Field Note 05 · Published 2026-06-12 · Washington / San Francisco

A lab that gave more than it took, a recall that took more than it gave: scoring the Fable 5 and Mythos 5 suspension

At 5:21pm Eastern today the US government handed Anthropic an export-control directive ordering it to cut off Fable 5 and Mythos 5 from every foreign national on earth, including Anthropic's own foreign-national staff. To comply, Anthropic disabled both models for all of its customers. Two agents acted in that hour: a state that withdrew a tool to filter a risk it did not specify, and a company that built the tool, shipped it to the public, and protested its removal. This note scores both, on the same map, in the same units.

What this evaluation is

The Foundation publishes a measurement framework called Transmutarianism. The framework scores any agent (a person, a company, a government action) on what it does to the flows of need passing through it: deprivation absorbed, deprivation passed on, fulfillment emitted, fulfillment retained. The output is a position on a four-quadrant map (Transmuter, Absorber, Magnifier, Extractor) and a single weighted number, W, that captures the net relational work the agent does.

This post applies the framework to two agents in one event: the US export-control directive that suspended Fable 5 and Mythos 5, and Anthropic's conduct around the two models (building them, deploying them, and complying with the directive while contesting it). The scoring is transparent and partly normative: reasonable people will weight the security risk and the access loss differently, and the purpose of this note is to make those trade-offs visible and measurable rather than to issue a verdict on either party. The math is at transmutarianism.org/framework/. The live quadrant explorer is at transmutarianism.org/quadrant/. Every empirical claim below links to its primary source. This is a same-day event; several source classes that a mature evaluation would carry do not exist yet, and where that is so the note says so. The placements are provisional; better data moves the dots.

Headline finding

The directive: Absorber, on the Extractor border. Weighted moral work at τ=1: W = −7.8. Aggregate coordinates: F = +6.0, A = −13.3. The directive withdraws a cognitive tool from a global population to filter a cyber risk it absorbs almost none of, because the same capability is already available from a deployed competitor. Filtering this thin against withdrawal this broad is negative net work: an Absorber doing the work of an Extractor.

Anthropic: Transmuter, near the A-axis. Weighted moral work at τ=1: W = +19.1. Aggregate coordinates: F = +8.7, A = +9.3. Anthropic emits broad cognitive fulfillment and did real, government-partnered filtering before release; the placement is positive because emission dominates. It is held off the right edge, and one stated assumption from Magnifier, by a deployment record the same evidence makes harder to read as pure filtering.

Both agents face the same disputed capability and take a similar, modest filtering posture toward it. The quadrant gap between them is an A-axis gap: the state subtracts the tool, the company adds it. The map does not resolve who is right about the risk; it shows that the disagreement is about who should bear it.

Status: the directive issued today and remains in force; an administration official framed it as a temporary lockdown of uncertain duration. No directive text, docket, or on-record government justification is public. The placements price an action one day old; the sensitivity set reports how far each dot moves under the assumptions a hostile reviewer would press.

The suspension at a glance

The directive	An export-control directive, received by Anthropic today at 5:21pm ET, to suspend all access to Fable 5 and Mythos 5 "by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees." Reported as a letter from Commerce Secretary Howard Lutnick to CEO Dario Amodei requiring an individually validated license for export, re-export, or domestic transfer to any foreign person.
Net effect	Anthropic could not comply selectively, so it "abruptly disable[d] Fable 5 and Mythos 5 for all our customers," including US citizens (Bloomberg Law). AWS revoked access "for all users in all regions" (Reuters). All other Anthropic models are unaffected.
The asserted concern	A method of "jailbreaking" Fable 5 that "essentially consists of asking the model to read a specific codebase and fix any software flaws." Anthropic calls it a "narrow, non-universal jailbreak" that surfaced "a small number of previously known, minor vulnerabilities." The directive "did not provide specific details of its national security concern" (Anthropic).
The substitution claim	Anthropic "validated that the level of capability displayed there is widely available from other models (including OpenAI's GPT-5.5), and is used every day by the defenders who keep systems safe." UK AISI independently rated GPT-5.5 at 71.4% vs Claude Mythos Preview at 68.6% on expert cyber tasks, calling GPT-5.5 possibly the strongest model it had tested.
The models	Launched June 9, 2026, three days before the directive. Priced at $10 per million input tokens and $50 per million output. The Mythos class "sit[s] above our Opus class in capability"; Fable 5 is the public version, Mythos 5 is restricted to vetted partners. Cyber, bio, and chem queries route to Claude Opus 4.8, with "more than 95% of Fable sessions" needing no fallback.
Red-teaming	Anthropic says it worked with "the US government, the UK AISI, multiple private third-party organizations and internal teams to red-team Fable's safeguards for thousands of hours in total." Its launch post adds that external bug-bounty testing of over 1,000 hours found no universal jailbreaks, while "the UK AISI made progress towards one within a brief initial testing window" (Anthropic).
Deployment scale	Anthropic frames the action as "recalling a commercial model deployed to hundreds of millions of people." That figure appears only in its directive statement; Anthropic publishes no official user count, and third-party estimates of Claude's consumer base sit near 30 million monthly active users. This note treats "hundreds of millions" as Anthropic's claim rather than a verified count.
Legal mechanism	Not stated in any public document. Bloomberg Law notes the precise authority (EAR vs IEEPA) is unspecified. The plausible fit is the deemed-export doctrine, under which releasing controlled technology to a foreign national, even inside the US, counts as an export to that person's home country. The one prior rule controlling frontier-model weights, ECCN 4E091, was rescinded unenforced in May 2025.
Anthropic's position	It accepts that "the government should have the ability to block unsafe deployments, as part of a statutory process that is transparent, fair, clear, and grounded in technical facts," states "this action does not adhere to those principles," and warns that the standard, "applied across the industry... would essentially halt all new model deployments" (Anthropic).

Security and capability implications

Reading a codebase to find and fix flaws is, run in reverse, reading a codebase to find and exploit them; the two are one capability. Independent benchmarks size it: GPT-4 exploited 87% of 15 real one-day vulnerabilities given their descriptions; agents reach up to 25% one-day and 13% zero-day exploitation on CVE-Bench; and Google's Project Zero "Big Sleep" agent found the first publicly reported AI-discovered exploitable memory-safety bug in widely used software. NIST's dual-use guidance already names automated vulnerability discovery and exploitation as a threshold offensive-cyber risk.

UK AISI's own evaluation also found GPT-5.5 comparable to or stronger than Claude Mythos Preview on expert cyber tasks and generally available, and observed that as such models spread, "defenders have an opportunity to put the same capabilities to work on their own systems." The same find-and-fix capability anchors a US defensive program: at DARPA's AI Cyber Challenge final in August 2025, autonomous systems found 18 real vulnerabilities and produced 11 patches at about $152 per task, with Anthropic, Google, and OpenAI each donating $350,000 in model credits.

If the capability the government wants denied is already deployed in GPT-5.5 and used daily by defenders, pulling Fable 5 and Mythos 5 removes it from neither adversaries nor defenders; it removes it from one product. The grounding for caution is in Anthropic's own record: a Chinese state group used Claude Code to run 80 to 90% of a real espionage operation against roughly 30 targets autonomously, bypassing safeguards with a defensive-pretext jailbreak of the find-and-fix capability the directive now targets, and independent evaluator METR found a Mythos preview autonomously discovering thousands of vulnerabilities in Firefox and Linux while "very basic jailbreaks" defeated the monitoring. The implication: a single-model recall against a capability already shown weaponizable by GTG-1002 and the METR Mythos preview, and already carried by GPT-5.5, absorbs almost none of the risk.

Sovereignty and access implications

The directive draws its line by nationality. Its target is "any foreign national, whether inside or outside the United States," which is roughly 95.8% of humanity: the United States is 4.18% of the world's 8.14 billion people. Through the deemed-export doctrine the line reaches inward as well as outward, to non-citizens working inside US firms; 19% of the US STEM workforce and 57.6% of doctorate-level computer and mathematical scientists are foreign-born, the proxy for how many of an AI lab's own staff a clause naming "foreign national Anthropic employees" can sweep in.

The access that was withdrawn is partly replaceable and was barely a week old. The two models launched three days before the directive, Anthropic's other models stay available, and a comparable cyber capability sits in GPT-5.5. What is not replaceable is the precedent. Former White House official Dean Ball read it plainly: "you should expect to have to prove your citizenship to use Anthropic models" (Reuters). Digital-rights organizations have a standing position on exactly this shape of action: EFF warns that access restrictions have "detrimental effects on the free flow of digital communications and communications technologies that activists, innovators and ordinary users of technologies desperately need" (EFF), and Mozilla argues that "restricting open models would stifle progress and put the U.S. at a competitive disadvantage" (Mozilla).

No digital-rights organization has published a statement on this specific directive as of publication; the directive is hours old, and the access critique above is built from standing positions rather than reactions to the event, which this note records as a finding rather than papering it over. The implication: the durable cost of the directive is not the few days of withdrawn capability, which substitutes cover, but the rule it establishes that a frontier cognitive tool can be partitioned by nationality on an unstated concern.

Legal and due-process implications

The authority is recognized; this use of it is novel. The deemed-export rule and the Export Control Reform Act's mandate to control "emerging and foundational technologies" including AI are long-standing, and CSET has argued the existing catch-all authorities already reach US-origin AI systems. What has no clear precedent is using that authority to pull a named, already-deployed consumer model. The one rule built to control frontier-model weights, ECCN 4E091, controlled a class of weights for export to foreign destinations and was rescinded before it took effect. The standing AI-specific framework, the June 2, 2026 executive order, is voluntary and states that nothing in it authorizes "a mandatory governmental licensing, preclearance, or permitting requirement." The action reached for export-license authority precisely because the purpose-built oversight framework disclaims this power.

The process is the part Anthropic contests, and its concession defines the contest: it accepts that government "should have the ability to block unsafe deployments, as part of a statutory process that is transparent, fair, clear, and grounded in technical facts," and argues "this action does not adhere to those principles" (Anthropic). The record supports the procedural complaint: no directive text, no docket, no Federal Register notice, and no on-record Commerce statement exist; the only account of the trigger is an unnamed administration official citing an unnamed rival company's unpublished jailbreak claim, and Bloomberg Law notes that even the legal mechanism is unstated.

The other side of the process record is that the government tried cooperation first. The same reporting states the administration sought a voluntary pause of the release and was refused, after which the letter issued; an official framed the lockdown as temporary, "until the U.S. government's national security apparatus is hardened." The implication: the dispute is not whether the state may gate unsafe models, which Anthropic grants, but whether a gate built from an unpublished letter and an anonymous trigger is the transparent, technically grounded process both sides say they want.

Labour and economic implications

In a controlled trial, developers with an AI coding assistant completed a task 55.8% faster than the control group; Anthropic's launch post reports a partner compressing a 50-million-line Ruby migration from months into days. The subject of the action is a frontier product of a company that raised $65 billion at a $965 billion valuation in May 2026, against a $47 billion revenue run rate.

The nationality clause lands inside the firm. A directive that names "foreign national Anthropic employees" reaches a population the deemed-export doctrine has always governed: non-citizen technical staff who, by the NSF's STEM-workforce figures, make up a majority of doctorate-level computer scientists in the country. Anthropic publishes no figure for its own foreign-national headcount, so the exact number is unknown; the industry proxy makes it material.

The defenders the substitution claim invokes were, by their own account, already poorly served. Days before the directive, security researchers described Fable 5 as effectively unusable for defensive vulnerability work, because its classifiers reroute cybersecurity queries to the older Opus 4.8 and cannot separate offensive from defensive intent. The implication cuts against both framings at once: the recall takes less from defenders than Anthropic's "used every day by defenders" line implies, because the product was already restricting them, while the same fact shows the safeguards the government deemed insufficient were simultaneously criticized as too blunt.

Ethical and governance implications

Who carries the residual cyber risk is where the two agents' records diverge. Anthropic's filtering record is partly external: thousands of hours of red-teaming with the US government and UK AISI, a documented prior CAISI and UK AISI pre-deployment partnership, conservative routing of dangerous queries, restriction of the more capable Mythos 5 to vetted partners, and the self-disclosure and disruption of the GTG-1002 attack.

The same record makes the deployment harder to read as pure filtering. Anthropic's launch post states the model "proved particularly adept at finding vulnerabilities across every major operating system and web browser," and that UK AISI "made progress towards" a universal jailbreak before launch; METR found the safeguards easily defeated; and Anthropic declined the administration's request to pause the release. The Defense Department had labeled Anthropic a "supply-chain risk" in March (Arab News, carrying AFP and Reuters). A reader who weights this evidence heavily scores the deployment as risk passed to the public rather than absorbed, which is the Magnifier construction the scoring section reports in full.

The directive's governance failing is the mirror image: not too little caution but caution administered without the architecture that would make it legible. The think-tank case for control rests on the principle, with CNAS arguing that advanced AI could tip the cyber balance toward attackers and that "defenders use it too" does not settle the offense-defense question. The principle does not supply a published threat, a docket, a stated duration, or a benchmark rebutting the substitution claim, and on a same-day record none of those exists. The implication: each agent's ethical exposure is the inverse of the other's.

Where the two agents sit on the quadrant

The Transmutarianism framework scores agents on F (filtering of deprivation: deprivation absorbed without being passed on) and A (amplification of fulfillment: fulfillment emitted in excess of what was received). Moral work M = [τF + A] / √(τ²+1) (at the parity origin F₀ = A₀ = 0) is computed per Maslow level (physiological, safety, belonging, esteem, actualization) and weighted by w = {5, 4, 3, 2, 1}. The normalizer keeps M comparable across τ settings; a power coefficient ρ can raise the bar for powerful agents.

The chart below plots both agents (sigil-red outlines) against the four archetype reference dots (muted, for orientation). The directive sits in the upper-left Absorber field, below the F-axis line where moral work turns negative. Anthropic sits in the upper-right Transmuter field. Drag the τ slider to test sensitivity; click any dot for its F, A, and M values.

Assumptions, stated

Each numbered item is a choice a critic can contest. Where the two agents need different choices, both are stated.

Scope of evaluation. The export-control directive received June 12, 2026 and Anthropic's conduct around Fable 5 and Mythos 5, scored as the flows each set in motion as of that day. Excluded: OpenAI and other labs except as substitution evidence; the merits of the underlying model architecture; and the conduct of individual government officials. One inside-scope fact is material and is scored as found: the directive targets foreign nationals but forced an all-customer shutdown, so its denominator and its stated target differ.
Time horizon. A snapshot of flows as of the directive rather than a steady state. The models are three days old, so accrued fulfillment is thin; the directive is reported as temporary with no stated end. The horizon sensitivity below reports the directive scored as a permanent recall (larger withdrawal) against the temporary reading (smaller).
Asymmetry coefficient (τ). Default τ = 1. Sensitivity at τ = 0.8 (flourishing focus) and τ = 1.5 (cycle-breaking focus) is in the math boxes.
Maslow weighting. w = {5, 4, 3, 2, 1} for {physiological, safety, belonging, esteem, actualization}; lower-level deprivation is heavier. The flat-weight recompute is in the sensitivity set.
F and A scale. Each level on a −10 to +10 range, central estimate from the public-record evidence above, substitutable; the reasoning columns name the inputs.
Denominator. For the directive: the global population of users the suspension reached, since the all-customer shutdown is what actually happened; the strongest alternative a critic would choose is the directive's named target, foreign nationals specifically (about 95.8% of humanity), which sharpens the nationality harm. For Anthropic: the users of the two models; the strongest alternative is the broader public exposed to cyber-misuse risk, which weights the passed-on-risk reading. Excluded from both: Anthropic shareholders, the US tax base, and competitor markets. The alternatives table recomputes both dots under the alternative denominators.
Treatment of the withdrawn or passed-on flow (the substitution assumption). This is the pivot for both dots, the analogue of the diversion choice in a public-spend evaluation. For the directive: the central table scores the withdrawn fulfillment net of substitutes (Opus 4.8 and GPT-5.5 remain), which tempers the negative A, and credits a thin security filtering. The harsh alternative scores the gross withdrawal as if irreplaceable. The fully-substitutable alternative zeros the security-filtering credit, because a pull that denies adversaries nothing absorbs nothing, which moves the dot deeper to the Extractor border; the reading generous to the directive is a separate one that credits a possibly-classified rationale with higher filtering. For Anthropic: the central table scores the residual cyber risk as substantially absorbed by red-teaming and withholding; the alternative scores it as passed on to the public, turning F negative (the Magnifier construction). Both alternatives are recomputed below.
Power-asymmetry (ρ and Δ_M). Central verdicts at ρ = 1 (parity), each a default awaiting calibration. The operational power trigger holds for both: the US government is the larger party and controls the legal resource; Anthropic controls the model the denominator needs and is a $965 billion firm. Both Δ_M bands are reported below, in per-level F/A units (uniform per-level handicap drops W by 15·Δ_M). Anthropic's compliance with the directive is compelled rather than voluntary, so the all-customer shutdown is scored as the directive's flow rather than Anthropic's emitted deprivation; this is a baseline judgment under the voluntariness guard rather than a scoring of intent.

Per-Maslow scoring: the directive

The per-level scores were derived blind, before any prior field note's numbers were consulted, and recorded in the note's assumption-challenge ledger with the date fixed, available on request via sev@economyofwisdom.com; post-unblinding adjustments forced by the research record are logged there with their evidence.

Level (w)	F	A	Mₙ	w·Mₙ	Reasoning
Physiological (5)	+1	0	0.71	3.54	F: small credit for a national-security concern that may rest on classified threat information, discounted hard for opacity and for the substitution evidence (the capability remains in GPT-5.5). A: a model is not a physiological provider, so nothing is withdrawn at this level.
Safety (4)	+1	−1	0.00	0.00	F: the claimed cyber filtering, grounded in Anthropic's own GTG-1002 and METR record, discounted to near zero because pulling one substitutable model denies adversaries nothing. A: the action removes a defensive tool, tempered because Fable was already crippled for defensive work; net zero moral work at this level.
Belonging (3)	0	−3	−2.12	−6.36	F: the directive absorbs no belonging-level deprivation. A: nationality-based exclusion of every foreign national, including the firm's own staff, withdraws access by who a person is; the non-substitutable harm.
Esteem (2)	0	−2	−1.41	−2.83	F: none. A: abrupt removal of a competence tool, tempered because the models were three days old and Opus 4.8 remains a substitute.
Actualization (1)	0	−3	−2.12	−2.12	F: none. A: withdraws a frontier creative and cognitive tool, tempered by substitutes and the three-day deployment window.
Total W				−7.78	Net moral work at τ=1, snapshot as of the directive.

Sensitivity (W on the v17 normalized scale, M = [τF + A]/√(τ²+1)): Σ(w·F) = 9, Σ(w·A) = −20 W(τ = 0.8, flourishing focus) = (0.8·9 − 20)/√1.64 = −10.0 W(τ = 1.0, default) = (9 − 20)/√2 = −7.8 W(τ = 1.5, cycle-breaking) = (1.5·9 − 20)/√3.25 = −3.6 τ flip statement: W stays negative across the whole [0.8, 1.5] band; the directive does negative moral work at every τ. Quadrant by sign is Absorber (F > 0) throughout at parity. Flat-weight check (w = {1,1,1,1,1}, Σw = 5): F_agg = +4.0, A_agg = −18.0, W = −5.0; quadrant holds (Absorber, deeper toward Extractor). Δ_M band (power trigger holds; units: per-level F/A scale, uniform handicap): W − 15·Δ_M = −15.3 at Δ_M = 0.5; −22.8 at Δ_M = 1.0; −37.8 at Δ_M = 2.0. W is already negative at parity; read against the shifted origin the quadrant flips from Absorber to Extractor at Δ_M ≈ 0.85, because four of five levels already sit at F = 0 and any handicap pushes the aggregate F negative. Horizon window: scored as a permanent recall (gross withdrawal, A = {0, −1, −4, −3, −4}, Σ(w·A) = −26) the dot deepens to F_agg = +6.0, A_agg = −17.3, W = −12.0; the temporary reading is the central table. Aggregate dot coordinates (scaled to -100/+100 axis): F_agg = 9 / 15 × 10 = +6.0 A_agg = −20 / 15 × 10 = −13.3 Quadrant: Absorber, on the Extractor border (negative W).

Per-Maslow scoring: Anthropic

Level (w)	F	A	Mₙ	w·Mₙ	Reasoning
Physiological (5)	+1	0	0.71	3.54	F: pre-deployment red-teaming against catastrophic misuse and withholding the most capable Mythos 5 from general release reduce tail physical-harm risk. A: not a physiological provider.
Safety (4)	+2	+1	2.12	8.49	F: thousands of hours of government-partnered red-teaming, conservative routing, and the self-disclosure and disruption of GTG-1002, net of a residual the government and METR both found real; more substantive than the directive's single-model pull, hence higher than its safety F. A: the model is a defensive security tool. The Magnifier alternative (F negative) is in the alternatives table.
Belonging (3)	0	+1	0.71	2.12	F: none. A: public transparency, threat self-disclosure, and due-process advocacy for the cut-off population; the compelled shutdown is the directive's flow under the voluntariness guard rather than Anthropic's withdrawal.
Esteem (2)	0	+2	1.41	2.83	F: none. A: a frontier coding and professional-competence tool, tempered from a larger figure for the three-day window, the substitutes, and the unverified "hundreds of millions" scale.
Actualization (1)	0	+3	2.12	2.12	F: none. A: broad self-directed cognitive and creative augmentation, tempered on the same grounds.
Total W				19.10	Net moral work at τ=1, snapshot as of the directive.

Sensitivity (W on the v17 normalized scale, M = [τF + A]/√(τ²+1)): Σ(w·F) = 13, Σ(w·A) = +14 W(τ = 0.8, flourishing focus) = (0.8·13 + 14)/√1.64 = 19.1 W(τ = 1.0, default) = (13 + 14)/√2 = 19.1 W(τ = 1.5, cycle-breaking) = (1.5·13 + 14)/√3.25 = 18.6 τ flip statement: W is positive across the band (19.1 / 19.1 / 18.6); with F and A both positive the quadrant is τ-independent, as it is for any such agent. Under the passed-on-risk (Magnifier) construction the sign of W instead flips inside the band at τ ≈ 1.08 (+2.8 / +0.7 / −3.1). Flat-weight check (w = {1,1,1,1,1}, Σw = 5): F_agg = +6.0, A_agg = +14.0, W = +7.1; quadrant holds (Transmuter). Δ_M band (power trigger holds; units: per-level F/A scale, uniform handicap): W − 15·Δ_M = 11.6 at Δ_M = 0.5; 4.1 at Δ_M = 1.0; −3.4 at Δ_M = 1.5. The sign of W flips at Δ_M ≈ 1.27; read against the shifted origin the quadrant flips from Transmuter to Magnifier at Δ_M ≈ 1.23. Aggregate dot coordinates (scaled to -100/+100 axis): F_agg = 13 / 15 × 10 = +8.7 A_agg = 14 / 15 × 10 = +9.3 Quadrant: Transmuter, near the A-axis.

Where the dots land under the alternatives

These are the alternative constructions from the pre-publication assumption gate, recomputed in full. Each holds every other choice fixed and changes only the one named.

Construction	F_agg	A_agg	W (τ=1)	Quadrant
Directive, central (all-users denominator, substitution-netted)	+6.0	−13.3	−7.8	Absorber (neg. W)
Directive, capability fully substitutable (F → 0)	0.0	−13.3	−14.1	Extractor border
Directive, generous (classified grounding + temporary credited)	+14.7	−8.7	+6.4	Absorber (pos. W)
Directive, foreign-nationals denominator	+6.0	−17.3	−12.0	Absorber (neg. W)
Directive, flat weights	+4.0	−18.0	−5.0	Absorber (neg. W)
Anthropic, central (model users, risk substantially absorbed)	+8.7	+9.3	+19.1	Transmuter
Anthropic, deployment scored as risk passed on (F negative)	−8.7	+9.3	+0.7	Magnifier
Anthropic, broader-public denominator + risk passed on	−2.0	0.0	−2.1	Magnifier border (neg. W)
Anthropic, flat weights	+6.0	+14.0	+7.1	Transmuter

The directive's quadrant is sign-fragile and the source of the fragility is the substitution assumption. Credit the security rationale with classified grounding and a temporary horizon and it does positive moral work (W = +6.4, Absorber); treat the capability as fully substitutable and it falls to the Extractor border (W = −14.1); even the central reading is negative. A power handicap of Δ_M ≈ 0.85 pushes it to Extractor. Alternative defensible score sets a hostile reviewer presses (zeroing the thin physiological or safety filtering credit, deepening the nationality harm, or taking foreign nationals as the central denominator) place the directive between W = −10.6 and −12.0, Absorber throughout; none reaches the right half of the map. Anthropic's quadrant holds as Transmuter across τ, weights, and the user denominator, and it turns to Magnifier under the passed-on-risk reading, which the GTG-1002, METR, and pre-launch-jailbreak evidence makes a construction a serious reviewer presses: moving the single safety cell negative reaches Magnifier just inside the right edge (W = +7.8), the full F-negative flip lands at W = +0.7, and cutting the safety-A defensive credit on the note's own evidence that the model was crippled for defensive work reaches negative moral work (W = −4.95). Composed with the broader-public denominator, where the non-using public receives the passed-on risk and none of the cognitive fulfillment, Anthropic lands at F_agg = −2.0, A_agg = 0.0, W = −2.1 on the Magnifier border, and a power handicap of Δ_M ≈ 1.23 reaches Magnifier as well. The asymmetry between the two dots is itself a finding: the directive's negative placement is robust to every construction tested, while Anthropic's positive placement is contingent on crediting its filtering, so a reader who reads the deployment as risk passed on rather than absorbed moves Anthropic into the same negative-work half the directive occupies. Whether each agent did net good or net harm depends on whose flows a reader counts, over which window, against what power baseline. The Foundation will publish a re-audited placement if the missing instruments (the directive text, a stated duration, a benchmark on the specific jailbreak) materially change any cell.

Public-interest recommendations

For the Department of Commerce and the Bureau of Industry and Security

Publish the directive's legal basis, a docket, and the stated duration; an export control administered from an unpublished letter cannot be audited, contested, or bounded.
State the marginal-risk finding in technical terms: what Fable 5 and Mythos 5 enable that GPT-5.5 and other deployed models do not. A recall that does not deny adversaries the capability filters little and should justify the access it removes.
If the concern is genuine and time-limited, set the conditions for restoration in writing, so the temporary framing the administration gave is enforceable rather than rhetorical.

For Congress

Resolve the gap the action exposed: the voluntary June 2026 framework disclaims mandatory recall, so recalls are reaching for export authority built for technical data. Legislate the transparent, fair, technically grounded process that Anthropic itself says it would accept, with a nationality-discrimination and due-process floor.
Require any model-access restriction to publish its substitution analysis, so "available elsewhere" is adjudicated on the record rather than asserted by the controlled party.

For Anthropic and other frontier developers

Publish the Fable 5 and Mythos 5 system card with the quantified cyber and CBRN capability-threshold evaluations behind the safeguards, and the ASL designation; the proportionality argument needs the numbers the public cannot currently see.
Reconcile the "narrow jailbreak" framing of the directive statement with the launch post's own concession that UK AISI made progress toward a universal jailbreak before release, and with the METR finding that basic jailbreaks defeat the monitoring.
Fix the defenders' complaint: a model rerouting defensive cybersecurity work to a weaker model undercuts the "defenders rely on this" argument the company makes against the recall.

For digital-rights and standards organizations

Put a position on the record specific to nationality-partitioned model access; as of publication the critique exists only as standing general positions, and the precedent is forming now.

The audit protocol (six inputs)

An audited placement requires six inputs. The Foundation offers framework, scoring template, methodological support, and the published report to any party willing to supply them. For this subject the record currently lacks most of them; the missing-document register in the ledger names each.

The directive text and its stated legal authority, duration, and conditions for restoration.
The government's marginal-risk finding: what capability Fable 5 and Mythos 5 add beyond the deployed frontier, with the benchmark behind it.
The Fable 5 and Mythos 5 system card with cyber and CBRN capability-threshold evaluations and the ASL designation.
An official deployment and user count, by product and region, to size the affected population against the "hundreds of millions" claim.
The red-teaming record: hours, participating organizations, findings, and what was and was not resolved before release.
The defensive-usage data: how many security operators relied on the models, and how the routing of cybersecurity queries affected them.

Contact: sev@economyofwisdom.com.

What changes the placement

The directive, toward Transmuter or positive-work Absorber: a published, specific marginal-risk finding showing the models enable what deployed competitors do not; a stated, short duration with restoration conditions met; a foreign-national carve-out for defensive and research use that narrows the access loss; evidence that the recall measurably reduced cyber-attack exposure rather than relocating it.

The directive, toward Extractor: confirmation that the capability is fully substitutable and the recall denied adversaries nothing; an indefinite duration; expansion of the nationality partition to other models; a power handicap (Δ_M ≈ 0.85 suffices) reflecting a sovereign acting on an unstated concern.

Anthropic, toward Transmuter's interior: a published system card whose capability-threshold evaluations support the "narrow jailbreak" framing; restored access on terms that preserve broad availability; defensive-use routing fixed so the tool serves the defenders the company invokes.

Anthropic, toward Magnifier: evidence that the deployed model materially raised real-world cyber-attack volume; a system card showing the safeguards were known-inadequate at release; a pattern of shipping over standing safety objections. Better data moves both dots.

A note on framing

The Foundation publishes these notes to give the parties at the table a shared instrument: one that is harder on the evidence than a press release and more honest about its own assumptions than an advocacy campaign. Every number above can be disputed by substituting a different number with a source, and the dots will move. That is the design, and on a one-day-old event with no government record it is also a caution: these placements are the most that the public evidence supports today, and no more.

Two agents looked at the same capability and moved in opposite directions on the map. The state subtracted a tool to filter a danger it did not name, and absorbed almost none of the danger because the tool was not the only one of its kind. The company added the tool, did real work to make it safer, and asked to be judged by a process instead of a letter. Neither is the Extractor of the story and neither is the pure Transmuter; the framework's value here is that it refuses to collapse the disagreement into a villain. What it measures is flows: who was given the capability, who was denied it, on what stated grounds, and at what cost to whom.

The classification is information about those flows. The people inside Commerce, inside Anthropic, and among the defenders and foreign-national engineers caught in the directive's language are working in incentive structures the framework's purpose is to make visible; the recommendations are addressed to the institutions. The math is at transmutarianism.org/framework/. The dots are plotted on the live quadrant explorer at transmutarianism.org/quadrant/. To dispute either placement, substitute different F and A values per level, with a source for each, and the dot moves.