In March I published “Claude vs. the Pentagon,” a timeline of how Anthropic went from Pentagon darling to the first American company ever labeled a “supply chain risk.” I figured the story had peaked. A company suing the government, a competitor doing damage control, and an Atlantic essay comparing Dario Amodei to Oppenheimer.
I was wrong.
Three months later, the same company that the administration calls a national security threat shipped the most capable AI model the public has ever been allowed to touch. 72 hours after launch, the government forced Anthropic to yank it off the internet for everyone on the planet, citing a claim that the model broke into nearly all of the NSA’s classified systems “not in weeks, but in hours.” Roughly a hundred of the most respected names in cybersecurity signed an open letter begging the White House to reverse course.
Here’s the rest of the story, picking up where Part 1 left off.
Part 1: From “supply chain risk” to “maybe not a threat”
March 24–26, 2026 - A Judge Calls It “Classic Illegal First Amendment Retaliation”
Two weeks after Anthropic filed suit, the case got its first real test. On March 24, U.S. District Judge Rita Lin held a hearing in San Francisco and floated the obvious point out loud: if the Pentagon was so worried about operational integrity, it “could just stop using Claude” rather than blacklist the company. On March 26 she issued a 43-page opinion granting Anthropic a preliminary injunction, finding the company likely to win on all three theories it pressed (First Amendment retaliation, Fifth Amendment due process, and the Administrative Procedure Act) and writing that the record “strongly suggests” the government’s stated reasons were “pretextual.”
“Punishing Anthropic for bringing public scrutiny to the government’s contracting position is classic illegal First Amendment retaliation.”
The catch: Lin built in a seven-day administrative stay before the order took effect, and the Pentagon’s CTO immediately said the ban still stood. The supply chain designation itself runs through a separate statutory channel in the Court of Appeals, so the real fight over the blacklist moved to the D.C. Circuit. That split track is the whole story of the next two months.
April 8, 2026 - The Appeals Court Lets the Blacklist Stand
The supply chain designation went up to the D.C. Circuit on its own statutory track, and Anthropic lost the first round. A three-judge panel (Henderson, Katsas, and Rao) denied Anthropic’s emergency motion to stay the FASCSA designation, citing the need to avoid “judicial management of how, and through whom, the Department of War secures vital AI technology” during an active military conflict. The judges were careful to add that they “do not broach the merits at this time,” so despite headlines calling it a Trump win, all the panel really did was leave the blacklist in place while the case got briefed.
So as of April, Anthropic was living in a split reality. A California court said the government couldn’t ban federal agencies from using Claude. A D.C. court said the Pentagon could keep calling Anthropic a national security risk. The contract cancellations proceeded on a 180-day Claude-removal clock, and Anthropic stayed barred as a prime or subcontractor on covered defense systems.
April 17, 2026 - The Thaw That Wasn’t
Then the relationship looked like it might mend. Amodei went to the White House and met Chief of Staff Susie Wiles and Treasury Secretary Scott Bessent. Both sides called the talks “productive and constructive”; Anthropic said they covered cybersecurity, America’s AI lead, and AI safety. The Office of Management and Budget was already preparing to give agencies access to Mythos, and the White House itself was angling for it.
April-May 2026 - Claude Keeps Going to War Anyway
Despite the tech being blacklisted, the military kept using it anyways. Reporting through the spring kept Claude inside U.S. targeting workflows via the Palantir integration during operations against Iran. In a June 10 Bloomberg interview, Amodei addressed Claude’s reported role in the Minab school strike, saying the company couldn’t confirm whether Claude had been involved but that such use wouldn’t have violated Anthropic’s guidelines. The company the Pentagon called a supply chain risk was still, operationally, part of the supply chain.
May 19, 2026 - “A Spectacular Overreach by the Department”
The same three judges (Henderson, Katsas, and Rao) heard nearly two hours of oral argument on the merits, and the panel split in a way that made the outcome genuinely hard to call. Judge Karen LeCraft Henderson (a George H.W. Bush appointee) was blunt: she said she saw no evidence supporting the Pentagon’s risk determination, and called it “just a spectacular overreach by the Department.” Judge Neomi Rao (a Trump appointee) went the other way, pressing on what business a court has second-guessing the Defense Secretary’s national security judgment. The panel agreed to expedite, signaling a ruling in weeks rather than months. As of this writing it still hasn’t come.
That’s where the relationship sat heading into June: legally contested, politically toxic, operationally entangled. A divided appeals court, an injunction in California, a blacklist still on the books, and a Defense Department that couldn’t fully quit the vendor it had publicly disowned.
And then Anthropic shipped a new model.
Part 2: The Fable / Mythos ban
June 2, 2026 - Washington Quietly Builds the Off Switch
A week before any of this, Trump signed an executive order titled “Promoting Advanced Artificial Intelligence Innovation and Security.” Buried in it is the mechanism that makes the rest of the story possible: it asks AI companies to voluntarily hand the government access to “covered frontier models” for a cybersecurity review up to 30 days before they ship to outside partners, sets up a Treasury-led clearinghouse to coordinate vulnerability findings, and uses a classified NSA process to decide which models count as “covered.” Nobody paid much attention at the time. Seven days later it became the frame for everything.
June 9, 2026 - Anthropic Ships the Most Powerful Public Model Ever
Anthropic released Claude Fable 5 and Claude Mythos 5 together. Same underlying model, two trims: Fable 5 with classifier safeguards for anyone with a Pro subscription, Mythos 5 with the cyber safeguards lifted for vetted defenders in Project Glasswing. The whole point of the safeguards was to keep the general public from accessing Mythos-grade offensive cybersecurity capability. Hold that thought for about 72 hours.
June 10, 2026 - Pliny Plants the Flag
Within 24 hours of launch, the jailbreaker known as Pliny the Liberator posted “JAILBREAK ALERT, ANTHROPIC PWNED, FABLE 5 LIBERATED” and published what he said was Fable 5’s 120,000-character system prompt on GitHub, claiming multi-agent prompting, Unicode tricks, and narrative framing had beaten the classifiers. Anthropic pushed back hard, telling SecurityWeek that beating a conversational refusal isn’t the same as breaking core safeguards, that some of the outputs “were not produced by Fable 5 at all,” and that the rest “contained only general information already available in public sources, offering no meaningful uplift for real-world harm.”
Pliny’s stunt wasn’t what triggered the government. But it set the mood music: by the time the real warning came, “Fable 5 has been jailbroken” was already the story of the week.
June 11, 2026 - A Phone Call From Amazon
Amazon CEO Andy Jassy was already on a pre-scheduled call with White House officials about an unrelated topic when the subject of Fable 5 came up. Amazon’s own researchers had run a sequence of prompts at the new model and gotten it to produce information useful for cyberattacks, specifically exploit code for known vulnerabilities in x86 Linux systems. White House officials told Jassy to flag it directly to Treasury Secretary Scott Bessent, and he did.
June 12, 2026, 5:21 p.m. ET - The Lutnick Letter
Commerce Secretary Howard Lutnick sent Amodei a letter placing Fable 5 and Mythos 5 under export controls: no access for any user outside the U.S., and no access for any foreign national inside the U.S., without a government license. Non-compliance carried criminal and civil penalties. By multiple accounts Anthropic was given about 90 minutes to act, with no prior notice that a national security threat was even on the table.
You can also read this on the Handy AI Substack.
Because Anthropic can’t reliably verify the nationality of every user of a consumer product, “no foreign nationals” effectively meant “no one.” Late that Friday night, the company disabled Fable 5 and Mythos 5 for every customer worldwide.
June 13, 2026 - Anthropic: “We Believe This Is a Misunderstanding”
Anthropic posted its position publicly. The government’s stated concern was a method of “jailbreaking” Fable 5 to reach Mythos-grade cyber capability. Anthropic argued the jailbreak was narrow, not universal, that it had reviewed a demonstration of the technique surfacing “a small number of previously known, minor vulnerabilities,” and that the same capability is “widely available from other models (including OpenAI’s GPT-5.5).” The company said recalling a model deployed to hundreds of millions over a narrow exploit would, taken to its logical end, “essentially halt all new model deployments.”
The same day, Semafor reported a second motive the White House hadn’t put in writing: suspicion that a China-linked group had accessed Mythos. An Anthropic spokesperson said the White House never raised Chinese access in any of the conversations about the jailbreak or the export controls. It remains unclear which group, how, or how the government would know.
June 14, 2026 - “Not in Weeks, but in Hours”
It was reported that Senator Mark Warner, vice chair of the Senate Intelligence Committee, said General Joshua Rudd (who dual-hats as director of the NSA and head of U.S. Cyber Command) told him Mythos “broke into almost all of our classified systems, not in weeks, but in hours.” It became the most-cited justification for the ban almost immediately, and it reframed the whole fight from “patch a jailbreak” to “this capability shouldn’t exist in public.”
Treat the quote with care. The Economist’s defense editor, Shashank Joshi, clarified that he’d quoted Warner accurately but that the line lost its context as it ricocheted around social media. The breach was an authorized red-team drill on the government’s own networks, not a live foreign intrusion, and it was run on a model the government was already using through Project Glasswing. Warner raised it to argue for faster pre-release security testing of frontier models, and he was praising Anthropic when he did, not condemning it.
Also on June 14: David Sacks, who’d stepped down as the White House AI czar in March and now co-chairs the President’s science and technology council, posted a long thread claiming the administration had asked Amodei to fix the jailbreak or pull the model, and that Amodei refused, calling the breakdown a trust issue. Anthropic’s public position is that the jailbreak “isn’t serious,” which is, of course, exactly the disagreement. Anthropic, meanwhile, flew staff to D.C. to try to clean up the relationship in person.
June 15, 2026 - The Cybersecurity Establishment Revolts
An open letter at freefable.org, organized by former Facebook chief security officer Alex Stamos, called the ban “dangerous” and demanded the export controls be rescinded. It drew roughly a hundred signatures from security leaders at Nvidia, Adobe, Zoom, Google, and Sophos. The core argument: “To pull the best capabilities away from defenders without a good reason when our adversaries are rapidly advancing is dangerous.”
Then the technical air came out of the “jailbreak.” Katie Moussouris, the Luta Security founder who literally built Microsoft’s and the Pentagon’s bug bounty programs, examined Amazon’s finding and concluded the “exploit” was a model responding to a prompt that amounted to three words: “fix this code.”
Same day, Axios published the gossip version. Under the headline “They screwed us,” it reported that the blowup was as much about personality and communication failure as cyber risk: Anthropic allegedly didn’t take the government’s outreach seriously, didn’t “honor” the June 2 cyber executive order’s pre-release-review ask, and an administration official summed up the mood with that two-word quote. The piece noted the earlier Pentagon fight also came down, in part, to people on opposite sides of the table just not liking each other.
June 17, 2026 - The Roundtable in Évian-les-Bains
Five days after his flagship products got pulled, Amodei sat down at a G7 AI working roundtable in Évian-les-Bains, France, alongside Sam Altman, Demis Hassabis, and roughly a dozen other tech executives, across from Trump, Treasury’s Bessent, Commerce’s Lutnick, and Secretary of State Marco Rubio.
Amodei and Hassabis pitched a U.S.-led AI coalition: structured allied access to frontier models, chip and component trade that locks out China, and joint work on the cyber, bioterror, and intelligence risks. Amodei urged the leaders to “resist the temptation to splinter” on AI rules. It worked on at least one person in the room, because two days later Trump was telling Axios that Amodei was “nice” and “smart.”
The optics inside Anthropic were less serene. The New York Times got hold of internal employee chats from the same stretch, where staff were openly rattled: “Are we being bullied based on bad vibes?” one asked; “At what point does this just feel like they don’t want us to exist?” asked another, with some worrying the fight could threaten the company’s path to an IPO.
June 19, 2026 - Trump: “Not Now, but a Week Ago, Maybe”
Asked on “The Axios Show” whether he saw Anthropic or Amodei as a national security threat, Trump said: “Well, not now, but a week ago, maybe.” He said he’d come away from his G7 meeting with Amodei thinking the CEO was “nice” and “smart,” and that the two sides were now working together on standards to evaluate AI jailbreaks.
But a presidential shrug is not a lifted export control. As of this writing, Fable 5 and Mythos 5 are still dark for everyone, the Commerce directive is still binding, and the supply chain case is still sitting with the D.C. Circuit. Trump softened the rhetoric while keeping every actual restriction in place.
Where Things Stand
Updated scoreboard, three months after the first one:
- Anthropic won an injunction in California, lost a stay in D.C., got a sympathetic-but-split hearing on the merits, and is still waiting on the appeals ruling. It shipped the best model on Earth and had it pulled in 72 hours. Its flagship products have now been dark worldwide for over a week, and it’s negotiating their return prompt by prompt. The safety-first brand keeps winning the public and keeps losing the government.
- The U.S. administration banned a commercial product used by hundreds of millions over a vulnerability that the most credentialed people in cybersecurity say is the model doing its job. The “broke into our classified systems in hours” line that carried the story turned out to be a senator’s secondhand account of an authorized red-team drill, which the reporter who broke it says lost its context on the way to going viral. Meanwhile the capability stayed live for ~200 elite Glasswing institutions. And within a week the President was publicly walking back the threat assessment.
- Amazon funded the model, hosts the model, and lit the fuse that pulled the model. Make of that what you will.
- The cybersecurity community did the thing it almost never does and spoke with one voice, and that voice said: stop taking our best defensive tool away while the attackers get better.
In Part 1 I asked whether you still get a say in your own creation once you’ve built it. The Fable 5 ban answers this from a new angle. Anthropic built the thing, the government decided who could use it (not the public), an investor decided when to flag it, a senator decided what it had done, and a hundred security pros decided that was all backwards. The builder was the one party in the room with the least say of all.