Fable 5 Comes Off the Leash
Anthropic's most capable widely released model was frozen by a US export-control order three days after launch. Eighteen days later the controls came off — and the reason it came back says more than the reason it left. The whole story, in one place.
Claude Fable 5 is available again. On June 30 the US government lifted the export controls that had frozen it, and starting today — Wednesday, July 1 — it is back for users globally, on the Claude Platform, Claude.ai, Claude Code, and Claude Cowork.
That is the headline. It is not the story. Fable 5 was pulled over a capability the government treated as a national-security risk. It came back because Anthropic says its own testing showed that capability was not unique to Fable at all. And the model that is genuinely dangerous in this saga was never the one the public lost.
This is the third chapter of a story I have been tracking since launch. Here is all of it — start to finish.
The eighteen-day timeline
It was an export control, not a ban
On June 12 — three days after Fable 5 launched — the US government, citing national-security authorities, issued an export-control directive. It did not order a blanket shutdown. It ordered something narrower and stranger: no foreign national may be given access to Fable 5 or Mythos 5. Not foreign nationals abroad — any foreign national, anywhere, including Anthropic's own foreign-national employees.
That is an export control, and the distinction from a plain "ban" matters. Software that legally cannot reach a foreign national is software you have to gate by nationality — and Anthropic had no reliable way to verify a user's nationality in real time. So the only way to comply was the blunt one: cut access to both models, for everyone.
Fable 5 did not go dark because it broke. It went dark because Anthropic could not prove who was on the other end of the connection.
Why the government reached for the switch
The trigger was a jailbreak. Anthropic says Amazon researchers found a way around Fable 5's safeguards by prompting it to identify software vulnerabilities, and in one case got it to produce code demonstrating how a vulnerability could be exploited.
To be clear about what that was and wasn't: this was reported vulnerability identification plus a single exploit demonstration — not a live break-in, and not a novel zero-day loosed on the world. But it is exactly the kind of dual-use cyber capability that regulators have been trying to get their arms around — the reason frontier models draw national-security scrutiny in the first place.
Except, by Anthropic's own account, the capability wasn't special.
The twist: the fear was pinned to the wrong model
When Anthropic tested the claim, the result undercut the premise of the order. Anthropic says many less capable models could identify the same vulnerabilities Fable 5 found — it names Opus 4.8, GPT-5.5, and Kimi K2.7 — and that for the exploit demonstration specifically, every model it tested could produce the same thing: Haiku 4.5, Sonnet 4.6, Opus 4.6, 4.7 and 4.8, GPT-5.4 and 5.5, and Kimi K2.7.
Its conclusion, stated plainly: guarded Fable 5 "provides no such unique offensive capabilities." The thing it got pulled for is something Anthropic says other models it tested can already do.
So if the reported capability is broadly available, what was actually worth worrying about?
Fable is the guarded one. Mythos is the dangerous one.
This is the part to get right, because it is easy to invert.
Fable 5 and Mythos 5 are the same underlying model. The difference is the guardrails and who gets through them. Fable 5 shipped with what Anthropic calls "the strongest safeguards we've ever applied to a model," and it is the public product. Mythos 5 ships with fewer safeguards, was never public, and goes only to a small set of vetted partners in Anthropic's Project Glasswing.
Unmuzzled, Mythos is dangerous in exactly the way the order feared. Anthropic says Mythos 5 "can be used to find and exploit software vulnerabilities more effectively than any other model — and all but the most skilled human security experts." That is a real, unique offensive capability — the one Fable was accused of having but doesn't.
So the two got tangled. The guarded public twin, Fable, was frozen over a capability it does not uniquely possess. The dangerous twin, Mythos, is the one that actually warrants the caution — and it was handled on its own track. The government approved restoring Mythos access for a set of US organizations on June 26, four days before Fable's controls came off. Mythos never became public; it stays inside the vetted-partner program. But the model with the uniquely strong exploit-finding capability got its restricted access back first. The safeguarded one the public was using stayed frozen the longest.
If that ordering feels backwards, it is because the directive treated the model name as the control point — when the real risk boundary was everything around the shared weights: the safeguards, the partner-only access, the allowed uses.
What changed to bring it back — and what you'll feel
Anthropic didn't only wait out the order; it shipped a fix. It trained a new safety classifier that targets the specific bypass Amazon reported and, it says, blocks that technique in over 99% of cases. It is careful not to claim the model is now jailbreak-proof — perfect robustness isn't the claim; blocking the reported technique is.
There is a cost, and you'll feel it. Fable 5 already launched with a safety margin Anthropic calls "much larger than in any prior launch," and the new classifier tightens things further. Anthropic puts it plainly: the classifier comes "at the cost of flagging benign requests more often during routine coding and debugging tasks." So some ordinary coding and debugging work will trip the filter more than you're used to.
That is the tax on the redeployment: a jumpier Fable 5, and some of those flags will be false alarms. Anthropic's answer is a fallback — "users will be notified if a request to Fable 5 is blocked, and the request will instead be sent to Opus 4.8." It is the same refusal-fallback wiring I covered at launch, and if you build on Fable it is what keeps a false positive from stalling your app.
What you actually get
On the plans: Anthropic says Pro, Max, Team, and select Enterprise subscribers can use Fable 5 for up to 50% of their weekly usage limits through July 7, after which it moves to usage credits. Standard Enterprise seats get no included allowance — all Fable usage runs through credits. That is subscription access, separate from per-token API pricing. If you were waiting to try it inside your plan, the included window is short.
The precedent this sets
The most consequential part of the announcement isn't Fable at all. It reads like a precedent — an export-control order reaching a live, deployed language model — and precedents get reused.
So Anthropic, with Amazon, Microsoft, Google, and its other Glasswing partners, is proposing a shared way to score how dangerous a given jailbreak actually is, on four axes:
- capability gain — how far beyond existing tools the technique reaches;
- breadth — how many different attacks use the same trick;
- ease of weaponization — how much skill it takes to turn into a real attack;
- discoverability — how easily someone could find it.
Read those against what just happened. Under Anthropic's own criteria the Amazon report scores low on capability gain — Anthropic says other tested models reached the same behavior — whatever it scored on the rest. A framework like this exists so that the next government order gets aimed at the model that scores high on capability gain, not the one with the scariest name in the headline. It is a proposal, not adopted regulation — but it is the machinery starting to form around a problem that just got its first live test.
Around it: a new HackerOne program for security researchers to submit cyber jailbreaks they find in Fable 5, plus commitments to give government evaluators pre-release access to future models, independent evaluation, and a shared voluntary security standard across frontier labs. That last piece moves the regulator closer to the release process itself. Whether that reassures you depends on the regulator — which is the argument I made when the leash first went federal, and not the point of this post.
The point
Three chapters, one lesson. At launch, Fable was Mythos behind a classifier leash. On June 12 the leash went federal. Today it comes off — not because anyone decided the model was safe, but because Anthropic's own testing showed the specific fear was pinned to the wrong model.
The theme of this whole series holds: in frontier AI, the model is rarely the story. Fable and Mythos share one brain; everything that mattered here happened in the layer above it — the guardrails, the access rules, the billing, and now the export lawyers. Same weights, different leash.
Fable 5 is back. Route accordingly.