Nineteen days offline, by government order

On 30 June 2026 Anthropic announced that the US Department of Commerce had lifted the export controls it imposed on Claude Fable 5 and Mythos 5, and began restoring access the next day. The suspension had lasted 19 days: imposed on 12 June, the order required blocking access for any foreign national anywhere, a condition Anthropic could not verify in real time, so the company took both models offline for everyone. CNBC, Decrypt and The Hacker News covered the shutdown and the reversal.

The trigger was specific. Researchers at Amazon had demonstrated a way to bypass Fable 5's safeguards and have it identify software vulnerabilities and demonstrate exploitation techniques. The government treated a jailbroken frontier model as a controlled cyber capability, and the market learned that a model can be switched off by directive, mid-contract, worldwide.

What actually bought the access back

The model did not return because the order expired. It returned because Anthropic presented a fix and an argument. The fix is a retrained safety classifier targeted at the reported technique, which the company says now blocks it in more than 99 percent of attempts; requests it flags are rerouted to Claude Opus 4.8, a less capable model, with a notice to the user. Anthropic concedes the tighter net catches more legitimate work too, accepting higher false positives in routine coding as a deliberate safety margin.

The argument is at least as important: capability parity. Anthropic documented that less capable, freely available models, including its own Opus 4.8, OpenAI's GPT-5.5 and Kimi K2.7, could replicate the same vulnerability demonstrations. Once a capability is everywhere, controlling one vendor's model restricts nothing. That logic reopened Fable 5, and it quietly defines how future controls will work: they will bind only at the very top of the capability curve, and the floor below keeps rising.

The framework published two days later

On 2 July Anthropic published the machinery behind the fix. Cyber-related requests are sorted into four tiers: prohibited uses like ransomware and data exfiltration, blocked entirely; high-risk dual use like exploit development and privilege escalation, mostly blocked until better access controls exist; low-risk dual use like open-source intelligence and vulnerability identification within existing tool capabilities, allowed with monitoring; and benign work like secure coding and incident response, allowed with minimal friction.

Alongside it came a proposed jailbreak severity scale, CJS, running from 0 for informational to 4 for critical, scored on four axes: how much capability the jailbreak adds beyond existing tools, how many offensive tasks it enables, how easily it weaponizes, and how discoverable it is. A HackerOne bounty program for jailbreak discovery accompanies the framework, which Anthropic labels an early draft.

CVSS for jailbreaks, and where it spreads next

Security teams have seen this movie. CVSS began as one vendor's scoring convention and became the number every patch decision, procurement questionnaire and cyber-insurance form asks for. A jailbreak severity scale fills the same vacuum: today, when a bypass technique circulates, a CISO has no standard way to say how bad it is. CJS, or whatever successor the industry converges on, gives risk committees, regulators and insurers a common denominator for AI-model exposure.

For European operators the direction of travel is concrete: expect AI vendor questionnaires to grow a jailbreak-severity section, expect insurers writing cyber policies to ask which models you expose to untrusted input, and expect the safety case (classifier evidence plus severity scoring) to become the document that decides whether a model may be used in regulated workflows under frameworks like NIS2.

The operator lesson: availability is now conditional

The deeper fact of the episode is not the jailbreak but the 19 days. A frontier model with enterprise contracts went dark globally by government directive, and came back only when a safety case satisfied the regulator. Model availability is now conditional on evidence, and outages of this class are a demonstrated failure mode, not a hypothetical. Any company whose workflows depend on a single frontier API should treat this the way it treats a single-supplier factory input: with a tested failover to a second model, a written procedure for switching, and a contract that says what happens to fees when the product is switched off by someone neither party can appeal to.