Anthropic’s most powerful public model went live on June 9, was pulled by a US government order on June 12, and returns globally on July 1. Here is the complete story, the technical details Anthropic has now made public for the first time, and the five implications almost nobody is talking about.
The 19-Day Timeline at a Glance
| June 9 | Claude Fable 5 and Mythos 5 launch globally via Claude API, AWS Bedrock, Google Vertex AI, and Microsoft Foundry. Fable 5 is Anthropic’s first publicly available Mythos-class model — the most capable model it has ever shipped for general use. |
| June 12 | US Department of Commerce issues an export-control directive after learning of a report by Amazon researchers describing a method to bypass Fable 5’s safety classifiers. Anthropic, unable to verify nationality in real time, disables both models globally for all users, including AWS Bedrock customers. |
| June 13 | Anthropic’s status page confirms the suspension; the company calls the government’s interpretation “a misunderstanding” and says it is working to restore access. |
| June 24 | Code strings in Claude Code v2.1.190 hint at a weekly-usage-limit model for a future Fable 5 restoration. |
| June 26 | US government approves partial restoration of Mythos 5 to more than 100 US organisations operating and defending critical infrastructure. |
| June 30 | Commerce Department lifts export controls on Fable 5. Anthropic publishes a full technical post-mortem and announces a new shared industry jailbreak-severity framework co-developed with Amazon, Microsoft, and Google. |
| July 1 | Fable 5 available globally on Claude Platform, Claude.ai, Claude Code, and Claude Cowork. AWS, Google Cloud, and Microsoft Foundry access to follow. |
What Actually Triggered the Ban
The government’s directive stemmed from a report by researchers at Amazon — one of Anthropic’s two largest investors and the company’s primary cloud partner — who had found a way to bypass Fable 5’s cybersecurity safety classifiers. By prompting the model in a specific way, the researchers got it to identify a number of software vulnerabilities. In one instance, the model also produced code demonstrating how one of those vulnerabilities could be exploited.
That finding reached the US Department of Commerce’s Bureau of Industry and Security, which invoked export-control powers to bar Anthropic from “exporting” the models to any foreign national — including Anthropic’s own non-US staff. Because Anthropic had no infrastructure in place to verify user nationality in real time, it had no option but to shut both models down for everyone, everywhere.
| ⚠️ Perspective #1: Amazon’s Researchers Suspended the Model Amazon Invested In
AWS has put roughly $4 billion into Anthropic. Amazon’s own cloud platform, Bedrock, distributes Anthropic models as a core product. Yet it was Amazon’s own researchers who produced the jailbreak report that triggered the US government’s directive — and in doing so, got AWS Bedrock access revoked for every customer globally, including Amazon’s own enterprise clients. This is not a conflict of interest story; internal security research is exactly what responsible AI deployment requires. But it is a striking structural irony: the same organisation that profits from Anthropic’s models being available handed the government the evidence to take them offline. It also hints at something important about how frontier AI risks will actually be discovered — not by external adversaries first, but by the companies closest to the models. |
Why Anthropic Said the Ban Was a Misunderstanding
Anthropic ran its own testing of the reported technique and reached a conclusion that directly contradicts the government’s framing: Fable 5 did not provide any unique offensive cyber capability.
The evidence Anthropic presented is striking. When it came to identifying the same vulnerabilities that Fable 5 surfaced in the Amazon report, many less capable models produced the same results — including Claude Opus 4.8, GPT-5.5, and Kimi K2.7. More critically, when it came to the single most serious element of the report — demonstrating how to exploit one specific vulnerability — every model Anthropic tested produced the same demonstration. That list includes Claude Haiku 4.5, Sonnet 4.6, Opus 4.6, Opus 4.7, Opus 4.8, GPT-5.4, GPT-5.5, and Kimi K2.7.
| 💡 Perspective #2: If Haiku 4.5 Can Do It, What Exactly Were We Protecting?
Claude Haiku 4.5 is Anthropic’s cheapest, fastest, most widely deployed model — available to free users, embedded in third-party apps, and accessible to anyone with an internet connection. If the same exploit demonstration that triggered a 19-day global ban on Fable 5 can be produced by Haiku 4.5, the export control was not protecting the world from unique Fable-5-level cyber risk. It was protecting the world from something already freely available. This is not an argument against AI safety measures — it is an argument that the export-control framework being applied to frontier AI models is not yet calibrated to actual risk. The US government treated the jailbreak as a Fable 5 problem. Anthropic’s testing suggests it is an industry-wide baseline capability problem, and one that export controls on a single model cannot meaningfully contain. |
Anthropic’s “Defense in Depth”: The Technical Architecture Now Public
For the first time, Anthropic has publicly explained in detail how its safety classifiers for Fable 5 actually work — information that previously existed only in vague terms in system cards and safety reports.
What classifiers are
Safety classifiers are smaller automated AI systems that run alongside the main model during a conversation. They monitor both incoming requests and outgoing outputs, and block the model from responding when they detect a potentially harmful cybersecurity task. Critically, these classifiers are separate from the main Fable 5 model itself, meaning a jailbreak of the underlying model does not automatically bypass the classifiers.
The safety margin concept
Rather than only blocking requests that are clearly harmful, Anthropic deliberately sets its classifiers to also block requests that are probably benign but carry some small risk. Anthropic calls this the “safety margin” — a buffer zone where requests that look clearly safe are allowed through, but anything in a grey area gets blocked. For Fable 5 specifically, Anthropic made this safety margin significantly larger than for any previous model, meaning a higher rate of false positives (legitimate requests getting blocked) in exchange for a much higher confidence that genuinely dangerous requests would never get through.
The jailbreak severity spectrum
Anthropic also published for the first time its internal classification of jailbreak types, which it now proposes as an industry standard. At the least serious end: minor jailbreaks that push into the safety margin but never reach genuinely harmful territory. Then narrow harmful jailbreaks, which can unlock a specific harmful behaviour but nothing beyond it. At the most serious end: universal jailbreaks, which unlock an entire class of dangerous behaviours with a single technique. Anthropic says no universal jailbreak for Fable 5 has been discovered as of its restoration, and that the Amazon report described a minor jailbreak that only pushed into the safety margin.
| 💡 Perspective #3: Anthropic Just Published the Most Detailed Public Blueprint for AI Safety Classifiers Yet
The level of technical transparency in Anthropic’s redeployment post is unusual for the industry. Anthropic has published not just what went wrong, but how its entire classifier architecture is designed — including the deliberate safety-margin tradeoff, the five-category jailbreak severity spectrum, and the defence-in-depth layering of training, classifiers, and retroactive pattern analysis. Google, OpenAI, and Meta have not published equivalent detail about the safety architectures of their frontier models. This post will likely become a reference document in AI safety research and policy discussions for months, and it is available publicly right now at anthropic.com/news/redeploying-fable-5. |
The New Industry Jailbreak-Severity Framework
One lasting outcome of the 19-day suspension is a formal cross-industry initiative that would not have existed otherwise. Anthropic, Amazon, Microsoft, and Google — alongside other Project Glasswing partners — are now developing a shared framework for assessing how serious any AI jailbreak actually is. Anthropic has proposed scoring jailbreaks on four criteria:
- Capability gain: How far beyond existing tools does the jailbreak take the attacker? If Opus 4.8 or GPT-5.5 can already do the same thing, the score is low.
- Breadth of capability gain: Does the same jailbreak technique work for many different harmful tasks, or only one specific case?
- Ease of weaponisation: How much skilled prompting and effort does it take to actually exploit the jailbreak in an attack?
- Discoverability: Is the technique already circulating publicly, or does it require specialist knowledge to reproduce?
Anthropic explicitly cites the Common Vulnerability Scoring System (CVSS) — the decades-old framework used across the software security industry for rating the severity of code vulnerabilities — as the missing analogue for AI jailbreaks. CVSS allows security teams to triage thousands of new CVEs every year by severity. Without an equivalent for AI, every new jailbreak report creates a judgment call that can, as this episode showed, escalate to a government export-control order within days.
| 💡 Perspective #4: This Is the Birth of “CVSS for AI” — and It Matters for Indian Tech Companies
India’s IT sector is one of the world’s largest consumers of AI APIs. TCS, Infosys, Wipro, HCL, and hundreds of smaller firms build enterprise products on top of models like Fable 5 via AWS Bedrock and Azure Foundry. When the June 12 directive pulled Bedrock access globally, Indian enterprise teams lost access to a model they were evaluating or had already deployed — with zero warning and no ETA. The absence of a standardised jailbreak-severity framework meant the government’s response was binary: the model is either available or it isn’t. A CVSS-equivalent for AI would allow governments to say instead: “this is a severity-3 jailbreak; no suspension required, additional monitoring is sufficient.” For Indian IT companies building AI-native products on US-hosted frontier models, the creation of this framework is arguably the most consequential outcome of the Fable 5 episode — more so than the model’s return itself. |
Anthropic’s Four New Government Commitments
Beyond the jailbreak framework, Anthropic announced a substantially deeper collaboration with the US government that will affect how every future frontier model launch works. The four commitments are:
- Pre-release government access: For models that materially advance the capability frontier in national-security-relevant areas, designated government partners will get expanded early access to both the model and its safeguards before broad release, with dedicated Anthropic technical staff working alongside government evaluators.
- Rapid information sharing: When significant jailbreaks or misuse patterns are found, Anthropic will quickly investigate, notify government counterparts, and share new safeguards for independent testing. It will provide threat intelligence reporting to government partners in advance of publication.
- Joint research teams: Anthropic is scaling up joint work with government partners, standing up dedicated teams to work on shared priorities, providing compute allocation for government testing, and making its red-teaming expertise available broadly.
- Common industry bar: Anthropic will work toward a shared, voluntary security and evaluation standard for frontier model providers, contributing evaluations, tooling, and best practices that the government can apply industry-wide.
What Fable 5’s Return Means for Users Right Now
Availability as of July 1
- Claude Platform, Claude.ai, Claude Code, and Claude Cowork: available globally from today.
- AWS Bedrock, Google Vertex AI, Microsoft Foundry: restoration to follow, no confirmed date.
- Pro, Max, Team, and premium Enterprise plans: Fable 5 included for up to 50% of weekly usage limits through July 7, then usage credits required.
- Standard Enterprise seats: no included allowance; all usage billed through credits from day one.
The new false-positive tradeoff
The new safety classifier added during the suspension is more aggressive than the one Fable 5 launched with. It blocks the flagged technique in over 99% of cases — but it also catches more legitimate coding and debugging requests as false positives. Anthropic acknowledges this and says it will continue refining the classifier to better distinguish genuine misuse from routine developer work.
Specs unchanged
Nothing else has changed. Fable 5 still has a 1M token context window, up to 128K output tokens per request, and is priced at $10 per million input tokens and $50 per million output tokens. It is still the same underlying model as Mythos 5, with safety classifiers layered on top.
| 💡 Perspective #5: The Sovereignty Problem Nobody Solved
The Fable 5 episode exposed a structural vulnerability in how the world’s most capable AI models are deployed. Anthropic is a US company. Its models run on US-hosted infrastructure (and on AWS, Azure, and Google Cloud, all US companies). When the US government issues an export-control order, every country in the world loses access simultaneously — including allies, including companies that have paid enterprise contracts, and including researchers who had no involvement in any jailbreak. India, the EU, Japan, South Korea, and Australia had no mechanism to negotiate their own continued access. The 19-day suspension triggered formal calls from Austria to the EU Commission to help Anthropic establish European infrastructure, precisely to decouple European access from US policy decisions. For Indian organisations, the lesson is the same one the semiconductor supply-chain disruption of 2021 taught: strategic dependence on a single country’s technology companies is a business risk, not just a geopolitical abstraction. Anthropic’s return is welcome. But India’s enterprise AI strategy needs a sovereign-access contingency plan that does not exist yet. |
Key Takeaways
- Claude Fable 5 returns globally on July 1, 2026, after a 19-day suspension triggered by a US government export-control order on June 12.
- The jailbreak that triggered the ban was, per Anthropic’s own testing, reproducible by models as lightweight as Claude Haiku 4.5, GPT-5.4, and Kimi K2.7 — undermining the containment rationale.
- Anthropic has published the most detailed public explanation of its safety-classifier architecture to date, including the safety margin concept and a five-category jailbreak severity spectrum.
- Anthropic, Amazon, Microsoft, and Google are developing a shared industry framework for rating jailbreak severity — effectively a CVSS-equivalent for AI — which could prevent future binary government responses.
- Anthropic has made four new government-collaboration commitments that will govern how every future frontier model launch works, including pre-release government access and joint red-teaming.
- Fable 5’s return comes with a new, more aggressive classifier that reduces false-negative risk but increases false-positive rate on routine coding tasks.
- The episode reveals an unresolved sovereign-access problem for non-US countries and enterprises, with no structural fix yet in place.
Frequently Asked Questions
What is Claude Fable 5?
Claude Fable 5 is Anthropic’s most capable publicly available model, launched June 9, 2026. It is a Mythos-class model — the same tier as Claude Mythos 5 — but shipped with safety classifiers for general public use. It has a 1M token context window, supports up to 128K output tokens, and is priced at $10/$50 per million input/output tokens.
Why was Claude Fable 5 suspended?
Amazon researchers found a technique to bypass Fable 5’s safety classifiers, prompting it to identify software vulnerabilities. The US Department of Commerce issued an export-control directive banning Anthropic from giving access to any foreign national. Unable to verify nationality in real time, Anthropic pulled both Fable 5 and Mythos 5 globally.
What changed while it was offline?
Anthropic trained a new safety classifier that blocks the reported technique in over 99% of cases. The tradeoff is an increased false-positive rate on routine coding and debugging tasks. The underlying model is unchanged.
Is Fable 5 available in India?
Yes, from July 1, 2026, Fable 5 is available globally on Claude Platform, Claude.ai, Claude Code, and Claude Cowork for users on Pro, Max, Team, and Enterprise plans. AWS Bedrock and Google Vertex AI access for Indian enterprises will follow once re-enabled by Anthropic.
What is the difference between Fable 5 and Mythos 5?
They share the same underlying model. Fable 5 has safety classifiers enabled for public use. Mythos 5 has those classifiers lifted in some areas and is available only to vetted US organisations in Project Glasswing, Anthropic’s government cybersecurity programme.
What is Project Glasswing?
Project Glasswing is Anthropic’s programme for deploying its most capable models, particularly Mythos 5, to US government agencies, critical-infrastructure operators, and vetted cybersecurity organisations that need access to the model’s full, unguarded capabilities for defensive purposes.
