Data Protection Network

US lifts export ban on advanced AI tools

Anthropic reactivates Mythos 5 and Fable 5 after securing US government approval

The cyber security world was up in arms when the US Commerce Department imposed export restrictions on access to Anthropic’s most powerful AI tools – Claude Fable 5 and Claude Mythos 5. Concerns over national security were cited. But the export ban has now been lifted.

San Francisco based Anthropic has been allowed to restore access to its newest and most powerful AI models. The US government is said to be satisfied Anthropic has addressed risks these models could be used by hackers to exploit weaknesses in computer systems. The firm has also reportedly agreed to collaborate on future releases of AI models and alert the US government to any malicious activity, with the US reserving the right to reconsider restrictions if deemed necessary.

What do these models do and why is this significant?

Mythos 5 is an advanced, unrestricted version of Anthropic’s flagship Mythos-class AI, explicitly designed for high-stakes enterprise, cybersecurity, and biological research. One of its uses is to detect software vulnerabilities more effectively than any other model and, it’s said, better than all but the most skilled human experts. It’s widely seen as a game changer for enhancing cyber defences, but on the flipside, its capabilities make it very attractive to malicious actors who wish to use it for cyberattacks. Mythos 5 access is limited to a coalition of trusted partners, just as it was prior to the ban.

Fable 5 is a general purpose, public version of its more powerful Mythos AI designed for consumers as well as businesses. It’s said to be capable of deep reasoning and performing complex tasks independently. It can be used for complex coding, multi-step agentic tasks and long-form reasoning. It comes with hard limits around high-risk areas such as cybersecurity, biology and chemistry.

Concerns were originally raised when early versions of Mythos Preview and Mythos 5 discovered over 10,000 high or critical vulnerabilities across critical global software networks. The good news is Mythos 5 doesn’t just flag these vulnerabilities; it can also write remediation code, execute it in a secure environment and run its own validation tests. This compresses the traditional timeline between exploit discovery and patch deployment from weeks to seconds.

The threats

A big concern with Mythos-class AI lies in its ability to execute multi-stage, asynchronous agentic planning. If a malicious actor gained access to use these cyber capabilities, the threats could shift from human attacks to far quicker machine-speed attacks.

When adversaries mount a cyber-attack and successfully gain access, their next step is to “break out” – move laterally to find high value assets. The speed or “breakout time” determines how fast cyber defences need to respond to protect assets and reduce the costs and damages associated with a cyber breach. So if the speed of attack gets much quicker, defences will have very little time to respond. The impact for some organisations could be very serious.

Anthropic appear to be taking security seriously, but perhaps we should all be planning for a future when AI models are increasingly powerful, but might not benefit from such a high level of safeguards. The cyber threat is very real and only likely to increase.

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).
Data Protection Network