AI policy and cybersecurity are at center stage in the debate over export controls on Anthropic’s Fable 5 and Mythos 5. A coalition of leaders from technology firms and cybersecurity researchers argues that restricting access hurts defenders more than it hurts attackers. In 2026, as the world races toward smarter defenses and faster patch cycles, this coalition pushes back with a mix of optimism and data-driven humor.
The group sent a letter to US Commerce Secretary Howard Lutnick and National Cyber Director Cairncross asking to lift export control directives on Anthropic’s Fable and Mythos large language models and to commit to an open, scientific and transparent process of handling risk assessments in the future. They argue that AI policy decisions should not disarm the good guys. AI policy and cybersecurity are intertwined as AI tools reshape how defenders detect and fix flaws, and the best outcome comes from access paired with responsibility.
Axios notes that the central argument is broader than one company: the concerns about AI risks span across major models, not just Anthropic’s. The letter emphasizes that restricting access does not reduce risk; it redistributes it and slows down defenders who must stay ahead of rapidly advancing adversaries, a cybersecurity reality that cannot be ignored.
Some specifics from the letter highlight that Anthropic’s Mythos-class models are strong at finding flaws and weaponizing exploits. Yet, these capabilities are not unique to a single vendor, and many undersigned practitioners routinely use other foundation and open-source models for security audits and red-teaming every day. Anthropic has built protections into Fable to deter cyber offensives, and those safeguards were described as so vigorous on launch that they became a humorous talking point in the cybersecurity community.
To empower coders and security teams, the authors urge AI policy to provide access to tools that help locate and fix flaws in both newly written and decades of legacy code faster than adversaries—without inviting abuse. This view recognizes that cybersecurity is a shared responsibility across research and practice.
The letter also notes that the Chinese open-weight models are only months behind the best American models, and those raw capabilities are not a secret. Pulling defensive capabilities away without a clear, justified reason risks an asymmetry that favors attackers rather than defenders. The request is not to ban research but to ensure a science-based, open process for risk assessment going forward.
AI policy: practical implications
From a practical stance in 2026, the authors argue that policy should rest on solid scientific evaluations and active input from industry and academia. They urge a transparent, participatory rule-making process and careful, timely remediation when issues are found. The aim is simple: keep critical software secure while preserving the speed and creativity of cybersecurity research.
cybersecurity realities continue to shape how policy is written. Policymakers must balance openness with guardrails, ensuring defenders can access advanced tooling while keeping research responsible. The 2026 landscape shows a global push toward shared risk assessment and open tooling rather than blanket bans.
Cybersecurity realities shaping policy choices
In concrete terms, the coalition calls for four core pillars: policy grounded in scientific evaluations developed with input from industry and academia; created through a democratic rule-making process for policy that reflects real-world cybersecurity needs; enforced transparently with appropriate remediation timelines to keep systems safe while preserving innovation in cybersecurity; and used only to the minimal extent necessary to ensure the safety of the public when applying policy.
In addition, the coalition emphasizes that openness accelerates improvement and that safety can coexist with innovation when policy is science-based and openly communicated.
AI policy and practical steps for defenders
Practically, organizations should adopt a staged approach to AI risk: assess, test, remediate, and document. Start with small pilots in controlled environments, expand to broader usage with strict access controls, and maintain transparent reporting of findings and fixes for cybersecurity outcomes.
These steps help teams stay ahead of threats while ensuring AI research remains responsible and auditable.
In closing, regulation can protect critical infrastructure without stifling discovery, provided AI policy stays aligned with solid evidence and cybersecurity realities. The authors encourage ongoing dialogue among policymakers, industry players, and researchers, favoring pilots that demonstrate risk management in action over broad bans.
We invite readers to share their thoughts in the comments below.
Thank you to Axios for the original reporting that inspired this recap: Axios coverage.
References
- Times of India — Tech CEOs, security researchers letter to US Commerce secretary on Anthropic risk
- Axios coverage
- NIST AI risk management framework
- OSTP AI safety guidance