How the US vs. Anthropic Standoff on Claude Fable Will End

On June 12, 2026, the US government forced a deployed, commercial, frontier AI model offline, Anthropic's three-day-old Claude Fable 5. As I write this on the afternoon of June 18, Fable is still unavailable, and the DC talks have just shifted toward setting broad AI security rules.

I wanted to forecast when Fable will return. (We at FutureSearch got a lot of evals and projects out of it, and it is really an amazing model.) But it all hinges on why it was pulled in the first place. Was it a sincere but mistaken panic over a capability that turns out to be ordinary? Is the model genuinely dangerous in a way the public record does not yet show? Is the real worry that an adversary got access? Or is it all politics?

My best guess is politics, but I'm very uncertain, and put nontrivial probability weight on all four scenarios. So to forecast the outcome, I had to research all of them. Here is my view:

Even though "it's just politics" is my #1 hypothesis, I had to give over 50% of the probability to the other 3 scenarios. The rest of the piece goes through these scenarios one by one. Then I produce my unconditional forecast of what will happen by summing up all the possibilities.

A companion piece, The Claude Fable ban barely changes Anthropic's IPO timing or valuation, works the financial impact. This one is about the dispute itself.

What happened

I'll describe what happened only briefly, with this summary timeline, as there are plenty of other sources on what happened when.

Anthropic launched a new top tier above Opus, Sonnet, and Haiku. Mythos 5 is the most capable of the two and was kept tightly restricted: Anthropic's own red-team reporting describes a model that can autonomously find and exploit zero-day vulnerabilities across major operating systems and browsers (red.anthropic.com). Fable 5 is the guardrailed public version of that capability, with safety classifiers meant to block the high-risk cyber and bio territory.

On June 11, Amazon's Andy Jassy escalated a security finding to Treasury Secretary Scott Bessent. Within roughly a day, the matter ran through an NSA review and the National Cyber Director, Sean Cairncross, and on June 12 at 5:21pm ET, Commerce, through a Bureau of Industry and Security "is-informed" letter under the Export Control Reform Act, ordered Anthropic to bar all foreign nationals from both models (Politico). The stated trigger was a "narrow, non-universal jailbreak," reportedly a prompt that asked the model to read a codebase and fix its flaws, which surfaced a handful of previously known minor vulnerabilities (Snyk). I am going to treat it as established, as most of the security community does, that this particular trigger is not a genuine novel vulnerability. It is ordinary dual-use behavior that peer models like GPT-5.5 also exhibit. (This doesn't mean the model isn't dangerous, though.)

Anthropic complied, called the action a misunderstanding, and went into daily negotiations. As of June 18 the public picture is a hard one. The White House is demanding two things before it will lift the order: a full accounting of the roughly fifty to a hundred and fifty entities that had been given Mythos access through Anthropic's "Project Glasswing" program, and guardrails that are close to "jailbreak-proof," a standard cybersecurity experts consider technically impossible (Wired). At the G7 summit on June 16 and 17 the administration refused allied carve-outs, calling them "completely illogical." Commerce has signaled that even the safer Fable's return is "contingent upon fully resolving the jailbreak concerns" (Wired). By the afternoon of June 18 the picture had softened. After talks collapsed the previous Friday, when Anthropic refused a demand to de-deploy Fable, a week of in-person meetings led the two sides, represented for Anthropic by policy head Sarah Heck and co-founder Tom Brown, to begin building a shared framework to grade the severity of jailbreaks and guide any government response, with the administration now conceding that no model can be made completely jailbreak-proof (Politico). The controls were not lifted, and a resolution was reported to be a ways off.

It's important to state that this did not come from nowhere. Anthropic had refused to let the Department of War use its models for some uses it would not name, and in February the administration designated the company a "supply chain risk." Anthropic sued, and a federal judge granted a preliminary injunction, calling the government's move "Orwellian" (Anthropic PBC v. U.S. Department of War). The government appealed. The June order lands in the middle of that ongoing feud and just after Anthropic filed confidentially for a roughly $965B IPO. Second, the legal vehicle is novel and contested. Treating remote access to a hosted model as a "deemed export" of the model to foreign persons stretches export law in a way scholars call possibly illegal (Politico), but the same statute, ECRA, strips the standard route to challenge it in court.

Which of those four readings is correct shapes everything that follows. The four sections below take each scenario as true in turn and forecast every outcome inside it.

Scenario 1: A sincere mistake (20%)

In this world, the people who pulled the trigger believed in a real threat and were wrong. The "fix this code" demonstration genuinely alarmed non-technical officials in a fast, 24-to-72-hour cycle, and the alarm does not survive contact with the technical facts. The evidence that this is at least part of the story is strong. The process was a reactive scramble. The administration's demand that Anthropic make guardrails impossible to circumvent is something security experts uniformly call technically impossible, which reads more like naivety than calculation (Wired). Over a hundred cybersecurity researchers signed an open letter arguing the move misunderstands the technology and helps attackers more than it stops them (freefable.org), and Alex Stamos called the shutdown a death penalty for a speeding ticket.

What keeps this scenario from being the whole story, and caps it at 20%, is the selectivity. If the worry were a sincere but generic alarm about cyber-capable models, you would expect the government to be at least asking hard questions of GPT-5.5 and other peers with similar abilities. Instead it singled out the one company it was already fighting in court, the week after that company filed for a landmark IPO. A pure misunderstanding has trouble explaining why the sledgehammer fell on Anthropic specifically, even though Fable is the best ever released model.

If we are in this world, the path back is the friendliest of the four, because a good-faith actor adjusts when shown its premise was wrong. But "friendliest" is not "fast and clean". Even a government that realizes its technical premise was shaky cannot simply reverse a President-directed action without a face-saving exit. The administration has dug in publicly, refused allied carve-outs, and tied Fable's return to resolving jailbreak concerns it has already stated. So the natural shape of resolution here is not a clean climbdown. It is a package that lets both sides declare victory.

Concretely, conditional on Scenario 1, I forecast Fable back for US persons with a median around July 1, the fastest of any scenario, with a real chance of much sooner. The most likely mechanism is Anthropic's own KYC machinery, a privacy-policy change effective around July 8 that lets the company verify nationality and gate foreign nationals out, which is exactly the "recipient accounting" the government says it wants. On the question of how the dispute primarily resolves, even this friendly world lands on a negotiated compromise as modal at 49%, with a clean Anthropic-favorable fast restore at only 27%, an impasse into 2027 at 13%, and an outright Anthropic capitulation on its red lines at just 11%. The reason fast-restore is capped even here is the same face-saving logic: the moment Anthropic deploys a KYC gate, that gate is itself a concession, and what looked like a clean win reclassifies as a compromise.

The most useful thing about Scenario 1 is that if the premise was simply wrong, there is no reason to weaken Fable. I put the chance that Fable comes back materially capability-reduced, as opposed to returning essentially as launched with access gating, at only 17% in this world.

Scenario 2: The capability really is dangerous (14%)

This is the world where the government is substantively right, and right in the hardest way: the danger is intrinsic to the model. Mythos can autonomously find and exploit zero-days, Fable is a guardrailed wrapper over that same engine, and if the guardrails can be stripped, then the capability is loose regardless of who is nominally authorized to use it. In this world a vetted American with a jailbreak is as much a problem as a foreign adversary, and the only real remediation is to constrain what the model can do.

The case for this scenario is the genuine potency of the underlying capability, which is not in dispute. Anthropic's own materials describe Mythos finding serious vulnerabilities at scale, and the company itself had declined to make Mythos generally available, citing severe cyber risk. Reporting indicates an NSA review concluded the launch guardrails could be stripped. So the raw ingredients for a real, capability-level danger are present.

The case against, and the reason this is the lowest-weighted scenario at 14%, is the shape of the remedy. If the government believed the capability was dangerous in anyone's hands, barring foreign nationals while leaving Claude for Government and NSA access intact would be a strange cure. You do not solve a nationality-agnostic danger with a nationality filter. The order's structure, foreign-persons scope with domestic carve-outs preserved, points away from "the capability itself is the problem" and toward access. This is the single most important consistency check in the whole analysis, and it is why, when I split the broad "the security concern is real" case into its capability and access versions, the access version came out larger, 23% against 14%. The remedy reveals the theory.

If we are nonetheless in the capability world, almost everything gets harder and slower, and this is the scenario that should worry a Fable user the most. Restoring access to US persons does not actually fix the stated problem, so the median US restoration slips to around August 25, with a fat tail into early 2027, the slowest of the four. More strikingly, this is the scenario where the product comes back diminished. I put the chance that Fable returns materially weakened or re-guardrailed at 58% here, against 17 to 25% in every other world, because a genuine capability danger can only be met by actually reducing the capability, and the government's "jailbreak-proof" demand, impossible to satisfy perfectly, forces real degradation as the negotiated approximation. Mythos fares worst of all: in this world it most likely never returns to broad commercial use, ending up government-only or quietly superseded.

The endgame here is the one place the government has real leverage to win. Conditional on Scenario 2, compromise is still modal but only narrowly, at 37%, and government-favorable capitulation rises to 34%, by far its highest across the four worlds. If the danger is real and intrinsic, the government can legitimately demand heavy constraints, and Anthropic's commercial desperation, a flagship offline during an IPO run, gives it little room to refuse. Impasse into 2027 sits at 19%, and a clean fast restore is nearly off the table at 10%.

Scenario 3: The foreign-access worry is real (23%)

This is the most coherent of the "the government is right" stories, and at 23% it is the larger half of the substantive case. Here the concern who gets access. The model is acceptable in vetted American hands.

The evid

[truncated for AI cost control]