Silencing a Fable: You Can't Export-Control a Capability That's Already Everywhere

Subscribe to the blog

Early in my career as a network engineer at Lockheed Martin, I spent more time than I should have worrying about U.S. export controls. Back then the battleground wasn't AI – it was encryption. If a router or firewall left American soil running (then) modern encryption, the federal government legally classified it as a munition. So everything we shipped was supposed to have the weakened images – capped at 40-bit or 56-bit encryption.

Even then, we knew it was security theater. Math doesn't care about customs forms or international borders, and PGP was already available internationally anyway. The absurdity peaked with DeCSS, when the code to decrypt DVDs was treated as a digital weapon and advocates like a vendor called Copyleft responded by printing the algorithm on T-shirts – turning a restricted cryptographic asset into wearable protected speech. I proudly owned and wore one of those shirts – it was my way of pointing out just how asinine bad security policy could be.

Fast forward to the summer of 2026, and the policy world seems doomed to repeat the same mistake.

The Fable 5 Saga, in Brief

On April 7, 2026 Anthropic announced Project Glasswing, a partnership with some of the largest security providers and vendors in the world. Project Glasswing came about because Anthropic believed they had created a new model, Mythos (and the later public-facing Fable 5), that could identify security vulnerabilities so rapidly and thoroughly it presented a risk to the public. But the promise was the capability wouldn’t be kept embargoed for long.

On June 9, Fable 5 launched to the public. By nearly every benchmark, it redefined state of the art, especially on the long-horizon coding and knowledge work. Fable 5 was essentially Mythos wrapped in what were intended to be robust safety classifiers to prevent abuse from bad actors in the public.

But the triumph was short-lived. Just days after launch, security researchers at Amazon found a way to bypass Fable 5's safeguards, prompting it to identify software vulnerabilities and, in at least one case, produce code demonstrating how one could be exploited. The reaction from Washington was predictable. Citing national security risks, the U.S. Department of Commerce forced the model to be pulled offline. For 18 days, Fable 5 effectively went dark. On June 30 the controls were lifted; on July 1, Anthropic redeployed globally with a new classifier and an updated approach to jailbreak severity.

The Part That Should Sound Familiar

When the model’s creators conducted their own post-mortem testing, they confirmed what anyone who lived through the crypto-export era could have predicted: the underlying capability was never unique to Fable 5. Opus 4.8, OpenAI's GPT-5.5, and Moonshot's Kimi K2.7 could also successfully identify and reason through the exact same classes of software vulnerabilities when subjected to similar adversarial prompts.

In other words: the government applied a sweeping export control to one specific model, from one specific provider, to gate a capability that was already distributed across the global AI landscape. And in doing so, not only did it hurt those who intended to use the model for the benefit of the security industry, but it demonstrated to everyone around the world that the US government could disrupt their ability to operate by influencing US-based model providers.

Fable 5 didn’t come back online on July 1 because the government successfully negotiated with math. Anthropic did what good security practitioners always do: leaned into defense-in-depth. Fable 5 came back with a new, targeted classifier specifically trained to catch the technique from the Amazon report, reportedly blocking it in over 99% of cases. Then they added a set of high-risk parameters that triggers a more conservatively tuned model to perform safety verification before passing sanitized output back to the user.

The more important story

While the headlines focused on the geopolitical friction of the 18-day ban, the development that will actually age well happened quietly in the background.

Coming out of this crisis, the coalition of industry giants participating in Project Glasswing published a first draft of a Cyber Jailbreak Severity (CJS) scale. This standard grades model bypasses across four distinct dimensions:

  • Capability Gain: Does the bypass unlock genuinely dangerous, dual-use capabilities, or does it simply bypass polite tone guidelines?
  • Breadth: How many distinct categories of harm does the exploit affect?
  • Ease of Weaponization: How much technical skill or formatting is required to execute the exploit?
  • Discoverability: How easily can the vulnerability be stumbled upon versus requiring targeted, sophisticated engineering?

This collaborative framework is where real AI security is actually being forged. This is the AI-safety equivalent of the Common Vulnerability Scoring System (CVSS) for traditional software – establishing a common language so that a vulnerability reported to one vendor means the same thing to all of them, turning chaotic "jailbreaks" into a graded, prioritizable security signal.

The pragmatic takeaway

The Fable 5 debacle should serve as a wake up call for a number of reasons. First, if the US government can do this to Fable, you need to have a plan should they decide to restrict export of ChatGPT, or Opus, or Gemini. Anthropic quickly accepted the government’s restrictions, and we don’t know that others would acquiesce as quickly, but if your business now relies on AI, sovereignty just jumped up your risk register.

Second, accept that the fear that AI models are, in fact, accelerating security threat identification and exploitation is valid – and there’s nothing meaningful we are going to do about that. The economic value of these models is greater than the perceived cost due to security events. If it wasn’t, Fable wouldn’t have come back. So we need to focus on how to use these models to our advantage just as the adversaries are.

Last, we must accept the non-deterministic reality of the tools we are building, move past the illusion of the absolute block, and start engineering the layered perimeters necessary to move fast and stay secure. This includes red teaming and social engineering testing of chatbots and agents before they go live.

My old DeCSS and RSA is a munition t-shirts have long fallen apart, but the symbolism they represented is clearly still relevant. Let’s see if we learned anything from them 25 years ago.

If you could use help making sense of these threats, or are concerned about your organization’s AI posture, we’re always here to help you look around corners. Reach out to us at questions@generativesecurity.ai.

About the author

Michael Wasielewski is the founder and lead of Generative Security. With 20+ years of experience in networking, security, cloud, and enterprise architecture Michael brings a unique perspective to new technologies. Working on generative AI security for the past 3 years, Michael connects the dots between the organizational, the technical, and the business impacts of generative AI security. Michael looks forward to spending more time golfing, swimming in the ocean, and skydiving... someday.

July 17, 2026
< Back to Blog
Copyright  2026 Generative Security
  |  
All Rights Reserved