Is the Model I Picked Really the One Answering? Two Questions from Fable 5's Week
The two things we assume when we pay for a chatbot
When we pay a monthly subscription for an AI chatbot like ChatGPT or Claude, we quietly assume two things. One is that the model we selected is the one answering our questions. The other is that as long as we keep paying, that access won’t suddenly disappear. Nobody uses Slack worrying it might secretly rewrite their messages, or Notion fearing it could shut off worldwide at 5 p.m. today.
This is the same expectation we bring to any subscription software (SaaS, Software as a Service). And here is the interesting part: the API that developers call from code actually behaves more like SaaS. It comes with contracts and terms, and when behavior changes, a notice usually follows. It was on the lighter, more casual side, the chatbot we just pay for and use, that those two assumptions broke first.
In the second week of June 2026, two events around Anthropic’s new model, Fable 5, showed this within three days of each other. One was that the model you picked may not be the one that actually answered you. The other was that the access was never really your right to begin with.
Put as two questions: First, is what I’m using right now really the thing I chose (transparency)? Second, who holds the right to keep using it (access rights)? This piece follows those two questions through both events, anchored in primary sources.
Is the model I picked really the one answering?
Anthropic released Fable 5 to the public on June 9. The same day, a more powerful variant, Mythos 5, arrived alongside it (more on that later). Fable 5 immediately posted the highest score among publicly available models on the Vals AI benchmark, making it, at launch, the smartest public model around.
The problem was a guardrail buried inside it that users were never told about. Its target was model distillation, the practice of taking a large model’s outputs and using them to train a smaller, competing model. When Fable 5 judged a request to be a distillation attempt, it did not process that request on the original model as is. Instead, it quietly handled it differently in the background. The net caught more than competitor training: debugging AI code and optimizing neural network architecture, anything that looked close to it, got swept in too.
One thing worth making clear. Fable 5 also had restrictions on other sensitive categories such as cybersecurity and biology. But on those, the handoff to a different model was visible. The one that was handled quietly, invisibly, was distillation. So the heart of the problem is not “there were restrictions” but “this one restriction was the one you couldn’t see.”
The issue is not “the same question gives different answers each time.” That is just how generative models work. The real problem is that I asked the Fable 5 I selected, and the answer may not have come from Fable 5 at all. It could be a degraded output, or a result that went through some other processing, while looking perfectly normal, and none of that was visible to me.
Anthropic’s 319-page system card (the official document describing a model’s capabilities and limits) stated that this mechanism would “not be visible to the user,” and that instead of an explicit refusal it would use “prompt modification, steering vectors, or parameter-efficient fine-tuning.” The odds that someone using the chatbot every day would find and read one paragraph buried in 319 pages are close to zero. Being published is not the same as being knowable.
The thing that showed this structure most clearly was, ironically, Anthropic’s fix. After the backlash, the company said requests flagged for distillation or national security would fall back to Claude Opus 4.8, and that users would be told when the switch happened. In other words, the structure in which a request to the model I picked (Fable 5) is answered by a different model (Opus 4.8) in the background is still there. What changed is that now you are told about the swap. The fix itself revealed what the problem really was.
Developers reacted hard. One prominent researcher wrote that “the claude fable 5 nerf for AI research has induced the angriest reaction I’ve ever seen in my life.” The core of the anger was less that outputs were degraded and more that the degradation itself was hidden. Anthropic apologized on June 11: “We made the wrong tradeoff and we apologize for not getting the balance right.”
When you can’t see it, you can’t tell safety from business
Trace Anthropic’s reasoning and the choice is not hard to understand. Distillation is the channel through which a competitor can catch up cheaply, and blocking it is, from the company’s seat, defending a moat. Announce the block transparently and attackers learn the triggers and route around them more easily. So “quietly” is the more effective option, technically.
Here is what is worth noting. That mechanism arrived under the name of safety, but what it actually protected was Anthropic’s business interest. From the user’s seat, there is no way to tell a guardrail that protects me from a device that protects the company’s moat. Both run on the same “invisible” mechanism. As long as I can’t confirm that what I picked is really what I’m getting, I can’t know what sits behind it either.
Access was never my right
The second event came three days later. On June 12 at 5:21 p.m. Eastern Time, Anthropic received an export control directive from the US government. Export control is a regime that, citing national security, restricts the transfer of specific technologies abroad.
The scope was unusual. It ordered that access to Fable 5 and Mythos 5 be blocked for all foreign nationals, inside or outside the United States, and that included Anthropic’s own foreign-national employees. Anthropic stated that, to comply, it had no practical choice but to disable both models for essentially all customers. US customers were no exception.
Mythos 5, swept up alongside, was the more powerful variant released on June 9. It was a restricted edition open only to about 50 organizations vetted through “Project Glasswing” (Amazon, Apple, Google, Microsoft, CrowdStrike, and others), while Fable 5 was the general public edition carrying the guardrails.
The government’s stated basis was a jailbreak (a technique for getting around a model’s safety controls). But when Anthropic reviewed the demonstration it received from the government, the jailbreak turned out to be “narrow, non-universal.” Specifically, it involved asking the model to read a particular codebase and fix the software flaws in it, a capability that also exists in OpenAI’s GPT-5.5 and that security professionals use routinely.
Anthropic complied with the directive while pushing back publicly.
“We disagree that the finding of a narrow potential jailbreak should be cause for recalling a commercial model deployed to hundreds of millions of people.”
The company warned that if this standard were applied across the industry, it “would essentially halt all new model deployments for all frontier model providers.”
This isn’t about generosity, it’s about rights
Read this event as a matter of generosity, “given and then taken away,” and you miss the point. What it exposed is more structural. The access I was paying to use was never my right; from the start it was a permission held by the vendor and the state. A permission can be revoked, and I have no seat at the table when that decision is made. I broke no terms, and being a US customer made no difference.
What is new here is not the jailbreak itself. The ability to read a codebase and find vulnerabilities already exists in several models. What is new is that the state set a precedent: on the basis of that capability, it can recall a commercial model already deployed to hundreds of millions, within days. An export control regime, built for components and equipment, was used to switch off a running software service itself.
This is where it diverges from SaaS. A SaaS cutoff is usually a vendor’s individual decision based on my terms violation. Here, regardless of anything I did, a party that wasn’t even the vendor, the state, revoked my access.
Both questions point to the same place
Looked at separately, one is a trust problem inside the developer community and the other is a matter of geopolitics and regulation. But lay the two events on top of each other and the same sentence remains: I cannot control the AI I depend on.
Control splits in two. One is whether what I’m using right now is really the thing I chose (transparency). The other is who holds the right to keep using it (access rights). The two events showed that each of these axes sits in the hands of the vendor and the state, respectively.
| What we expected from a chatbot | What broke with Fable 5 |
|---|---|
| The model I picked is the one answering (transparency) | A different model can be swapped in behind the scenes |
| Access is a right I hold (access rights) | Access was a permission held by the vendor and the state |
Why this isn’t abstract is easier to see in one scene. Say a company built a customer-facing feature on top of Fable 5. The output it shipped on June 10 may contain results that went through some other processing without its knowledge, and on June 12 it loses access to the model entirely. Both questions land on one company within three days. Neither was that company’s fault.
This is usually where the phrase “Sovereign AI” comes up. It is typically waved as a national flag: “so we, too, must build our own foundation model.” But a single training run for a frontier model costs hundreds of millions, and the moment you catch up, the gap reopens. A national in-house model is an expensive, slow, partial answer, and it isn’t a lever an individual or a small organization can reach for today. What these two events actually point to is a smaller, more concrete kind of sovereignty: how much of the transparency and access over my own tools I actually hold.
What I took away from this
This is less a definitive answer than a personal thought I had watching all this unfold. If the tool I depend on is out of my hands, both on whether it’s the one I picked and on whether I can keep using it, then there is still one thing I can hold onto. It is being able to handle an open-weight model myself. Open-weight refers to a model whose weight files are public, so anyone can download and run it directly in their own environment (the Llama, Mistral, and Qwen families, for instance).
This touches both of the earlier questions. If I run the model myself, nothing in the background can hide what is answering (transparency), and weights I have already downloaded can’t be retroactively recalled by anyone (access rights). Both axes of control naturally move to my side.
It isn’t a grand undertaking. You download the weights, spin the model up with a tool like vLLM or Ollama, and, if needed, adapt it to your work with light fine-tuning like LoRA (which only touches a subset of parameters). You can also set it up so you normally use an external API and fall over to this path when that one is blocked or untrustworthy.
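A sketch of that failover path, written for this page as an added example (it is not code from Anthropic or any vendor). It assumes both endpoints return OpenAI-compatible chat completion JSON, which vLLM and Ollama can serve; the backends below are constructed stubs standing in for HTTP calls, and the model ids `fable-5`, `claude-opus-4.8` and `qwen-local` are constructed placeholders. The `model` field it checks is only as trustworthy as the vendor's disclosure, so it catches a disclosed swap, not a hidden one.

```python
class AccessRevoked(Exception):
    """Hosted endpoint refused service (for example HTTP 403 or 451)."""

def _reply(model, text):
    # OpenAI-compatible chat completion, trimmed to the fields used here.
    return {"model": model, "choices": [{"message": {"content": text}}]}

def same_model(wanted, reported):
    # Accept the exact id or a dated snapshot of it ("fable-5-20260609").
    return reported == wanted or reported.startswith(wanted + "-")

def ask(prompt, wanted, primary, local, local_model):
    """Return (answer, served_by, reason); reason is "ok" on the primary path."""
    try:
        resp = primary(wanted, prompt)
    except (AccessRevoked, ConnectionError, TimeoutError) as exc:
        reason = f"primary unavailable: {exc}"       # access question
    else:
        reported = resp.get("model", "")
        if same_model(wanted, reported):
            return resp["choices"][0]["message"]["content"], reported, "ok"
        # transparency question: a different model answered
        reason = f"model mismatch: asked {wanted}, got {reported or 'nothing'}"
    resp = local(local_model, prompt)                # self-hosted open-weight path
    return resp["choices"][0]["message"]["content"], resp["model"], reason

# Constructed backends (assumptions, not real services).
def hosted_ok(model, prompt):
    return _reply(model + "-20260609", "hosted answer")

def hosted_swapped(model, prompt):
    return _reply("claude-opus-4.8", "fallback-model answer")

def hosted_revoked(model, prompt):
    raise AccessRevoked("451 unavailable for legal reasons")

def local_backend(model, prompt):
    return _reply(model, "local answer")

if __name__ == "__main__":
    for backend in (hosted_ok, hosted_swapped, hosted_revoked):
        print(backend.__name__,
              ask("Summarise this ticket.", "fable-5", backend,
                  local_backend, "qwen-local"))
```

Logging the returned `reason` for every request gives a record of how often the hosted path was swapped or unavailable, which is the evidence needed to size the local capacity.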
Of course, open-weight models are weaker than something like Fable 5. So I think of this as insurance rather than a replacement. You’re not buying the same capability; you’re keeping one option that, however much weaker, doesn’t stop when the main path is cut. The cost is GPU spend and operational overhead. And to be honest about the coverage: routine extraction, classification, summarization, and internal document search already run fine on today’s open-weight models, while top-tier reasoning and long, complex work still show a real gap. It carries most of the everyday load without breaking, but it doesn’t fill the peak.
In the end the thought that stayed with me was simple. Keep renting if that’s how it works, but learn to handle at least one model you can switch on and off yourself, even a weak one.
Closing
Renting AI isn’t the problem in itself. The problem is that we believed in it the way we believe in SaaS, that what we picked arrives as is, and that it won’t suddenly cut off. The two events of the second week of June showed that neither of those is a given. One may not have been the model we chose, and one was revoked overnight. What’s left afterward is less a grand conclusion and more a small question: how much do I actually know, and hold, about the tools I use?
Sources: Anthropic statement, TechCrunch, The New Stack, Gizmodo, DevOps.com, NBC News. Anchored on the primary source (Anthropic’s statement); secondary outlets were used to verify the timeline and quotes.