10 min read

Claude Fable 5's 19-Day Ban: How a Jailbreak Report Triggered US Export Controls on Anthropic's Flagship Model

From launch to shutdown to redeployment in three weeks: what happened to Anthropic's Mythos-class model, and why Swiss organisations relying on frontier AI should be paying attention.

On 9 June 2026, Anthropic released Claude Fable 5, the first Mythos-class model made generally available to the public and, on its own benchmarks, the most capable model the company had ever shipped. Three days later, on 12 June, the US government imposed export controls on it, and Anthropic pulled the model offline worldwide. It stayed dark for nineteen days. On 1 July it came back — same core capabilities, tighter safeguards, and a new industry-wide framework for judging when an AI jailbreak is serious enough to matter. This is the verified timeline, the reasoning behind both decisions, and what changed between the version Swiss organisations tested in June and the one available today.

9 June: A Mythos-Class Model Goes Public

Fable 5 and its restricted sibling, Mythos 5, were released days after Anthropic had publicly warned that frontier AI systems were approaching the point of recursive self-improvement without human intervention — a juxtaposition the trade press did not let pass unremarked. Fable 5 launched with state-of-the-art results on nearly every benchmark Anthropic tested, in software engineering, long-context reasoning, vision, and scientific research; Stripe reportedly used it to compress months of engineering work into days. Pricing was set at $10 per million input tokens and $50 per million output tokens — less than half the cost of the earlier Mythos preview. Mythos 5 itself remained gated to Project Glasswing partners and vetted biology researchers, unchanged from the access model this publication covered in April.

12 June: A Jailbreak Report Becomes an Export-Control Order

The trigger was not a decision Anthropic made on its own. Amazon security researchers found a prompting technique that could get Fable 5 to flag specific software vulnerabilities and, in one documented case, to write code demonstrating how a flaw could be exploited. Anthropic's position, then and since, is that this was reproducible on weaker models too — including Claude Opus 4.8 and GPT-5.5 — and amounted to routine defensive security work rather than a uniquely dangerous capability. The US government disagreed with the framing enough to act: it applied export controls to both Fable 5 and Mythos 5, restricting access for foreign nationals with immediate effect. Anthropic has stated it had no reliable way to verify user nationality in real time, so the only way to comply was to suspend both models for every user, everywhere — not just the group the order targeted.

12–30 June: Two Weeks Offline

For roughly two weeks, Fable 5 and Mythos 5 were unavailable on the Claude API, Claude.ai, Claude Code, Claude Cowork, and the major cloud marketplaces. Behind the scenes, Anthropic negotiated with the US Department of Commerce, committing to proactively hunt for further vulnerabilities in its own models, report malicious use, and coordinate future releases with government officials. On 30 June, Commerce Secretary Howard Lutnick notified Anthropic co-founder Tom Brown that the export control restrictions were being lifted, citing the company's cooperation in addressing the risks the department had identified.

1 July: Redeployment With a Narrower, Sharper Filter

Fable 5 returned globally on 1 July 2026 on Claude Platform, Claude.ai, Claude Code, and Claude Cowork, with AWS, Google Cloud, and Microsoft Foundry availability following shortly after. The redeployed model is not a capability downgrade. What changed is the safety layer wrapped around it. Anthropic trained a classifier targeted specifically at the jailbreak technique Amazon reported, claiming better than 99% effectiveness against it, and widened the model's general caution margin — accepting more false positives, and more benign requests redirected to the weaker Opus 4.8, in exchange for fewer true positives slipping through. Alongside Amazon, Microsoft, and Google, Anthropic also published a shared industry framework for scoring jailbreak severity across four criteria: capability gain over tools already available to an attacker, breadth of attacks a technique enables, ease of weaponisation, and discoverability by others.

◆ Key Takeaway

For Swiss organisations building products or workflows on frontier US AI models, the Fable 5 episode is a supply-chain availability event, not just an AI safety story. A model that was generally available on Monday was globally unreachable by Friday, for nineteen days, because of a regulatory decision in Washington that had nothing to do with Swiss law, Swiss customers, or anything a Swiss customer did. Treat frontier LLM API dependency the way you would treat any single-vendor, single-jurisdiction critical dependency: document a fallback model or provider for production workloads, avoid hard-coding a specific model version into critical paths without an abstraction layer, and factor export-control exposure into vendor risk assessments alongside the usual DORA/NIS2 third-party criteria — particularly for any workflow that touches vulnerability research, code analysis, or other categories a future order might restrict.

What Actually Changed Between the Two Versions

  • Cybersecurity safeguards: the June launch version routed roughly under 5% of sessions — cybersecurity, biology/chemistry, and distillation queries — to Opus 4.8 via general-purpose classifiers. The July version adds a classifier trained specifically on the Amazon-reported technique, with a claimed >99% catch rate.
  • Caution margin: widened. More borderline-legitimate requests near the safety boundary are now redirected rather than answered directly.
  • Jailbreak evaluation standard: previously internal to Anthropic; now a four-criteria framework shared with Amazon, Microsoft, and Google.
  • Government commitments: new — proactive vulnerability hunting, malicious-use reporting, and coordination with US authorities on future frontier releases.
  • Core capabilities: unchanged. Anthropic has not reported any reduction in coding, vision, or long-context performance in the redeployed model.

What Is Still Unclear

Anthropic has not published the exact technical detail of the Amazon-reported prompting technique, so external researchers cannot independently verify the "routine defensive work" characterisation. Nor is it public how the four-criteria jailbreak framework will be applied to future incidents, or whether it carries any binding weight beyond the four companies that agreed to it. Switzerland was not a party to the export-control decision or its reversal, and has no equivalent domestic framework for restricting access to frontier model capabilities — which means the next time a comparable order is issued, Swiss users will again be bystanders to a decision made entirely outside Swiss jurisdiction, with the same operational consequences.