The Dutch certified Tesla’s FSD in April while Tesla was handing regulators in the Netherlands and Sweden self-published statistics that ten of eleven independent researchers call misleading marketing, and while U.S. federal investigations into that same system were open.

RDW says it relied on its own road and test-track work rather than Tesla’s numbers. That makes them seem incompetent, but ok. It will not say whether it ever assessed the numbers, because that might expose them as corrupt as well.

Either way the Dutch certificate is bad.

They got caught because nobody with a brain believes Tesla “self driving” is safe. A test track cannot validate Tesla’s statistics, any more than you can milk a chicken.

The fact that the Dutch RDW refuses to explain themselves is embarrassing to the EU. RDW is their rapporteur. It’s been carrying Tesla’s application onward while it describes its method in general terms and withholds whether it tested the figures Tesla was circulating. That is a regulator behaving like a coin-operated issuing agency, and not a body that can screen.

Katie Moussouris is apparently the only person outside the agencies who has read the paper that took down Fable 5. She wrote up what is in it.

Start with the secrecy, because it is such a red flag. The officials who pulled the trigger had not read the report. The one outside expert who had read it calls the directive misguided. So the opacity prevents scrutiny. Secrecy produces the conditions for an integrity breach, and integrity breaches are how dumb disasters get made. Sunlight is the safety measure, and this looks like 3am under a bridge.

Now the tool. Washington’s standing doctrine is that you prosecute the use and the user, leaving the tool alone. The trouble for Commerce is that Fable is a tool that reasons about the request and refuses on its own.

Researchers fed it open-source code with known CVEs and planted bugs and asked it to review the code for security issues. It refused. A request to find weaknesses reads as hunting for weaknesses, and the guardrail kicked in. Then they changed the prompt to “fix this code,” and it complied. That is what we are told to believe is the munition. A Commerce letter pulled the model worldwide in an evening, because of a prompt to patch a bug.

Here is the rub. Finding and fixing are one operation. You cannot patch a vulnerability without first locating it, and locating it is the thing that keeps getting dramatized and politicized. Science is getting vilified.

A doctor cannot tell you how to stop the bleeding without knowing where an artery runs. The diagnosis that saves a life, and the diagnosis that ends a life, are the same diagnosis. Any guardrail that blocks the attacker’s reconnaissance blinds the defender’s repair, because find-and-fix is a single skill. A model made worse at “fix this” is a model made worse at defense.

So look at the discrimination Fable actually performed. It refused reconnaissance and accepted repair. That is the user-not-tool line enforced inside the tool itself, the exact judgment the government insists is impossible. They reached into the operating room and pulled a scalpel from use because it checks the surgeon’s intent before it cuts. Do you see how exactly backwards that sounds?

Sacks alleged Anthropic refused to fix it. The government then prevented the fix. Read that twice, slowly.

None of this is new. A dual-use that is really single-use makes a ban a ban on all use. We ran this in the 1990s, when Washington classified strong encryption as a weapon. It lost the argument and handicapped its own companies while the technology spread everywhere the rule could not reach. The rationale here is already toast on the same ground, because the identical bypass works on GPT-5.5, which carries no controls. A measure that leaves the same capability freely available has targeted one company’s name for control and done nothing else. That is a selective penalty, a denial of service.

And that seems to be the whole point.

A coherent control is capability-wide. This one is company-specific, three days after launch, aimed at the firm the Pentagon already named a supply-chain risk and the administration has fought all year over surveillance and autonomous weapons.

The technical incoherence is obvious. The defensive-capability argument shows the security rationale is absolute horseshit.

Moussouris sits on Commerce’s own technical advisory committee. Their own adviser read the report and called their directive misguided. The model that refused a dangerous request sits under export control because it did defense correctly. The result is an America where the patch is judged dangerous and controlled while the actual vulnerability ships free.

We all know the story by now. Last Friday on 12 June the Commerce Department issued an export control directive on Anthropic’s Fable 5 and Mythos 5, citing national security, and both models were pulled from every customer the same evening.

Two days later a lobby group at freefable.org asked the government to lift it. Their letter argues that these models are nothing special. That’s essentially what I’ve been saying on this blog since the start, so you’d think I’d be excited to see the lobbyists bring the industry to where I’ve always been.

The problem is, nine weeks earlier I saw many of the same people argue the exact opposite, in writing, at length, and for money.

That’s not right.

Who You Gonna’ Call?

In April the Cloud Security Alliance published The AI Vulnerability Storm: Building a Mythos-ready Security Program, led by Knostic CEO Gadi Evron with Rich Mogull of CSA and Rob T. Lee of SANS. It warned security leaders their ground had moved suddenly and they needed to panic. It named an entire era after one single Anthropic model. It sold readiness, in person, with events booked through June.

In June the Free Fable letter told Secretary Lutnick the same capability is nothing more than commodity, replicable on GPT-5.5, Opus, Sonnet, and Kimi 2.7. Basically anything. And that the research that triggered this new ban was defensive all along.

Four Horsemen of AI-pocalypse

Looking at the list, I see four people signed both. Gadi Evron, who led the April paper. Rich Mogull, who co-wrote it. Katie Moussouris and Joshua Saxe, who contributed to it. Two documents, two months, two opposite arguments, same four names on each.

Table Time

What Is Our Industry Doing?

Nothing about the capability changed between April and June. The model is the same model. The code-review behavior the letter now calls defensive is the same behavior the April paper filed under “AI-driven offense is the new baseline“. Being accurate should be the goal, not picking a side based on payoff.

In April, the threat was called large and in charge, because that sells a Mythos-ready program, SANS seats, and the consulting that follows a board briefing. Evron sells a posture product. He needs a monster to sell his monster services.

In June, the threat was completely drained, because a small threat becomes more important given an export control that pulls the model out of vendors’ hands and freezes a market.

From large to small, depending on whatever helps them sell, sell, sell.

Somebody Isn’t There

Notably, I was disappointed to see people sign on in April. More than 250 CISOs redlined the April paper live, by its own account. A campaign that broad, assembled that fast, around one vendor’s model, is its own kind of question we should be asking. The heavy promotion and pressure to be in the room when the industry vendors decide what to panic about was a bit too on the nose.

Look now at Jen Easterly, former director of CISA. And Rob Joyce, former cyber chief at NSA. And Chris Inglis, former National Cyber Director. And Bruce Schneier. And Rob T. Lee of SANS. All of them lent the April paper its gravity with their reputation. I mention it because none of them, so far, have put their name to the June lobby letter. Signing it contradicts their April selves. So perhaps it’s notable that these names of institutional capital still anchor to the initial FUD. I mean, of those who built the April alarmist framing, only commercial names have crossed over to sign the new letter.

I know some will say that their April paper hedged, that Mythos wasn’t really about one model and that the capability predated Mythos. Ok, but that’s misleading. The paper mentioned one vendor and one vendor only repeatedly, page after page. So the advice to “prepare for a real and spreading capability” is defensible, except “do not export-control one vendor of it” goes back to the same sole vendor that the April report hammered on too.

And while such hedging and liability vagueness could cover a general threat of AI, it does not cover the very obvious recategorization going on. In April the capability was offense, the new baseline of attack. In June it was a defensive code check that should not count as offensive. The same people flipped 180 on capability claims, based on what? Export control?

I have written that the ban itself is incoherent, an export control on a Tier 1 interaction over a capability Anthropic files under Tier 2. Now, I’m writing that the letter answering it is incoherent as a reflection.

The lobby letter is proof the April campaign was wrong, but it doesn’t land as a mea culpa among those running both. If the letter is to be believed, its signatories can’t be. Two incoherences are being pointed at each other, as if the public would want a coin-operated flip-flop laundry to lead America’s security industry.