Last week, the United States Department of Commerce issued an export control directive that suspended all access to artificial intelligence developer Anthropic’s Fable 5 and Mythos 5 AI models by any foreign national. That included those inside or outside the United States, even those working at the company.
Although the letter to the AI developer hasn’t been released, there is speculation that concerns were raised over the potential for the models to be subject to a “jailbreak” that would bypass any corporate safeguards.
The company responded by abruptly disabling both platforms to all customers to ensure compliance, but added that access to its other models would be unaffected.
“We are complying with the government’s legal directive and are removing access to Fable 5 and Mythos 5 for all users. However, we disagree that the finding of a narrow potential jailbreak should be cause for recalling a commercial model deployed to hundreds of millions of people. If this standard was applied across the industry, we believe it would essentially halt all new model deployments for all frontier model providers,” the company explained in a statement, and apologized for the disruption to its customers.
Jailbreaking Concerns
Anthropic said it worked with the U.S. government, the UK’s AI Security Institute (AISI) and multiple private third-party organizations and internal teams to “red-team” Fable’s safeguards. It added that no testers had been able to find a “universal jailbreak,” the method that could very broadly bypass the model’s safeguards, and unblock “a wide range of cyber capabilities.
However, the company added, “We suspect that perfect jailbreak resistance is not currently possible for any model provider. Every safeguard used in the industry is vulnerable to non-universal jailbreaks.”
There have been reports that a jailbreak does exist, but details remain unclear.
Jacob Krell, senior director for secure AI solutions and cybersecurity at Suzu Labs, told ClearanceJobs in an email that from what he has seen, no jailbreaking actually occurred.
“The reported ‘jailbreak’ is asking Fable 5 to read a codebase and identify software flaws. That is a code review. Security teams and developers across the industry use AI models for that exact purpose daily. ‘Jailbreak’ is strong language for a routine task,” Krell suggested.
Supply Chain Risk
It was just months ago that the Department of War designated Anthropic to be a supply chain risk, which banned it for use across the federal government. However, some agencies continue to use it.
“The NSA carved out an exemption to keep using Mythos because no alternative matches it for vulnerability discovery,” added Krell. “Commerce now export-controls the consumer version of that same model. Three agencies, three contradictory positions on the same technology.”
Model Software Test Case
The sudden export control directive gave Anthropic less than two hours last week to take the models down, which some experts warn could impact AI development.
“This regulatory action marks a critical moment in artificial intelligence risk management, exposing the fragility of advanced model delivery when software vulnerability assessment capabilities cross into export control territory. For security leaders, the urgent reality is that traditional geofencing and identity management systems are inadequate for enforcing real-time nationality-based access controls at the application layer,” explained Noelle Murata, chief operating officer at AI cybersecurity provider Xcape, Inc.
Murata told ClearanceJobs that enterprises should inventory dependencies on frontier AI services and implement localized fallback architectures to prevent single-point-of-failure outages during sudden vendor recalls. Moreover, it may be necessary to assess automated code-review or vulnerability-scanning integration points to handle immediate API deprecations without breaking internal software development lifecycles.
“Models are dual-use weapons,” suggested Murata. “Regulatory enforcement can pull frontier models from production with zero warning if prompt injection or jailbreak techniques unlock offensive cyber capabilities like automated vulnerability discovery.”
Moreover, Murata added that identity management must evolve.
“Traditional geographic IP blocking cannot satisfy export mandates that restrict access based on an individual’s nationality or citizenship, creating a massive compliance gap for SaaS-delivered AI,” she told ClearanceJobs via an email. “We have spent years worrying about a rogue AI escaping into the wild, only to find out it could be entirely neutralized by asking the compliance department to verify a birth certificate.”
Comparisons to Nuclear Weapons
There have been reports that at least one White House official compared Fable 5 and Mythos 5 to that of the atomic bomb, a description that may seem to be a bit of a stretch. However, it isn’t seen as hyperbole when it comes to certain government directives.
“Export controls put this capability in the same legal category as weapons systems and nuclear technology. When code analysis triggers that classification, the people making the decision believe it has real strategic impact,” said Krell. “Automated vulnerability discovery at machine speed is no longer a research curiosity. It is a regulated asset.”
The new controls may be a warning to other AI developers.
“Offensive security built on manual-pace vulnerability research and human-speed exploitation development is on borrowed time,” Krell further told ClearanceJobs. “The government just told you the automation works well enough to regulate. Every team still relying on analysts to find vulnerabilities at human speed is competing against a capability the government now considers strategic.”
