Author: gem

Anthropic, June 12, 2026

“The US government, citing national security authorities, has issued an export control directive to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees. The net effect of this order is that we must abruptly disable Fable 5 and Mythos 5 for all our customers to ensure compliance. Access to all other Anthropic models will not be affected.“

By now you probably know that BIML believes the “Mythos is too dangerous to release” thing was mostly great marketing spin. We made our position on this clear way back in April and even said so to the NY Times. Sure, advanced LLM models can be helpful if you want to break software, but they can be just as helpful fixing software security problems. Bottom line for BIML based on lots of conversations with hands on hackers and software security types: we don’t find Mythos much more dangerous than any other advanced LLM models. And just so you know, we are used to this “tools go both ways” thing in software security.

Further, we don’t think anyone has a clue about how to measure or compare the security of LLMs. That’s what our latest big paper, No Security Meter for AI, is all about. Give it a read. What makes Mythos more dangerous than, say Opus 4.8? Nobody knows how to measure that. Really. Not even Anthropic.

So what about this export control situation? According to David Sacks, a Fable 5 jailbreak (intentionally tickled by trusted advisor “red teaming”) caused the government to step in and declare certain models munitions. The logic seems to go, if you can jailbreak Fable 5, you get Mythos-level “cyber cyber.” Anthropic disagreed that the jailbreak is serious, the Administration put on the export control restriction, and here we are.

Huge irony number one is that Anthopic was the one who started all this with the “too dangerous to release” spin. I guess the US government people who made this decision have not kept up with their BIML reading! Alas. Anthropic is now lying in the bed they made.

Though this sort of thing may come as a shock to non-security people, lots of us old school security people remember the crypto wars (before “crypto” came to mean high bullshit “currency”) and what happened when the US Government banned the export of certain kinds of cryptographic algorithms. Bottom line, that didn’t work at all and it made the US Government look pretty silly for trying to outlaw certain kinds of math. Deja vu all over again. Outlawing software?? What?

Huge irony number two is that the US Government may be accidentally crippling US AI by stepping in with a barely-thought-through export control restrictions. Which foreign governments and companies want to be subject to the whims of the current administration when it comes to AI? Better to use Chinese models or open weight models. (You rememebr what happened when the US government tried to outlaw math, right? It greatly helped foreign companies take market share.) Starseer’s guest blog post, Your Frontier Provider Is Quietly Limiting Your Capability & Research, pursues this angle but from a pure business perspective.

Anyway, we’re not sure which irony is more delicious. I guess using security FUD is a terrible idea for both companies and governments.

Ultimately, at BIML we believe everyone should just fix the damn software instead of trying to control powerful tools that find bugs. We want our Fable 5 access back too.

We think this blog entry by starseer.ai CEO Tim Schulz is important enough that we asked for permission to reprint it here. Do us a favor and check out starseer’s white box offerings—opening the black box of AI so you know what’s going on in there. REQUEST A STARSEER DEMO.

Anthropic’s latest release changes the relationship between the company and the people who build on its models. With this release, Anthropic is increasingly deciding what kinds of work its models will and will not do. There has always been some version of this around NSFW or clearly abusive use. The new release goes further: the guardrails are deliberately broad and flag a wide range of biology and cybersecurity questions, along with work that resembles AI and ML model development pipelines.

These restrictions are framed as AI safety. In practice they constrain what customers, including legitimate businesses, can do with a frontier model. That is a real problem for anyone whose business case depends on those capabilities.

Gatekeeping, by design

Project Glasswing is an example of the pattern. Early access went to the largest players, so a smaller company with a legitimate use case may simply be left out. The refusals do not just hit commercial use. They also reach research startups and academic institutions using AI to push toward cures for disease and other illnesses.

Anthropic’s own Fable release showcased exactly these capabilities, then gated them. According to Anthropic’s Fable 5 and Mythos 5 announcement, the Mythos-class model accelerated parts of drug design by roughly tenfold, designed proteins autonomously, and produced strong drug candidates for nine of fourteen protein targets.

Anthropic then routed most biology and chemistry requests on the public model to the older, less capable Opus 4.8, with full access gated behind a vetted, invite-only program. In effect, Anthropic is positioning itself as the gatekeeper for who may use frontier research capability in this domain. That is a chilling prospect for independent research.

This is a reliability problem

If Anthropic decides a use case overlapping with your business is now off-limits, you have little recourse. It points to a future where a handful of frontier providers become a hard dependency for how organizations deploy AI and agents, which should be a wake-up call.

Anyone building on frontier models needs to be testing alternatives and maintaining a fallback plan, because access can change. Models can be shut off, or a provider can dial up more restrictive classifiers for a period, for instance if a capability starts being used in active attacks, disrupting everyone on the service.

Until recently, the working assumption for most businesses was that frontier access was largely a matter of being able to pay for it. That is no longer the case.

Watching the sorting of who gets frontier access

Expect a continually expanding list of things Anthropic will not let you do. I am skeptical this actually stops sophisticated nation-state actors, since the top tier already has access to these capabilities. Access now depends heavily on your specific use case, and we are watching a sorting of who gets true frontier access. Frontier red teams, for instance, have long had pre-safety-training checkpoints that ordinary commercial customers never see.

As these companies head toward IPO and settle into a role as underlying infrastructure, customers will need real reliability guarantees. The current pace of change in capabilities and guardrails works against that. Anthropic has already walked back one of these guardrails, the one affecting ML work, so that it at least notifies you when your output is being degraded. But this is a policy posture that every enterprise will now have to set its own comfort level around, given how fast a major provider can shift the rules.

BIML’s thoughts about Paprenot’s eye-opening worm paper captured by Fortune. Sharon Goldman in one of the best AI security (MLsec) reporters out there.

Read the story here.

This long conversation on the Data Culture podcast features a great overview of the work we do at BIML, including coverage of why we are a non-profit. Have a listen..

Who dat?

BIML of course…in very good company.

Lots of old friends.

Alex Presiding.

And some takeaway messages encoded in bits.

Do you remember the Morris worm? Because we do. We watched it take the Internet by storm in 1988 when the net was small and mostly .edu sites connected with UUCP (there were only around 60,000 computers on the net those days). It was a big day in Net history and a watchman’s cry for the rising importance of computer security. Turns out that connected computers are subject to automated network-based attacks. Overnight, computer viruses escaped the sneaker net and grew wings.

Fast forward 38 years. Today there are 6 billion or so people on the Internet, often using multiple devices. And worms have evolved through SQL Slammer, Conficker, Stuxnet, and WannaCry—which all targeted exactly one bug—to Agentic AI controlled worms that grind on a target looking for ANY BUG. The viruses that grew wings in 1988 have developed relentless little brains.

This is Papernot at his best, reminding us why Machine Learning Security is crucially important. We’ll have a closer look this week and possibly revisit our annotated bibliography’s TOP 5.

Here is the abstract from the academic paper. We are tempted to call this new worm concept “Morris.”

A computer worm is malware that spreads on a network by replicating itself from one machine to another. Traditional worms, like WannaCry, exploited predetermined vulnerabilities, and their spread can be halted by patching those vulnerabilities. Here we show that artificial intelligence (AI) agents enable a fundamentally new threat: a worm that generates tailored attack strategies to each target it encounters. The worm parasitically uses compromised machines to run open-weight large language models (LLMs) to sustain its reasoning, or extend its reach for further attacks. Deployed on a network of machines spanning Linux, Windows, and IoT (Internet of Things) devices, the worm propagated by exploiting common, real-world corporate network vulnerabilities. Since the worm is powered by stolen compute, the attacker’s marginal cost per new infection is zero. This creates a destabilizing economic asymmetry between attackers and defenders. Moreover, because the worm requires no commercial AI platform, centralized safety controls, such as service refusals or rate limiting, are structurally irrelevant. Our results demonstrate that self-sustaining AI-driven cyber-threats are no longer theoretical. We must prepare for autonomous generative adversaries: malware systems that propagate without human operators and are defined not by fixed exploit code, but by the capacity to reason about targets, adapt to observations, and synthesize attack logic in real time.

Thirty-eight years after 1988, we now have AI enabled malicious code leveraging the Trinity of Trouble with automated goal-driven intelligence for next to no cost. Expect things to change.

This story was broken in the New York Times by Cade Metz who provides an excellent story.

Cynthia Brumfield wrote an excellent, in-depth article for CSO on recursive pollution that is well worth a read. At BIML, we still believe recursive pollution is the #1 risk for LLM technology. Recursive pollution subtle and nowhere near as sexy as prompt injection, but it leads to insidious wrongness.

Read the article here.

BIML is proud to host Patrick McDaniel, an OG of machine learning security (prominently featured in the BIML TOP 5) and a Dean of Research at Wisconsin, for a visit to the BIML Barn. Patrick arrived in Berryville late on Thursday and was greeted with a Liberal or two on the porch. We stayed up way too late talking about AI and security.

In the morning after breakfast, we spent much of the Friday research discussion going over our soon to be released paper No Security Meter for AI. Patrick has been thinking about measuring ML behavior for a long time, and was an early proponent of a whitebox approach. He had lots of very useful feedback for us.

Does science really get done around the kitchen table? Why yes. Yes it does. (And technical talks really get delivered in the BIML Barn.)

We ventured into greater metropolitan Berryville for lunch and coffee.

And then Patrick delivered a new talk as a BIML in the Barn feature to be released on May 13th. Patrick’s talk really surprised us and in very important philosophical ways.

After the talk we shared a cocktail on the patio. Maybelline is an honorary BIML dog.

Patrick enjoys a well-deserved Lemon Mint Fizz.

And then it was off to dinner with BIML spouses at Huntōn in Leesburg.

Fantastic visit. These kinds of human interaction are absolutely critical as we construct a reasonable approach to machine learning security.

Gary McGraw, cofounder of the Berryville Institute of Machine Learning, pointed to a core gap: Today’s benchmarks tend to measure how well AI systems can perform security tasks—not how secure the systems themselves are. Companies need to keep that distinction in mind when evaluating their tools and defenses.

McGraw warned as far back as 2019 that securing machine learning systems would be “one of the defining cybersecurity struggles of the next decade.” That moment has now arrived.

“These meetings are a way to remind ourselves of the fundamentals,” he said, “as we try to define what machine learning security actually is.”

What was to be a more standard copy of the BIML risk talk, instead was transformed into a debut of BIML’s forthcoming paper No Security Meter for AI. (expected mid-May) for an audience of NIST computer scientists.

It’s always fun to debut a talk for an audience that is engaged and knowledgeable.

While we were inside the very industrial Chemistry building for a talk that was 80% zoom, it rained outside.