Bunny Honey ClubBunny Honey/blog
Work with us
← back to indexblog / ai / anthropic-fable-5-mythos-reactivated
AI

Fable 5 is back. What the 19-day ban actually taught us

Anthropic's Fable 5 is globally available again after a 19-day export ban. Mythos 5 isn't. What the asymmetric restoration reveals about the new AI kill switch.

AH
Arthur HofFounder, Bunny Honey Club AI
publishedJul 02, 2026
read8 min
Fable 5 is back. What the 19-day ban actually taught us

Nineteen days. That's how long it took from the moment the Commerce Department disabled Claude Fable 5 and Mythos 5 to the moment Fable 5 came back online, globally, on July 1. We wrote about the ban itself, the European sovereignty angle,

Nineteen days. That's how long it took from the moment the Commerce Department disabled Claude Fable 5 and Mythos 5 to the moment Fable 5 came back online, globally, on July 1.

We wrote about the ban itself, the European sovereignty angle, and the cybersecurity case against it while the models were still dark. Now they're not, and the restoration is the more interesting story — because it isn't a full restoration. Fable 5 is back for everyone. Mythos 5 is back for about 100 vetted organizations and nobody else. That asymmetry is the actual news. The Fable 5 reactivation isn't a return to the pre-June-12 status quo — it's the moment the export-control kill switch stopped being a one-off emergency action and became a calibrated, repeatable government tool, with a published severity framework and a two-tier access model that Anthropic will now maintain indefinitely. This is what changed in 19 days, who reportedly triggered it, and what it means that the tool is now built rather than improvised.

The 19-day timeline, closed

To recap briefly, because the shape of the full cycle is the point.

June 9: Anthropic launches Fable 5 and Mythos 5 publicly — its most capable systems to date.

June 12, 5:21pm ET: The Commerce Department delivers an emergency export-control directive. Anthropic disables both models globally within hours because partial compliance (restricting only foreign nationals) wasn't operationally achievable.

June 13–30: Anthropic negotiates with the US government. Multiple reports describe direct meetings between Anthropic leadership and White House officials. Anthropic works on a technical fix.

June 30: The Commerce Department lifts the export controls.

July 1: Fable 5 returns to general availability — Claude Platform, Claude.ai, Claude Code, Claude Cowork. Mythos 5 returns only for a subset of vetted US organizations under Project Glasswing, plus a separate small cohort of biology researchers.

Nineteen days from disable to (partial) restore. That's fast by the standard of any previous AI export-control episode, and slow by the standard of "an emergency directive got issued and lifted in an afternoon." The speed of the initial action — hours — and the speed of the resolution — weeks — are two different clocks, and both matter for what comes next.

19 daysban to Fable 5 global restoration
~100orgs with restored Mythos 5 access
1new safety classifier reportedly deployed
0on-record Anthropic confirmation of Amazon's role

What actually got fixed

The technical fix, as far as public reporting describes it, is narrower than "Anthropic made Fable 5 safe." It's specifically: Anthropic trained a new classifier that targets the prompt-framing pattern that triggered the directive in the first place — the "ask the model to identify vulnerabilities in this codebase" pattern that (per multiple outlets) Amazon researchers demonstrated.

This matters because it tells you the fix is reactive, not general. Anthropic didn't solve dual-use code-analysis capability as a category — nobody has, and we made that argument at length when the ban first landed: the capability is present in GPT-5.5, Gemini 3 Ultra, and open-weight Llama derivatives, none of which faced a comparable directive. What Anthropic did was patch the specific technique that got demonstrated to the government. That's a real fix for the specific case that triggered the specific directive. It's not a fix for the category of risk the directive was nominally about.

The more consequential move, reported alongside the classifier fix, is that Anthropic proposed an industry-wide framework for scoring jailbreak severity. That's Anthropic trying to get ahead of the next version of this problem rather than reactively patching the current one. If that framework gets adopted — even informally, even just by Anthropic and a couple of peer labs — it changes the shape of future episodes. Instead of "a government official decides a jailbreak is severe enough to warrant an emergency directive," you'd have "a jailbreak scores above a published threshold on an industry-standard severity scale, which triggers a defined response." That's a meaningfully different governance model, and it's the part of this story most coverage undersold.

The asymmetric restoration is the actual signal

Fable 5 is back for everyone. Mythos 5 is back for a curated list. That split tells you something specific about how the government and Anthropic are now thinking about risk tiers.

Fable 5 — the safety-tuned public model — gets broad distribution because its risk profile, post-classifier-fix, is judged acceptable for general availability. Mythos 5 — the model with the Glasswing safeguards lifted, built explicitly for advanced cybersecurity work — stays restricted to roughly 100 vetted organizations: government agencies and private companies, many of them Fortune 500 firms, doing defensive cybersecurity work. There's also a separate, smaller cohort of "select biology researchers" who get biology and chemistry safeguards lifted specifically, while keeping the cyber safeguards in place. Three distinct access tiers, each mapped to a specific trusted-user population and a specific safeguard configuration.

This is Anthropic building the controlled-distribution model we described as the coherent alternative to the June 12 directive when we covered the cybersecurity case against the ban. At the time, we argued that if the government's actual concern was broad availability of a dual-use capability, the sensible policy response was vetted-partner distribution for above-threshold capability — not a blanket disable. What's happened since looks like exactly that, retroactively formalized. Glasswing already existed as a pattern before June 12; what's new is that it's now explicitly the mechanism for managing the government's risk tolerance on an ongoing basis, not just an internal Anthropic distribution choice.

Was it really Amazon?

Worth being precise about what's actually confirmed versus reported, since this detail is doing a lot of work in the public narrative.

Multiple independent outlets — Fortune, MLQ News, Gagadget — report that Amazon researchers demonstrated the triggering jailbreak to the government, and that Amazon CEO Andy Jassy personally raised the concern with the White House. Fortune's separate reporting specifically frames the finding as defensive research rather than malicious intent: Amazon's own coverage reportedly characterized it as "not a jailbreak" in the adversarial sense, but a demonstration of a capability gap that concerned them enough to escalate.

We have not seen an on-record Anthropic statement naming Amazon, nor a Commerce Department statement confirming Amazon's role. The attribution is well-sourced across independent reporting chains, which is different from being primary-confirmed. We're treating it as strongly-reported and flagging the distinction rather than asserting it as settled fact.

If the attribution holds, the competitive-dynamics reading is hard to avoid: a competing frontier-model lab flagged a rival's model to the government, and the flag produced a 19-day disable of that rival's flagship product. Whether that's "responsible disclosure between labs operating in a shared risk environment" or "a competitor used a national-security lever against a rival" depends entirely on the facts of the disclosure — which, again, are not fully public. We're not going to adjudicate that from outside. We're noting that the incentive structure this creates — a demonstrated capability to trigger a national-security action against a competitor's product — is now visible to every frontier lab, regardless of whether Amazon's motives here were pure.

The kill switch is now a maintained tool, not an improvised one

The framing we used when the ban first landed was that the Commerce Department had exercised a capability that had been "sitting on the regulatory shelf" and demonstrated it could be used on a four-hour timeline. The framing now, post-restoration, needs an update: the tool isn't just demonstrated anymore. It's being actively calibrated.

An industry-wide jailbreak-severity framework, if it materializes as more than a proposal, is the calibration layer. It converts "an official decides this is severe enough" into "this scores above a published threshold." That's not a weaker version of the kill switch — it's a more durable one, because a defined trigger is easier to invoke consistently and harder to argue against in the moment. The next model that trips a similar wire won't need a fresh emergency-directive improvisation; it'll have a published rubric to point to.

For the European sovereignty argument we made in June, this cuts against optimism. A calibrated, rubric-based version of the kill switch is more likely to be exercised again, not less, because the operational friction of using it drops each time the process gets more defined. The 19-day cycle we just watched — disable, negotiate, patch, partial-restore — is now a known playbook. The next frontier model that trips the wire, whether it's Anthropic's or a competitor's, will run through some version of the same cycle, probably faster.

The story isn't that the ban got lifted. Bans get lifted. The story is that we now know exactly how long it takes, what the government wants to see before it lifts one, and that the response, going forward, is a formal severity score rather than a phone call. That's the part that should worry the next lab this happens to.

policy analyst commentary, July 1, 2026

What we'd tell an operator building on Claude today

The advice we gave in June holds, with more confidence behind it now that we've watched the full cycle resolve rather than just watched it start.

Design for model substitutability, not model loyalty. The 19-day Fable 5 outage is no longer a hypothetical risk scenario — it's a demonstrated, bounded, real-world data point with a start date, an end date, and a public record. Any production system with a hard dependency on a single frontier model from a single provider should have a tested fail-over path to at least one other model family. This was true advice in June. It's now backed by an actual case study instead of a projection.

Watch the Mythos 5 access-tier structure as a preview of what "controlled distribution of frontier capability" looks like going forward. If you're building anything in the security-tooling space — the kind of work we described in the cybersecurity perspective piece — the Glasswing-style vetted-partner model is probably the shape your access to the most capable tools will take for the foreseeable future, not a temporary workaround.

Watch whether the jailbreak-severity framework gets real adoption. If OpenAI, Google, and the other frontier labs sign onto something like it, or a visibly similar version of it, that's the signal that the industry has moved from "hope this doesn't happen to us" to "here's the process when it does." That's a meaningfully more stable equilibrium than what existed on June 11, even though it means the kill switch is now a permanent feature of the landscape rather than a one-time event.

The 19 days are over. The tool that got used during them isn't going away. It's getting sharper.

— filed underAIStrategyAI Policy
— share
— keep reading

Three more from the log.