When the Government Shuts Down Your AI

Three days. That is how long Claude Fable 5 was available before the US government ordered Anthropic to pull it for everyone on the planet.

On June 9, 2026, Anthropic released Fable 5 and Mythos 5, its most powerful models to date. On June 12, Commerce Secretary Howard Lutnick sent a letter to CEO Dario Amodei citing national security authorities and directing Anthropic to suspend all access by foreign nationals, including Anthropic’s own foreign national employees. Because there was no practical way to filter users in real time, Anthropic shut both models down for everyone.

For any business that had built workflows on those models, the lesson was abrupt: control of your AI stack matters, and right now, most businesses do not have it.

What Made Mythos Different Enough to Alarm Governments

Claude Mythos Preview, the restricted model that preceded the public Fable 5 launch, is not primarily a writing or reasoning tool. Its defining characteristic is what it can do to software.

Before Mythos, no AI model could reliably complete expert-level cybersecurity tasks. Mythos completed them 73 percent of the time. The practical effect on vulnerability timelines has been striking. In 2018, the average gap between a vulnerability being discovered and a working exploit appearing in the wild was 2.3 years. By 2025, that gap had compressed to 23 days. After Mythos, it dropped to roughly 20 hours.

That is the number that matters. Twenty hours from public disclosure to working exploit. No human security team patches and tests that fast. No traditional SOC can triage and remediate that quickly across a large infrastructure. The attack surface for organizations of every size changed in a material way when Mythos was released, regardless of whether those organizations have access to the model.

Anthropic has restricted Mythos itself to approximately 40 vetted organizations under a program called Project Glasswing. But equivalent capability, by most estimates, reaches the broader market, including adversarial actors, within 6 to 24 months.

Fable 5 was Anthropic’s attempt to offer Mythos-class capability in a form safe for general use, with state-of-the-art results across software engineering, knowledge work, vision, and scientific research. The three-day window before the government shut it down was enough time to confirm the capability was real. It was not enough time for most businesses to adapt to what that means.

The Access Problem Is Bigger Than One Announcement

The Fable 5 suspension is the most dramatic recent example of a structural problem that predates it: businesses building on third-party AI infrastructure have no guaranteed continuity.

Access can be suspended by government directive. It can be restricted by geography. It can change based on export control law, provider pricing decisions, capacity limits, or policy shifts that have nothing to do with the customer’s use case. When any of those conditions change, workflows that depend on the model stop working.

This is not a theoretical risk. It happened in three days in June 2026 to every Anthropic customer simultaneously. Before that, access to some models was restricted to the US only. Cross-border restrictions on AI capabilities have accelerated as governments treat frontier models as strategic assets rather than commercial software.

Sovereign AI: What It Means and Why It Is Moving Up the Priority List

Sovereign AI describes an organization’s ability to develop, run, and control its own AI capabilities without depending on external parties for access, data processing, or infrastructure.

The concept has four distinct components. Territorial sovereignty covers where data and compute physically sit. Operational sovereignty covers who manages and secures them. Technological sovereignty covers who owns the underlying stack and model weights. Organizational sovereignty covers governance, accountability, and the ability to audit what the system is doing.

Most organizations that use AI today have none of these four. Their data leaves their premises to be processed by a third-party model. They have no access to model weights. Their infrastructure is managed by the provider. And their ability to audit model behavior is limited to whatever the provider chooses to expose.

Gartner projects that 65 percent of governments will introduce formal technological sovereignty requirements by 2028. The EU AI Act is already in effect and imposes obligations on both providers and deployers. Regulated industries, including finance, healthcare, and critical infrastructure, face additional sector-specific constraints.

For businesses operating across borders, the picture is more complicated. Data processed in one jurisdiction may trigger compliance obligations in another. A model restricted by US export control may not be legally accessible to foreign national employees even when those employees are physically inside the US. The Fable 5 directive made this explicit: compliance was impossible at the user level, so Anthropic shut down access for everyone.

The Challenges Businesses Face Right Now

The cybersecurity challenge from Mythos-class models is real and immediate. Patch cycles that took weeks can no longer outrun exploit development. Security teams need to assume that any disclosed vulnerability is being weaponized within hours, not days or months. Vendor timelines for security fixes, which are typically measured in days, no longer align with the threat timeline.

At the same time, the same models that accelerate attacks also improve defense. Organizations with access to capable AI can automate threat detection, vulnerability scanning, and incident response at speeds that manual processes cannot match. The asymmetry works in both directions. The question is whether an organization’s defensive posture is improving as fast as the offensive capabilities available to its adversaries.

The regulatory challenge is layered on top. Compliance with the EU AI Act, GDPR, sector-specific regulations, and emerging national AI laws requires understanding what a model does with data, where processing occurs, and who has access to outputs. Most third-party model deployments make all three of those questions difficult to answer with confidence.

The operational continuity challenge, illustrated by Fable 5, is the most underappreciated of the three. Businesses that depend entirely on frontier model providers for core workflows have taken on a concentration risk they may not have priced correctly.

What the Next Phase Looks Like

A few trends are converging that will shape how organizations approach AI over the next two to three years.

Models are getting smaller without losing capability. Distillation and quantization techniques are producing models that run efficiently on enterprise hardware without requiring hyperscaler infrastructure. This makes on-premises or private cloud deployment practical for a much wider range of use cases than was possible in 2023 or 2024.

Hybrid architectures are becoming the standard approach for organizations that need both capability and control. Sensitive data stays on-premises and is processed by a model the organization operates. Less sensitive tasks use third-party frontier models where access and pricing make sense. The architecture treats AI access as a procurement decision rather than an all-or-nothing dependency.

Governments are not stepping back from frontier AI regulation. The Fable 5 directive is likely the first, not the last, government action to restrict access to models that cross capability thresholds related to cybersecurity, biology, or other dual-use domains. Businesses that plan as though today’s access conditions are stable are making a bet that does not have good historical support.

Cybersecurity investment needs to adjust its baseline assumptions. Twenty-hour exploit timelines require automated response capabilities, not faster human processes. Organizations that have not already invested in AI-assisted security operations are operating at a growing disadvantage relative to threats that now have access to Mythos-class offensive tools.

What Businesses Should Do Now

The Mythos and Fable 5 story is not primarily a story about Anthropic. It is a story about what happens when AI crosses a threshold that governments treat as a national security matter, and what that means for every organization that assumed AI access was stable infrastructure.

Three practical steps apply across most businesses.

First, audit AI dependencies with the same rigor applied to any critical vendor. Understand what happens to each workflow if access to a specific model is suspended, restricted geographically, or repriced significantly. Build that scenario into continuity planning.

Second, assess the cybersecurity posture against Mythos-era timelines, not pre-2025 baselines. The 20-hour window from disclosure to exploit is the operating environment now, not a future risk.

Third, treat data sovereignty as a design requirement, not a compliance checkbox. Where data goes, who processes it, and what controls govern that processing will determine legal exposure under laws that are already in effect and regulations that are coming.

The businesses that will operate confidently through the next several years of AI development are the ones that understand what they are depending on, control enough of their stack to absorb disruption, and build security postures that match the current threat environment.


Intworks works with organizations to assess AI infrastructure risk, design sovereign and hybrid AI architectures, and build cybersecurity programs that account for AI-era threat timelines. Get in touch to talk through where your organization stands.
