Thule AI Policy Advisors
16 June 2026 U.S. Federal Approx. 13 minute read

A Directive, Not a Rule: The Fable–Mythos Suspension and the Limits of Export-Control Authority

Late on 12 June the U.S. government ordered Anthropic to cut off all foreign-national access to two of its frontier models. The order is being read as the first export control on a deployed model. The more important fact is that it arrived as a directive rather than a rule — and that distinction governs what clients should be planning around.

At approximately 5:21pm Eastern on Friday, 12 June, Anthropic received a letter from the U.S. government, citing national security authorities, directing it to suspend all access to its Fable 5 and Mythos 5 models by any foreign national — whether inside or outside the United States, and including the company's own foreign-national employees. Because Anthropic does not operate infrastructure capable of verifying citizenship or nationality in real time at the point of inference, the only way to comply on the timeline the directive contemplated was to disable both models for every user, everywhere. That is what the company did over the weekend. Access to its other models was not affected. Anthropic has said publicly that it regards the order as resting on a misunderstanding, that it is contesting it, and that it has sent staff to Washington to argue for restoration. We expect the dispute to be resolved, in some form, within weeks. The precedent it sets will outlast the dispute by years, and it is the precedent we write about here.

In our September viewpoint on the Action Plan we flagged the model-weight export-control provisions of the third pillar as the sleeper compliance problem for frontier laboratories: until that framework issued, the United States had not, in general, regulated the export of foundation models as such, and we advised clients to begin preparing for a regime that did. We did not anticipate that the first concrete exercise of that authority would arrive not through the revised Commerce Control List entries the Plan directed, but through a single letter delivered on a Friday evening, addressed to one company, about two named models, with its legal basis undisclosed. The shape of the first use matters as much as the fact of it.

What the directive actually restricts

It is worth being precise about what was and was not ordered, because the public discussion has blurred the two. This is not, on its face, a restriction on the export of model weights to a jurisdiction of concern — the model-weight scenario the Action Plan's drafters appear to have had in mind, and the one the diffusion framework was built to address. Fable 5 and Mythos 5 are, as far as is publicly known, served through Anthropic's own infrastructure; their weights were not being shipped abroad. What the directive restricts is access — the ability of a class of persons defined by nationality to send prompts to a model and receive its outputs. The theory, in export-control terms, is that providing a foreign national with the ability to use the model is itself a controlled transfer to that person, regardless of where the person sits and regardless of whether anything resembling a weight ever crosses a border.

That theory is not new in form. It is the logic of the “deemed export” rule, under which releasing controlled technology to a foreign national within the United States is treated as an export to that person's country of nationality. What is new is its object. Deemed-export doctrine was built for technical data and source code — for blueprints, specifications, and the like. Applying it to interactive access to a deployed inference service is a substantial extension, and it is the extension that produces the directive's most striking feature: the inclusion of Anthropic's own foreign-national employees, who are now barred from using two of the systems they were, in many cases, hired to build.

The diffusion framework asked who may receive a model. This directive asks who may use one. That is a different question, and the authority to answer it is less settled than the speed of the order implies.

Under what authority

The single most consequential unanswered question is the legal basis, and it is unanswered because the text of the directive has not been made public. There are, broadly, two candidates, and the choice between them is not academic.

The first is the Export Administration Regulations, administered by the Bureau of Industry and Security under the Export Control Reform Act of 2018. If the directive rests on the EAR, then it is an exercise of an existing, statutorily grounded authority, and it carries the EAR's machinery with it: classification against the Commerce Control List, license requirements and the possibility of license exceptions, an administrative record, and the established avenues for advisory opinions and appeal. It also carries the EAR's constraints. A control applied through the EAR is supposed to attach to an item that has been classified, and the question of whether interactive access to a model is a controlled “item,” an “export” of technology, or something the existing entries do not cleanly reach is precisely the kind of question the agency is meant to resolve through rulemaking, not through a letter.

The second candidate is a fresh emergency action under the International Emergency Economic Powers Act. IEEPA would supply far broader and more immediate authority — it is the instrument of last resort precisely because it does not require the antecedent classification and procedural scaffolding the EAR does — but it would also mark a significant escalation, placing access to a commercial AI product in the same legal category as sanctions and asset freezes, and inviting the familiar challenges to IEEPA's outer limits. Our present reading, on the available information, is that the government is most likely relying on residual EAR authority, with IEEPA held in reserve; but we hold that view with low confidence, and the non-publication of the directive's basis is itself the central problem. A control whose source is undisclosed cannot be complied with prospectively. It can only be obeyed after the fact.

The trigger, and why the standard is the real dispute

The proximate cause, as reported, was research by scientists at Amazon — a substantial Anthropic investor and infrastructure partner — indicating that Fable 5's safeguards could be partially bypassed, and that the related Mythos system is unusually capable at identifying software vulnerabilities, including some that have gone undiscovered for years. That finding was carried to senior officials, and the government's concern, as Anthropic understands it, centers on the prospect of a jailbroken frontier model being turned to offensive cyber use. Anthropic's public position is that the bypass is not serious and that the order reflects a misunderstanding; the administration's position, voiced by senior advisers, is that the company was warned and declined to remediate before the directive issued. We take no view on the underlying factual dispute, which turns on classified and proprietary material neither we nor most commentators have seen.

The dispute that matters for the industry is not factual but legal-standards-based. If the operative test is that a frontier model may be suspended from foreign-national access whenever a credible jailbreak of a safety-relevant capability is demonstrated, then the test will reach essentially every frontier model, because the demonstrability of some jailbreak, somewhere, on a model of this class is at present closer to a certainty than a contingency. Anthropic has made exactly this argument — that a standard of this shape would halt new frontier deployments across the industry — and on the structure of the argument, rather than the merits of this instance, we think it is correct. A capability-plus-jailbreak trigger, applied through an undisclosed authority on a same-day timeline, is not a deployment standard. It is a discretionary switch.

The kill-switch precedent

Strip away the export-control vocabulary and what the episode demonstrates is a latent capability: the government can, in practice, cause a deployed frontier model to go dark for the entire world within a weekend, by directing a single firm that lacks the means to comply more narrowly. The over-broad effect — a global shutdown in response to a nationality-scoped order — was not the government's stated aim; it was the product of the mismatch between what the directive demanded (verification by nationality at inference) and what the company could actually do (turn the model off). But the lesson generalizes regardless of intent. The compliance infrastructure that would let a laboratory comply narrowly with an access directive — robust, real-time identity and nationality assertion at the point of use — does not currently exist at most frontier providers. Until it does, every access directive is, functionally, an off-switch.

This has two implications clients are already asking about. First, the build-versus-wait question on identity infrastructure has been answered: providers who serve, or expect to serve, regulated or government-adjacent markets should treat verifiable, auditable, per-request attestation of user nationality and location as a near-term engineering requirement, not a future one. The capability is the difference between complying with a future directive at the scope it actually specifies and complying by shutting the service. Second, the business-continuity exposure of single-provider dependence on a frontier model has been demonstrated in the most direct way available. Deployers whose products have a hard dependency on a specific frontier model now have a concrete, non-hypothetical scenario in which that model becomes unavailable globally, with no notice, for reasons entirely outside the deployer's control and unrelated to the deployer's own conduct.

The allied-nationals problem

One feature of the directive deserves separate attention because its diplomatic and commercial consequences are out of proportion to the attention it has received. A nationality-scoped access ban does not distinguish, on its face, between nationals of jurisdictions of concern and nationals of the United States' closest partners. As written and as implemented, it reaches British, Canadian, Australian, and New Zealand nationals — the United States' intelligence-sharing partners — on the same terms as anyone else, and it reaches them whether or not they reside and work in the United States. For a measure justified by national security, sweeping in the nationals of the states with which the United States shares its most sensitive security relationships is, at minimum, an awkward result, and it will not have gone unnoticed in those capitals. We expect it to surface in the bilateral channels, and we would not be surprised to see a partner-nationals carve-out emerge as part of whatever restoration is negotiated. Clients with cross-border workforces should not, however, plan on that carve-out arriving quickly.

What we are advising clients to do

For frontier laboratories, the immediate work is threefold. First, treat the legal-basis question as a live compliance input rather than a matter of academic interest: a control grounded in the EAR can be planned against through classification and license analysis, while one grounded in IEEPA cannot be planned against at all, and your posture should be built to function under either until the basis is known. Second, prioritize the identity and nationality-attestation infrastructure described above; the capacity to comply narrowly is now the capacity to keep a model online. Third, engage the agencies on the standard, not merely the instance. The question that will define the next several years is what general test, if any, the government regards itself as applying, and that test is far more likely to be shaped now, while it is unwritten, than after it has hardened into practice through a series of directives.

For deployers, the work is continuity planning. We are advising clients with hard single-model dependencies to inventory those dependencies, to identify the model substitutions that would be required if a given frontier model became unavailable without notice, and to confirm that their contracts with model providers allocate the risk of a government-ordered suspension in a way they can live with. Most current enterprise agreements do not address this scenario cleanly; force-majeure and service-level provisions drafted before 12 June were, in general, not written with a national-security off-switch in mind. The renegotiation of those terms is, in our view, the single most actionable item to come out of the episode for the deployer community.

The Action Plan told the industry that the United States intended to bring foundation models within its export-control authority. That much was clear in September. What the events of 12 June add is the form the authority takes in practice: not, yet, the published Commerce Control List entries with their attendant process, but a discretionary directive, issued at speed, on a legal basis the recipient has not been told, with effects that ran well past the order's nominal scope because the means to comply narrowly did not exist. A rule can be read in advance and planned around. A directive can only be received. The substantive merits of this particular directive may well be resolved in Anthropic's favor in a matter of weeks. The structural fact it revealed — that frontier-model access now sits within reach of an instrument that operates faster than any rulemaking and with far less constraint — will not be resolved by restoring two models. Clients who read the episode as a one-off dispute between one company and one administration will, in our view, have misread it.

This briefing was prepared by Thule's U.S. federal and export-controls practices. It is general information and does not constitute legal advice. It reflects publicly available information as of 16 June 2026; the directive's text and legal basis had not been published as of that date.

All viewpoints