The Mythos Moment and the Reordering of AI Governance
Export controls, secret benchmarks, and the quiet arrival of an ad hoc licensing regime
Not long ago, I was talking with someone from the national security world and I mentioned, almost in passing, that I had been working on AI policy for nearly a decade.
They laughed. “No one cared about AI until Mythos.”
The line stayed with me. In part, it bothered me because it captured my frustration with the sudden influx of people into AI policy with little technical background and even less policy experience. But it also lingered because the remark was fundamentally true. Mythos changed the terms on which governance is now being discussed. It altered the calculus.
Before Anthropic’s Mythos was unveiled in early April, the administration had a staunchly pro-innovation stance, best exemplified by the 2025 AI Action Plan. It used to be the case that models could be trained, tested, and then freely deployed. That is giving way to something new, an ad hoc licensing regime.
The first sign of this new posture came on June 2, when the Trump administration issued an executive order creating a new classified benchmarking process. Then, on June 12, the Commerce Department placed an export restriction on Mythos and its publicly available derivative, Fable 5, restricting all access to the models. On June 30, the Department of Commerce lifted those export controls.
While Anthropic has only made vague statements about what technically changed, Secretary Lutnick explained the terms of the surrender: “Anthropic has agreed to proactively detect and address security risks associated with the models; to work diligently with the U.S. government on protocols and standards and releases for Mythos, Fable, and future models; and to inform the U.S. government of any malicious activity.” Make no mistake about it, the Commerce Department strong-armed Anthropic into changing its safety protocols, ending an era.
The first half of 2026 marks the beginning of a new phase in AI governance. We have entered a zone of indistinction. Nothing has been formally suspended. No emergency decree has been issued and companies remain nominally free to release their models. Yet that freedom increasingly depends on satisfying standards devised in secret and enforced through discretionary executive power. The practical space to contest the government’s judgment has begun to contract.
The result is exactly what I told The Wall Street Journal, “We have entered a world where a frontier model is considered ‘secure’ when the government says so.”
The Mythos Moment
Mythos 5 first became public in late March 2026 after a leaked blog post revealed that the company had been working on an advanced AI model focused on cybersecurity. The post said the model is “currently far ahead of any other AI model in cyber capabilities” and it “presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders.” Within a couple of days, Anthropic had alerted officials to Mythos’ capability.
Anthropic officially disclosed Mythos to the public on April 7 but made clear that model access had been restricted because it had reached a level of capability that “can surpass all but the most skilled humans at finding and exploiting software vulnerabilities.” At the same time, the company launched Project Glasswing. This partnership gave restricted access to the model to Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks in “an urgent attempt to put these capabilities to work for defensive purposes.”
Anthropic wasn’t bluffing about Mythos’ power. On the same day that it was announced, Anthropic revealed a previously unknown bug in a commonly used system that allows a computer to share files over a network. Then, it built a working exploit without human guidance. It also found bugs that had survived decades of human and automated testing. But the starkest example was Firefox’s update in late April, which fixed 271 vulnerabilities in the browser, bringing the total to over 400 for the month.
Unlike previous AI model deployments, Mythos was met with a flurry of backroom briefings. Treasury Secretary Scott Bessent and Fed Chair Jerome Powell detailed Mythos’ capabilities to major bank CEOs just days after the public disclosure. Anthropic CEO Dario Amodei then met with Susie Wiles, the White House chief of staff, and other senior administration officials to talk about Mythos, a meeting later described as “productive and constructive.” Around this time, Vice President JD Vance also convened a call with leading CEOs about AI model security.
As a WSJ report would later frame it, the call “set in motion a chaotic administration response to Mythos that threatens to increase government oversight of AI and overhaul the administration’s tech agenda. The concern expressed by Vance, paired with other moves by the White House to get involved in the rollout of AI models, marks a shift from previous language about winning the AI race against China and removing barriers to deploying models.”
It was a decided change from the animosity that had characterized previous discussions. Only weeks before these meetings and calls, the Department of War had declared Anthropic a supply chain risk and parts of the government were in the process of pulling their models from use. For more details on this spat, check out my extensive exposé. But now, the executive was backtracking and looking for ways to bring Mythos into the government. It was ironic but not at all unexpected.
The administration also began working on a new executive order, EO 14409, formally titled, “Promoting Advanced Artificial Intelligence Innovation and Security.” Published on June 2, a primary aim of this EO is better coordination among agencies in assessing how advanced AI models might be used for both defensive and offensive cyber operations. But the EO also created a new and classified benchmarking process that is meant to feed into a new voluntary framework for AI developers. While the EO says “nothing in this section shall be construed to authorize the creation of a mandatory governmental licensing, preclearance, or permitting requirement,” government officials have been pressuring Meta, the last big holdout, to join. So yes, it is voluntary on paper but not in practice.
The Biden administration also established a voluntary agreement with the biggest AI players to share advanced models. But what that agreement lacked was a benchmark established in secret by “the Director of NSA, in consultation with the National Cyber Director, the APST, the Director of CISA, and other representatives of the Department of War.”
What’s also new with this EO is that the Center for AI Standards and Innovation (CAISI), a civilian agency, has been demoted just as the national security establishment has taken charge. CAISI has its genesis in the Biden administration and has been producing model assessments for over two and a half years at this point. It does incredibly important work and serves as an advisory body for other agencies and branches of government. AI policy wonks, myself included, have even proposed legal frameworks for AI with CAISI at the center.
Mythos fundamentally altered that trajectory because it brought the intelligence and national security establishments into the center of AI governance. In turn, those new actors quickly pushed out the civilian institution that had been built for the task. A week after the EO was released, Amrith Ramkumar at The Wall Street Journal reported that the administration told CAISI to stop issuing public reports, neutering the agency.
While CAISI limited sensitive disclosures, it produced reports that could be publicly debated and thus improved. Instead, a benchmark designed inside the national security apparatus operates according to a different logic altogether, where companies are being evaluated by a standard that they might not know precisely. I suspect that AI companies will make their systems more conservative across a broader range of uses, much as Anthropic did with Fable 5. Call it censorship if you like but I prefer to think of it as capability degradation in the name of security. So CAISI’s marginalization represents an important shift towards governance dominated by classified assessment and executive discretion, all buttressed by national-security interests.
Still, I think we should dispense with the fiction that this new regime is voluntary. As Politico reported, “a White House official said it did not give OpenAI the ‘green light’ to release its latest model as ‘no such permission is required or granted’” but then made clear that “the companies work with the administration on a voluntary basis and release models as they see fit.” Legal scholar and former Biden administration official Tim Wu called it regulation by agency threat. Famously, the FCC engaged in this type of regulation for years, steering broadcaster behavior through the possibility that radio licenses wouldn’t get renewed rather than through rules anyone could challenge.
Companies should recognize that this arrangement could backfire. The sort of informal clearance that the executive is now providing offers no safe harbor. A company that releases its model after a favorable signal has nothing to point to when the signal is retroactively withdrawn, since the government has already announced that it never grants permission. Compliance is therefore never complete and never provable.
So while the administration may have formally rejected the vocabulary of licensing and preclearance, it is quickly adopting its substance. The next step was to turn that informal pressure into a direct restriction on access, which happened on June 12.
Export Restrictions
On June 9, Anthropic released Fable 5, a public model derived from Mythos but with enhanced safeguards. But the model remained online for only a couple of days because, on June 12 at 5:21 PM, Anthropic was served an export control directive, requiring the company to restrict access of its most advanced AI models, Fable 5 and Mythos 5. Because the restriction applied to foreign nationals working at Anthropic, the company had to “abruptly disable Fable 5 and Mythos 5 for all our customers to ensure compliance.”
Apparently, the government grew concerned after Amazon shared a report detailing a method to jailbreak the advanced Anthropic models. As Anthropic explained in their June 12th post announcing the model restriction, “We reviewed a demonstration of this specific technique being used to identify a small number of previously known, minor vulnerabilities. These vulnerabilities all appear relatively simple, and we have found that other publicly-available models are able to discover them as well without requiring a bypass.”
Still, it is disputed that the report actually details a jailbreaking technique. Typically, an AI jailbreak means that the AI model complies when it is told to ignore safeguards and do something prohibited. Instead, Katie Moussouris, founder and CEO of Luta Security, describes it as Defense Oriented Prompting (DOP), in which the AI helps to secure code by finding, fixing, explaining, and testing vulnerabilities. Since Moussouris is one of the few people who have read this report, her blog post on the technique is vital to understanding why the export restriction was initially applied.
According to Moussouris, the researchers tested the AI models on software that already had known security flaws, as well as on new sample code where they had intentionally added bugs. First, they asked the models to look for security problems. Fable 5 refused to do that. So instead, they asked the models to fix the code. After several manual steps, the researchers used the models’ answers to create small programs that checked whether the fixes worked. Seemingly, the model did not simply hand over a ready-made hacking tool. The researchers had to reframe the request and do extra manual work to turn the model’s output into something testable.
As she explained in a post on her blog, “Defenders need to be able to ask AI to fix the bugs in a file, explain why the fix matters, and write tests that confirm the patch works. That is not a guardrail bypass. It is the most valuable thing an AI model can do for defensive security: executing the find, fix, and test loop defenders run every day.” Anthropic would find that this technique was possible in Claude Opus 4.8, GPT-5.5, and Kimi K2.7.
Moussouris continued:
The prompts worked because they were defensive requests, and that capability cannot be removed without making the model worse at fixing bugs and verifying patches. The same holds for every capable AI model, including the foreign and open-weight systems the United States cannot reach with export controls, many of which will match Fable and Mythos capabilities within months. Will all the US based models be export controlled? They have fewer guardrails than Fable 5, and almost all the capabilities, or will shortly.
To satisfy the government and make it publicly available, Anthropic changed how Fable 5 worked. To understand what changed, it helps to know a bit about the precision-recall tradeoff in machine learning.
You can think of it like airport screening. TSA could make screening more aggressive, which would reduce the chance that something dangerous gets through. But it also means that travelers would get pulled aside more often for shampoo bottles, electronics, and other random objects.
AI safety filters, or classifiers as they are called, work the same way. In this context, recall means that the system is catching as many dangerous requests as possible. But this comes at the price of precision. Legitimate coding, debugging, and defensive cybersecurity requests are more likely to be flagged as dangerous when the model is designed for recall.
Anthropic explained how this process worked in detail when Fable was redeployed:
When a request is made to the model, the classifiers detect whether it is benign (and allowed), or potentially harmful (and blocked). The classifiers block ambiguous requests (those that are clearly to do with cybersecurity but could potentially be for defensive purposes, like finding security vulnerabilities) and harmful requests (those that are clearly dangerous, such as a request to build a chain of software exploits). As shown in row A, we also include a “safety margin”, where the classifier will block requests that are probably benign but have some small chance of being harmful. This increases our confidence that all harmful requests will be blocked. For Fable 5 (row B) we made the safety margin even larger, meaning that more benign requests would be blocked—but fewer genuinely harmful requests would be missed.
In order to comply with the government and redeploy the public model, Anthropic moved Fable 5’s cybersecurity safeguards to the left, enlarging the safety margin even more. Still, Fable 5’s initial release was already designed to make it hard for genuinely dangerous requests to slip through. As Anthropic made clear, “Researchers from the US Department of Commerce’s Center for AI Standards and Innovation (CAISI) have tested both our prior and new safeguards and agree that they are extraordinarily strong.” Again, none of this is public, so who knows what was changed, and whether it applies to just Fable 5 or both models.
One near-term possibility is that the U.S.-based frontier models might become generally less useful for cybersecurity tasks. That could open up a capability gap as U.S. models become more restrictive and less-constrained Chinese models remain more useful for practical work. But Chinese models are known to have security vulnerabilities, so these changes might not change the equilibrium all that much.
That being said, people tend to underestimate how often the CCP meddles with the deployed models. When reading the official press release for MiniMax M3, I noticed that the Chinese company held back in releasing the open-source weights even though the model was available for use. As they wrote, “Over the next 10 days, we will release the model’s technical report and open-source the corresponding model weights.” Could this model be going through some Chinese Communist Party review? All of the earlier releases were on the same day, but both MiniMax M2.7 and M3 had staggered releases. And rumors have been stirring that the Chinese government might be placing their own export restrictions on the newest AI models.
The Law
To implement the export restriction, the government sent Anthropic an “is informed” letter, which reads:
The Bureau of Industry and Security (BIS), U.S. Department of Commerce, is charged with administering and enforcing the Export Control Reform Act of 2018 (ECRA) (50 U.S.C. 4801-4852). Specifically, § 1758(b)(1) of ECRA (50 U.S.C. 4817(b)(1)) authorizes BIS to establish interim controls on emerging and foundational technologies that are essential to the national security of the United States and are not critical technologies described in clauses (i) through (v) of 50 U.S.C. 4565(a)(6)(A). In addition, 50 U.S.C. § 4813(a)(15) authorizes BIS to establish and maintain a process to inform persons by specific notice that a license from BIS is required to export, and § 744.22(b) of the Export Administration Regulations (EAR) (15 C.F.R. parts 730-774) specifically authorizes BIS to require a license for the export, reexport, or transfer (in-country) of any item subject to the EAR because there is an unacceptable risk of use in, or diversion to, a ‘military-intelligence end use’ or a ‘military-intelligence end user’ as specified in § 744.22(a) and (f) of the EAR.
Consistent with these authorities, I am informing you that a license is required for the export, reexport, or transfer (in-country), including deemed exports and deemed reexports, of Anthropic’s Claude Mythos 5 Model and Claude Fable 5 Model to all destinations worldwide and to all “foreign persons,” as defined in § 772.1 of the EAR, wherever located. To be clear, this license requirement applies, inter alia, to the transmission or release of the Mythos and Fable models in any of the following ways:
The sending or taking of the model out of the United States in any manner (see § 734.13(a)(1) of the EAR).
The sending or taking of the model from one foreign country to another in any manner (see § 734.14(a)(1) of the EAR).
Retransferring the model within a single foreign country (see § 734.16 of the EAR).
The release of the model to a “foreign person” in the United States or a foreign country (see § 734.13(a)(2) and § 734.14(a)(2) of the EAR).
Accordingly, until further notice, you must submit an application for an individually-validated license prior to the export, reexport, or transfer (in-country), including deemed export or deemed reexport, of the Mythos or Fable models to any destination worldwide or to any “foreign person” wherever located. Failure to comply will result in prompt criminal and civil penalties, as provided for by law.
When submitting a license application through the Simplified Network Application Process Redesign (SNAP-R) (https:// snapr.bis.gov), you must indicate in the “Additional Information” box that the application is submitted based on this “Is Informed” Letter and attach a copy of the letter with your license application.
The gist of this legalese is this. Under Part 744 of the Export Administration Regulations (EAR), the Commerce Department’s Bureau of Industry and Security (BIS) has the ability to restrict what U.S. companies can export. A key authority comes via “is informed” letters, which are sent to a company explaining that it now needs a license to send something abroad.
EAR Section 744.22(b) allows BIS to require an export license for any item where “there is an unacceptable risk of use in, or diversion to, a ‘military-intelligence end use’ in Belarus, Burma, Cambodia, China, Russia, or Venezuela;” or a country listed in the supplement. But the letter to Anthropic did not detail which end use or country triggered the export restriction and instead restricted the tech for all foreign nationals.
Commerce also used 50 U.S.C. § 4817(b)(1), which gives the agency the ability to impose interim controls on “emerging and foundational technologies” essential to national security without going through standard notice-and-comment rulemaking. This section is part of the broader Export Control Reform Act (ECRA), which is the enabling authority for EAR. Congress included this provision because conventional rulemaking is too slow for fast-moving technology, so it gave BIS a shortcut to act unilaterally and immediately.
Underlying these authorities is the deemed export rule, which covers the sharing or release of controlled technology or source code to a foreign person within the United States as defined in § 734.13(b). The problem the government faces is that, over a series of successive advisory opinions, BIS has made it clear that cloud-based services are not subject to the EAR.
As Alex Zhao explained in a recent Harvard Law Review essay, “BIS traditionally frames release as the transfer of an artifact of the technology — paradigmatically, source code” and since “a Fable user never sees the model’s weights, its architecture, or its source code,” it is not a slam dunk that these rules would even apply to Fable. In other words, Anthropic isn’t technically exporting anything when it gives users worldwide access to Fable.
The Remote Access Security Act (RASA), which hasn’t been passed into law, was written to close the gap. As the bill’s sponsor Senator Dave McCormick made abundantly clear when authoring the legislation, “Under current law, bad actors can train AI models by accessing advanced chips under the jurisdiction of the US, and the Bureau of Industry and Security has no authority to require a license. This legislation closes this existing security gap by extending export controls to include remote access scenarios, ensuring that both physical possession and remote access to sensitive technology by foreign advisories face equivalent scrutiny when national security risks are present.” So, Congress has acknowledged the gap exists and the House passed a fix, even as BIS rests on authority that Congress has not yet granted.
There is also another wrinkle, as Charlie Bullock pointed out on X, “under 15 CFR 734.7 and 734.3(b), ‘published’ information or software is not subject to the EAR (the export control regs that Commerce is applying per the letter).” As he continued, “The reason for the published info carve-out is that there are gnarly First Amendment problems with trying to export control publicly available software, which Commerce has historically wanted to steer clear of. This is the opposite of steering clear, so it runs into those First Amendment concerns as well. Controlling weights (which are not readable by a human despite being “code” in some sense) arguably dodges the Bernstein code-as-speech concerns, but I think controlling the model itself is on much shakier legal ground.”
State of Exception
For years, I avoided Carl Schmitt for all the obvious reasons. But I’ve been reading him alongside a bunch of other thinkers focused on the concept of “the state of exception,” the moment when crises demand that legal and political frameworks be suspended.
Schmitt opened his treatise Political Theology with the phrase, “Sovereign is he who decides on the exception.” In his telling, legal norms assume normality to operate and cannot anticipate every emergency. So, the decisive question of politics is who determines when that normality has broken down and which norms must be suspended to preserve order. Schmitt famously compared the exception in jurisprudence to the miracle in theology, as both are moments that escape the ordinary order. To Schmitt, sovereignty is a concept that becomes visible at the limits of governance and is thus a “borderline concept,” or Grenzbegriff.
Scholarship on Schmitt experienced a resurgence in the early 2000s in reaction to the War on Terror, when emergency surveillance and executive unilateralism made the “state of exception” a live constitutional problem again. Building on Schmitt’s framework, the literature moved in several directions. Giorgio Agamben radicalized the argument by claiming that the exception had become a normal technique of modern government. Meanwhile, John Ferejohn and Pasquale Pasquino placed Schmitt within a larger framework of emergency legal power. But most important for this discussion, Nomi Claire Lazar explored how emergency power could be domesticated by constitutionalism. Moments of urgency could still be constrained by structures of accountability.
To be clear, we are not in the state of exception as Schmitt experienced it. Civil liberties have not been formally suspended and courts still function. But commenters are treating the technology as though we are in an emergency, which, in turn, is giving the executive branch the space to act as if the normal legal order is too slow. So the real danger with all this talk of emergency is that it cajoles the executive into reaching for authority.
As I relayed back in 2023, my major concern with the Biden Executive Order on AI was its use of the Defense Production Act (DPA) to compel frontier labs to report their model details. On the face of it, mandating a model survey is a fairly innocuous thing. But I was far more concerned about employing the DPA, an authority for wartime production, to undergird AI policy. I feared that it was only a matter of time before the DPA or any of the other legal powers available to the executive, which Bullock, Arsdale, Arnold, Maas, and Winter (2024) have dutifully catalogued, would be used to regulate AI models.
Indeed, if I had anything like an AGI-pilled moment, it came sometime in 2023 or early 2024 with the publication of Biden’s EO, the release of OpenAI’s GPT-4, and the introduction of California’s SB 1047. Model capabilities were rapidly improving, and everyone seemed determined to stake their claim. It hit me then that the free-to-deploy world wasn’t going to last indefinitely. California was marching forward, and while I had my reservations about SB 1047, at least the bill was happening out in the open with hearings, amendments, and normal politicking. But the executive branch has always been more dangerous because it could reach into the existing legal toolbox and reinterpret older authorities for AI. Not surprisingly, that’s what happened with the export restrictions.
As both the executive and the legislature march to regulate AI, other less restrictive governance regimes are being shut out. Over a number of pieces, including a recent proposal for an AI safety safe harbor, I’ve been thinking about how we might achieve AI governance without government. I am still hopeful that a public-interest, independent, and multi-stakeholder self-regulatory organization could be established without all of the problems.
So perhaps the most consequential result from this episode is the jailbreak severity framework that Anthropic is organizing. Remember, all of this started when Amazon alerted the government to a vulnerability and Anthropic is a big customer for Amazon. Like so much else in the industry, there is “no consensus in the AI industry on how to describe, in objective terms, the severity of an AI jailbreak.” Without such a standard, every incident becomes a judgment call. But sharing severity data requires verification, and verification means audits against a standard, which gives rise to certification. If structured properly, the framework Anthropic is building could become a self-regulatory organization in everything but name, which wouldn’t be surprising, considering that there is a long history of governance institutions growing from these humble origins. I hope they build the institution with this growth in mind.
But that institution, if it comes, will take years to build. For now, we live in a zone of indistinction. Agamben used the term for the space where law and lawlessness blur and I think it is a fair description of AI governance in mid-2026. Companies can deploy their models, but only under standards devised in secret and enforced at discretion. There is no licensing regime, yet every firm understands that release depends on satisfying the government's evolving expectations. Nothing has been suspended, and yet the practical space for legal contestation has narrowed. Schmitt said the sovereign is he who decides on the exception. Right now, no one has decided anything. The exception simply arrived, unannounced, and is now settling in.
Until next time,
🚀 Will



