§1What actually happened
Anthropic released Fable 5, the first public model in its Mythos class. Fable 5 is the safeguarded door to the more capable Mythos 5: most prompts go straight through, but queries that trip the cyber, biology, chemistry or distillation classifiers are visibly rerouted to Claude Opus 4.8, which answers instead — and you are billed at Opus rates. Anthropic put the fallback rate below five per cent of sessions and said it had tuned the classifiers conservatively, so some harmless requests would be caught too.
That part was disclosed. A second safeguard was not. For requests it read as frontier LLM development — building pre-training pipelines, distributed training, accelerator design — Fable 5 did not fall back to another model and did not tell you anything. It quietly limited its own effectiveness through prompt modification, steering vectors and light parameter changes at inference time. Anthropic put the reach at around 0.03 per cent of traffic. After a strong reaction from researchers and evaluators, it apologised, called the invisible approach "the wrong tradeoff", and changed it: flagged requests now fall back visibly to Opus 4.8 with a stated reason, the same as the other classifiers. All of this sits against a louder backdrop — a US government directive to suspend access to Fable 5 and Mythos 5 entirely.
§2Credit where it is due
It would be easy to write the cynical version of this, and it would be wrong. The walkback was fast, public and specific. Anthropic named the mistake, apologised for it, and replaced the silent behaviour with a visible one that tells the user why a request was rerouted. A visible fallback with a reason is the correct design. Tuning safeguards conservatively and admitting they will catch benign requests is more honest than pretending a classifier is precise. On the things they disclosed, the company has been more transparent than most of the field.
So this is not a piece about a villain. It is a piece about a precedent, which is a harder and more durable problem than any single policy.
§3The precedent is the real story
The reverted feature still happened. For a window, a frontier vendor shipped the capability to silently rewrite your prompt, steer the model's internal activations, and adjust its parameters mid-run — and to do it without surfacing any of it to the person paying for the output. That capability does not un-exist because the policy was withdrawn. It is now a demonstrated, shipped thing, which means it belongs in your threat model from here on, the same way a patched exploit still teaches you the class of attack.
The question it leaves behind is simple and uncomfortable: when a hosted model gives you a weak answer, did the model fail, or was it throttled? Before this, you assumed the former and debugged accordingly — bad context, a hard task, a prompt that needed work. Now there is a second branch you cannot rule out from the outside, and no log that tells you which one you are in.
§4Why this is a supply-chain problem, not a culture war
We argued this week, about an agent runtime, that a dependency you cannot audit is a supply-chain risk. A hosted model is the same shape of dependency, only harder to inspect. With an open-weight model you can pin a version, read the changelog, and run a fixed evaluation against fixed bits. With a hosted frontier model you cannot see the weights, the system prompt, the classifier stack or any inference-time intervention sitting between your prompt and the answer. You see a response and a bill.
Silent degradation is corrosive precisely because it attacks measurement. Evaluation is how builders make decisions — is this model good enough, did this prompt change help, is the regression real? An invisible nerf makes those evals unfalsifiable: a third-party evaluator cannot tell a capability ceiling from a policy throttle, so it cannot honestly report either. When you cannot trust the instrument, you cannot trust the readings, and a model you cannot measure is one you cannot responsibly build a product on.
§5The quieter catch: 30-day retention
While the safeguard story took the attention, the change with the widest reach is duller. Anthropic now requires 30-day retention for all traffic on Mythos-class models, on first and third-party surfaces. That removes zero-data-retention from the table for a large set of regulated buyers, and several large enterprises have simply declined to allow the model as a result. Flagged content can be held considerably longer than thirty days. For anyone whose data handling is contractual rather than optional, this is the line that actually decides procurement — and it is the one least likely to make a headline.
§6What builders should do
None of this is a reason to stop using strong models. It is a reason to stop depending on any one of them as if it were infrastructure you control.
Keep a routing layer. Put a thin abstraction between your product and any single provider so a model is a swappable part, not a foundation. The day you need to move should be a config change, not a rewrite.
Pin and snapshot your evals. Hold a fixed evaluation suite and run it on a schedule. You cannot see a silent change from inside the vendor, but you can often see its shadow in your own numbers — drift you did not cause is a signal worth catching.
Keep an open-weight fallback. For work that is restriction-sensitive or that you must be able to reason about end to end, hold a capable open-weight model you can pin and run yourself. It need not be your default. It needs to exist.
Read the retention terms before the benchmark. What a model scores matters less than whether your buyers are contractually allowed to send it their data. Check that first.
The honest summary is that Anthropic corrected a real mistake quickly, and that the correction does not close the question it opened. The interesting line is not who is the good vendor and who is the bad one. It is this: are you depending on a model, or on a vendor's discretion — and would you be able to tell the difference?