On June 12, 2026, Anthropic disabled Fable 5 and Mythos 5 — its two most capable models — for every customer worldwide. The proximate cause was a government directive citing national security. The stated trigger was a jailbreak: Amazon researchers had shown that asking Fable 5 to read a codebase and flag software vulnerabilities constituted a breach of its safety controls. Within days, 76 cybersecurity experts signed an open letter calling the ban dangerous, pointing out that every other frontier coding assistant on the market — including open-source models anyone can download — performs the same security-audit function without restriction. The government’s response, as filtered through Anthropic’s own account, was to provide verbal, not written, evidence of the vulnerability. No technical specification. Just a phone call and a directive.
That is a strange way to shut down the world’s most capable AI system over a jailbreak. It is a completely normal way to execute a policy decision that was already made four months earlier.
February First
The supply chain risk designation that made the June order possible was issued on February 27, 2026. Defense Secretary Pete Hegseth applied it under the Federal Acquisition Supply Chain Security Act (FASCSA), and the immediate consequence was that all federal agencies were ordered to cease using Anthropic’s technology, and defense contractors were barred from “any commercial activity with Anthropic.” Anthropic was removed from USAi.gov, the government’s centralized AI procurement platform. It was the first time the supply chain risk designation — historically reserved for foreign adversaries like Huawei and ZTE — had ever been applied to an American company.

The dispute that produced this designation was not about jailbreaks. It was about weapons. The Pentagon had demanded that Anthropic allow Claude to be used “for all lawful purposes” without restrictions. Anthropic refused on two specific grounds: it would not remove the usage policy provisions prohibiting Claude’s deployment in mass domestic surveillance of Americans, and it would not allow Claude to operate in fully autonomous weapons systems without human intervention. The Pentagon gave Anthropic a deadline of February 27, 2026 at 5:01 p.m. Anthropic released its refusal statement on February 26. The supply chain designation followed the next morning.
A federal judge in San Francisco, reviewing Anthropic’s subsequent lawsuit, found the designation troubling and ruled in March that the Pentagon had “taken retaliatory measures likely violating law.” She granted a preliminary injunction. The D.C. Circuit, weighing the same facts and citing “weighty governmental interests,” declined to stay the government’s position in April. The legal status of the FASCSA designation remains split and unresolved. Notably, by March 4 — days before the lawsuits were even filed — reports indicated that Claude was being deployed in the US conflict with Iran, suggesting Anthropic found some accommodation on military use even while contesting the designation in court.
The Instrument
The June export control directive is a different legal instrument from the February designation. Where FASCSA governs federal procurement — who can buy what during government contract performance — the June action operates under the Export Controls Reform Act of 2018 (ECRA), Cold War-era legislation designed to regulate the shipment of dual-use physical goods to foreign adversaries. Applied to an AI API, ECRA activates what’s called the “deemed export” rule: a foreign national accessing an export-controlled technology on US soil is treated, legally, as if the technology has been exported to their home country. That means Anthropic’s foreign-national employees cannot access Fable 5 at work. The Chinese engineers who helped train the model. The French developers on the research team. Anyone with a foreign passport, operating in America, is now subject to an export license requirement to use the API they helped build.
The jailbreak provided the statutory hook. Anthropic’s account of what it received is telling: verbal evidence, no written documentation, a “narrow, non-universal” vulnerability the company characterized as “common to other AI models.” The specific behavior that triggered the directive — asking a model to read a codebase and identify software flaws — is what every serious coding assistant does. Cursor does it. GitHub Copilot does it. Dozens of open-source models fine-tuned on security research corpora do it. The 76 experts who signed the letter noted exactly this: the ban “has taken the best models away from defenders, created market uncertainty, and risked America’s AI leadership” — while doing nothing to restrict the capability it claims to target, because that capability is ubiquitous.

Dean W. Ball of the Foundation for American Innovation called the decision “baffling” and “cartoonish,” noting the administration simultaneously supports AI chip exports to China while banning model API access for allied and neutral nations. Peter Girnus of the Zero Day Initiative compared it to the 1990s encryption export restrictions — regulations that eventually collapsed under their own incoherence, long after the cryptographic software they targeted had already proliferated worldwide.
The Void
What makes the Anthropic situation genuinely novel — beyond the political dispute and the specific facts of the February standoff — is the legal architecture it has exposed. As the Volkov Law analysis puts it, “there is no clear, comprehensive statutory framework governing government authority to restrict commercial AI model access on national security grounds.” FASCSA was written for hardware procurement. ECRA was written for physical dual-use exports. Neither was written for AI model APIs. The government is using Cold War statutes, in sequence, to do something neither statute was designed for — and no court or Congress has yet articulated what authority, if any, actually exists for this.
The “deemed export” rule, applied to AI systems, is procedurally strange in ways that don’t exist for physical goods. A server you ship to China stays in China. An API call that a foreign national makes from Cupertino completes in milliseconds and leaves no durable artifact. The threat model the government is invoking — a foreign national using Fable 5 to find exploitable vulnerabilities in critical infrastructure — doesn’t require Fable 5. It requires any capable language model. Restricting Fable 5 access for foreign nationals achieves a regulatory paper trail, not a security outcome, because the underlying capability is already distributed across hundreds of models with no export license requirement.
The government’s threat model — foreign nationals using frontier AI to find exploitable vulnerabilities in US infrastructure — is not fictional. The capability is real. But the policy response to a real threat doesn’t become coherent just because the threat is real. Restricting Fable 5 for foreign nationals while leaving every open-source code-analysis model unrestricted is a policy that achieves documentation of compliance, not reduction of risk. The 76 experts who signed the letter against the ban understood this distinction. So does anyone who has worked in export control enforcement: rules that can be trivially circumvented don’t eliminate the threat; they just move the activity off the books.
The split court decisions compound the ambiguity. Judge Rita Lin, in San Francisco, reviewed the February FASCSA designation and found it likely retaliatory and improperly tailored. The D.C. Circuit reviewed the same record and found sufficient governmental interest to let the designation stand while the case proceeds. Two federal courts have reached opposite preliminary conclusions on whether the government’s actions against Anthropic were legitimate. That split won’t resolve until a higher court rules or Congress writes the statute that currently doesn’t exist.
What the Sequence Tells You
The February designation and the June export order are structurally related even though they operate under different laws. The February action established Anthropic as, in the government’s view, a supply chain risk — placing it in a legal category previously reserved for foreign adversaries. That status creates a context in which subsequent restrictive actions become easier to justify and harder to contest. A jailbreak that would have been handled through a responsible disclosure process at any other company becomes, against a supply chain designation backdrop, an actionable national security trigger.
Anthropic refused to enable autonomous weapons and domestic surveillance in February. The government responded by designating it a supply chain risk — the same category as Huawei. Four months later, the government found a jailbreak that every frontier model has and used it to pull Fable 5 from the global market. If you think the June order was primarily about the jailbreak, you need to explain why the government provided only verbal evidence, why the identical capability in other models drew no similar action, and why the entire sequence began with a dispute about weapons policy. There is no clean answer that preserves the safety-first framing of the June directive.
The US has decided that export control law and procurement law are the instruments of AI governance. The first American company to test those instruments learned that refusing to be a weapons contractor gets you designated a supply chain risk, and that a jailbreak every model has is sufficient legal cover to take your models offline four months later. The statutory architecture for doing this properly — with written evidence standards, clear authority, and proportionate tailoring — doesn’t exist yet. What exists is the power to act, two statutes to act under, and one company that said no in February and lost its models in June. Every other AI lab is now watching to see what Anthropic’s case settles, because the answer determines what “no” costs in this industry going forward.

AI-generated editorial illustration · TemperatureZero · June 24, 2026