This seems mostly correct. I am more optimistic that the White House will let Mythos, Fable, Sol and other models through after some delay, as it would be too painful to not do so on many levels.
This indeed actually happened today, see Andrew Curran's tweet about this, or Anthropic's tweet.
The picture of the actual letter is below:

So suppose, in theory SCOTUS told the American government that once an LLM exists, they could not in any way control what was done with it, because any use of an LLM is expressive speech.
But this is highly unlikely, unless our whole existing edifice of interpretation of the Constitution is overturned.
As things stand today, if it is ruled that the First Amendment issues are actually involved, this means that the strict scrutiny standard applies, as established by SCOTUS during FDR presidencies: https://en.wikipedia.org/wiki/Strict_scrutiny.
That should be quite sufficient to justify reasonable enforcement in the situations where it's vital.
(And these days, if courts do deviate from the existing practices in this area, it is unlikely to be in the direction of establishing more liberty.)
Excellent, the most aggressive offensive hacking organization on earth (the us government) has the best cyber models pressed into service for it while the rest of us can be relieved that if we don't catch them hacking us, we can pretend it isn't happening.
We, or at least ‘more than 100 American institutions,’ got Mythos back this week.
What we the people do not have is Fable or Sol.
While we wait for both Claude Fable 5 and GPT-5.6-Sol, today we instead got Claude Sonnet 5. As usual it will take a few days to get a handle on the new model. In this case, Anthropic is representing it as a cheaper and faster version of Opus 4.8, so even though the number says 5 this is a relatively minor development.
This post expands the Fable series to cover all further developments this week surrounding the Mythos Moment, and the various aspects of handling our new ad hoc licensing regime and figuring out policy going forward, and other aspects of policy as well.
This includes my notes on various rhetoric being pulled out, where I fear I end up saying similar things every so often, because we are doomed to repeat the cycle. I have accepted my role in that, but those are sections many of you can skip, and are marked in italics accordingly as per usual.
Table of Contents
You Should See The Other Guy
Important context for discussions these days:
Regulation is more needed when your model is more capable, or is closer to the frontier, and less needed otherwise. If you’re only producing Chinese-level results in America my understanding is you can do pretty much whatever you want. That doesn’t make our new restrictions good, but it puts it in perspective.
DeepMind Coders Of The World, Unite
Andreas Kirsch says that Google DeepMind and Demis Hassabis bet on a strong safety culture and good leadership built on trust, rather than on formal governance, and that when put to the test that failed. They still signed a Pentagon contract with enough weasel words that the Pentagon has all the leverage and can do whatever it wants. It does not matter what DeepMind’s people want, or that 600 employees signed a letter to not give in, because the government had too much leverage on Google, and the safety interests were abandoned.
The only way DeepMind’s employees would matter is if they were willing to use their leverage for real, and strike or quit. That didn’t happen this time.
Which is exactly why Kirsch and UTAW/CWU are fighting for Unite recognition, so they can fight for such things.
Report Your Incidents
Charlie Bullock highlights the new AI Incident Reporting Act, introduced by Rep Nate Moran (R-TX), which he says does a good job handling preemption, and uses a capabilities-based threshold for what is a covered model, which is tricky but in theory great.
Good Guy With An AI
The parallel with guns does not work the way you would like it to.
The situation in which the ‘bad guy’ and ‘good guy’ have access to the same model is not the good scenario. That’s the bad scenario.
It is not as bad as the ‘bad guy has the superior model’ scenario. But the whole idea behind our policy is that the good guy needs access to an actively superior model, first, because if everyone has the same starting pistol then the bad guys can do a lot of damage before the good guys are done patching.
Part of this is that previously, the bad guys had a talent deficit, since most people do not want to be the bad guy. You had one black hat and a lot of white hats. But if the bad guy can scale as large as the funding, because the AI minimizes the need for talent, and doing bad things gets you more money, you have a rather large problem.
The open model paradigm can, at most, provide equality here.
There are claims that ‘at the limit’ the offense-defense balance favors defense, and superior tools will make everything more secure in practice, not less secure. I am skeptical of this, because of the ability to use automated tools to concentrate fire, and because I don’t think full bulletproof is a thing for most important places. But even if it is true, you still need to get to that point.
Realistic defense optimism depends on the defenders being given advantages and us working hard to make it happen. It is not an outcome that happens for free.
Free As In To Give It A Shot
So far AI policy has been the Executive throwing its weight around and Congress being unable to act. What about the judiciary? The judiciary can act with speed in some cases, and its rulings could do some very bizarre things.
For example, the First Amendment was not at all designed for this moment, but it could get weird fast.
If we, the people – and yes, literally I mean any subset of humans, whether or not it is close to ‘those who are considered Americans today’ – want to maintain sovereignty in any meaningful sense, in the face of sufficiently advanced AI, that is going to mean a variety of controls on various aspects of such AIs. If we don’t do that, whatever else happens, such AIs will end up being the only ones potentially meaningfully sovereign.
In general and in practice in 2026, as a descriptive statement, I am more on the ‘not a suicide pact’ and ‘let him enforce it’ side of what I expect to be the judiciary’s role on this, where it counts, even if laws cannot be passed to override. Sufficiently crazy or unacceptable rulings in the AI space will get worked around, overridden or ignored.
Part of this is that I view a wide variety of things we already do, in non-AI contexts, as rather obviously unconstitutional, including a lot of ways we violate the First Amendment or claim to be ‘regulating interstate commerce’ and so on. That is both a descriptive statement of my view of the law as opposed to that of SCOTUS, and part of that is my normative support for much broader general free speech protections, and part of that is recognizing that these ships appear for now to have sailed, such that if the courts tried to enforce the actual words they would presumably fail.
Everything Is Both Speech And Computer
People are still determined to try. Thus, we are getting another round of people saying ‘code is speech.’ Technically yes of course code is speech, but a lot of things that we regulate these days are speech.
Some also now want to classify AI models themselves as speech and claim first amendment protections at the model level, such as Preston Byrne here.
I get where they are coming from, but there are lots of limits on things that are ‘similar levels of being speech.’ If we took everything that was ‘as much speech’ as an AI model, and said we could not restrict them, then our entire regulatory apparatus and civilization would work very differently.
Also, I do not think those advocating for the ‘freedom’ position understand the implications here, and are being insufficiently careful what they wish for, if this actually proved to have teeth, as opposed to ‘we control various levers of power over you so you will do what we say regardless.’
As I said above, I don’t think that holds as a practical matter of law, but courts surprise me reasonably often.
So suppose, in theory SCOTUS told the American government that once an LLM exists, they could not in any way control what was done with it, because any use of an LLM is expressive speech. And let us suppose, because of reasons, that there is no way around this in practice.
The obvious response of a government like ours – which to be clear I am not endorsing, I am only predicting, this is not normative – would be to prevent you from training a sufficiently advanced LLM, since this is too dangerous a thing to exist with zero controls on it.
Similarly, if once you get your hands on the LLM you can do what you want with it, then once the government has sufficiently woken up and the LLM is sufficiently capable, the battle would shift to not letting you get your hands on it unless you were someone it can control, or making you unable to run it in the first place.
The government is going to use the tools it has available. When you take away tools, it doesn’t drop the matter, it grabs whatever is left. The next issue is similar, if we can’t have independent regulators then we don’t get nothing. We get dependent regulators.
Lambs To The Slaughter
To that point, SCOTUS is if anything making this harder this week, not easier.
The 6-3 ruling in Slaughter v Trump overruling Humphrey’s Executor was not a surprise, but the quest for non-political regulations of all kinds got a lot harder this week.
SCOTUS has ruled that the President can fire, at any time, for any reason, anyone involved that he damn well pleases, with the exception of the Federal Reserve, which is, you know, because of reasons, the historical tradition and all that.
I think this is a rather terrible ruling in terms of its implications, and also on its merits, that will have far reaching consequences in other areas, and it also rules out what we would want to do to regulate AI without turning it into a political football or partisan weapon.
Dean Ball disagrees with me and agrees with SCOTUS’s decision more generally, advocating ‘stripping away the fiction’ of nonpartisan agencies like FTC and SEC, and owning that they are partisan. In those cases especially, I strongly disagree. I think that even ‘the fiction of’ such non-partisanship is vital, and we should not return to a spoils system where the tools of financial and speech regulation are used openly for partisan advantage. Even if they’re going to somewhat be used this anyway, having to somewhat hide and be ashamed of, and not having the direct leverage, mitigates the damage.
How can we have a legitimate government, respected by the people, when it is known that such agencies are being used to hunt the President’s political opponents and favor his friends and those who pay him money? Do you think that, if a Democrat were to retake the White House, that this would not happen in reverse?
I used to think it was good to strip away hypocrisy in such spots. Now I have a better appreciation for Levels of Friction and what happens when you create common knowledge that the norms do not hold, and I no longer think that.
In the case of AI, I don’t agree but I see practical reasons why this is reasonable, such as the need to pay dearly for expertise. But that completely doesn’t work for FTC or SEC?
Perhaps (mostly kidding) we can move CAISI inside the Federal Reserve? I presume I am kidding, but also the main disaster scenario currently being contemplated is that cyber attacks compromise banks or the money supply. If we can place CAISI in Commerce, where it already clearly doesn’t really belong, why not the Fed?
Unfortunately, due to the Fed’s limited powers, we cannot move the actual AI regulator itself inside the Fed. We could in theory still move CAISI, if Congress wanted to, since it only provides information that others use to regulate, but it involves a host of other problems and also asking Congress to do it.
A Sign Saying Beware Of The Leopard
The basic situation these days:
A lot of people are suggesting instead that the leading X-ray glasses manufacturer is to blame because it kept pointing out X-ray glasses can also see through your walls, whereas the glasses should instead pretend they cannot do this.
Those glasses can, for example, be used to wipe out bank accounts, among other things, as he demonstrated to a Republican congressman.
Whereas Congress is on the level of ‘wait, the x-ray glasses are supposed to be AI?’
The new capabilities are scary, in large part because the people being scared did not even know about most of the old capabilities.
The Once And Present Mythos
The play by play:
We do at least have Mythos 5 back, for ‘more than 100 US institutions, including major companies and government agencies’ as well as all Anthropic employees. Here is the front page of the letter Lutnick sent, without its Appendix A listing the institutions involved.
Fable 5 appears to be on track to return soon according to Axios, saying the Trump administration was as of Saturday close to restoring access. Success however depends on the NSA and Pentagon giving the green light, and relations with the Pentagon are Not Great, Bob.
I had not realized that throughout the whole Fable situation CAISI has been halted.
Does this all at least mean they care now?
Kinda. On some levels, yes. On other levels, no.
America takes a few narrow particular worries seriously now, but is definitely not thinking seriously about the problem of sufficiently advanced intelligence in general.
I mean, look, massive emergency mRNA vaccine factories are obviously a great idea, but also well outside the amount to which we are taking the situation seriously.
What Is To Be Done
Dean Ball offers two essays in one.
The first is his description of the current state of affairs regarding Mythos and Sol.
I would summarize his overview as:
This seems mostly correct. I am more optimistic that the White House will let Mythos, Fable, Sol and other models through after some delay, as it would be too painful to not do so on many levels. And I do think that some amount of restrictions on access to the exact frontier is inevitable and necessary, and I am more optimistic that good versions of this can exist. Otherwise, basically, yes.
The second half is what should be done about the situation.
That seems like a reasonable place to start. I’d very much consider it ‘the least you can do,’ at most an MVP (minimum viable product), and go from there. Longer term we are going to need to smash the Overton Window and do things that are not so cheap.
Distillation
Anthropic has formally accused Alibaba of massive distillation attacks on Claude, via almost 25,000 fraudulent accounts generating outputs for this purpose.
Even if you think there is nothing inherently wrong with distillation on incidental outputs, doing this systematically to generate specific training data using 25,000 fraudulent accounts is very direct and massive fraud and violation of the terms of service, not by a regular user but by a major international corporation.
If you say ‘well they trained on books and other data that wasn’t theirs so now we should get to defraud them and steal from them,’ then I disagree in the strongest possible terms, and believe that at best you are conflating very different things.
I reject any and all versions of ‘this other person did this other bad thing so I get to take their stuff or their work, or otherwise do whatever I want to them.’
If Anthropic was objecting to Alibaba training on Claude outputs that already exist in the wild, rather than generating outputs for this purpose, then I think you would have a potentially valid parallel.
As a reminder, Google has an announced policy that it uses intentional silent degradation of outputs in response to distillation attacks on Gemini, and everyone seems fine with that. Anthropic presumably cannot follow suit given the historical circumstances here, but I think for known distillation attempts in particular (as opposed to other forms of AI research) this is exactly the right response, and indeed by far the best plausibly effective response. The only other way to prevent this is to require proper access controls and use KYC. Whereas if you simply don’t want to help others do work, you should simply refuse or drop down to a previous model.
In theory Anthropic could have sued in court instead. The CCP would never cooperate, but Alibaba is big enough that American courts can potentially reach it anyway. Many years later maybe that gets them some damages, but that money is unlikely to matter, and realistically the courts are not going to move fast enough or treat this sufficiently seriously, or be able to get enforceable injunctions.
There is an unsubstantiated rumor that GLM has an internal router behind their coding plan, where if you make an out of distribution query they route it to Claude Code to use for distillation, which justifies them paying the API cost of doing so. I doubt this is actually happening, but is worth noting as a conceptual idea.
What Would Banning Open Source Even Mean
Last week I discussed what it would look like if the USA wanted to ‘ban open source.’
As Yo Shavit points out, the only way to do this and actually stop the relevant threat models would involve Chinese and other international cooperation. Otherwise, you can mess up American ability to use such models, but that wasn’t the concern.
The exception, and the way in which ‘ban open source’ is a coherent concept, is the sense in which it is already banned: You cannot open source a truly frontier model, any more than you can serve it to customers without the White House’s permission.
This has been true for a while now, but it never came up because the economics do not make sense. The moment you have an actually frontier model, you try to charge money for it. But if Anthropic or OpenAI got the urge to put their good stuff on HuggingFace for some reason, they would find out they are very much not allowed to do that.
Open Weight Models Are Unsafe And Nothing Can Fix This
One reason is that if you put restrictions in, it is rather easy and cheap to take them out again. Obliteratus is one way to do that in many cases.
The other reason is simpler: There’s nothing to fix. The lack of ‘safety’ is the point.
Which, to be clear, is absolutely a great thing in many contexts. If you know what you are doing you absolutely do often want the ‘unsafe’ version of the thing. It’s a poor atom blaster that won’t point both ways, intelligence is not type safe, and so on.
That’s exactly why some people want the open models. The meme version is this:
Open model advocates don’t claim these things are false. They’re just the happy guy. They don’t want anyone monitoring their usage, revoking their access or updating (or preventing the removal or circumvention of) safety guardrails.
They want powerful AIs that will do whatever the user wants them to do, full stop.
What they’re big mad about is the idea that this could also have downsides.
If such AIs are Sufficiently Advanced AIs, then that implies the ability to do a number of potentially highly dangerous things, including in cyber and bio, and up to and including going fully rogue or going out to pursue maximalist goals by any means, regardless of whether those asking are ‘little tech’ startups in the Valley, North Korean hackers, AI successionists or omnicidal terrorists. Doesn’t matter.
Quite frankly, among certain crowds, people just aren’t taking any of this seriously, and hopefully this can help you understand how much to not take those people’s demands seriously either, other than as vibes:
I assure you that no, you do not want them to dump Mythos onto Hugging Face, you would not like what happened to your life next.