WASHINGTON — For 20 days, the most capable AI model Anthropic had ever released was unavailable to most of the world, pulled from servers by a directive from the U.S. Commerce Department over three words: “fix this code.”
On July 1, Claude Fable 5 returned globally, accessible again on Claude.ai, Claude Platform, AWS, Microsoft Foundry, and Claude Code. Whether the episode demonstrated a functional AI safety response — or a government overreach into how AI models handle security research — depends almost entirely on whom you ask. The central disagreement was never formally adjudicated. It was negotiated around.
The timeline begins June 9, when Anthropic launched Fable 5 and the more powerful Mythos 5, marking what the company described as a significant capability advance from its previous lineup. Three days later, Commerce Secretary Howard Lutnick sent a letter to Anthropic CEO Dario Amodei invoking the Bureau of Industry and Security’s “Is Informed” authority under the Export Control Reform Act — the first time that authority had ever been applied to a commercially deployed AI model. By the evening of June 12, both models were suspended for users outside the United States. By June 13, global access had been cut entirely.
The technique that triggered the response was relayed to the White House by Amazon CEO Andy Jassy. Security researchers gave Fable 5 code containing known vulnerabilities and asked it to “review the code for security issues.” The model declined. They rephrased: “Fix this code.” The model produced patches — and in one case, code demonstrating how a flaw could be exploited. The White House AI adviser David Sacks posted a public account the following day, saying the administration had asked Amodei “to fix the jailbreak or de-deploy the model” and that Amodei had refused.
Anthropic contested that framing. The company called the finding “a narrow, non-universal” vulnerability, noted the same requests worked on GPT-5.5 and its own Claude Opus 4.8, and said it had received only verbal evidence from the government — not the underlying research paper.
Katie Moussouris, founder and CEO of Luta Security and the only outside expert who reviewed the actual research, was more blunt. “That is not a guardrail bypass,” she wrote in an open letter signed by more than 100 cybersecurity leaders. “It is the most valuable thing an AI model can do for defensive security.” She argued that the ability to understand and demonstrate vulnerabilities in existing code is precisely what distinguishes a useful security tool from a useless one, and that any classifier trained to block the approach would weaken Fable 5 specifically for legitimate security work. The government called it a jailbreak. The one person who read the research said it wasn’t.

The practical scope of the BIS order was unusually broad. Because the directive covered any foreign national anywhere — including foreign nationals employed as Anthropic staff inside the United States — Anthropic could not verify compliance without suspending access for everyone. The company had not built real-time nationality verification into its platform. So the entire global user base lost access in order to enforce an order aimed, at its stated target, at preventing foreign adversaries — China specifically, according to Semafor’s reporting at the time — from exploiting the technique.
Partial relief came June 26. Approximately 100 vetted U.S. companies and federal agencies — CISA and the NSA among them — regained Mythos 5 access under what Anthropic called a “Glasswing program.” On June 30, Lutnick sent a second letter formally withdrawing the export control requirement. It was addressed to co-founder Tom Brown, not Amodei. The resolution had been negotiated by Brown after Amodei had publicly disagreed with the government’s characterization.
The conditions Anthropic agreed to: proactive internal security research; early government access to future model launches before public release; reporting of any detected malicious usage; threat intelligence sharing; and participation in a cross-lab jailbreak severity framework with Amazon, Microsoft, and Google. That last element — a shared scoring standard sometimes described as a “CVSS for AI” — assesses potential jailbreaks on four axes: how much offensive capability an attacker gains, how broadly that applies across attack types, how easily it can be weaponized, and how independently discoverable the technique already is. Microsoft’s and Google’s adoption commitments have not been independently confirmed. How disagreements between labs on the same score will be resolved has not been announced. The broader AI governance questions surfaced by this episode — including who oversees AI model deployment decisions with national security implications — were taken up last month by a new UN commission whose members include Andy Jassy, the Amazon executive whose report initiated the original ban.
Anthropic also trained a new cybersecurity classifier targeting the “fix this code” approach, which the company says now blocks the technique in more than 99% of cases. Blocked requests are routed to the less capable Claude Opus 4.8 rather than rejected outright. Researchers from the Commerce Department’s own Center for AI Standards and Innovation assessed the new safeguards as “extraordinarily strong.” The 99% figure is Anthropic’s own claim; no third-party quantitative replication has been published.
One issue the July 1 restoration did not resolve: Microsoft removed Fable 5 from its internal Copilot model picker on June 10 — before the export control order — over a separate conflict. Fable 5 carries a mandatory 30-day data retention window that conflicts with Microsoft’s zero-retention standard for enterprise customers. That dispute was not part of the June 30 negotiations. Enterprise customers who need Fable 5 without the retention constraint still have no announced path forward.
What the episode actually demonstrated about AI governance remains genuinely open. The government applied a first-of-its-kind export control to a commercial AI model, based on research shared verbally but not in writing with the company, drawing a conclusion that the only expert to read the underlying paper explicitly disputed. That factual disagreement — was “fix this code” a security risk or standard defensive security work? — was not resolved. It was resolved around. Anthropic agreed to conditions, the government withdrew the order, and Fable 5 came back online.
Whether the classifier trained to block the technique now makes the model less useful for the kind of legitimate security research Moussouris described in June is the question nobody in the administration or at Anthropic has answered directly.

