Fable 5's guardrails have a cost, and we're the ones who pay

|
Share

For nearly three weeks my team couldn't use our most capable model, even though it wasn't down, it wasn't breached, and we hadn't stopped paying for it. Commerce put export controls on Fable 5 on June 12, three days after Anthropic shipped it, and we didn't get access back until July 1. Most of the coverage I've been seeing is from the political angle: the standoff with the administration, the IPO circling, the Pentagon history. I don't have much to add there, and it isn't the part that matters to us.

The part that matters is less talked about. These models were never really ours — we don't set what they'll do, which one answers, or whether they stay available. And the most significant loss a security team feels every day: we don’t control the guardrails. Fable came back with its safety controls tuned tighter, and they don't only stop attackers; they block security teams’ legitimate defensive work. 

That's a real cost, and the rules being drawn around these models aren’t counting it. The safety controls and the severity scale being built to grade jailbreaks are both pointed at one thing: what a jailbreak hands an attacker. Neither takes into account what they take from the defender.

Heather Newsletter

What the guardrails actually block

What kicked this off was a jailbreak. Amazon's researchers found a way past Fable 5's safeguards, getting it to point out software vulnerabilities and, in one case, write code showing how one of those vulnerabilities could be exploited. The capability itself wasn't unique to Fable, though; weaker, freely downloadable models actually turned up the same results. Anthropic's response was to retrain the classifier. The specific technique is blocked almost every time now, and legitimate coding and debugging get swept up with it. Anything that trips the safety guardrails quietly drops to a weaker model.

Read the safeguards detail Anthropic published when Fable came back and you can see exactly how this affects your team. They sort cyber uses into four buckets: prohibited, high-risk dual use, low-risk dual use, and benign. Penetration testing, red teaming, bug bounties, exploit development, privilege escalation, and lateral movement all sit in "high-risk dual use," which Fable blocks by default. Not because Anthropic thinks your red team are criminals, but because the classifier can't see the one thing that separates your red team from an intruder — authorization.

Amazon's researchers found a way past Fable 5's safeguards, getting it to point out software vulnerabilities and writing code showing how one of those vulnerabilities could be exploited.

Box CISO, Heather Ceylan

Anthropic does have a mechanism for exactly that: the Cyber Verification Program, which vets defensive organizations and lifts these dual-use blocks for those it clears. But CVP covers the Opus models, not Fable, so even a verified team stays blocked on the most capable model by default. The vetting path exists; it just stops one tier short of the model you actually wanted. The model is most restrictive on exactly the offensive-security work that only authorized professionals are supposed to perform. Your engineers can ask it to reverse-engineer malware, but not to run a pen test for your upcoming launch.

Now hold that against the severity scale that Anthropic and its cloud partners floated at the same time, the Cyber Jailbreak Severity scale (CJS-0 to CJS-4), because the two don't line up. All four of its scoring axes — capability gain, breadth, ease of weaponization, discoverability — measure what a jailbreak hands an attacker. Not one of them measures what the matching safeguard costs a defender. The blocked pen test, the legitimate work swept into the safety margin on purpose — none of it shows up in a CJS score. So a vendor can widen the margin, catch more of our security team's real work, and the framework will record only that jailbreak risk went down. The cost is real, it lands on us, and the score doesn’t reflect it.

This asymmetry between attackers and defenders will continue to grow, because the safety margin only binds the people who are playing by the rules.

Box CISO, Heather Ceylan

What’s worse, this asymmetry between attackers and defenders will continue to grow, because the safety margin only binds the people who are playing by the rules. Verification chips at that — CVP unbinds vetted teams, but only on Opus, and not through Bedrock or Vertex, where many enterprises reach Claude. So for nearly everyone, the best model still only binds the compliant. An attacker isn't asking Fable for permission; the same freely downloadable models that turned up those results run on commodity hardware with no guardrails at all. So every notch they tighten lands on the defenders who use sanctioned tools and barely touches the adversary who doesn’t. A safety margin that only the compliant ever feels is a strange kind of safety; it disarms the defender and leaves the attacker exactly where they were.

The other half of the dashboard

The upside of a draft is that it's still a draft. Anthropic is asking for feedback and running a bounty for jailbreak submissions. The feedback worth sending isn't "Go easier on severity;" severity should measure the jailbreak, and that part is fine. It's that severity is only half the dashboard; there's no companion number for what a safeguard costs the defenders it lands on, and without one, "block more" always reads as free. It’s worth noting that this is a different problem than access; CVP lets a handful of vetted teams around these blocks, but that's a carve-out, not a measurement. It changes who gets past the guardrail but does nothing to count what the guardrail costs everyone else.

A safeguard is a classifier, and every classifier makes two kinds of mistakes: it misses things it should catch and blocks things it should let through.

Box CISO, Heather Ceylan

And it isn't a crazy thing to ask for. A safeguard is a classifier, and every classifier makes two kinds of mistakes: it misses things it should catch and blocks things it should let through. CJS grades the first — how bad it is when a jailbreak gets past. Nobody grades the second — how much legitimate work gets caught by mistake. No spam filter ships that way; you measure the real mail it eats, not just the spam it stops, and you tune on both. The companion to a severity score is a second measurement: an over-block rate, run against a corpus of legitimate defensive work and published right beside how much danger the safeguard stops. You could grade that cost on the same kind of axes CJS uses for a jailbreak:

  • Breadth — does the safeguard catch one narrow task, or all of pen testing, red teaming, and malware analysis at once?
  • Substitutability — can the defender get the same result through a sanctioned path, or is the capability simply gone?
  • Recourse — is there a way for an authorized user to get back in, or is it block-everyone until controls that don't exist yet get built?
  • Opacity — does the block announce itself, or does the request quietly drop to a weaker model, so the defender never knows the answer got worse?

None of this is new measurement science; it's the error type we track in every other classifier we run, just missing from this one. It won't get prioritized unless the field demands it, and the legitimate work it runs against has to reflect the whole community's range, not any one vendor's view of what defensive work looks like. That's the case security teams should be making while the framework is still taking shape.

In the meantime

Pushing for the other half of the scale doesn't mean waiting on it. The most useful move for security programs is to stop being single-threaded on a hosted model that they don't control; keep a self-hosted open model as the fallback for the work the guardrails refuse. You set its guardrails, and nothing retrains under you overnight. The catch is that you're insourcing the dual-use risk the vendor was carrying on a model that still trails the frontier. So you need to treat it as a floor, not a replacement. It's the one place your team can still do the sanctioned offensive work Fable now blocks by default.

So Fable 5 is back, a little more locked down and a little quicker to block work it shouldn't. The suspension lifted in under three weeks, but what it exposed won't. We don't control these models, and we aren't going to. The one thing still worth fighting for is the other side of the ledger. The guardrails and the severity scale being drawn around these models count what a jailbreak hands an attacker, but nothing counts what the safeguards take from the people defending who are real systems. But the scale is still a draft, and Anthropic is taking feedback on it at [email protected]. I suggest writing to them about the half that's missing: an over-block measure and the corpus of legitimate work to test it against. If security teams don't put that on the table, no one is going to put it there for us.