Cybersecurity Experts Urge U.S. to Reverse Anthropic Model Export Ban

Cybersecurity experts urge the U.S. to reverse the Anthropic export ban, warning it could weaken defenders and misread model safety risks.

A coalition of cybersecurity veterans is pressing the U.S. government to roll back a newly imposed export restriction on Anthropic’s most capable AI models, warning that the decision could weaken the very defenders it is meant to protect. In an open letter signed by dozens of security specialists, the group argues that the order has effectively removed advanced defensive tools from the hands of researchers, incident responders, and software teams that use large language models to identify weaknesses and harden critical systems.

The dispute centers on Anthropic’s Fable and Mythos models, two highly restricted systems that the company had positioned as especially capable at security work. After the government ordered Anthropic to limit exports of those models on national security grounds, the company responded by cutting off access worldwide. That move instantly turned a policy question into a practical one for the security community: should the most advanced AI systems be tightly controlled because they might help attackers, or broadly available because defenders need them to stay ahead?

The open letter says the answer is becoming clearer in practice. According to the signatories, the restriction has “taken the best models away from defenders,” leaving security professionals without tools they believe can help find bugs, test patches, and strengthen products before attackers exploit them. The group also warns that depriving defenders of top-tier systems while adversaries keep improving their own capabilities is, in their view, a dangerous imbalance.

What triggered the backlash

Anthropic said the U.S. government’s action came without a public explanation of the specific concerns behind the order. While the company has described both models as unusually powerful and potentially dangerous if misused, the restriction still stunned many in cybersecurity, particularly because the models were already being framed as tools for defense rather than attack.

The controversy began with Mythos, which Anthropic introduced as a preview in April. At launch, the company said the model was so capable at uncovering security flaws that access had to be tightly controlled to reduce the risk of abuse by criminals or foreign intelligence actors. That initial rollout was limited to about 50 organizations. Anthropic later expanded access to roughly 150 organizations across 15 countries, suggesting the company saw a controlled but meaningful defensive use case.

Then came Fable, released last week as a public-facing version of Mythos with extensive restrictions. Anthropic said Fable’s guardrails were designed to prevent use in biology, chemistry and cybersecurity, and to stop the model from being distilled by others trying to reproduce its capabilities. But many researchers quickly found that the safety measures were so strict they blocked nearly any prompt tied to cybersecurity at all, even legitimate defensive work.

“This action has taken the best models away from defenders,” the letter says, arguing that security teams need access to powerful models to find vulnerabilities and strengthen software before attackers can exploit them.

The letter and who signed it

By the time the letter circulated publicly, it had attracted 76 signatories from across the security field. The list includes figures with deep experience in defending major platforms, designing cryptographic systems, running bug bounty programs and advising companies on threat detection and response.

Among the better-known names are Alex Stamos, the former chief security officer at Facebook; Casey Ellis, founder of the bug bounty company Bugcrowd; Jon Callas, a veteran cryptographer and former security design and architecture manager at Apple; Paul Vixie, a well-known computer scientist and internet infrastructure figure; Dino Dai Zovi, former head of applied security engineering at Block; Katie Moussouris, founder of Luta Security; and Rachel Tobac, chief executive of SocialProof Security.

The scale of the response underscores how unusual this fight is. Security practitioners often welcome limits on dangerous tools in the abstract, but many say the new controls go too far if they prevent defenders from using the same capabilities that attackers may eventually obtain elsewhere.

Why cybersecurity veterans are worried

The core concern is a familiar one in AI policy: defensive asymmetry. If a model can help find vulnerabilities faster, write better test cases, or validate a patch, then restricting it may slow down the defenders who are trying to secure systems in real time. That becomes especially sensitive when the same capability could also assist malicious actors.

For the signatories, the government’s order appears to have crossed the line from caution into self-defeat. They argue that the best available models should not be removed from legitimate security work unless there is a clearly justified, narrowly tailored reason. In their view, blunt restrictions are more likely to harm the public than protect it.

The disputed jailbreak theory

Anthropic has suggested that the U.S. export action may have been influenced by a report claiming that Fable could be bypassed, or “jailbroken,” into revealing Mythos-level capabilities. That idea would support the government’s national security concerns if true, because it would imply that a model marketed as safely constrained might still be capable of dangerous use through prompt manipulation.

But that explanation is exactly what several experts now dispute. Katie Moussouris, one of the letter’s signatories, said she reviewed an unpublished paper that allegedly informed the concern. She wrote in a blog post that the research did not actually demonstrate a meaningful jailbreak at all.

According to Moussouris, the paper showed the model being asked to repair code that already included known public vulnerabilities and additional deliberately inserted flaws. She argued that when Fable initially declined to review the code for security issues, the researchers treated that refusal as evidence of a failed safety measure, even though, in her view, the model was simply behaving as instructed and trying to avoid risky security analysis.

Moussouris argued that the reported behavior could not be “meaningfully fixed” without weakening the model’s defensive value, and said defenders need AI systems that can examine code, identify bugs, explain fixes and generate tests that confirm whether a patch works.

In other words, what the paper framed as a problem may actually be the essence of useful defensive cybersecurity AI: the ability to inspect code, identify vulnerabilities, repair them, and validate the repair. Moussouris said that trying to eliminate that behavior would only make the model less useful to security teams without materially improving safety.

Why the disagreement matters beyond Anthropic

The open letter goes further than defending Anthropic’s models. It argues that the same method described in the disputed paper could allegedly be replicated on other frontier systems, including OpenAI’s GPT-5.5, Anthropic’s publicly available Claude Opus 4.8 and Sonnet models, and even some Chinese systems such as Kimi 2.7.

That claim is important because it suggests the issue may not be specific to one company’s model architecture or one product’s safety rules. If a similar effect can be reproduced across multiple top-tier models, then the government’s action against Fable and Mythos may not solve the underlying problem. Instead, it may simply shift advanced defensive capability out of reach for U.S. security practitioners while leaving the broader risk landscape unchanged.

This is the tension at the center of the debate over frontier AI regulation. Policymakers are under pressure to prevent national security harm, but the tools they use to do so can also limit legitimate uses that improve cyber resilience. The result is a policy challenge that has no clean solution: how to preserve public safety without slowing the teams trying to keep critical infrastructure, software and enterprise systems secure.

How Anthropic framed Fable and Mythos

Anthropic has repeatedly portrayed its frontier models as powerful enough to require unusual safeguards. When Mythos launched in preview form, the company said it was taking a highly selective approach to access because the model could be misused by sophisticated threat actors. That limited distribution was not just a marketing choice; it was part of Anthropic’s stated safety strategy.

Fable, by contrast, was released to the public with multiple layers of restriction. The company said the model should not be used in cybersecurity, biology or chemistry, and added anti-distillation controls intended to prevent others from reconstructing the model’s behavior through repeated querying or imitation. Those safeguards were designed to reduce harm, but many in the security community saw them as overbroad.

Security researchers often need to ask a model to analyze suspicious code, explain why a vulnerability exists and propose a safe patch. If a model refuses those tasks outright, it may be too locked down to be useful. That is the practical complaint behind much of the pushback: a model can be technically safe and operationally useless at the same time.

What defenders want from AI tools

  • Fast review of source code for known and unknown vulnerabilities
  • Plain-language explanations of why a flaw matters
  • Suggested remediations and secure code changes
  • Automated test generation to verify a fix
  • Support for triaging large volumes of security alerts

Those are not theoretical benefits. They are exactly the kinds of tasks that security engineering teams handle every day, especially in large organizations that manage sprawling codebases, cloud systems and third-party dependencies. The signatories’ argument is that the strongest models are the ones most likely to help with those problems.

The government’s national security logic

While the government has not publicly detailed the evidence behind the export order, its reasoning appears rooted in a familiar national security concern: advanced AI systems can be dual-use, meaning they can help both defenders and attackers. If a model has enough power to find flaws in software, it may also help an adversary discover the same flaws first.

That concern has grown more urgent as frontier models become increasingly capable of assisting with code generation, vulnerability discovery and automated exploitation workflows. Governments around the world are trying to figure out where the line should be between legitimate safety restrictions and overreach that suppresses innovation or defensive use.

In the absence of a public explanation, however, critics say the U.S. decision lacks transparency. The letter calls for rules that are enforced fairly and openly, with policy made through a democratic process and grounded in scientific evidence from both industry and academia. It also urges regulators to use the least restrictive measures necessary to protect the public.

The letter calls for transparent, fairly enforced rules built through a democratic process and based on scientific research, rather than ad hoc restrictions that may undercut defensive cybersecurity.

A broader fight over frontier AI governance

The Anthropic dispute is about more than one product launch or one export control order. It reflects a larger shift in how governments are approaching AI governance, especially in areas where the benefits and risks are tightly intertwined. Security, bioengineering, code generation and automation all present similar tradeoffs: the more powerful the tool, the more valuable it becomes to defenders and the more concerning it may be in the wrong hands.

That is why AI regulation is increasingly moving from broad principles to granular policy fights over who gets access to what, under which conditions, and for what kind of work. The result is a fragmented system in which companies may design their own safety gates, while governments impose separate restrictions based on national security assessments that are not always made public.

For cybersecurity experts, the stakes are especially high. If defensive teams lose access to frontier models, they may fall behind more capable attackers who continue to adapt. If access is too broad, the same tools could accelerate offensive operations. The current dispute over Fable and Mythos shows just how hard it is to get that balance right.

What happens next

The immediate consequence of the order is clear: Anthropic has suspended access to Fable and Mythos for users around the world. The longer-term outcome depends on whether the government offers more transparency, whether Anthropic can persuade regulators that the models can be used safely, and whether the broader cybersecurity community continues to rally behind the open letter.

It is also possible that this becomes a precedent-setting moment for frontier model controls. If regulators conclude that security-focused AI systems should be tightly gated, other companies may face similar pressure. If the criticism gains traction, policymakers may be pushed toward more nuanced rules that distinguish between offensive capability, defensive analysis and research use.

Either way, the episode highlights a fundamental problem in AI governance: a tool can be both risky and essential at the same time. The challenge is deciding which risks justify restriction, and whether those restrictions can be precise enough to avoid hurting the people trying to keep digital systems safe.

| Key issue | Anthropic’s position | Cybersecurity experts’ response |
| --- | --- | --- |
| Model access | Fable and Mythos were restricted after a U.S. export order | The restriction cuts defenders off from useful tools |
| National security concern | The government cited security risks without public detail | Experts say the rationale has not been convincingly shown |
| Jailbreak claim | Anthropic suggested a paper may have shown a bypass | Katie Moussouris says the paper did not prove a real jailbreak |
| Defensive use | Fable included strict guardrails against cybersecurity use | Researchers say those guardrails block legitimate security work |
| Policy ask | Restrict export of the most capable models | Adopt transparent, evidence-based, minimally restrictive rules |

Why the letter is resonating

The security community tends to be skeptical of hype, but it is also intensely pragmatic. Many of the letter’s signatories have spent years dealing with the exact kinds of threats AI may help address: software vulnerabilities, weak configurations, abuse at scale and slow patch cycles. For them, the promise of frontier models is not abstract; it is tied to daily operational reality.

That is why the open letter is landing as more than a protest. It is a warning that security policy can become counterproductive when it treats all powerful AI as a threat and ignores the defensive value of giving trusted users access to the best tools available.

The argument now moving through Washington and the security industry is not whether advanced AI should be governed. It clearly should. The real question is how to do it in a way that blocks misuse without kneecapping the people working to prevent breaches, patch bugs and defend the public internet.

For Anthropic, the current fight places its safety-first branding in direct tension with the practical needs of the experts it has long said it wants to serve. For the U.S. government, it raises the burden of explaining why a sweeping restriction is justified. And for cybersecurity professionals, it is a reminder that access to the right model at the right time can be a matter of real-world security, not just convenience.

As the letter’s signatories make clear, they do not want fewer safeguards. They want better ones: rules that are visible, proportionate and based on evidence rather than fear. Whether policymakers will accept that argument may shape the next phase of AI security policy in the United States.
