On Friday Afternoon, a Government Turned Off the Most Powerful AI Model in the World
At 5:21 p.m. ET on Friday, June 12, 2026, Commerce Secretary Howard Lutnick sent Anthropic CEO Dario Amodei a letter. By the weekend, Claude Fable 5 and Mythos 5 - the company's two most capable models, launched only three days earlier - were dark for every user on Earth.
Not deprecated. Not rate-limited. Switched off, by order of the US government, using export-control authority.
As far as anyone can tell, this is the first time a government has reached into a commercial AI lab and forced a specific frontier model offline worldwide. Over a weekend. Almost no public process. On technical facts the two sides still cannot agree on. If you build anything on top of frontier AI - or you are just trying to read where this is all heading - nothing else in the industry this year comes close. Here is what we know, what is still disputed, and what it means for who gets to control an AI model going forward.
What Actually Happened
The verified spine of the story is not in dispute:
- June 9: Anthropic launches Fable 5 for general use and Mythos 5 for a restricted set of partners. Fable is the guardrailed, publicly available version of Anthropic's top "Mythos-class" tier; Mythos 5 is the unrestricted version, available only to vetted organizations through a program called Project Glasswing.
- June 12, 5:21 p.m. ET: Lutnick's letter, issued through the Commerce Department's Bureau of Industry and Security (BIS), invokes national-security export-control authority and bars access by any foreign national, anywhere in the world - including Anthropic's own foreign-national employees.
- That weekend: Because Anthropic cannot reliably filter users by nationality in real time, complying with a "no foreign nationals" order meant pulling the models for everyone. Both Fable 5 and Mythos 5 went offline globally. Every other Claude model stayed up.
Anthropic confirmed it was complying and, in the same breath, made clear it thinks the government got it wrong: "We disagree that the finding of a narrow potential jailbreak should be cause for recalling a commercial model deployed to hundreds of millions of people." It posted the same on its official X account.
Two Very Different Stories
That word - "jailbreak" - is where the agreement ends. The government and the company tell materially different versions of what happened, and no neutral party has reconciled them.
Anthropic's version: the trigger was a "narrow, non-universal" jailbreak that "essentially consists of asking the model to read a specific codebase and fix any software flaws." It surfaced a handful of already-known, minor vulnerabilities - the kind, Anthropic says, that other public models including OpenAI's GPT-5.5 can find too. The company says it received only verbal evidence of the exploit, no written technical detail, and that perfect jailbreak resistance is not currently possible for any model. Applying this standard across the industry, it warned, "would essentially halt all new model deployments for all frontier model providers."
The government's version, as told by White House AI figure David Sacks on X: Anthropic was warned the model was jailbroken, Amodei declined to patch it or pull it, and the administration then imposed controls "reluctantly," ready to lift them "once the jailbreak is patched." Sacks' sharpest line: "In this case, Anthropic prioritized the continued offering of the consumer model over safety."
Then there is the part that is louder than it is confirmed. Reporting from Semafor ties the action partly to suspicions that a China-linked group accessed Mythos 5 - while admitting it is "unclear" how the White House learned of it, which group it was, or how access was gained. Anthropic disputes that framing entirely. Fortune reports that Amazon - simultaneously a major Anthropic investor, its cloud host, and a competitor - flagged the jailbreak to officials. Treat both as contested allegations, not settled fact. Strip them away and the verified core is narrower, and stranger: a government pulled the best model in the world over a cyber exploit the lab itself judged minor.
What Was Actually at Stake: Offensive Cyber, Not Sci-Fi
To understand why the government cared, you have to understand what "Mythos-class" means. This tier is defined less by how well it writes and more by how well it hacks.
Anthropic's own system card for the Mythos preview (published in April) reports the model saturating cyber benchmarks - a 100% pass rate on Cybench, an 84% success rate on a custom Firefox zero-day exploitation benchmark, and becoming the first model to solve a private cyber range end to end. On Anthropic's internal risk framework, the card notes the threshold for assisting with known chemical and biological weapons was "likely crossed," while the bar for genuinely novel weapons was not. (One precision worth keeping: those numbers come from the April preview card, the closest published technical record - not from a separate June Fable 5 card, which does not appear to exist publicly.)
That is the crux. Fable 5 was the same fearsome capability wrapped in guardrails - classifiers that route cyber, bio, and chemistry queries to a more constrained model - deemed "safe enough" for public release. Mythos 5 was the unrestricted version, locked to partners. The export order forced Anthropic to pull both, including the guardrailed public one. A model the company spent "thousands of hours" red-teaming before launch was treated as too dangerous to remain online, on a risk it had concluded sat below its own deployment bar.
The Legal Move That Should Worry Everyone - Whatever You Think of the Model
Here is the part the "is the model dangerous?" debate misses. The mechanism matters more than the model.
The government did not pass an AI safety law. It did not go to a court. It used an export-control "is informed" letter - a tool built for stopping advanced chips from reaching China - which lets BIS impose a licensing requirement immediately, with no notice-and-comment rulemaking, no published standard, and no hearing. As University of Minnesota law professor Alan Rozenshtein argued in Lawfare, this was "a standardless export letter based on contested technical facts."
And it only works at all because of a quiet legal change. Export controls historically did not reach foreign access to US software-as-a-service. That gap closed in January 2026, when Congress passed the Remote Access Security Act (369-22 in the House), letting BIS regulate remote access to controlled items - originally to stop Chinese firms from renting controlled GPUs in the cloud. Applied to a live, API-served AI model five months later, it became something else: a switch the government could flip on a product used by hundreds of millions of people. Rozenshtein's conclusion is the one to sit with - "Congress will have to step in and establish a proper framework with meaningful standards and a defined process," because right now there isn't one.
The Safety Paradox
Here is the irony the whole field is chewing on. Anthropic is the safety-first lab. Its entire brand is transparency about danger - detailed system cards, capability disclosures, a public scaling policy that ties deployment to risk thresholds. And that same transparency may have loaded the gun pointed at it. When you publish a 244-page document explaining that your model can autonomously discover and exploit software vulnerabilities, you have also handed regulators a ready-made narrative: a model too dangerous to be allowed online.
Whether the disclosure caused the action is unproven - the reported trigger was an external exploit demo, not the system card. But the structural problem stands regardless, and it is the genuinely portable lesson: a regime that punishes the most transparent lab teaches every lab to be less transparent. If candor about capabilities and jailbreak limits invites a weekend shutdown while opacity skates by, you have built an incentive to disclose less. That corrodes the very norm regulators say they want. The cybersecurity community largely sided with Anthropic on the substance: dozens of experts signed an open letter arguing Fable's abilities "are not uniquely good" compared to other frontier models, and that AI has been finding and exploiting bugs at a high level since last year. Vulnerability-disclosure expert Katie Moussouris called asking an AI to fix bugs in a file "the most valuable thing an AI model can do for defensive security" - not a guardrail bypass at all.
The Asymmetry This Exposes: You Cannot Switch Off an Open Model
Now connect two facts. A government just demonstrated it can disable a closed, API-served model overnight. And a government cannot recall an open-weight model - once Meta's Llama or DeepSeek's weights are released, the copies exist on countless machines forever.
That asymmetry was theoretical a week ago. It is concrete now. The same control that makes a closed model governable also makes it shut-off-able by someone who is not you. Developers are already saying out loud where that points: move the capability-hungry work onto open weights and local models, the exact form policymakers have no lever over. It is the through-line to a question we wrote about last week: when does running your own model make sense? "My provider can be ordered to shut my model off" was not on most people's risk list before Friday. It is now.
What This Means for the Future of AI Control
Step back and the Fable shutdown is the first live test of a control toolkit that has been quietly assembling for two years. The levers that now exist, or are being built:
| Control lever | What it does | Status (mid-2026) |
|---|---|---|
| API on/off directive | Force a vendor to disable a hosted model | Just used, via export law |
| Export controls on model weights | License required to export frontier weights (ECCN 4E091) | On the books, federally dormant |
| Remote-access / SaaS controls | Regulate foreign access to cloud-served tools | Now statutory (2026) |
| Compute governance | FLOP thresholds that trigger obligations | Underpins US + EU rules |
| Pre-release government access | Benchmarking of frontier models for cyber capability | June 2026 executive order (voluntary) |
| Incident reporting (EU) | Systemic-risk models must report and mitigate | Enforcement begins Aug 2, 2026 |
Washington and Brussels are answering the same question in opposite registers. The EU AI Act leans on mandatory transparency and incident reporting for the most capable models. The US, having rescinded its earlier oversight framework, grabbed the blunt on/off lever it happened to have lying around. As Tech Policy Press put it, this looks less like a coherent playbook than an improvisation - "drastic levers of state power" deployed because no purpose-built process existed. The direction of travel is clear even if the destination is not: frontier models are now treated as dual-use national-security technology, and governments intend to keep a hand on the switch.
What It Means for Your Business
You do not need an opinion on the politics to act on the lesson. The Fable shutdown turned an abstract risk into a procurement fact: a model you depend on can be taken offline by someone who is neither you nor your vendor, with a weekend's notice. Concretely:
- Treat any single hosted model as a single point of failure. Model redundancy is now a resilience requirement, not a nice-to-have.
- Build an abstraction layer. Route through an interface that lets you swap providers - Anthropic, OpenAI, Google, open-weight - without rewriting your application.
- Keep a fallback that cannot be switched off. A self-hosted open-weight model on standby is insulated from export action by design. This is the continuity case for open models, distinct from the cost case.
- Put it in the contract. Negotiate force-majeure-style terms that cover regulatory unavailability, and treat model availability as a supply-chain risk you actually track.
- Inventory your AI dependencies. Know which workflows touch which model, so that when one goes dark you know what breaks before your customers do.
The Bottom Line
This was not a government discovering a clean "kill switch" for dangerous AI. It was a reach - a tool built for a different problem, aimed at a frontier model because nothing purpose-built was on the shelf - and it exposed two fault lines that are not going away. Closed models are governable but can be switched off by third parties; open models are neither. And a safety regime that comes down hardest on the most transparent lab quietly teaches the whole industry to say less.
As of this writing the models are still dark, Anthropic is negotiating, and the outcome is open. However it resolves, the precedent is set: the question of who can turn off an AI model - and on what authority, with what process - is now one of the defining governance questions of the decade. Build accordingly.
OneWave AI helps businesses build AI systems that are resilient to exactly this kind of disruption - multi-model architectures, provider-agnostic abstraction layers, and a clear-eyed view of where frontier APIs, self-hosted open models, and on-prem hardware each belong. Get in touch or book a free call.