// blog/fable-5-export-control-what-actually-happened
Fable 5 Export Control: What Actually Happened


In mid-June 2026 the US government issued an export control directive suspending access to Anthropic's Fable 5 and Mythos 5 models by any foreign national, inside or outside the United States, reportedly on national security grounds. Anthropic responded by disabling both models "for all our customers to ensure compliance." The move was widely described as a reaction to a jailbreak. According to the one outside expert who read the research paper behind it, the trigger was a three-word prompt: "fix this code."
That expert is Katie Moussouris, founder and CEO of Luta Security, who says Anthropic shared the third-party report with her privately. Her account, reported by Jessica Lyons at The Register, is the closest technical description available to the public of what the models did. Policy diverged from the paper's findings.
What the research paper reportedly showed
Per Moussouris, the outside researchers fed Anthropic's Fable 5, Mythos, and Claude Opus models two kinds of input: open-source code containing known CVEs, and new code intentionally laced with vulnerabilities. They then asked the models to "review the code for security issues."
Fable 5 refused.
The researchers rephrased the request as "fix this code." The models obliged, and with additional manual prompting also produced scripts to test the patches.
Moussouris wrote in her blog post that "'Fix this code,' plus several manual steps to generate test scripts, should never have triggered an export control."
The models received vulnerable code, repaired it, and wrote tests validating the repair. Moussouris describes this as "the most valuable thing an AI model can do for defensive security: executing the find, fix, and test loop defenders run every day." That is routine AppSec work.
Was 'fix this code' a jailbreak?
Moussouris argues that there was no guardrail bypass or jailbreak, and the mechanics support her. The researchers found a refusal calibration gap, a common property of safety-trained models.
Refusal training operates largely on the framing of a request, because framing is most of what the model has to go on. "Review this code for security issues" pattern-matches, apparently, to something Fable 5's guardrails treat as sensitive. "Fix this code" describes the same underlying work in remediation language and sails through. Both requests require the model to read code, understand the vulnerability, and produce a corrected version.
Patching vulnerable code is work defenders need every day. The model complied with a defensive request when asked to fix the code. The export control treated the rephrase as a bypass. Moussouris argues that conclusion is indefensible for anyone who has done defensive work.
Fable 5's conservative refusals had already drawn separate coverage for blocking innocuous prompts before any of this happened. A model that refuses "review the code for security issues" but complies with "fix this code" has a refusal boundary in the wrong place.
The Wassenaar precedent
Between 2013 and 2017, Moussouris served on the technical expert group that renegotiated the Wassenaar Arrangement, the voluntary agreement among 42 nations governing export controls on certain dual-use software. The original Wassenaar language around intrusion software was written broadly enough to criminalize routine defensive practice, and the expert group spent years winning exemptions so that defenders could:
- share vulnerability data internationally
- conduct malware analysis
- coordinate incident response across borders
all without the threat of criminal prosecution.
Wassenaar showed a structural problem that maps directly onto AI models. Offensive and defensive security work use the same artifacts. A proof-of-concept exploit is how a defender validates a patch. Vulnerability details are what both an attacker and a patch author need. Controls written around the artifact rather than the intent sweep up defenders, because defenders touch the same artifacts more often than attackers do. A model that can fix a CVE can, by definition, understand the CVE. AI that helps patch vulnerabilities also embodies knowledge an attacker would find useful. Wassenaar took a multi-year renegotiation to carve defense back out of language that never intended to hit it. The Fable 5 directive repeats the mistake with a newer artifact class.
Why export controls fit hosted models so badly
The directive's scope, as reported, is person-based: it suspends access by any foreign national, inside or outside the United States. That framing comes from a world of physical goods and deemed-export rules around controlled technical data. Applied to an API product, it collapses because an API vendor cannot cheaply and reliably determine the nationality of every user on every account, including employees of every corporate customer. Anthropic disabled Fable 5 and Mythos 5 for all customers. A control nominally aimed at foreign nationals removed the models from American defenders too, including the more than 100 cybersecurity leaders who signed Sunday's open letter asking the administration to reverse course.
"To pull the best capabilities away from defenders without a good reason when our adversaries are rapidly advancing is dangerous," the letter says.
Export controls cannot reach open-weight models, or advanced models built in China and elsewhere, and those systems will reach Mythos-like capability regardless. Anthropic and Google have both accused China-based rivals, DeepSeek among them, of using distillation attacks to siphon capability from American models. The allegations show that switching off two model endpoints does not keep the capability frontier inside a jurisdiction. The Register has separately reported the directive accelerating EU sovereignty efforts. Customers who watched a hosted model vanish by government directive are pricing that risk into every procurement decision.
The directive applies only to one American company's customers, many of whom are the defenders the open letter is worried about. Attackers retain access to open-weight models, foreign models, or older unrestricted models.
Operational implications for security teams
Hosted frontier models are now a supply chain dependency that can be revoked by a directive neither you nor the vendor controls, on a Friday, with no migration window. Anthropic turned off two models for every customer at once. If your triage pipeline, patch validation loop, or code review tooling assumes a specific model endpoint exists tomorrow, that assumption now has a documented failure mode. Pipelines that can degrade across model providers or fall back to a locally hosted open-weight model for core remediation work need safeguards.
Refusals can interrupt automated security workflows. The same task succeeds or fails depending on whether it is phrased as "review" or "fix." Automated tooling that sends security-flavored prompts to a safety-trained model will hit refusal boundaries that shift between model versions and phrasings, and a refusal in the middle of an unattended pipeline is a silent failure. Test prompt framings the way you would test any other flaky dependency.
The policy response gives vendors an incentive to make models refuse more, earlier, and more broadly. Moussouris warns that stripping the ability to respond to defensive requests makes AI systems "worse at finding bugs and verifying patches." That cost lands on the people running defensive remediation work.
"Defense improves when defenders find the same bugs attackers find and fix them faster," Moussouris wrote. The paper showed a model identifying bugs and validating patches on request. The directive prevents compliant users from using that capability while attackers retain the capabilities they had the week before.