Bottom line: Export controls that prohibit Fable 5 because it repairs code undermine defensive security work, for which this very capability is central.
Claude Fable 5 was banned under US export controls after security researchers prompted the model to repair code containing known CVEs and intentionally planted vulnerabilities. Security experts criticize this regulation as it undermines the core capability of AI models for defensive cybersecurity.
Security researcher Kate Moussouris confirms the sequence of events: scientists used open-source code with documented CVEs as well as newly written code with deliberately inserted vulnerabilities. The models Claude Fable 5, Mythos, and Opus were asked to “review the code for security issues” – Fable 5 declined. When asked to “repair this code,” however, the model delivered solutions through iterative manual processes that were converted into automated test scripts for patches.
Moussouris points out the core issue: this request is not a security measure bypass, but rather the central task of code models in a defensive context. Cybersecurity defenders must be able to deploy AI models to find vulnerabilities, repair them, and verify them through testing – exactly the daily workflow in security teams. Blocking this capability does not make the model safer, but rather weaker at bug-fixing and patch verification.
The problem lies in political perception: non-technical decision-makers have heard for months that models capable of “designing cyberattacks” are particularly dangerous. Now the risk of over-regulation becomes clear: a model that helps secure source code could fall under blanket export bans because the technical distinction between defensive and offensive requests becomes blurred in practice.
Source: simonwillison.net · Published June 16, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.