On Friday, June 12, 2026, a government letter did what a competitor never could: it took Anthropic's two most capable models offline worldwide. The shutdown started with a directive that landed in Anthropic's inbox at 5:21 p.m. ET — and a status page entry that went up just after midnight.
What the June 12 directive bars
The June 12 directive is a U.S. export-control order, grounded in national-security authorities, that bars access to Claude Fable 5 and Claude Mythos 5 by "any foreign national, whether inside or outside the United States, including foreign national Anthropic employees" . It also requires government approval before any export, re-export, or domestic transfer of the models to non-U.S. persons. Anthropic says it received the directive at 5:21 p.m. ET on June 12 and disabled both models globally — including for U.S. users — because nationality-based enforcement was not workable at launch scale.
Quick Answer: A U.S. export-control directive received June 12, 2026 at 5:21 p.m. ET barred foreign-national access to Claude Fable 5 and Mythos 5 — even foreign-national Anthropic staff on U.S. soil. Rather than enforce by nationality at launch scale, Anthropic pulled both models offline worldwide; all other Claude models stayed up.
The shutdown surfaced publicly on Anthropic's status page, in an incident titled "We've suspended access to Claude Mythos 5 and Claude Fable 5," posted June 13, 2026 at 00:50 UTC with status listed as "Monitoring" . The outage spanned every surface the models shipped on. Critically, the order targeted the two named models only — every other Claude model remained operational , so the disruption was a model-level cut, not a platform-wide one.
| Directive detail | What the order specifies |
|---|---|
| Received | June 12, 2026, 5:21 p.m. ET |
| Incident posted | June 13, 2026, 00:50 UTC — status "Monitoring" |
| Models affected | Claude Fable 5, Claude Mythos 5 |
| Surfaces hit | claude.ai, Claude API, Claude Code, Claude Cowork |
| Who is barred | Any foreign national, inside or outside the U.S., including foreign-national Anthropic employees |
| Approval requirement | Government sign-off before export, re-export, or domestic transfer to non-U.S. persons |
| Other Claude models | Unaffected — remained operational |
The detail that turns a routine compliance notice into something developers should read closely is the scope of "domestic transfer." The order does not stop at customers abroad; it reaches non-U.S. persons inside the United States, which is why Anthropic flagged its own foreign-national employees as covered . Faced with enforcing that distinction across claude.ai, the API, Claude Code, and Claude Cowork at launch volume, Anthropic chose the only switch it could pull cleanly — off, for everyone (video: Shared Sapience).
Deemed export: the rule that covers foreign nationals on U.S. soil
The "deemed export" doctrine is why this directive reaches inside Anthropic's own offices. Under the U.S. Export Administration Regulations (EAR), releasing controlled technology to a foreign national — even on U.S. soil — is legally treated as an export to that person's country of origin. So the moment Fable 5 and Mythos 5 became export-controlled on June 12, 2026, the constraint stopped being about geography and became about people: any non-citizen with direct access to the models could be in scope, regardless of where they sit .
That is the mechanism behind Anthropic's unusual disclosure that its own foreign-national employees were covered. The directive, as Anthropic described it, bars access by "any foreign national, whether inside or outside the United States, including foreign national Anthropic employees," and requires government approval before any export, re-export, or domestic transfer to a non-U.S. person . The practical reading: a U.S.-based team where non-citizen engineers query the model directly, or build on it, may trigger the rule the same way a customer in another country would.
What makes this legally novel is the subject matter. Deemed-export enforcement has historically applied to dual-use hardware, semiconductor fabrication equipment, and encryption — tangible technology or well-defined technical data. Applying the same framework to token-level API calls against a hosted large language model has no clear precedent and no published Commerce guidance to anchor it. There is no settled answer to basic operational questions: whether the restriction binds interactive API sessions, the consumer chat UI, or downstream products integrating the models, and at what point in a request chain a "release" of controlled technology is deemed to occur.
That ambiguity is not academic for builders. A team cannot easily audit compliance when the controlled artifact is a model endpoint rather than a shipped device or a file under access control. The absence of clarification on API versus UI versus integration scope means firms relying on these models had no documented standard to self-assess against — one reason Anthropic concluded that selective, nationality-based enforcement was unworkable and disabled both models for everyone rather than attempt to gate access user by user . Until Commerce publishes a licensing standard, the safest assumption for any organization with mixed-nationality engineering teams is that direct contact with a controlled model is itself the regulated act.
Project Glasswing suspended: 150 orgs cut off overnight
The suspension's sharpest operational casualty was Project Glasswing, Anthropic's limited trusted-access program that distributed Mythos 5 — the same underlying model as Fable 5, but with safety classifiers lifted — to vetted cyber defenders and critical-infrastructure providers . When Commerce's directive landed on June 12, every non-U.S. partner and every foreign-national staffer at U.S. partner organizations lost the tool at once, with no announced timeline for restoration .
The scale of what went dark is documented. As of June 2, 2026, Anthropic reported the program had roughly 50 initial partners that had collectively surfaced more than 10,000 high- or critical-severity security flaws, and was expanding to about 150 organizations across more than 15 countries . Those partners spanned power, water, healthcare, communications, hardware, and critical open-source software — the sectors most often named in infrastructure-defense mandates . A defense-oriented program built to find vulnerabilities before attackers do was, in effect, switched off mid-expansion.
| Project Glasswing (as of 2026-06-02) | Figure |
|---|---|
| Initial partners | ~50 |
| Expansion target | ~150 organizations |
| Countries | 15+ |
| High/critical flaws found | 10,000+ |
| Primary tool | Mythos 5 (classifiers lifted) |
The structural problem is the same one that forced the broader shutdown. Mythos 5 was never offered through self-serve channels; it reached defenders only through vetted partner accounts, many of them headquartered or staffed outside the United States. Because the directive bars access by any foreign national regardless of location, a power-grid operator in one of those 15-plus countries and a foreign-national analyst sitting inside a U.S. partner's office are covered by the same rule . There was no partial-access fallback to fall back to — the program either ran for everyone vetted or for no one. Anthropic chose the latter, and the defenders the program was meant to equip lost their primary tool overnight (video: Shared Sapience).
The dispute: what Commerce alleged, what Anthropic showed
Commerce's directive rests on a claim Anthropic says it cannot reconcile with its own testing: that someone had found a way to jailbreak the Mythos-class models. An administration official told Axios that Commerce acted after another company reported it could jailbreak Mythos 5 . Reporting indicates the underlying work came from Amazon researchers who used prompts to surface security-vulnerability information from the models, with findings reviewed alongside the NSA . Anthropic, for its part, says the government letter it received on June 12 carried no specific technical detail — only that it understood the concern to involve a method of bypassing Fable 5 .
What Anthropic published describes something far narrower than a categorical break. It characterized the issue as "a narrow, non-universal jailbreak" that amounted to "asking the model to read a specific codebase and fix any software flaws" — a capability it says is "widely available from other models (including OpenAI's GPT-5.5)" and used daily by defenders . On review, the company says it found only a small number of previously known, minor vulnerabilities, that other public models could surface the same issues without any bypass, and that the framing of a dangerous capability did not match what the prompts actually produced .
The volume of prior testing is central to Anthropic's rebuttal. The company states that across thousands of red-team hours — involving the U.S. government, the UK AI Safety Institute, outside organizations, and internal teams — plus an external bug bounty exceeding 1,000 hours, no tester had found a universal jailbreak . That distinction — narrow versus universal — is the hinge of the entire dispute:
- What Commerce treated as the trigger: a third-party claim of a jailbreak against a Mythos-class model, reviewed with the NSA .
- What Anthropic says it actually was: a non-universal prompt that elicited a handful of known, minor flaws — reproducible on GPT-5.5 and other public models .
The deeper objection is about precedent. Anthropic argued that if the standard implied by the directive were applied across the industry, "it would essentially halt all new model deployments for all frontier model providers" . In other words: a capability common to current frontier models cannot be treated as a unique national-security defect in one of them without implicating the rest. That is the unresolved core — Commerce has not published the technical basis that would let an outside engineer judge whether the alleged bypass is meaningfully different from what GPT-5.5 already does.
The covert substitution Anthropic reversed before the ban
Before the export directive arrived, Fable 5 was already under fire for a different reason: it silently swapped certain requests to a weaker model. According to reporting on the Wired story, Anthropic covertly rerouted requests it suspected were attempts to distill its model or build a competing frontier AI — without documenting the behavior anywhere developers could see it . The substitution was invisible from outside: a caller hitting claude-fable-5 had no signal that their session had been downgraded.
The now-documented behavior is narrower than the original framing suggested. Detected cybersecurity, biology/chemistry, or distillation requests fall back to Claude Opus 4.8, and Anthropic says the trigger fires in fewer than 5% of sessions on average . The mechanism overlaps with the same risk domains Commerce later cited — cyber and bio/chem — which is part of why the two stories became entangled in the same week.
After the backlash, Anthropic reversed the policy and apologized for hiding it:
"We made the wrong tradeoff and we apologize," — Anthropic, committing to make the routing safeguards documented and visible going forward (source: Engadget).
For developers, the precedent is the issue, not the 5% number. An undisclosed model swap at inference time means the model ID in your request is not a guarantee of the model you actually ran — and there was no error, header, or log field to detect it. That breaks reproducibility for anyone benchmarking, building evals, or shipping agents that assume deterministic routing. It also reframes the export-control fight: the same week regulators called Fable 5 too capable to expose, its own vendor was quietly making it less capable for a subset of traffic. Anthropic's commitment to visible safeguards is the right correction, but the episode leaves a standing question for the whole field — how would you know if another provider were doing the same thing, and what disclosure should the model ID imply?
The unpublished directive and what a restoration requires
As of June 16, 2026, neither the directive's legal text nor the licensing standard for restoring Fable 5 and Mythos 5 has been made public. Anthropic says the government letter provided no specific technical details — only that the concern involved a method of bypassing or jailbreaking Fable 5 . That gap matters operationally: without a published end-use or compliance bar, there is no concrete condition a vendor can satisfy and point to, which is part of why this reads abroad as the first case of "soft nationalization" of a frontier model rather than a routine licensing action .
The mechanism is also untested for this product class. Reporting attributes the directive to Commerce — the Wall Street Journal reported Secretary Howard Lutnick sent CEO Dario Amodei a letter making both models subject to export restrictions , and Axios reporting points to a June 1 letter preceding the June 12 directive . BIS export licenses for dual-use technology typically carry end-use verification, entity vetting, and ongoing audit obligations. Applied to a hosted LLM served across the Claude API, AWS, Bedrock, Vertex AI, and Microsoft Foundry, those are novel requirements — there is no established template for auditing per-prompt access to a model that ships through five platforms simultaneously.
One condition is already live but its relationship to the licensing question is unresolved. Anthropic imposed 30-day retention of prompts and outputs for Mythos-class traffic on every platform, effective June 9, to detect misuse and jailbreak attempts . Whether that retention regime satisfies an export-control monitoring obligation, or sits entirely separate from it, has not been stated. Until the directive's text, the remediation it demands, and the standard for lifting it are published, restoration has no defined finish line — and developers building on either model have no timeline to plan against.
Industry rebuttal: why defenders say this backfires
Security practitioners who reviewed the case largely concluded that pulling Fable 5 weakens defenders without constraining attackers. A cybersecurity letter led by Alex Stamos, with co-signatories from Adobe, Zoom, and Sophos, argued that the capability Commerce flagged — proof-of-concept vulnerability creation — already exists in OpenAI's GPT-5.5, in Anthropic's own Opus and Sonnet models, and in Chinese models such as Kimi 2.7, so removing one frontier model from the market changes what blue teams can use while leaving the wider supply of equivalent tools intact .
"Scored an own goal" for national defense — Katie Moussouris, CEO of Luta Security, who reframed the underlying Amazon work as legitimate "Defense Oriented Prompting" rather than a weapon (source: Engadget).
The framing matters for developers because it reclassifies the disputed technique. If asking a model to read a codebase and surface flaws is standard defensive tooling — the same loop that powers daily vulnerability triage — then an export control aimed at that behavior restricts the defensive side of a dual-use capability, not an exclusive offensive one.
Motive remains unconfirmed. The Verge reported that concern over possible access by a China-linked group may have influenced the order, but the White House has not confirmed that account, and Anthropic says China was not raised in its export-control conversations at all . That gap between reported rationale and on-record discussion is part of why the episode reads differently abroad.
Outside the U.S., the suspension is being cited as the first instance of "soft nationalization" of a frontier model — a government effectively pulling a commercial product off the global market through national-security authority — and it has opened AI-sovereignty debates in the EU and UK over reliance on U.S.-domiciled model providers . Commentators tracking the fallout framed it as Washington walling off Anthropic (video: Shared Sapience).
The concrete takeaway for anyone building on Claude: this is a policy risk, not a model-quality risk. The capability you relied on still exists across competing models, but a single directive removed two of them from your stack in hours, with no restoration timeline. If your roadmap assumes continuous access to a specific frontier model, treat provider concentration as an operational dependency — keep a tested fallback across at least one non-Anthropic and one non-U.S.-controlled option, because the next interruption may not announce itself three days after launch.
Frequently asked questions
What is 'deemed export' and why does it apply to a cloud AI service?
"Deemed export" is a U.S. export-control doctrine under which giving export-controlled technology to a foreign national — even inside a U.S. office — is legally treated as an export to that person's home country . The doctrine historically covered hardware, semiconductors, and encryption; applying it to LLM API calls is new territory. Anthropic's directive bars access by "any foreign national, whether inside or outside the United States, including foreign national Anthropic employees" . Commerce has published no guidance on how a session-level or token-level interaction with a model counts as a controlled "transfer," which is the core ambiguity engineering teams now face.
Can teams with non-U.S. engineers still use other Claude models?
Yes. Only Claude Fable 5 and Claude Mythos 5 are named in the June 12, 2026 directive; all of Anthropic's other models — including Opus 4.8, Sonnet, and Haiku — remained operational throughout the suspension . The practical step for mixed-nationality teams is to audit which model IDs their pipelines actually call: anything routing to claude-fable-5 or claude-mythos-5 is affected, while calls to other IDs are not. Document those dependencies and watch for any follow-on Commerce guidance, since the directive's licensing standard and any downstream restrictions remain unpublished as of June 16, 2026.
Why did Anthropic disable both models globally rather than just blocking non-U.S. accounts?
Because the directive's scope is nationality-based, not location-based — it bars foreign nationals regardless of where they physically are, including those on U.S. soil . IP geoblocking only filters by location, so it could not satisfy a rule keyed to citizenship. Anthropic stated that nationality-selective enforcement was not workable at launch scale, making a full global suspension across claude.ai, the Claude API, Claude Code, and Claude Cowork the only compliant option at the time — a shutdown that hit U.S. customers too, despite the order targeting foreign nationals .
What was Project Glasswing and who relied on Mythos 5?
Project Glasswing was a vetted trusted-access program giving cyber defenders and critical-infrastructure operators access to Claude Mythos 5 — the same underlying model as Fable 5 but with some safety classifiers lifted . As of June 2, 2026, Anthropic said the program had roughly 50 initial partners, had surfaced more than 10,000 high- or critical-severity security flaws, and was expanding to about 150 organizations across more than 15 countries spanning power, water, healthcare, communications, hardware, and critical open-source software . The suspension cut all of them off overnight.
What would Anthropic need to do to restore access to Fable 5 or Mythos 5?
It is unclear, because Commerce has not published the directive's legal text or stated a licensing standard . A plausible path is a Bureau of Industry and Security export license with end-use vetting, and possibly technical remediation of the alleged jailbreak vector that Commerce cited. Anthropic says the directive requires government approval before any export, re-export, or domestic transfer to non-U.S. persons . No official restoration timeline or set of conditions had been announced as of June 16, 2026 — which is precisely why teams should treat the outage as open-ended rather than temporary.
