Omi Iyamu · Personal DossierVol. XVII · 2026 Edition
Omi Iyamu.
HomeProjects & ExperienceUser ManualBriefsBlogPressBooksInterestsContact
← All essays
2026 · 06 · 154 min read

Anthropic sends staff to Washington to fight Fable, Mythos export controls

Anthropic dispatched senior security researcher Nicholas Carlini, head of safeguards Dave Orr, and risk-evaluation lead Logan Graham to Washington Saturday for direct talks with Commerce Secretary Lutnick and National Cyber Director Cairncross, seeking to end the export-control d

# The first export control on a commercial AI model, and what it changes for CTOs

The US Commerce Department's first export control on a commercial AI model is roughly seventy-two hours old, and the most important fact about it is that the negotiation is happening in real time. Saturday, Anthropic flew senior security researcher Nicholas Carlini, head of safeguards Dave Orr, and risk-evaluation lead Logan Graham to Washington for a closed-door meeting with Commerce Secretary Lutnick and National Cyber Director Sean Cairncross. Co-founder Tom Brown and policy chief Sarah Heck were already there. As of this morning, Claude Fable 5 and Mythos 5 remain offline globally.

If you build on foundation models, you do not get the luxury of waiting to see how this resolves. The architecture decisions you make this week will outlast whatever deal is or is not reached this week. Here is what I would tell a portfolio CTO.

## What the directive actually says

The June 12 letter from Commerce Secretary Howard Lutnick told Anthropic that any export, re-export, or domestic transfer of Fable 5 or Mythos 5 to non-US persons required prior government approval. The phrase that mattered was "any foreign national, inside or outside the United States." Anthropic does not run real-time nationality verification on its API; very few companies do. To comply, the company disabled both models for every customer everywhere. Refunds were offered for subscribers who signed up between June 9 and June 14.

The government's stated rationale is a jailbreak technique that Amazon scientists found, and that allegedly bypassed Mythos 5's cybersecurity safeguards. Anthropic, having reviewed what it believes is the underlying report, says the demonstrated capability is available from publicly deployed models, including OpenAI's GPT-5.5. Both reads can be true. The relevant point is that an eval finding by a third party moved national-security policy in seventy-two hours.

## What this means for architecture

Three things change for me.

First, the most capable tier of any foundation model is now a regulated input. Treat it that way. Do not architect a critical product flow that has zero fallback below the top tier. The capability gap between Mythos 5 and the next-best is real, but the operational gap between "available" and "available with conditions" is now larger. Design for a few weeks per year of unavailability at the frontier.

Second, model identity matters less than you think. The teams that will weather the next six months are the ones who have built a model-router layer with cost, latency, and capability metrics on every call. If your eval suite cannot tell you in twenty minutes which of three models passes 95% of your top-200 queries, you do not have an architecture. You have a vendor.

Third, the eval is the policy lever. The Amazon finding did not need to be a published paper. It did not need a press conference. It needed to land in front of someone in the White House. Whatever you think about the merits of the directive, the new fact is that third-party evals can now move policy at the speed of a meeting. If you ship a model, your safety review is now also a regulatory artifact. Treat it that way.

## What I am watching this week

I am watching for three signals. One — does the deal, if there is one, name a specific evaluation methodology that both Anthropic and the government accept? If yes, that methodology becomes the de facto standard for the next ten frontier models. Two — does any other lab get a similar letter? The Commerce Department's authority here is not lab-specific. Three — does the EU AI Act office say anything? The EU has its own mechanisms; an early statement would tell us whether this is a one-jurisdiction event or a coordinated posture.

I have been wrong before on how fast governance can move. In 2023, I assumed the EU AI Act would never have enforcement teeth on the timeline the text suggested. It does. I am updating again.

The honest read is that the regulatory regime around foundation models has been mostly text on paper for two years. Friday's directive is the first concrete instance of it behaving as policy. The companies that learn the most from this week are the ones who already have written evals, written incident plans, and written fallbacks. The companies that learn the most painfully are the ones who do not.

If you are debating what to write down first, write down your fallback model and how you would route to it tomorrow if your frontier provider went dark for fourteen days. Then write down which third-party eval result, if any, would change your safety posture before a customer notices.

I will be reading the Sunday updates carefully. Reply if you have a read I should consider.

If this was useful, the weekly Brief covers shorter ideas like this every Wednesday.
Read the Briefs →
© Omi Iyamu · MMXXVIContact → · linkedin.com/in/omiiyamu