Anthropic's newest models can help find software vulnerabilities and also help attackers exploit them. The U.S. pulled them offline over national security concerns, but competitors are reportedly close behind.
The U.S. government told Anthropic to pull its two newest AI models offline last week, citing national security concerns. The directive lands on one lab in a field of several, and security experts are already asking whether blocking a single vendor can slow a race that is already running across the industry.
The action targets Anthropic's Claude Fable 5 and Mythos 5, both of which the company describes as "dual use": the same queries that help cybersecurity professionals find software vulnerabilities can be used by attackers to exploit them. That is what makes the category dangerous, according to Wired's reporting on Anthropic's launch materials.
The Trump administration moved to restrict both models on the grounds that Fable 5's guardrails could be disabled to reach Mythos 5's capabilities, Wired reported. Anthropic took the models offline late last week and has been in talks with the White House since Friday, though no agreement has been announced that would let the company put them back.
But the action reaches only one lab in a competitive field. Tarah Wheeler, chief security officer at TPO Group, told Wired that the focus on Anthropic is shortsighted. "It's myopic in the extreme to think that no other competitors to Anthropic will develop similar capabilities to Mythos or even that they have not already done so," she said. "There are other companies hot on Anthropic's heels who probably have the capabilities, too, and are holding them in reserve."
Wheeler's point is the heart of the policy mismatch. Export controls work best when the controlled item is scarce or hard to reproduce. Frontier AI capabilities are neither. Anthropic debuted Mythos in April and privately released Mythos 5 last week to a small consortium called Project Glasswing, according to Wired. If competitors are sitting on similar models, as Wheeler suggests, the U.S. action functions less as a brake on the technology and more as a temporary inconvenience for one company.
That is not a reason to leave advanced capabilities unregulated. It is a reason to pick a regulatory tool that matches the structure of the field. Single-vendor export controls, by design, apply to one address. A multi-vendor race toward dual-use cyber and biological capabilities calls for governance that can reach the category: shared evaluation standards, mandatory pre-deployment testing for the highest-risk capabilities, and disclosure rules that apply to any lab reaching the threshold, not just the one that publishes first.
The current action, as Wired frames it, is built on a "coming no matter what" premise: the same dual-use capabilities that make Mythos 5 valuable to defenders will keep being developed, and the question is whether policy catches up or keeps running behind. Anthropic framed its own models in those terms at launch, warning that the line between protective and offensive use is a design problem, not a deployment choice.
The unanswered question is what governance, if any, is calibrated to a race with several entrants. Pulling one lab's models offline makes a statement. It does not, by itself, slow a field that is already moving.