Galaxy: Anthropic's Ultimate Model Dilemma

Author Alex Thorn, Managing Director and Head of Research at Galaxy Digital; Source: Galaxy Digital; Compiled by Shaw, Golden Finance

At 5:21 PM Eastern Time on Friday, June 12, Anthropic received an export control directive from the U.S. Department of Commerce, ordering it to ban two large language models, Fable 5 and Mythos 5, for all foreign nationals worldwide—including the company’s own non-U.S. employees. The U.S. side claimed that someone had found a way to bypass Fable 5’s security safeguards and to invoke the underlying Mythos model’s cybersecurity capabilities.

This AI company could not, within the government’s required deadline, segregate user permissions by nationality. As a result, within just a few hours, it shut down the two models worldwide. All other Claude models remained available as normal.

Two of the industry’s top large language models were taken offline solely because of a single private government notice, without any court ruling, without public filing materials, and without disclosure of the complete findings of the investigation. As recently as Wednesday, a Reddit user posted that Fable 5 had already been added to the product catalog of Amazon Web Services’ Bedrock platform, suggesting that cloud-based restrictions might be easing. Regardless, this incident creates tremendous risk for the AI industry, technological innovation, and the U.S. capital markets.

Crossing the Rubicon (Setting an Irreversible Precedent)

In substance, the U.S. government has declared that it can arbitrarily take commercial large language models off the market based on nothing more than a single administrative order. Although this control measure falls under export controls, its market impact is equivalent to a product recall.

In the area of AI regulation, the federal government has crossed a red line: previously, it was only responsible for setting industry-wide rules that everyone follows. Now it holds discretionary veto power that can determine which models can be released to the public, and when. Once this power is established, it will not shrink on its own. If the government does not adjust its policies in time, any future issuance of similar control directives will only become easier.

Worse yet, the grounds for triggering this particular control measure are themselves untenable, making this bad precedent even more severe. Katie Moussouris of Luta Security, the only external expert who has seen the underlying research reports, gave a blunt, full account of what is supposedly the “model jailbreak vulnerability.” Amazon researchers input open-source code containing known vulnerabilities into the model and asked it to scan for security risks; both models refused. The researchers then asked the model to fix that problematic code, and the model carried it out.

Cybersecurity expert Katie Moussouris

Moussouris characterized the testing scenario described in the directive as defensive prompt injection, not a true jailbreak that bypasses security safeguards. She said that this capability is precisely the core value AI can provide to cybersecurity teams. According to the description of the only expert who has seen the complete investigation file, simply the phrase “fix this code”—those five words—forced the industry’s top-performing, cybersecurity-specialized large language models offline.

The U.S. Department of Commerce has not publicly released the control directive it sent to Anthropic, nor has it disclosed the complete basis for issuing the directive. Whether on the Department of Commerce website, the Federal Register, or other public channels, no relevant published documents can be found. This control notice was issued only in the form of a private letter from the Bureau of Industry and Security. Neither the Department of Commerce nor Anthropic has made the contents of the letter public. The statutory authority the Department of Commerce relied on to issue the directive is also unclear.

The Center for Strategic and International Studies (CSIS) speculates that the Department of Commerce may have invoked so-called “informed notification” authority under the Export Control Reform Act of 2018 (ECRA)—a power in which the Department privately tells a company that its related products must now apply for export licenses, with the implementing control details carried out under the Export Administration Regulations (EAR). But the EAR contains no supporting rules for this statutory authority. That is also why control measures had never previously been issued based on it, and why the Department of Commerce has not issued corresponding implementing regulations.

A Regulatory Standard That Can Never Be Met

In the defense Anthropic itself published, one sentence directly exposes the irrationality of this policy. The company said that at present, no vendor can achieve complete defense against model jailbreaks; eventually, someone will find a universal bypass. For years, security researchers have held the same view: no commercially deployed model that has already gone live can be proven to withstand attacks deliberately targeted at it. Models reachable only through a closed API can be jailbroken through prompt-layer techniques; open-weight models can be modified outright, which directly erases the refusal logic built into the weights. Once model weights leak (which has happened multiple times historically), closed-source models exhibit exactly the same weaknesses as open-source ones.

The regulatory standard implied by the government is completely at odds with the objective reality described above. If the hard requirement for launching a model is that there is no method to trigger dangerous capabilities, then this standard is impossible to satisfy at the level of underlying logic. Even Anthropic’s own engineers have confirmed that this condition cannot be met. Therefore, the company cannot provide a guarantee that there are no vulnerabilities, and other manufacturers cannot do so either. Based on Anthropic’s logic, if the entire industry uniformly implements this review standard, the commercialization and rollout of frontier AI large language models would come to a complete standstill. A threshold that no manufacturer can meet is not a safety standard—it is simply a discretionary veto disguised behind a veneer of professional technical criteria.

A Backup Path: Universal Identity Surveillance

Suppose Anthropic wants to strictly comply with the literal wording of the letter: it will only provide services to users in the United States, and it will fully block foreign nationals from using the service. The only feasible solution is to implement complete identity verification for all users. Anthropic would need to roll out a full Know Your Customer (KYC) onboarding process, requiring users to upload nationality and proof-of-residence documents, with a level of complexity comparable to opening a securities trading account. Relying on this mechanism, the platform could allocate access permissions by nationality (even if so, the company’s non-U.S. employees would still be restricted). Without implementing identity verification, it is simply impossible to isolate foreign national users’ access to the Fable 5 model.

Existing reports show that Anthropic is preparing a user identity verification system to meet the regulatory requirements, and the leaked code files also support this. The company is building an access-control system with monitoring attributes, but it should stop pushing this plan immediately.

Western countries are building surveillance infrastructure.

Western countries have long been building this identity verification and monitoring system. The United Kingdom’s Online Safety Act took effect in July 2025, requiring the UK’s Office of Communications (Ofcom) to implement what it calls a “high-reliability age verification mechanism.” Officially recognized verification methods include passport/ID photo recognition, facial age estimation, and open banking verification (banks confirm a user’s age based on account information without disclosing underlying financial data). In the U.S., about 19 states have enacted similar identity-access-control regulations, and many of the bills are facing judicial challenges based on the U.S. First Amendment. The Electronic Frontier Foundation (EFF) has consistently opposed this kind of control, warning that mandatory identity verification creates massive, highly sensitive data honeypots and puts an end to online anonymity.

If KYC identity verification mechanisms are used to control access permissions for large language models, all of the harms above will be transferred onto AI—and AI is precisely the technology most capable of digging into and exploiting the data it has stockpiled. No cutting-edge AI lab should be forced to implement mandatory identity access. The government should not force companies to do so either. The internet should remain open and free, and the knowledge and computing-power dividends carried by AI should be open to everyone.

Regulatory Deadlock Created by Open-Source Models

This export-control approach is, in essence, bound to backfire, and the root cause is the open-weight ecosystem. Frontier AI technology is not monopolized by a small number of American companies. In a public open letter led by Alex Stamos and signed by more than 100 cybersecurity leaders (signatories include Bruce Schneier, Casey Ellis, Paul Vixie, and other prominent figures), the current situation is stated bluntly: the gap between China’s open-weight large language models and the top U.S. systems is only a matter of a few months, not a few years— and this is only for projects that have already been publicly disclosed.

If the U.S. government relies on export-control veto power to restrict top U.S. labs from releasing their strongest models, AI research and development will not stop; it will only shift to areas beyond the reach of the government’s control tentacles: classified government projects, overseas labs, and the open-weight ecosystem. Open-source models that are currently only a few months behind will quickly close the gap once the reference benchmark stops iterating. If the release of top models is restricted for the long term, within just one or two years, the strongest models that ordinary individuals and companies can deploy locally will most likely be open-weight projects from outside the U.S. Moreover, the security guardrails embedded in such models will be weaker than those of products the U.S. government forced offline.

Then how would the U.S. government respond? A model that is already widely mirrored and distributed across thousands of hard drives and hundreds of file-sharing networks simply cannot be “recalled.” The government might try to prohibit the public release of open-weight files, but this policy would directly conflict with the U.S. Constitution.

The U.S. has already gone through a similar regulatory standoff and ultimately lost. In the 1990s, the U.S. government put high-strength encryption technology on the U.S. Munitions List. Under the International Traffic in Arms Regulations (ITAR), encryption software was treated as a weapon for control purposes—encryption programs were classified in the same regulatory category as laser targeting systems and particle beam weapons. Over the following three years, the federal government investigated Phil Zimmermann because the PGP encryption software he developed (“Pretty Good Privacy”) spread widely around the world. The government determined that uploading code to the internet is equivalent to exporting a weapon. In 1996, the federal authorities dropped the entire investigation without bringing any charges.

Phil Zimmermann, the founder of PGP encryption technology

Zimmermann’s response became the defining landmark event of that era. He had the complete source code of PGP printed as a hardcover book through MIT Press. His core rationale was that printed code is clearly protected speech—even if the same code in electronic form would be classified as controlled munitions. Technology rights advocates adopted the same logic: they printed a compact RSA encryption algorithm written by cryptographer (and later Bitcoin participant) Adam Back on T-shirts, along with warning text—declaring that the T-shirt itself is a munition.

The courts recognized this legal reasoning. In the Bernstein case and the Junger lawsuit, federal judges ruled that source code is speech protected by the U.S. Constitution’s First Amendment. In 1996, the U.S. government moved encryption technology off the munitions list and transferred it to the Department of Commerce for oversight, greatly relaxing controls. This, in turn, paved the way for the flourishing development of today’s internet industry.

Later, Moussouris promoted the addition of exemptions for security defense technology under the Wassenaar Arrangement. In her response to this issue, she also cited this history: model weights are essentially just a string of numbers, and publicly releasing weights constitutes an act of speech expression. If the government bans open-source models at scale, it will inevitably trigger a multi-generation First Amendment legal battle—and the government itself is inherently at a disadvantage. The U.S. has already acknowledged that similar technical capabilities are widely available abroad.

Therefore, this export-control scheme fails twice over. First, it cannot restrain overseas adversaries, who develop their own large models; according to the tech outlet Semafor, the White House already suspects that a China-linked group has obtained Mythos-related capabilities. Second, the U.S. domestic frontier AI track will be handed over to open-source models and overseas competitors, over which the U.S. has no legal means of control.

Anthropic Penalized for Telling the Truth

It is worth noting that Anthropic disclosed information truthfully throughout the entire process. The company admitted that there is no perfect security mechanism; prior to product launch, it conducted thousands of hours of red-team and blue-team adversarial testing together with U.S. and U.K. governments; it proactively disclosed that its security system has limitations. But this candor became, instead, the basis the government used to punish it. If a company reduces testing and closes off discussion of risks, it would not become the target of regulation. Yet when honest disclosure of potential risks triggers regulatory penalties, the entire industry will form distorted incentives: all manufacturers will choose to disclose less, or not disclose risks at all.

Cybersecurity practitioners have also pointed out that this logic is backwards from another angle. Moussouris and the co-signed experts stated that forcing models offline would only deal a severe blow to security professionals—who rely on these tools to uncover and fix vulnerabilities before attackers strike—while malicious attackers are left unconstrained. The model capabilities the government fears are precisely the tools that defenders use to survive. They come from the same source, so you cannot delete only one side.

Arguments Presented by Those Supporting the Control Directive

Objectively speaking, some reports do show that the government’s concerns are not entirely baseless. At the end of June, Virginia Democratic Senator Mark Warner relayed testimony from NSA Director Joshua Rudd during a Senate hearing: in an authorized red-team exercise, the Mythos model breached nearly all of the agency’s classified systems within only a few hours (though subsequent reporting by The Economist slightly weakened this claim). At the same time, Mythos is also the first large model to pass both sets of full cybersecurity tests conducted by the U.K.’s AI Safety Institute.

The model does have extremely strong technical capabilities—this is objectively true. But that only shows the need for a rigorous and standardized regulatory process, not a private letter on a Friday evening with no complete investigation conclusions.

In addition, Mythos has always been made available only to partners that have undergone strict background checks. The globally taken-down Fable is the version for ordinary consumers. Its safety guardrails route sensitive requests involving cybersecurity and biosecurity to the older model Opus 4.8. A civilian version with built-in protections was taken down globally based on a single defensive prompt demonstration, while the truly higher-risk professional version was never released to the public. This handling makes clear that the regulatory process confuses “technical capability” with “public deployment.”

Opus 4.8: Is It the Last Compliant Model Standing?

Following the regulatory logic above, the outlook is grim. If Fable cannot meet the standard, then no future model with stronger performance can pass review—because under the government’s current evaluation criteria, stronger performance means higher potential risk. There is no iterative version such as Fable 5.1 or Fable 5.2 that can improve attack resistance under the unachievable standard of “zero jailbreak vulnerabilities.”

After the Commerce Department’s directive, only Claude Opus 4.8 remains as the strongest model still in normal service, making it the performance ceiling that U.S. residents can use legally. The legal channel for deploying frontier new technologies has been shut, while offshore and non-compliant channels remain wide open.

The current situation is a multi-party lose-lose. Domestic frontier model releases are frozen; a universal identity monitoring system is being built to comply with the controls; and the top AI track is being handed to open-weight models and overseas competitors that the U.S. has no authority to regulate. All of this could have been avoided. The solution is exactly the regulatory mechanism that Anthropic itself called for: if the government wants to ban models with genuine serious safety risks, it should rely on a legally mandated, transparent process, publish complete technical investigation conclusions, and provide companies with channels to appeal and mount defenses. The regulatory threshold should focus on incremental increases in dangerous capabilities added by a model (i.e., high-risk functions added compared with existing publicly disclosed technology), rather than the government’s fantasy of “zero residual risk.”

If entry thresholds are truly necessary, controls should target the technical capabilities themselves, not user identity verification. A regulatory system that can only be implemented by collecting identity fingerprints from all users uses the most extreme monitoring measures to address a single narrow risk issue.

From a capital market perspective, revoking the directive is also fully justified, and its impact goes far beyond Anthropic alone. U.S.-listed “Magnificent Seven” tech stocks currently account for about one-third of the total market capitalization of the S&P 500. In 2025, about 42% of the index’s total returns came from these seven companies. NVIDIA’s market cap exceeded $4 trillion in July 2025 and rose to $5 trillion in October, at one point accounting for over 7% of the index’s total market value.

The four major cloud providers disclosed approximately $725 billion in capital expenditures for 2026, a 77% increase compared with last year’s $410 billion. Goldman Sachs predicts that by 2030 the total capital expenditures of global cloud providers will reach $5.3 trillion. AI-related capital investment has already deeply affected the macroeconomy: different institutions’ estimates differ. Goldman Sachs estimates that AI capital expenditure accounts for nearly 0.8% of U.S. GDP, and more optimistic estimates suggest that early-2026 U.S. economic growth is primarily driven by AI.

Massive investment and industry growth expectations are all built on a single core assumption: frontier models continue iterating, continue rolling out to customers, and generate enough revenue to cover the massive infrastructure investment. Now this assumption is precarious. OpenAI committed about $1.4 trillion over eight years, but its current revenue is only about $13 billion (Sam Altman does not recognize the $13 billion figure, saying actual revenue is far higher). Companies have increased infrastructure spending at scale in advance, but the benefits from AI have not yet been fully reflected in macroeconomic data. Investors are betting on distant terminal value—that these AI systems will be commercially deployed at scale in the future.

The U.S. stock market is highly tied to the AI growth narrative. If the pace of frontier model iteration and deployment slows down (or even stalls), investment portfolios worldwide will be hit.

Taking Fable offline adds enormous uncertainty to the entire industry: will the U.S. government routinely restrict the external release of large language models going forward? The logic above indicates that routine takedown controls are very likely. Once this happens, the growth logic supporting $725 billion in annual capital expenditures will collapse entirely, and cascading shocks will ripple across the entire industrial chain:

  • High-bandwidth memory is in short supply, with orders booked through 2026; DRAM prices rose more than 50% in a single quarter, pushing SK Hynix’s market cap above $1 trillion;

  • Large-scale expansion of power infrastructure to support computing capacity; cloud providers even sign deals for dedicated nuclear power plants to guarantee electricity supply;

  • NVIDIA, OpenAI, Oracle, CoreWeave, and Microsoft are intertwined to form a circular financing ecosystem.

If data centers built with $200 billion in investment are unable to generate any return because the government bans their associated large models from serving customers, and given that the stock market is highly dependent on the AI growth main theme, a slowdown—even a reversal—in frontier AI development will cause losses to investors worldwide.

More than 100 top cybersecurity professionals in the United States have jointly called on the U.S. to revoke the directive. Anthropic has secretly filed for an IPO this month, and market expectations value the company at nearly $965 billion. Now, the company’s flagship product can be completely shut down based solely on a single evening notice from one agency, with no effective channel for the company to appeal.

This AI regulatory model must be abolished in a timely manner to prevent it from becoming a long-term regulatory rule for the U.S. AI industry. If this mechanism becomes the norm for governance, Anthropic, AI R&D across the entire industry, and the United States’ global leadership in technology will all be severely damaged.
