely. The firehose is real, reproducible, and not the property of any one company.
AI cuts the other way too. The same cheap generation that finds real flaws also produces a flood of plausible junk. In January, the curl project shut down its six-year bug-bounty program after AI-generated “slop” reports buried its small team in unverifiable noise. Organizations are shifting posture in response: in May, NHS England moved its public code repositories private by default, citing the risk that frontier models could ingest and reason over exposed code at scale. The shift hits both sides of the ledger at once, regardless of which model is in the headlines this week.
Takeaways
The first public Mythos-class model lasted three days before the government forced it offline, but the capability behind it is still running for governments and corporate partners, still reproducible with cheaper tools, and still advancing. Two things follow for the organizations we work with: treat access to any frontier model as a dependency that can vanish overnight and plan for it, and keep acting on the fundamentals, because discovery is now commoditized and remediation is the constraint. The model went dark on a Friday. The bugs, and the need to fix them faster than ever, did not.

