On 12 June 2026, at 5:21pm Washington time, a directive from the US government reached Anthropic: access to its frontier models Claude Fable 5 and Claude Mythos 5 was to be suspended immediately for every customer worldwide – outside the United States as well, and including the company's own foreign-national employees. The legal basis, according to Anthropic: export control, invoking national security authorities, with no specific reasons given. Three days earlier I had written here about the line Anthropic itself had drawn through its strongest model – the wall between freely available and access-restricted capability. That wall has now grown a second side.
What is remarkable is not that a model disappears for a while. What is remarkable is who can flip the switch: not the market, not the provider, but a state – by letter, overnight, with no disclosed process. For a European financial institution this is no peripheral tech footnote. It is the question of whose goodwill the availability of a critical capability rests on. And the answer 12 June gives should be an uncomfortable one.
What: On 12 June 2026 the US government directs Anthropic, under export-control authority, to suspend access to Claude Fable 5 and Mythos 5 worldwide for all customers (as Anthropic describes it)
Scope: applies to all users, including outside the US and the company's foreign-national employees; all other Anthropic models remain available
Rationale: national security authorities, with no specific detail; Anthropic believes the concern is a method of "jailbreaking" the model
Anthropic's position: a narrow, non-universal jailbreak; the capability shown is widely available, expressly including OpenAI's GPT-5.5; the company believes this is a misunderstanding
Precedent: applied across the industry, Anthropic argues, this standard would "essentially halt all new model deployments for all frontier model providers"
Status: Anthropic is complying, has promised more detail within 24 hours, and intends to restore access as soon as possible
A letter at 5:21pm
The company that had its switch flipped here is no start-up at the edge of the market. Anthropic confidentially filed paperwork for a public listing in early June, most recently valued at around 965 billion US dollars – one of the largest pending IPOs in tech history. It is precisely this private company that is steered by executive directive, its most capable model to date switched off for hundreds of millions of users, overnight. That a state may claim such a capability is arguable. That it does so without disclosed grounds and without a regulated process is the actual event.
Anthropic is complying with the directive but clearly disputes it. The jailbreak shown, it says, consists essentially of asking the model to read a particular codebase and fix its flaws – narrow, non-universal, with minor vulnerabilities that can be found in other publicly available models without any technique at all. The capability behind it is widely available, expressly including OpenAI's GPT-5.5, and is used every day by exactly the defenders who keep systems safe. Perfect jailbreak resistance, Anthropic notes, is not currently possible for any provider. The company believes the directive is a misunderstanding.
It bears stating: this account comes entirely from Anthropic. The US government has not set out its concern publicly. So far we hear only one side – and that is part of the problem. When access to critical infrastructure is withdrawn without the grounds being made comprehensible, a regulated institution lacks the basis on which to assess the risk at all.
From the market, via the provider, to the state
On 9 June the story was this: a private provider no longer rations its strongest capability by price, but by trust tier – those on the Project Glasswing partner list get full access, everyone else a throttled model. On 12 June the story is this: a state withdraws access altogether, for everyone. These are not two topics. It is one topic, seen twice. Frontier capability is governed less and less by the market and more and more by the jurisdiction in which the provider sits.
For a European bank that treats such a model as a critical ICT third-party provider under the Digital Operational Resilience Act (DORA), this shifts the risk question. It is no longer primarily: how good is the model? It is: who can switch it off on me, and what do I do when they do? A capability whose availability hangs on a foreign authority is not a tool you own. It is a dependency you manage – and no outsourcing contract protects against it when an export-control directive is what ends it.
I understand the instinct – the process does not convince me
I want to take the other side seriously, because it has an argument. A state that believes an uncontrollable offensive cyber capability is in circulation may act – that is the job of national security. And Anthropic is partly caught in its own net here: a company that itself declares this model too dangerous for open access, and therefore splits it into a safeguarded and an access-restricted variant, has supplied the logic the government now carries one step further. The line of 9 June and the intervention of 12 June share the same premise: that this capability ought to be controlled.
What troubles me nonetheless is not the whether, but the how. A letter at 5:21pm, no transparent, statutory process, no disclosed factual basis – and all of it against a capability that, on the provider's own account, has long been available elsewhere. Anthropic warns that applied across the industry this standard would essentially halt every new model deployment. One need not share that warning to see the core: when access to infrastructure used by hundreds of millions can be revoked by executive decision and without a comprehensible process, the precedent weighs more heavily than the individual case. Both can hold at once: the intervention may be justified. The manner in which it is carried out is not.
What Europe's banks must do now
Whether or not your own institution deploys Fable 5 tomorrow changes little: the episode rewrites the third-party risk calculus. Four consequences follow – and none of them is a protectionist reflex.
A European frontier provider must move from nice-to-have to a maintained option. Concretely: Mistral should be evaluated and qualified – not out of patriotism, but because a provider under EU jurisdiction with self-hostable model weights dissolves precisely the dependency that 12 June exposed: the foreign kill switch. Pushing a European solution here is a risk-management decision, not an industrial-policy slogan.
Counted honestly, on the same benchmark (SWE-bench Verified, agentic coding, as of 9 June 2026):
| Model | Provider (jurisdiction) | SWE-bench Verified |
|---|---|---|
| Claude Fable 5 | Anthropic (US) | 95.0% |
| Claude Opus 4.8 | Anthropic (US) | 88.6% |
| GPT-5.5 | OpenAI (US) | 82.6% |
| Mistral Medium 3.5 | Mistral (EU) | 77.6% |
The gap is real and should not be talked away: around five points behind GPT-5.5, around seventeen behind Fable 5. Against that stand roughly 1.50 US dollars per million input and 7.50 per million output tokens (Fable 5: 10 / 50), model weights that can be self-hosted on a handful of GPUs, EU jurisdiction and an open architecture. A note in my own cause: mind the benchmark variant – SWE-bench Verified is not SWE-Bench Pro. It is the same lesson as on 9 June: you have to know which number you are quoting. And the top score is the wrong metric if the stronger alternative can be switched off from Washington.
Agentic systems bind a model in far more deeply than a simple chat interface: into tool-calling, orchestration, memory and evaluation. Every layer that hard-codes one provider's API format, prompt structure or behaviour deepens the dependency until switching amounts to a rebuild. DORA names concentration on a few ICT third-party providers, and lock-in, expressly as risks to be managed. For agentic architectures that means an abstraction layer between orchestration and model from day one. Lock-in avoided at design time is cheap; lock-in discovered on a Friday at 5:21pm is not.
The answer is the one banks have already learned in the cloud: no single provider as a single point of failure. A workable multi-vendor strategy means model-agnostic orchestration, at least one substitutable alternative per critical use case, and a hybrid mix of API-based frontier models and self-hostable or EU-based models for those workloads that must not depend on a foreign kill switch. Not every use case needs the strongest model. The question is which ones must keep running when the strongest one goes dark.
Sovereignty is no longer a location debate
For a long time the call for European AI sovereignty sounded like a protectionist reflex – a slower, more expensive model defended on principle. 12 June changed the register. When a foreign government can withdraw access to a critical capability overnight, without disclosed grounds, sovereignty stops being industrial policy and becomes operational availability. What I will be watching most closely over the coming months is whether European supervisors read this episode for what it is – an availability risk at a third-party provider, on their own books – or whether they wait for the next letter at 5:21pm to make the argument for them. The strongest model is impressive. But the most important question is no longer how good it is. It is who can switch it off.
Christian Schablitzki
Strategy & Management Consultant · Agentic AI expert for financial institutions
Over 20 years in investment banking and derivatives trading, followed by more than 10 years advising financial institutions. Currently a Partner at Infosys Consulting in Germany. Certified in Google AI, Generative AI Leader (Google Cloud) and IBM RAG and Agentic AI.
LinkedIn profile →Keep reading – every two weeks in your inbox.
Capital markets insights, regulatory updates and AI trends. Concise, well-founded, free.
GDPR-compliant. Unsubscribe any time.