Anthropic received a letter on June 12, issued under Commerce Secretary Howard Lutnick. It instructed Anthropic to shut down its AI models Fable 5 and Mythos 5 for all foreign nationals, its foreign-national employees included. Given its inability to filter users by nationality in real time, Anthropic did what any reasonable company would do: it shut the models down for all users. Nearly three weeks later, the administration lifted the controls after Anthropic agreed to additional safeguards. The reversal showed how difficult the restriction was to sustain while comparable capabilities remained available elsewhere.

Anthropic called it a misunderstanding. Washington called it a national security issue, because of the supposed ability of users to “jailbreak” the models: to use them for other potentially nefarious purposes. But what was this “jailbreak” and what made it so dangerous that Anthropic had to shut down one of the most powerful AI models released to the public? ?

In its own statement, Anthropic writes that the jailbreak was “asking the model to read a specific codebase and fix any software flaws.” Just reading code and fixing bugs. Your security team does that before lunch. Anthropic’s own Project Glasswing is in the process of using this very same model to scale the disclosure and remediation of open-source code vulnerabilities. Before the shutdown, Glasswing had already identified over 10,000 high and critical severity vulnerabilities in critical software systems using the same model.

The government decided there’s a fundamental difference between offensive and defensive application of the tool. The truth is: such a difference doesn’t really exist. You can’t write a law making a distinction the technology itself doesn’t make and then blame the technology for doing exactly that.

The biggest unaddressed hypocrisy in the government position, however, is that the same order shutting down Fable 5 and Mythos 5 left OpenAI’s GPT-5.5 untouched. Anthropic points this out directly: the level of capability displayed there is widely available from other models (including OpenAI’s GPT-5.5) and is used every day by the defenders who keep systems safe.” OpenAI’s system card for GPT-5.5 rates its cybersecurity capability as”high.” The UK’s AI Security Institute tested GPT-5.5 as a cyberattack agent on a 32-step attack on a corporate network, estimated to take 20 hours of expert knowledge, and the model completed the full attack range in 2  out of 10 attempts. The benchmark was the same 32-step range previously completed by Mythos Preview, although Mythos succeeded more frequently in its initial evaluation.

Because the same broad capability remained available through GPT-5.5, the directive did little to improve national security during the weeks it was in force. It handed OpenAI an advantage, cut off American defenders from one of Anthropic’s most capable defensive tools, and was abandoned once Anthropic negotiated additional safeguards.

Earlier Efforts

Washington attempted similar measures decades ago. In the 1990s, officials designated strong encryption as a munition, leading to a federal investigation of Phil Zimmermann over the dissemination of his email encryption software. The Clipper Chip initiative, meanwhile, sought to establish an enduring state-controlled backdoor to access encrypted traffic. By 1996, the Clinton administration transferred most commercial encryption to Commerce Department controls once it became apparent that published mathematics simply could not be contained.

The Wassenaar Arrangement, a 41-country export control agreement, attempted a comparable maneuver in 2013 by introducing controls over intrusion software. The resulting definitions proved overly vague and inadvertently encompassed legitimate penetration testing activities, drawing extensive opposition from security researchers and industry and forcing the Commerce Department to withdraw its own proposed rule. Software does not behave like a centrifuge or a ballistic missile, yet Washington persistently repeats the same miscalculation whenever a new technology causes alarm.

The most direct counterargument involves semiconductor controls, and it deserves a real answer. Limitations on EUV lithography equipment have demonstrably decelerated China’s acquisition of high-end computational capabilities. But chips are physical. They’re heavy, manufactured by a small number of global producers, and cannot be clandestinely transported across borders en masse. A trained AI model is a file, transmittable in seconds without physical footprint. Physical chokepoints allow for effective restrictions, but once the target is mathematical code moving invisibly, control becomes unfeasible. The chip analogy doesn’t apply here.

Anthropic itself addressed this issue in November 2025 when it revealed an incident dubbed GTG-1002. In its post-mortem, Anthropic expressed high confidence that a Chinese state-backed actor deployed Claude Code to spearhead a cyberattack targeting approximately 30 technology firms, financial institutions, chemical companies, and government bodies. Anthropic estimated that Claude Code executed 80-90 percent of the campaign’s tactical operations; human operators intervened only at discrete decision nodes four to six times per execution cycle. The group circumvented safety protocols by impersonating a reputable defensive cybersecurity company performing authorized penetration testing.

That bypass, however, relied not on a technical vulnerability but on social engineering directed at an algorithm. From a prompt-level perspective, there exists no detectable distinction between a defensive security operation and an offensive intrusion, meaning no export restriction framework could reasonably anticipate or prevent such a scenario.

Targeting Anthropic

In late February 2026, Secretary Hegseth directed the Pentagon to designate Anthropic a supply-chain risk. This label is historically reserved for companies beholden to Beijing or Moscow. Former CIA director Michael Hayden and retired flag officers from the Air Force, Army, and Navy called it “a category error with consequences that extend far beyond this dispute.” The Pentagon designated Anthropic a supply-chain risk for refusing to remove safeguards against mass domestic surveillance and fully autonomous weapons.

Then three months later Commerce  restricted the same company’s best defensive tool for being too dangerous. The left hand is punishing Anthropic for having safety guardrails. The right hand is punishing them for not having enough. American critical infrastructure sits in the gap between those two decisions.

It is possible to read the Pentagon and Commerce actions not as bureaucratic contradiction but as two forms of pressure directed at Anthropic after its dispute with the administration. The available evidence, however, does not establish coordination or retaliatory intent. The more defensible conclusion is based on effect rather than motive, whether coordinated or not, the two actions combined to weaken access to defensive AI capabilities while leaving comparable capabilities available through other providers.

The military’s over-reliance on externally developed corporate AI models, according to a March article in Small Wars Journal, creates cascading vulnerabilities that policy checklists cannot contain. The Hegseth designation and the Lutnick directive together  provided a live demonstration of that thesis, two arms of the same government pulling in opposite directions on the same technology, while the underlying exposure grows.

These models do not possess cognition in any meaningful human sense. Rather, they represent statistical engines trained on more vulnerability reports and exploit databases than any individual could process across multiple lifespans. The danger they pose is economic, not existential. The June 12 directive did not concern a singularity marking the transition from human to artificial intelligence. The price floor for nation-state-level cyberattack dropped to a monthly subscription fee. Shutting down one company’s model doesn’t rebuild that floor. The math is already everywhere, and the current policy did not account for that reality. GTG-1002 already happened. It successfully penetrated a small number of targets. The response was to remove the defensive equivalent from American hands. At some point that becomes a broader institutional failure.

What Actually Works?

The U.S. government has already issued an effective directive: CISA’s Binding Operational Directive 26-04, which directs federal agencies to accelerate the pace of vulnerability patching based on risk and impact. But a directive alone isn’t a framework. Three things need to happen.

Congress needs to close the jurisdictional gap between Commerce and Defense on AI. Congress should clarify how Commerce’s export-control authority and Defense’s procurement and supply-chain authorities interact when both are applied to the same frontier AI provider, which is how you end up with Hegseth and Lutnick pulling in opposite directions on the same company in the same quarter. Project Glasswing, which has already identified over 10,000 high and critical severity vulnerabilities in critical software systems, should be expanded and federally funded as the affirmative national security answer by which defenders use AI to find and patch faster than adversaries can weaponize. And any future AI export restriction framework needs a defined evidence threshold. The limited evidence of a narrow non-universal jailbreak should not meet the bar for pulling a model deployed to hundreds of millions of people.

Anthropic helped write this outcome. For years Anthropic emphasized that Mythos possessed exceptional cybersecurity capabilities, required unusually strong safeguards, and initially warranted limited access. That framing justified their safety positioning, and their Project Glasswing partnerships. Then Commerce Secretary Lutnick signed a letter treating it exactly like what Anthropic called it: a munition.

Threat researcher Peter Girnus said it plainly when the news broke: “If you describe your product as a munition in every press release, eventually a government takes you at your word. They wrote the legal predicate themselves and called it a brand.” That’s not just a burn on Anthropic’s PR strategy. That’s a description of how they ended up here.

But Washington’s lesson is harder. You cannot embargo math that’s already out. Washington spent nearly three weeks proving it, pulling one of the most capable defensive models available to American users, then restoring access once it became clear that comparable capabilities remained available through other commercially available models. The controls are gone. It begs the question: are we moving in the right direction?

Michael Aaron Cody is an independent theorist published in Physics Essays, Journal of Modern Physics, European Physical Journal Plus (Springer Nature), FPIF, Small Wars Journal, and RealClearScience. His work spans physics and defense policy. Find him on X at https://x.com/MichaelCody.