A coalition of cybersecurity veterans, including prominent figures from the industry, has issued a stark warning to the US government, urging it to reconsider its recent export ban on Anthropic's advanced AI models, Fable and Mythos. In an open letter, signed by 76 experts, they argue that the restriction is a 'dangerous' move that could severely impede the ability of cybersecurity defenders to protect digital infrastructure and software globally, including within the UK.
The US government imposed the export control order on Anthropic last Friday, citing undisclosed national security concerns. In response, Anthropic suspended worldwide access to both Fable and Mythos. The cybersecurity experts contend that this action 'has taken the best models away from [cybersecurity] defenders,' hindering their crucial work in identifying vulnerabilities and enhancing software security. They emphasise the peril of such a decision when 'adversaries are rapidly advancing' their capabilities.
Anthropic's Mythos, initially launched in a preview capacity in April, was touted as exceptionally powerful in uncovering security vulnerabilities. Its capabilities were so significant that Anthropic initially restricted access to approximately 50 companies, later expanding to around 150 organisations across 15 countries, specifically to prevent misuse by malicious actors. Fable, a more publicly accessible version, was released last week with stringent safeguards designed to prevent its application in sensitive fields like biology, chemistry, and cybersecurity, and to deter its replication.
The basis for the US government's ban may stem from a report suggesting a method to bypass, or 'jailbreak,' Fable's guardrails to unlock its more potent Mythos-level capabilities. Katie Moussouris, founder of Luta Security and a signatory to the open letter, has reviewed the Amazon research paper reportedly detailing this method. However, Moussouris disputes the paper's findings, stating that it did not demonstrate a true jailbreak. Instead, she argues, researchers merely prompted Fable to fix publicly known vulnerabilities in open-source code, a fundamental defensive task, after the model initially resisted security-related prompts.
Moussouris elaborated in a blog post that the described behaviour 'cannot meaningfully be fixed' without weakening the model's defensive utility. She stressed that 'defenders need to be able to ask AI to fix the bugs in a file, explain why the fix matters, and write tests that confirm the patch works.' This, she asserts, is not a guardrail bypass but rather the most valuable contribution an AI model can make to defensive security. The open letter echoes this critique, also claiming that similar model capabilities could be replicated using other AI platforms, including OpenAI's GPT-5.5, Anthropic's own Claude Opus 4.8 and Sonnet, and even Chinese models like Kimi 2.7.
The implications for UK businesses and consumers are significant. If cybersecurity professionals are denied access to cutting-edge AI tools for vulnerability detection, the overall resilience of digital systems could be compromised. This could lead to an increased risk of data breaches, cyber-attacks, and disruption to critical services, directly impacting UK enterprises' ability to innovate securely and consumers' trust in digital platforms. The UK's National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO) consistently advocate for robust cybersecurity practices, and limitations on advanced defensive tools could complicate these efforts.