Here’s why locking up America’s most safety-obsessed lab may hand the future to the labs that care least, and what it means for the tools on your desk.

I’ll admit something that is going to annoy people who usually agree with me. For two years I have been the person at the dinner table saying slow down — the one muttering about guardrails while everyone else marvels at what the new model can do, the one who thinks “move fast and break things” is a terrible philosophy when the thing you might break is, say, the power grid or a teenager’s mental health. I am not the frontier labs’ biggest cheerleader. So it is a strange thing to sit down and write the sentence I’m about to write.

This week, the United States government punished an American AI company for being too careful — and I think it got the calculation exactly backwards.

Here is what happened, because the speed of it matters. On Friday, Anthropic — the lab that markets itself, more than any other, on safety — says it received an order from the U.S. government to suspend all access to two of its models “by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees”. Not foreign governments. Not sanctioned entities. Any foreigner — including the company’s own engineers on work visas, sitting in California. The notice landed, by Anthropic’s account, at 5:21 p.m. Because the company could not surgically wall off only non-citizens, it did the only thing it could: it abruptly disabled the models “for all our customers to ensure compliance”. One Friday afternoon, a company hit the kill switch on its own best product.

So far, this sounds like a dry story about export paperwork. It is not. It is a story about whether you can put a fence around knowledge — and what happens to the people who build the most responsible version of that knowledge when you try.

First, the part that is not in dispute

Let’s establish the facts before we argue about them.

Last week Anthropic launched two new models, Claude Fable 5 and Claude Mythos 5. Mythos is the eyebrow-raiser: the company calls it, in its own words, the model with “the strongest cybersecurity capabilities of any model in the world,” one that can “excel at discovering and exploiting software vulnerabilities.” Read that twice. A tool that finds the hidden flaws in software faster than almost any human — which is wonderful if you’re defending a hospital network, and terrifying if you’re attacking one. (Keep that double-edge in mind; the whole argument turns on it.) Fable 5 is the tamer, public sibling, and notably, when you ask it something dangerous, its safety system “automatically” hands the question off to the older, more cautious Claude Opus 4.8 instead. In other words, Anthropic built the brakes into the car.

Then, on Friday, the U.S. Commerce Department “used national security export controls to bar the company” from letting foreigners touch either model. What was the trigger? Here the official story gets thin. Anthropic says the government gave it only verbal evidence of a “narrow, non-universal jailbreak, which essentially consists of asking the model to read a specific codebase and fix any software flaws”. Sit with that for a second. The alarming capability is… asking an AI to read code and patch the bugs. That is the single most ordinary thing a working programmer does. According to Al Jazeera, the government’s letter “did not explain the government’s specific security concern in detail”.

To be clear about the novelty here: for years, Washington’s AI strategy was to control the chips — the physical sand that the models are trained on. This is something new. This is an attempt to put a fence around the model itself — the weights, the math, the trained mind. And the United States has reached for that exact lever before, briefly. In January 2025, the Commerce Department wrote a rule that added “a new control on artificial intelligence (AI) model weights” — the first of its kind. Then, four months later, it thought better of it and rescinded the whole framework “before” its compliance date. The lever was built, tested, and quietly put back on the shelf. Now it’s been yanked again — this time aimed at one company, over a single weekend.

So the government is just being prudent. Right?

Let me make the strongest case for the other side, because it deserves one and the people making it are not fools.

A model that can autonomously hunt for and exploit software vulnerabilities is, genuinely, a dual-use technology — closer to a weapons system than to a word processor. Anthropic itself concedes its Mythos-class models can make cyberattacks “substantially easier and cheaper to commit.” If you are a national-security official, the idea of a foreign intelligence service renting a superhuman vulnerability-finder by the hour is a legitimate nightmare. There is a serious, non-paranoid argument — made by careful analysts at places like the Carnegie Endowment, who note that keeping the most advanced systems among “the United States or its closest security partners may provide significant defensive advantages” — that some capabilities are dangerous enough to deserve a border.

I take that seriously. If the question were “should the most powerful cyber-offensive AI on Earth be available to anyone with a credit card?” my answer would not be a breezy of course.

But here is where the prudence argument falls apart on contact with reality. The fence only works if it actually keeps the dangerous thing inside. And the entire history of trying to wall off math says it does not.

We have run this exact experiment before

Here is where things get interesting — and where I’d ask you to time-travel with me to the 1990s, because we have already lived through this movie once. It was called the Crypto Wars, and the plot is almost eerily familiar.

Back then, the dangerous technology wasn’t AI — it was strong encryption. The math that today protects your bank login and your messages was, in the eyes of the U.S. government, a weapon. Literally. Encryption was classified as a munition. When a Berkeley math student named Daniel Bernstein wanted to publish an algorithm he’d written, the government’s position was that he would have to register “as an arms dealer” and “obtain from the government a license to publish his ideas”. A graduate student. Publishing equations. Treated as an international arms trafficker.

Does that sound absurd now? It should. And it sounded absurd to a lot of serious people then, too — including the industry’s own security experts. In the Bernstein litigation, a coalition that included RSA Data Security and former intelligence officials filed a brief arguing that the export controls “actually undermine the national security … by encouraging good crypto software to be built outside the United States.” Their warning was blunt: wall the capability off at home, and foreign developers “may well attempt to step into the vacuum”. The customers don’t disappear. They just buy elsewhere.

And how did the great experiment in controlling exportable math end? Not with a triumphant containment. It ended, by the turn of the millennium, with the government quietly relaxing the export restrictions — because the controls had become both unenforceable and self-defeating. The encryption spread anyway. It always does. You cannot un-invent an idea, and you cannot stop a number from crossing a border. The only thing the controls reliably accomplished was handicapping the American companies that were trying to follow the rules.

Swap “encryption” for “model weights,” and you have read this week’s headlines.

Now imagine where this goes

Play it forward — not in some sci-fi register, but in the boring, plausible way these things actually unfold.

It’s three months from now. A cancer researcher in Toronto who’d been using Fable to comb through genomics data is locked out mid-project. A startup in Lagos that built its customer support on the model goes dark overnight. And the Anthropic engineer on an H-1B who helped build the safety system? She can’t log into her own creation, because she was born in the wrong country. None of these people are a threat to anyone. They are simply the people a blunt instrument actually hits.

Meanwhile — and this is the part that should worry the hawks most — the capability does not vanish. It migrates. Because here is a number worth tattooing on the wrist of every official who thinks a wall will hold: Chinese open-source AI models already account for “nearly 30 per cent of total global use of the technology”. Thirty percent — and climbing — of the world is already reaching for models you cannot put an American fence around, because their weights are published for anyone to download. Tell the world it can’t have the careful, safety-wrapped American model, and you have not removed the demand for frontier AI. You have simply addressed it to a different return address — one with no Opus-4.8 brake pedal, no safety classifier, no off switch you control.

Now imagine the second-order move. Allied governments — Britain, India, the Gulf states, the EU — watch America yank a commercial product from their researchers with no warning and conclude, reasonably, that depending on U.S. AI is a strategic risk. So they fund their own. “AI sovereignty” stops being a slogan and becomes a budget line. A decade from now, the safety norms that Anthropic spent years championing don’t travel the world inside the best models — because the best models, in half the world, are no longer American.

And the cruelest twist of all: what does this teach the next lab? Anthropic is the company that released its most powerful model to the public “with guardrails,” after pleading with the industry to agree on “a coordinated brake pedal on frontier AI development”. It got punished anyway. The lesson a rational competitor draws is not be more careful. It’s be more quiet. Don’t publish the capability. Don’t advertise the safety research that reveals what your model can do. Transparency, it turns out, gets you nationalized; opacity gets you market share.

And this isn’t the first warning shot

If this were a one-off — an overcautious official overreacting to a scary demo on a Friday — I’d file it under bureaucratic clumsiness and move on. But it fits a pattern.

Only months ago, the same administration came down on the same company from a different direction. When the Department of War demanded that Anthropic remove its safeguards and accept “any lawful use,” the company refused two use cases in particular — mass domestic surveillance and fully autonomous weapons — on the ground that “frontier AI systems are simply not reliable enough” to hand a kill decision to a machine. The government’s response to that act of caution was to threaten to brand Anthropic “a ‘supply chain risk’ — a label reserved for US adversaries, never before applied to an American company”.

Read those two episodes together. A company says we won’t build autonomous weapons because the tech isn’t reliable enough and gets called a national-security risk. A company builds a powerful model with the safety brakes engaged and gets cut off at the knees. Whatever the intent, the signal being broadcast to every AI lab in America is unmistakable: caution is not rewarded here. It is penalized.

What the smart people are saying

This is the rare issue where the analysts who agree on almost nothing else start to converge — which is usually a sign there’s something real underneath.

From the skeptic-of-controls side, researchers at the Center for AI Policy and Yale have warned that export controls on models would “stifle domestic innovation and erode U.S. leadership,” all while being “particularly vulnerable to circumvention”. From the sober center, the same Carnegie analysis that grants the defensive logic also concedes that “unilateral U.S. export controls may simply cause American firms to lose market share to foreign competitors” and “accelerate other countries’ development of independent” supply chains. And the civil-liberties tradition — the Electronic Frontier Foundation, which won the encryption fight a generation ago — has been screaming the punchline the entire time: you can’t classify knowledge into a cage.

Notice what unites them. It isn’t naïveté about national security. It’s a hard-won understanding that the enforceability is the whole game — and digital capability, unlike a missile or a centrifuge, copies for free and crosses borders at the speed of light. A control you can’t enforce isn’t a security measure. It’s a tax on the law-abiding.

What does this mean for you?

You might be thinking: I’m not an AI company, and I’m not a foreign national. Why should I care? A few reasons, concrete and close to home.

• If you use AI tools for work, treat portability as a feature, not an afterthought. Friday proved that access to a model can vanish in an afternoon, for reasons that have nothing to do with you. Don’t hard-wire your business to a single model you can’t replace. Keep your prompts, your data, and your workflows in a form you could move.

• Watch how elastic the words “national security” turn out to be. This is the precedent that matters. If a commercial chatbot can be reclassified as a controlled weapon over a weekend, with a letter that “did not explain” itself, ask which other everyday software is one scary demo away from the same treatment.

• Learn the difference between safety and restriction — because officials will blur them. Anthropic building a brake pedal into its model is safety. The government cutting a Canadian cancer researcher off from that model is restriction. They are not the same thing, and a policy that punishes the first in the name of the second is getting it backwards.

• If you care about American competitiveness, say so out loud. The instinct to wall things off feels strong and patriotic. The history says it hollows out the very industry it’s meant to protect. That argument needs citizens making it, not just lobbyists.

The lesson, as I see it

I started by admitting I’m usually the one asking AI to slow down. I still am. The capabilities inside these models are real, and some of them genuinely frighten me. But there is a world of difference between governing a powerful technology and quarantining it — and only one of those is actually possible.

You cannot win the future by locking your best ideas in a vault and hoping the rest of the world forgets they exist. The Crypto Wars taught us that the wall doesn’t hold; it just decides who gets hurt while it’s up — and it’s never the adversary you were worried about. It’s the researcher, the ally, the rule-following company, and ultimately your own industry’s place in the world.

If a capability is too dangerous to share, the answer is to build it more safely and lead the standards for how the whole world uses it — not to hand that leadership to whoever is willing to be the least careful. We had, this week, the most safety-obsessed version of a frontier AI that exists. And our first instinct was to bury it. One can only hope we dig it back up before someone less scrupulous sells the world a version with no brakes at all.

The HAIA Foundation exists for exactly these moments — when a fast decision in a quiet room reshapes how the rest of us get to live with intelligent machines. If this clarified something, forward it to one person who still thinks “national security” and “national interest” are always the same sentence. We’re keeping watch, over on our Substack.