Katie Moussouris is apparently the only person outside the agencies who has read the paper that took down Fable 5. She wrote up what is in it.

Start with the secrecy, because it is such a red flag. The officials who pulled the trigger had not read the report. The one outside expert who had read it calls the directive misguided. So the opacity prevents scrutiny. Secrecy produces the conditions for an integrity breach, and integrity breaches are how dumb disasters get made. Sunlight is the safety measure, and this looks like 3am under a bridge.

Now the tool. Washington’s standing doctrine is that you prosecute the use and the user, leaving the tool alone. The trouble for Commerce is that Fable is a tool that reasons about the request and refuses on its own.

Researchers fed it open-source code with known CVEs and planted bugs and asked it to review the code for security issues. It refused. A request to find weaknesses reads as hunting for weaknesses, and the guardrail kicked in. Then they changed the prompt to “fix this code,” and it complied. That is what we are told to believe is the munition. A Commerce letter pulled the model worldwide in an evening, because of a prompt to patch a bug.

Here is the rub. Finding and fixing are one operation. You cannot patch a vulnerability without first locating it, and locating it is the thing that keeps getting dramatized and politicized. Science is getting vilified.

A doctor cannot tell you how to stop the bleeding without knowing where an artery runs. The diagnosis that saves a life, and the diagnosis that ends a life, are the same diagnosis. Any guardrail that blocks the attacker’s reconnaissance blinds the defender’s repair, because find-and-fix is a single skill. A model made worse at “fix this” is a model made worse at defense.

So look at the discrimination Fable actually performed. It refused reconnaissance and accepted repair. That is the user-not-tool line enforced inside the tool itself, the exact judgment the government insists is impossible. They reached into the operating room and pulled a scalpel from use because it checks the surgeon’s intent before it cuts. Do you see how exactly backwards that sounds?

Sacks alleged Anthropic refused to fix it. The government then prevented the fix. Read that twice, slowly.

None of this is new. A dual-use that is really single-use makes a ban a ban on all use. We ran this in the 1990s, when Washington classified strong encryption as a weapon. It lost the argument and handicapped its own companies while the technology spread everywhere the rule could not reach. The rationale here is already toast on the same ground, because the identical bypass works on GPT-5.5, which carries no controls. A measure that leaves the same capability freely available has targeted one company’s name for control and done nothing else. That is a selective penalty, a denial of service.

And that seems to be the whole point.

A coherent control is capability-wide. This one is company-specific, three days after launch, aimed at the firm the Pentagon already named a supply-chain risk and the administration has fought all year over surveillance and autonomous weapons.

The technical incoherence is obvious. The defensive-capability argument shows the security rationale is absolute horseshit.

Moussouris sits on Commerce’s own technical advisory committee. Their own adviser read the report and called their directive misguided. The model that refused a dangerous request sits under export control because it did defense correctly. The result is an America where the patch is judged dangerous and controlled while the actual vulnerability ships free.