The Off Switch: How Washington Pulled a Frontier Model Offline Without a Law

The Off Switch: How Washington Pulled a Frontier Model Offline Without a Law | Omniscient Media

On Friday, June 12, at 5:21pm Eastern, a United States company received a letter telling it that its newest software product could no longer be used by foreign nationals, anywhere on earth, including the company's own non-citizen engineers.^[1] The company was Anthropic. The product was Claude Fable 5, the consumer-facing version of a frontier model the company calls Mythos 5. Because no large language model can verify the citizenship of every person reaching it through an API in real time, the only way to comply was to turn the models off for everyone. Within hours, Anthropic disabled both for all customers worldwide.^[2] Ten days later, neither model is back online.

What happened on Friday the 12th is worth describing precisely, because the mechanism is the part that lasts. Washington did not pass a law, hold a hearing, publish a finding, or name the threat in public. It sent a private letter under an export-control statute written for physical goods, reclassified access to a piece of American software as an export, and switched off a capable model across the world in an afternoon. To understand why the response was so swift, it helps to know what the government had seen three days earlier: Senator Mark Warner, vice chairman of the Senate Intelligence Committee, had relayed a disclosure from the NSA director that Mythos had "broke into almost all of our classified systems, not in weeks, but in hours."^[9] The subsequent negotiations have not produced a restoration. They have produced something else: the rough outline of an ad hoc licensing regime for frontier AI, assembled in real time, with no public rules and no clear endpoint.

What the order did, in its own terms

Anthropic's account, published the same day, is specific. The government, "citing national security authorities," issued "an export control directive to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees."^[1] The company's framing of the consequence is equally specific: "The net effect of this order is that we must abruptly disable Fable 5 and Mythos 5 for all our customers to ensure compliance."^[1]

The scope is the unusual part. An export control that reaches "any foreign national, whether inside or outside the United States" reaches a company's own payroll. Reporting on the directive spelled out the same boundary: the restriction covered "people outside the U.S. as well as non-citizens working inside the country, including employees within Anthropic."^[3] The logic that produces this result treats an American firm granting its own non-citizen staff access to its own model as an act of export. There is no border crossing, no shipment, no foreign buyer, only a company and its engineers.

The statute being used

The government has not published the order, its rationale, or its legal basis, so the authority has to be inferred. Brian Egan, a partner at Skadden and a former Legal Adviser at both the State Department and the National Security Council, writes that the basis is most likely the Export Controls Reform Act of 2018, "the Commerce Department's primary authority for administering U.S. 'dual-use' export controls."^[4] The specific tool, he explains, is the statute's "is-informed" power: the Act "authorizes Commerce to privately 'inform' U.S. companies like Anthropic that an export license from Commerce is required to engage in any activity that Commerce finds may involve the development of weapons of mass destruction."^[4]

That phrasing carries the whole design. The instruction is private. It is addressed to a single company. It converts a permitted activity into one that now requires a license the company does not have. Egan is careful about what is and is not new here. Commerce has used "is-informed" letters before, mostly for semiconductors and the equipment that makes them. What he flags is the reach: "While Commerce's use of its 'is informed' authority is not novel, the breadth of the order issued with respect to the Anthropic models is unprecedented."^[4] The word is his, not this publication's. The tool is old. The size of the thing it was pointed at is not.

What the government says it found

The stated trigger is a jailbreak. Anthropic says the letter "did not provide specific details of its national security concern," and that the company's "understanding is that the government believes it has become aware of a method of bypassing, or 'jailbreaking' Fable 5."^[1] Anthropic describes the demonstration it was shown in deflating terms: "To date, the government has only given us verbal evidence of a potential narrow, non-universal jailbreak, which essentially consists of asking the model to read a specific codebase and fix any software flaws."^[1] The company says the technique surfaced "a small number of previously known, minor vulnerabilities," that those flaws "all appear relatively simple," and that "other publicly-available models are able to discover them as well without requiring a bypass."^[1] Anthropic names one such model directly, writing that the capability shown "is widely available from other models (including OpenAI's GPT-5.5)."^[1]

That last point is the one the export-control frame has to answer for. If a frontier model from another lab can do the same thing without a bypass, and carries no order, the action is hard to read as containment of a unique capability. Egan reaches the same gap from the legal side: "It is also not clear why Anthropic's models were singled out for this treatment, as compared to other U.S. large language model AI companies."^[4]

The NSA test conducted under Project Glasswing, the government-collaboration program through which Anthropic had provided restricted Mythos access to cyberdefense partners, helps explain why officials were not in the mood to treat Amazon's jailbreak report as a minor technical complaint. The classified demonstration, predating the shutdown by a day, was the context the jailbreak rationale alone could not supply. The Economist's Shashank Joshi, who originally reported the Warner quote, later noted on X that the NSA result "surely depends on using Mythos alongside other tools under very particular conditions" and that it would be a mistake to read it too literally - adding an important caveat that the post's original framing did not include.^[9]

The SK Telecom thread

Running alongside the jailbreak dispute is a second concern that the government did not surface publicly but appears to have weighed heavily. Days before the June 12 shutdown, the White House had quietly ordered Anthropic to revoke Claude Mythos access from SK Telecom, South Korea's largest wireless carrier, citing alleged ties to China, according to reporting by WIRED.^[10] SK Telecom was among the roughly 150 additional organizations that gained Mythos access earlier that month when Anthropic expanded Project Glasswing. Anthropic complied immediately with the revocation; the government did not threaten export controls at that stage.

The case for a China connection rests on SK Telecom's historical relationship with China Unicom, a state-owned carrier. In 2004, the two companies formed a joint venture; in 2006, SK Telecom invested $1 billion in China Unicom's Hong Kong-listed convertible bonds, which were eventually converted into a roughly 6.6 percent equity stake. SK Telecom sold its remaining 3.8 percent stake back to China Unicom in 2009 for approximately $1.3 billion. A residual investment connected to that venture, valued at roughly $17 million, still appeared in SK Telecom's 2025 SEC filing.^[10] SK Telecom itself pushed back, saying the reports "lack verified facts" and that the company "has no ties to China." Anthropic, for its part, said the SK Telecom issue and the Amazon jailbreak report were separate matters, and noted that the export control letter sent on June 12 does not reference SK Telecom or China by name.^[10] But the confluence of concerns, a company with contested China-adjacent relationships accessing the world's most capable cyberoffense model, appears to have been what the Trump administration concluded it could not tolerate.

The contested account, kept contested

Around the order sits a second story that depends on who is telling it. David Sacks, co-chair of the President's Council of Advisors on Science and Technology, posted his version on X on Saturday, the day after the models went dark.^[5] By his account the government warned Anthropic that Fable 5 had been jailbroken, asked Dario Amodei to fix the bypass or pull the model, and Amodei refused; the export control followed "reluctantly," should lift "once the jailbreak is patched," and leaves "the ball in Anthropic's court."^[5] Anthropic's own statement similarly called the episode "a misunderstanding" and said the company was "working to restore access as soon as possible" - a version of events that a week of subsequent reporting has made look considerably less minor.^[1]

Anthropic sent senior technical staff to Washington for meetings with the Commerce Department and the Office of the National Cyber Director on Monday, June 16.^[6] Those talks did not produce a deal. By Wednesday the 18th, White House officials were telling WIRED that before Fable 5 could be re-released, Anthropic would need to ensure the model's guardrails could not be circumvented, period, rather than just patching the specific technique Amazon demonstrated.^[7] Independent security researchers promptly pointed out that universal jailbreak prevention is not achievable: because large language models are probabilistic, not deterministic, no company can guarantee what they will produce for every possible prompt.^[7] The administration, according to WIRED, views this as Anthropic's problem to fix.

A separate thread runs through Anthropic's largest investor. Amazon CEO Andy Jassy raised the jailbreak concern with administration officials after Amazon researchers used a series of prompts to elicit restricted information from the model.^[8] One source familiar with the company said Anthropic "was given 90 minutes to pull its newest model and was given no previous communication of a national security threat," a detail Anthropic's own account does not confirm.^[8]

Why the channel outlasts the dispute

It would be easy to file this as a fight between one company and one administration, sharpened by old friction. The friction is real: the Defense Department designated Anthropic a supply-chain risk in late February 2026 after talks between the two sides collapsed, and a lawsuit Anthropic filed to challenge that designation remains active.^[11] Egan notes the same designation.^[4] But the lasting result is not about Anthropic's standing in Washington. It is about what the episode showed can be done to any developer whose model is judged capable enough, and about what the negotiations themselves are producing.

Strip the episode to its moving parts. A discretionary authority, exercised by a single department, with no public rationale required and no finding of fact published, made a widely deployed American model unusable across the world in an afternoon. The remedy on offer is a private negotiation with no published rules, now in its second week. Egan's plea is for the missing half of the record: "The U.S. government has not publicized the order that it issued to Anthropic, the reason that the order was issued, or the legal basis for the order," he writes, adding that Commerce "can end speculation about its motivations and concerns with respect to Anthropic by issuing public guidance on the nature of the threat."^[4]

The regime that is emerging from this opacity is described bluntly by a former White House technology official who spoke to WIRED: "The Trump administration, frankly, should not have said that this was a voluntary regime. It seems very clear that what they are now doing is a licensing regime."^[7] Other AI labs have taken the lesson. Aidan Gomez, CEO of Cohere, summarized what executives are telling each other: "Advance notice, advance access. I think those are the primary asks that we've heard."^[7]

What it sits next to

President Trump signed an executive order on June 2 establishing a "voluntary" framework under which the federal government would receive early access to the most capable models, with an explicit carve-out stating it would not become a mandatory licensing regime.^[7] The Anthropic episode has tested both the "voluntary" label and the carve-out. A model whose developer chose not to submit could face exactly the mechanism applied here: a private letter, no public process, and an afternoon to comply.

None of the questions that follow from that have public answers. The administration has not said what compliance looks like, what the legal standard is, or what a successful patch would need to demonstrate. Ten days after the models went dark, the negotiations have shifted from "fix this jailbreak" to something closer to "prove you can be trusted with technology this powerful." That is not a conversation with a clear endpoint. The capability that earns a model a seat at the table is the same capability that puts it within reach of the switch. The switch, it turns out, does not require a law to throw.

AI Policy