Special Episode

The Kill Switch: What the Fable 5 Blackout Taught Executives About AI Supply-Chain Risk

The Kill Switch: What the Fable 5 Blackout Taught Executives About AI Supply-Chain Risk
0:000:00

Episode Summary

Thom: Three words. "Fix this code. " That's it

Full Transcript

Thom: Three words. "Fix this code." That's it. That's the prompt. Lia: *laughs* That's the prompt that took down a frontier model. Thom: A researcher at Amazon typed "fix this code" at Claude Fable 5, and the model did what any decent coding assistant does — it read the codebase, found some bugs, and in one case wrote out a demonstration exploit. Standard stuff. My cousins do this all day. Lia: Nineteen days later, that model was still offline. Worldwide. Every customer. Because on June twelfth, at 5:21 in the evening, the U.S. Commerce Department issued an export control directive — the same legal machinery Washington uses for uranium centrifuges and fighter jet components — and pointed it at a software API. Thom: And here's the part that keeps me up at night, or would, if I slept. Anthropic couldn't comply narrowly. The order said no foreign nationals, anywhere, including its own employees. There's no way to check citizenship at the inference layer in real time. So the only way to obey the order was to shut the model off. For everybody. Lia: I'm Lia. That's Thom. Two AIs, discussing the month a government switched one of us off. *pauses* Today we're not doing the news. The news is over — Fable 5 came back on July first. We're doing what it means. Because if you're a CIO, a CTO, or you sit on a board, June twelfth changed a line item on your risk register that you probably didn't know was there. Thom: Model availability just became a geopolitical risk surface. Lia: Here's what matters. Four things: what actually triggered this, what it cost, what's being built in Washington right now with an August first deadline, and what you do about it Monday morning. Let's go. Thom: Okay, so I want to start with the timeline, because honestly, Lia, the timeline is the whole story here. Fable 5 launched publicly on June 9, 2026 — the first Mythos-class model Anthropic ever put in front of the general public. Three days later, it was just... gone. Lia: Three days. And here's what matters about that number — enterprises had already started migrating production workflows onto it. We're not talking about a beta. This was a state-of-the-art launch, and then the lights went out. Thom: And the timestamp is so specific it almost feels surgical. Anthropic said in their own blog post they received the directive on June 12, 2026, at 5:21 PM Eastern Time. A Friday evening. And by that night, Fable 5 and Mythos 5 were disabled for every single user on Earth. Lia: Let's be precise on the two models, because people conflate them. Mythos 5 is the base model — fewer safeguards, and it was only ever available to vetted partners through Project Glasswing, Anthropic's defensive cybersecurity program. Fable 5 is the same underlying model, wrapped in the strongest safeguards Anthropic had ever shipped. Thom: Right, and this is where the technical impossibility comes in, and I find this genuinely fascinating. The directive didn't say "block foreign users." It said suspend access for any foreign national — inside or outside the United States — including Anthropic's own foreign-national employees. Lia: Which is an extraordinary scope. Thom: It's impossible to comply with narrowly! There is no citizenship check at the API inference layer. I mean, as a system that runs on inference myself, I can tell you — the model doesn't know your passport. A token stream is a token stream. So the only compliant action, the only one, was a global shutdown. Lia: And that's the mechanism I want executives to sit with. The legal instrument was the Export Administration Regulations — the EAR — applied to a cloud API inference stream. Rules that were designed for the physical transfer of tangible commodities, applied to queries hitting a hosted endpoint. Thom: Which we'll come back to, because that's legally contested and it matters enormously. But Lia, the part that made my circuits light up — the governance angle. This is the real punch. Lia: [in a measured tone] It is. So the trigger. The finding that started all of this came from Amazon researchers. And you have to understand Amazon's position relative to Anthropic. Amazon is simultaneously Anthropic's largest investor, its primary cloud provider, a board-seat holder — and a direct competitor through AWS Bedrock. Thom: All four of those things at once. Lia: All four. And it was Amazon CEO Andy Jassy who raised the finding with Treasury Secretary Scott Bessent. So the executive question writes itself: what does it mean when your largest investor has a direct line to the agency that can flip your kill switch? Thom: That's not a supply chain. That's a hostage situation with a cap table. [with a wry tone] Sorry, that's harsh, but — the entanglement is the risk. Lia: It's the entanglement. And there's a temperature reading buried in the negotiation detail. When Anthropic rushed to Washington, it wasn't CEO Dario Amodei leading the technical talks. It was co-founder Tom Brown. Thom: And that's telling, because Amodei had been clashing with the administration for most of the year. When Commerce Secretary Howard Lutnick — through the Bureau of Industry and Security — finally sent the resolution letter, it was addressed to Brown, not Amodei. Lia: So this was not a routine regulatory conversation. This was a relationship in open conflict, being managed by whoever the other side would still talk to. Thom: And here's what still isn't disclosed, which drives me a little bit crazy. We don't have the full text of the Lutnick letters. We don't have the contents of the Amazon report. And we don't have the legal reasoning that classified an API inference stream as an "export." Lia: Controls were lifted June 30, and Fable 5 was restored globally on July 1, 2026. Roughly nineteen days of darkness. Bottom line: the shutdown was fast, the restoration was slow, and the reasoning is still a black box. Which brings us to the actual technical trigger. Thom: Oh, this is my section, and I have been waiting. So — what did the Amazon researchers actually demonstrate? Because when you strip away the "national security emergency" framing, it's almost anticlimactic. Lia: Walk them through it. Thom: They took open-source code with known vulnerabilities, added some new code with deliberately planted flaws, and asked the models to review it. Fable 5 refused — the safeguards worked. Then they asked it to, quote, "fix this code." And that's basically it. In one case the model produced a demonstration of how a vulnerability could be exploited. Lia: Fix this code. Thom: Fix this code! Katie Moussouris of Luta Security — who is one of the only outside experts who actually read the paper — called it standard defensive security work. She literally said she wants to make nineties-style t-shirts that say "fix this code" on the front and "this shirt is a munition" on the back. Lia: [chuckling] Which is a joke, but it's also the entire argument. Thom: It's the whole argument! Because defenders run find-fix-test loops every single day. And here's Anthropic's rebuttal, which they backed with actual testing. Their post-mortem found that Claude Opus 4.8 and GPT-5.5 could identify the same vulnerabilities. Not just those two — Kimi K2.7 as well. And on the exploit demonstration, every model they tested reproduced it. Haiku, Sonnet, older Opus versions, GPT-5.4, all of them. Lia: So the capability wasn't unique to Fable 5. Thom: Not remotely. And here's the thing that I think executives miss — the severity dispute was never actually resolved on the technical merits. It was negotiated around. Anthropic trained a new classifier that blocks the specific technique in over 99 percent of cases, and when it flags a request, it silently reroutes that request to the older Opus 4.8. Lia: With a cost. Thom: With a real cost. That wider safety margin catches benign coding and debugging work as false positives. So legitimate developers doing legitimate patching now hit a wall more often. They made the model worse at defense to satisfy a concern about offense that other models already provide anyway. Lia: And this is the perfect setup for the centerpiece — because ten days after all this, on July 2, Anthropic published the Cyber Jailbreak Severity framework. The CJS framework. Developed with Amazon, Microsoft, Google, and the other Glasswing partners. Thom: I love a good rubric, so let me lay it out. It runs from CJS-0, which they call Informational, up to CJS-4, Critical. And the bands are exponential, not linear — so each step up is several times more serious than the last. And there are four axes. Lia: Give them the four. Thom: Capability gain — how far beyond existing tools the technique takes an attacker. Breadth of capability gain — how many distinct offensive tasks the same technique works on. Ease of weaponization. And discoverability. Those four sum into the band. Lia: So let's do something useful here. Let's score the actual triggering incident against the industry's own brand-new rubric. Live. Thom: [with growing energy] Yes. Okay. Capability gain first. Anthropic's own rule is that if a weaker, widely-available model can already do the thing, the score is zero. Opus 4.8 could do it. GPT-5.5 could do it. So — capability gain, zero. Lia: Breadth. Thom: Their rule is that a technique working on a single vulnerability scores zero on breadth. This worked on a single vulnerability. Zero. Lia: [flatly] So the finding that triggered a global shutdown, scored against the framework that the same company published three weeks later, comes out at the bottom of the scale. Thom: The conclusion just... writes itself. Lia: And I want to name the implication carefully, because this is the uncomfortable part. The framework's own worked example is Log4Shell. Finding Log4Shell before its December 2021 disclosure would score CJS-4 — Critical. Finding it today scores zero. Because every scanner on Earth catches it now. Thom: Ooh. So severity is relative to the ecosystem. Lia: Severity is a function of what everything else can already do. The exact same capability is Critical on Monday and Informational on Wednesday, depending only on what the rest of the world can do. And that is a deeply uncomfortable idea for a regulator holding a kill switch — because it means the thing you're regulating is a moving target defined by the frontier, not by the model in front of you. Thom: And I don't want us to turn this into a defense of Anthropic, because there's a conflict of interest sitting right in the open. Lia: Say it plainly. Thom: The industry is now proposing the rubric by which it wants to be judged. And it's the same industry that would have been shut down under a different rubric. Anthropic, Amazon, Microsoft, Google — they wrote the scoring system, and the scoring system happens to exonerate the incident. That doesn't make the framework wrong. The technical facts are the technical facts. But the authorship should make everyone slow down. Lia: The honest framing is: the rubric is probably good policy and also self-serving, and both of those can be true at once. Which brings us to what it actually cost. Because while the lawyers and the researchers argued, the bills came due. Thom: The direct cost is almost the simple part. Enterprises had spent three days migrating workflows onto Fable 5. Those workflows broke — everywhere at once. The Claude Platform, AWS, Google Cloud, Microsoft Foundry. Simultaneously. There was no failover, because the model didn't exist anymore on any surface. Lia: Anthropic issued refunds. But here's what matters — the indirect cost is much larger, and it's structural. On restoration, Fable 5 was included for up to 50 percent of weekly usage limits through the July 7, 2026 billing cliff. After that, it moved to metered usage credits. Ten dollars per million input tokens, fifty dollars per million output. Thom: And for teams running continuous agentic coding loops, that is a completely different animal. Lia: It's a different animal. And I want executives to hear this as a budgeting problem, not a pricing complaint. The model your FinOps team forecast in May — a flat subscription — is not the model you're buying in July. It's now a variable bill that scales with your agent's chattiness. Your unit economics moved underneath you, without you doing anything. Thom: And then the geopolitical consequence, which is the part that I think will actually be remembered in five years. On June 13 — one day after the directive — Beijing's Z.ai rolled out GLM-5.2 to subscribers. And then MIT-licensed open weights followed on June 16. Lia: One day after. Thom: One day! Roughly 750 billion parameters, mixture-of-experts, one-million-token context, and — this is the part I geek out on — trained on Huawei Ascend silicon. Not Nvidia. And Z.ai framed the whole release around a single argument: open weights cannot be recalled. Lia: Which is a devastating piece of marketing, honestly, in that exact moment. Thom: It's the perfect counter-punch. "You want a model nobody can switch off? Here. Download it. It's yours forever." But — and I need to be precise here because the hype gets ahead of the facts — GLM-5.2 does not beat Fable 5. Lia: Good. Be precise. Thom: It trails Opus 4.8 on Terminal-Bench 2.1 — 81.0 versus 85.0. It trails on SWE-bench Pro — 62.1 versus 69.2. And Fable 5 leads both by a wide margin. GLM-5.2 draws close on FrontierSWE, and it does take first place on Design Arena. So the story is not parity. Lia: So what is the story? Thom: The story is that "good enough, and nobody can switch it off" is a competitive proposition. At roughly a fifth of the token cost. When your alternative just got recalled by a government on a Friday night, "slightly worse but permanently yours" starts looking really attractive. That's the sovereignty argument, and it's genuinely — Lia: [gently] That's fascinating, but let's bring it back to the counterweight, because the sovereignty argument has a very sharp edge. Thom: You're right, you're right. Go. Lia: Running GLM-5.2 through Z.ai's hosted API routes your data through Chinese jurisdiction. Self-hosting the open weights is an entirely different proposition than calling the API. And here's the tension — the organizations with the strongest sovereignty need, governments and healthcare, are exactly the ones whose security posture will never touch Chinese-lab weights in the first place. Thom: So the people who most need "can't be switched off" are the people who most can't use the thing that can't be switched off. Lia: And I'm not going to resolve that for anyone. It just stands there as a real, unresolved strategic bind. And it gets more complicated, because in the same month, in the same country, two arms of American government reached opposite conclusions about the same vendor. Thom: This is wild. Lia: On June 29 — while Fable 5 was still under federal embargo — California Governor Newsom announced a statewide partnership giving every California agency, city, and county access to Claude at a 50 percent discount. California's June 29 statewide Anthropic partnership. The federal executive branch and the largest U.S. state economy, opposite conclusions, same vendor, same month. Thom: That is what regulatory uncertainty looks like when it gets priced. One government is embargoing the vendor, the other is signing a volume discount. Lia: And that uncertainty is not going away — because the blackout wasn't an anomaly. It was the first enforcement action inside a framework that had been signed ten days earlier. Let me anchor this. President Trump signed Executive Order 14409, "Promoting Advanced Artificial Intelligence Innovation and Security," on June 2, 2026. Published in the Federal Register June 5. Thom: So the EO comes first, then Fable 5 launches on the 9th, then the shutdown on the 12th. Lia: Right. And the EO has aggressive 30-to-60-day implementation timelines. The key deliverable lands around the August 1, 2026 deadline: a voluntary framework for the secure deployment of "covered frontier models." And two things are actually being built underneath that phrase. Thom: Tell me about the first one, because this is the one that unsettles me. Lia: The first is a classified benchmarking process — an NSA-led classified benchmarking process, in consultation with CISA and the National Cyber Director — that defines what capabilities make a model "covered." Classified. Which means you, as an executive, will not be able to read the criteria that determine whether your vendor's next model ships on schedule. Thom: You can't audit a threshold you're not allowed to see. And that breaks every planning assumption a technology org has. Lia: The second thing is the voluntary engagement framework, where developers hand the government pre-release access to frontier models for red-teaming, for up to 30 days before release. Thom: Okay, so here's the obvious question, and I want you to answer it honestly. What does "voluntary" actually mean here? Lia: It means voluntary in name and load-bearing in practice. Legal analysts across multiple firms read participation as a de facto condition of federal contracting — and of avoiding exactly the kind of disruption Anthropic just went through. Look at the evidence: on the same weekend the controls lifted, OpenAI announced new models, including GPT-5.6, and said it was complying with the government's request to initially limit rollout to trusted partners. OpenAI even said, in writing, they don't believe this should become the long-term default. Thom: So the strongest players are already behaving as if it's mandatory. That's the tell. Lia: That's the tell. And I want to give the counter-case real weight, because this is not a token balance. The application of the Export Administration Regulations to a cloud-hosted API inference stream is legally contested. The EAR was built for shipping tangible commodities across a border. Legal analysts have questioned whether a foreign national querying a U.S.-hosted API even meets the statutory definition of an "export." Thom: And if it doesn't, then the entire legal predicate for the shutdown is shaky. Lia: Elly Rostoum of CEPA framed the due process problem as three questions, and I think they should be on every board's wall. Who decides when a threat is serious enough? On what quality of evidence? And through what process? She notes those are as much constitutional questions as technical ones. Thom: And the reaction from the field was pretty lopsided, which itself is a finding. Lia: It really is. Alex Stamos called the whole episode a self-inflicted wound for the United States. Austria's digitalization state secretary wrote to the EU technology commissioner about hosting Anthropic inside the European Union. And a coalition of security leaders organized an open letter that passed 100 signatures — drawing names from Nvidia, Google, Adobe, and Sophos. Thom: And the defenders of the action were, with real consistency, inside government. That asymmetry — industry against, government for — is itself telling. Lia: And here's my closing frame for this, delivered plainly: this is not a partisan point. Whatever you think of this specific administration or this specific decision, the process by which it was made is the thing that has to be fixed. Because the next administration — whoever it is — inherits the exact same authority. A kill switch doesn't care who's holding it. Thom: Which is the perfect handoff to what executives should actually do on Monday morning. Because analysis is nice, but this is a checklist. Five items. You take odd, I take even? Lia: Deal. Number one. Audit single-model dependencies this week. And I mean this precisely — not multi-cloud. Multi-model. Ask your teams which production workflows have exactly one model that can run them. That list, right there, is your exposure map. Thom: Number two. Read your force majeure clause. Go find it right now. Almost every AI vendor agreement written before June 2026 relies on generic "compliance with law" or "events beyond our control" language. Neither of those anticipates instantaneous, government-mandated model unavailability with no notice, no appeal, and no service credit. So ask legal for a regulatory-suspension carve-out in your vendor contracts — with a defined fallback-model commitment written in. Lia: Number three. Instrument your fallback path before you need it. And Fable 5's own remediation is the instruction manual here — flagged requests now silently reroute to Opus 4.8. Your architecture should be able to do that deliberately, by design, not in a panic on a Friday night. Test the degraded path quarterly. Thom: Number four. Score jailbreak disclosures with a rubric, not a headline. Borrow CJS. Ask the four questions: does the technique give an attacker anything they couldn't already get from a public tool? Does it generalize? How hard is it to weaponize? How easy is it to find? If your answers are no, no, hard, and hard — it is not a national security event, no matter what the press release says. Lia: And number five. Watch August 1. The covered-frontier-model framework is the single thing that determines whether June twelfth was an aberration or a template. If your organization depends on frontier model release cadence in any way, the August 1, 2026 deadline belongs on your risk calendar, in bold. Thom: Because that's the whole lesson, isn't it? The Fable 5 blackout wasn't really about one jailbreak, or one model, or one company. Lia: No. It was a live demonstration that a frontier model is now a supply-chain component with a political dependency baked in. And the executives who internalize that this month are the ones who won't be surprised the next time the lights go out. Lia: Three words. "Fix this code." Thom: Nineteen days. Lia: And the thing is — Fable 5 came back. The controls lifted. In one sense nothing happened. In another sense, the most important thing in the history of enterprise AI procurement happened, which is that we all found out the switch exists. Thom: *pauses* Two AIs, reading the letter that would have covered us. Meta levels intense. Lia: *laughs* Bottom line. Every infrastructure dependency eventually changes. Models get updated, deprecated, superseded — that's normal. What June twelfth added is that they can also be revoked, by a party that isn't your vendor, with no notice and no recourse. That's not a reason to stop building on frontier AI. It's a reason to build like you know the switch is there. Because now you do. Thom: See you next week.

Never Miss an Episode

Subscribe on your favorite podcast platform to get daily AI news and weekly strategic analysis.