Mythos identified thousands of zero-day vulnerabilities across major operating systems and browsers, including flaws in OpenBSD and FFmpeg that had gone unpatched for 27 and 16 years respectively. The UK AI Safety Institute confirmed the model can autonomously target poorly defended enterprise systems, with ArmorCode analysis showing working exploits were generated in over 83 percent of cases. The immediate trigger for the ban was discovery of a jailbreak method that could circumvent Fable 5's safety classifiers and unlock sensitive cybersecurity capabilities.
This marks the first time the US government has applied export controls to an AI model based on emergent capabilities rather than intentional design. Attorneys should monitor how this precedent reshapes AI governance and export policy, particularly as other advanced models develop unintended capabilities. The incident also signals heightened scrutiny of AI safety measures and potential liability exposure for developers whose systems identify but do not disclose critical vulnerabilities. Anthropic has since formed Project Glasswing with Apple, Google, NVIDIA, and JPMorgan Chase to use Mythos defensively, identifying over 10,000 critical vulnerabilities in their codebases.