Tim Schulz made the market case last week: your frontier provider now decides which capabilities you can build and deploy, so keep a fallback plan. Read his piece here: Your Frontier Provider Is Quietly Limiting Your Capability & Research. This is the deeper take, written for the people building security products on top of these models, focused on the vendor lens and the exposure.
Start with the timeline. On June 9, Anthropic released Fable 5, the most capable model it has ever made generally available. On June 12, the US government issued an export control directive, and Anthropic disabled Fable 5 and Mythos 5 for every customer worldwide. Three days. That is the entire useful life, so far, of the model a number of teams had already begun designing around.
For a vendor, that sequence is the whole argument. The capability you build on is not a fixed input. It can be narrowed by a classifier, gated to an invite list, or removed by a government letter, and none of those decisions run through your roadmap.
Topic-level filtering judges the subject. Security judges the intent. That gap is the problem, and it lands hardest on the people doing defensive work.
Fable 5 ships with classifiers that cover three areas: cybersecurity, biology and chemistry, and distillation, which is to say model development pipelines. Read that list again as a security vendor. It is a near-complete description of the working day: reverse-engineering a malware sample, analyzing exploit behavior, building and validating ML models, and doing the red and blue work that produces a defense. The classifier cannot tell a SOC analyst studying a sample from an adversary writing one, so it treats the subject as the risk and routes around it.
When a classifier fires, the request quietly falls back to Opus 4.8, a less capable model. You are notified, but you are not in control. Anthropic is candid that the safeguards are tuned conservatively, that they will sometimes catch harmless requests, and that they trigger in under 5% of sessions. Under 5% sounds small until it lands on the exact 5% your product depends on.
It also blocks the wrong population. The compliant vendor building legitimate tooling gets the fallback. The motivated attacker moves to open-weight models, self-hosted fine-tunes, and private criminal-market tools. Anthropic's own statement on the suspension makes this point for us: the disputed jailbreak surfaced only minor, already-known vulnerabilities that other public models find without any bypass.
Restricting a model does not delete the capability. It relocates it, often to where the defender is not allowed to follow.
There is a second cost beneath the first. Mythos-class models now carry a mandatory 30-day data retention requirement on all traffic, first-party and third-party, with no opt-out. Anthropic is explicit that it will not train on this data, that it has added access logging and deletion, and, just as explicitly, that the policy carries real costs with customers.
For a security vendor, that is the worst possible content to hand over without control: incident detail, malware samples, internal architecture, and the detection logic that is your actual product. Good intentions on the provider side do not change the posture your own compliance team and your own customers have to underwrite. "No opt-out" is a sentence that ends a lot of procurement conversations.
When the guardrails block the work and the data terms constrain the trust, builders stop tuning prompts and start rethinking the dependency.
The suspension proved Tim's point days after he made it. Access can change, and this time it changed in three days, by directive, with no notice, for reasons the provider itself publicly disputes.
Layer the gating on top. The full Mythos 5 capability sits behind Project Glasswing and an invite-only trusted access program run in consultation with the US government, with a separate invite program planned for biology. A seed-stage vendor with a legitimate use case can simply be outside the list. Even routine commercial access is in motion: Fable 5 is included on paid subscription plans only through June 22, then shifts to usage-credit metering on June 23. Pricing and availability move on the provider's calendar, not yours.
For a builder, that is a single point of failure sitting in the supply chain. If your differentiation depends on one model's top-tier capability, your differentiation is on loan.
None of this is an argument against safety, and it is not an argument against Anthropic. Reducing misuse uplift is a legitimate goal, defense in depth is a defensible strategy, and vendors carry real regulatory and reputational weight.
A security vendor cannot outsource its control layer to any single provider.
There are two honest paths, and they lead to the same place. You can stay closed and go multi-model, in which case you still need to enforce policy by intent rather than keyword, and you still need to see what the model actually does at runtime, because the provider's classifier is not your policy and its fallback is not your visibility. Or you can run open-weight models such as Gemma or Llama for full data custody and uninterrupted access, in which case you inherit model integrity risk, because an open-weight model pulled from a public repo can be backdoored before it ever runs. Either way, the control layer belongs to the team, not the vendor.
That is the assumption Starseer is built on:
The through-line is interpretability: judge intent and behavior by looking inside the model, not by guessing from the topic on the surface, and not by trusting a control layer you do not own.
The fix for guardrails without sight is not weaker safety. It is a control and visibility layer you own and can audit, sitting across every model you run, so that the next directive, classifier change, or pricing shift is an operational event rather than an existential one.