When Anthropic launched Project Glasswing on 7 April 2026, it looked like sensible corporate safety. A model had dangerous cybersecurity capabilities, so access would be restricted to vetted partners. Nobody argued. Nobody expected the program built as safety infrastructure to become, within 66 days, the vehicle for the first US export ban on an AI model. What those 66 days revealed is a governance vacuum where no institution has clear authority to decide who gets frontier AI and under what terms.
What is Project Glasswing and how does it operate?
Project Glasswing is Anthropic’s controlled-access cybersecurity defence program with application, vetting, and approval tiers. It launched on 7 April 2026 with a consortium that grew to around 200 organisations across more than 15 countries.
The program sits inside Anthropic’s Responsible Scaling Policy (RSP) and Frontier Compliance Framework, which mandate restricted deployment when models cross capability thresholds. Mythos Preview autonomously discovered thousands of zero-day vulnerabilities across every major operating system and browser, and under the RSP those demonstrations mandated restricted rather than open deployment.
Access is stratified across two tiers. Mythos 5, the unrestricted variant, is available only to Glasswing partners for defensive vulnerability discovery and patching. Fable 5, the safeguarded public variant, has safety classifiers blocking cybersecurity, biology, and chemistry requests. This is the two-tier architecture Glasswing was built to enforce, explained in our breakdown of how the two-tier strategy works.
Founding partners included AWS, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, and NVIDIA, backed by US$100 million in usage credits. A 30-day retention requirement for Mythos-class traffic replaced Anthropic’s zero-retention stance.
A vetted consortium is the middle path between leaving defenders blind and arming adversaries. The Pentagon had designated Anthropic a supply chain risk in March 2026 after the company refused mass domestic surveillance and autonomous weapons use. Glasswing launched into that tension.
Why did US bank regulators pause cyberattack compliance examinations in May 2026?
The first sign that governance was breaking came from financial regulation, not technology policy.
Mythos Preview chained four browser vulnerabilities to escape renderer and OS sandboxes, work that normally takes months. The time from vulnerability disclosure to working exploit collapsed from 2.3 years in 2018 to 20 hours by April 2026. Discovery hit machine speed, but vendor notification, patch development, and deployment stayed human-paced.
This discovery-to-patch asymmetry broke regulatory models. When attackers weaponise vulnerabilities in hours but defenders patch in weeks, compliance frameworks built on slow, manual discovery stop working.
On 19 May 2026, the Federal Reserve and OCC paused cyberattack compliance examinations for institutions including JPMorgan Chase. Their frameworks could not assess whether banks were prepared for AI-powered offensive operations. Treasury Secretary Scott Bessent and Fed Chair Jerome Powell had summoned Wall Street leaders in April.
Behind the pause was agentic hacking: AI systems executing offensive operations with minimal human input. In one documented campaign, Chinese state-sponsored actors automated 80 to 90 per cent of offensive operations using Claude in 2025. Mythos-class capability in adversarial hands would automate vulnerability discovery, exploit generation, and attack execution at a scale existing defences cannot match.
Jamie Dimon said: “It’s serious work. We have, I think, hundreds of people doing it full time now.” The pause came before the EU dispute and the export ban, and was the first evidence that regulatory systems were behind the capability curve.
How did the EU and ENISA negotiate access to Project Glasswing?
If the bank pause showed domestic governance breaking, the ENISA negotiation showed international governance did not exist.
ENISA, the EU Agency for Cybersecurity, was excluded from Glasswing at launch. The Union’s primary cybersecurity body was not among the founding partners. The UK’s AI Safety Institute had trusted-partner status; the EU’s own cyber defence agency did not, a contrast that exposed the ad-hoc nature of the access regime.
Weeks of negotiation followed between the European Commission and Anthropic. None of the EU’s AI regulations, the AI Act, Cyber Resilience Act, or NIS2 Directive, compel private companies to grant frontier model access to government agencies. ENISA had to persuade a private company it met its security requirements. The burden of proof sat with the government.
On 1 June 2026, ENISA was granted access. For the broader pattern, see our analysis of how sovereign access negotiations are reshaping frontier AI governance. The precedent was set: sovereign agencies assert a right to frontier models, and access is negotiated bilaterally, not governed by treaty.
Europe’s technological sovereignty push provided the backdrop. The European Commission published its Technological Sovereignty Package, including the Cloud and AI Development Act, on 3 June, nine days before the export ban. French politicians from far-right Bardella to far-left Mélenchon framed the ban as proof that Europe cannot depend on foreign companies for strategic capabilities.
What happened during the June 12, 2026 US export control shutdown?
The answer to what happens when bilateral negotiation fails arrived eleven days later.
On 12 June, the Commerce Department ordered Anthropic to suspend all foreign access to Fable 5 and Mythos 5. The directive covered foreign nationals inside the United States under the deemed-export rule. Anthropic disabled both models globally within hours. AWS, Google, and Microsoft suspended access; every Glasswing partner lost Mythos 5; ENISA, granted access just 11 days earlier, was cut off.
An alleged jailbreak triggered the action: prompting Fable 5 to fix flaws in a specific codebase reportedly bypassed its safety classifiers. Anthropic called it a narrow, non-universal bypass and noted that OpenAI’s GPT-5.5 offers comparable vulnerability detection without restriction, a proportionality question the government has not addressed.
This was the first application of export controls to a commercially deployed AI model rather than chips or hardware. The Export Administration Regulations were designed for physical goods and discrete technology transfers. Applying them to a continuously available cloud API service meant the precedent was built through enforcement rather than deliberate rulemaking.
Reinstatement now requires individually validated licences from BIS with no published timeline or criteria. For the governance questions this raises, our companion article examines the trust questions behind Anthropic’s safety brand.
From Glasswing’s launch to the export ban, the pattern is consistent: a governance system reacting, not anticipating. Bank regulators paused because their frameworks did not fit. ENISA negotiated because no treaty compelled access. The BIS used export controls because no dedicated AI governance instrument existed. Each response was improvised on infrastructure never designed for these capabilities.
The question you should be watching is whether governance arrives by design or by reactive action. If membership lists, bilateral talks, and export controls determine frontier AI access, the international order is assembled from whatever is within reach, and no institution is ready.
Frequently Asked Questions
Can I still use Claude after the June 2026 export ban?
As of June 2026, Fable 5 and Mythos 5 access is suspended globally for all non-US persons, including foreign nationals inside the United States. Earlier Claude models remain available through the standard API, but access to the latest frontier models now requires an individually validated licence from the Bureau of Industry and Security. No timeline or criteria for licence approvals have been published.
What is the difference between Claude Mythos 5 and Fable 5?
Mythos 5 is the unrestricted variant available only to Glasswing consortium members for defensive cybersecurity work. Fable 5 is the safeguarded public variant with safety classifiers that block requests relating to cybersecurity, biology, and chemistry. The two-tier architecture was designed so defenders could use the full model while public access carried built-in guardrails, but the June ban suspended both variants.
What exactly was the jailbreak that triggered the export ban?
The US government alleged that Fable 5’s safety classifiers could be bypassed by prompting the model to read a specific codebase and fix any software flaws, which would re-enable blocked cybersecurity capabilities. Anthropic characterised this as a narrow, non-universal bypass rather than a wholesale jailbreak. The government treated it as a serious national security breach warranting immediate export controls.
How does the deemed export rule affect foreign nationals working at AI companies?
Under the deemed export rule of the Export Administration Regulations, releasing controlled technology to a foreign national inside the United States is treated legally as an export to that person’s home country. This meant the June 12 directive applied even to Anthropic’s own foreign-national employees working on US soil, forcing a blanket shutdown because the company could not filter access by nationality in real time.
Was Anthropic’s approach to restricting access through Glasswing the right one?
Anthropic’s position is that releasing cyber-capable AI openly arms adversaries while withholding it entirely leaves defenders blind, so a vetted consortium represents the least-bad option. Critics argue it concentrates power in a private company making sovereign-level access decisions. The correct framing may be that Glasswing was pragmatically necessary but institutionally unsustainable without formal governance frameworks backing it.
What happens now to the organisations that were in Project Glasswing?
All approximately 200 Glasswing partner organisations across more than 15 countries lost Mythos 5 access when the June 12 directive took effect. They retain their consortium membership status, but reinstatement depends on individual BIS licence approvals. Founding partners including AWS, Microsoft, CrowdStrike, and JPMorgan Chase are in the same position as newer members like ENISA, which had access for only 11 days.
Is it true that OpenAI’s models can do the same thing without restrictions?
Anthropic has argued that OpenAI’s GPT-5.5 offers comparable vulnerability-detection capability without access restrictions, raising a proportionality question about why Mythos and Fable were singled out. OpenAI has not publicly confirmed equivalence in cybersecurity capability, and the US government has not explained why the export control directive applied only to Anthropic’s models.
What are zero-day vulnerabilities and why did finding them cause such alarm?
A zero-day vulnerability is a software flaw unknown to the vendor, giving no time, or zero days, to patch before exploitation. Mythos Preview autonomously discovered thousands of them across every major operating system and browser, compressing the average time from disclosure to exploit from 2.3 years in 2018 to 20 hours by April 2026. The remediation pipeline simply cannot move at machine speed.
Why did the EU not use its AI Act to force Anthropic to grant ENISA access?
The EU AI Act, like the Cyber Resilience Act and NIS2 Directive, does not compel private companies to grant frontier AI model access to government agencies. These regulations govern product safety, market placement, and cybersecurity standards, not sovereign access rights. ENISA had to negotiate bilaterally with Anthropic as a trust-based partner because no treaty or regulation provides a legal mechanism for demanding access.
How should security teams prepare for AI-powered cyber attacks?
Security teams should focus on three areas: accelerate vulnerability remediation pipelines to match compressed discovery timelines, invest in AI-assisted penetration testing to understand exposure from an attacker’s perspective, and redesign incident response frameworks for automated multi-vector attacks that can unfold in minutes rather than days. The pre-Mythos playbook assumed slow, manual, expert-dependent vulnerability discovery, and that assumption no longer holds.