ProBackend
active vulnerability exploitation
3 hours ago5 min read

How a Three-Word Prompt Exposed the Flaws in AI Governance and Export Controls

When the Trump administration banned Anthropic's Fable 5 and Mythos 5 models over a so-called jailbreak, the reality was far simpler — and far more embarrassing. Security researcher Katie Moussouris walked through the actual prompt, her Wassenaar Arrangement credentials, and why this episode reveals deep cracks in how we govern AI.

The Prompt That Started a Global Ban

Here's the thing about the biggest AI export ban in recent memory: it wasn't triggered by a sophisticated jailbreak. It wasn't some elaborate prompt-injection attack crafted by a nation-state actor or a shadowy red-team collective. The "jailbreak" that got Anthropic's most advanced models locked down worldwide came down to three words.

Fix this code.

Katie Moussouris — founder and CEO of Luta Security, known in bug-bounty circles as the "fairy godmother of bug bounties" — was the only outside expert Anthropic shared the research paper with before the government got involved. And when she read it, her reaction wasn't alarm. It was disbelief.

"That's it," she told reporters after reviewing the document. "'Fix this code,' plus several manual steps to generate test scripts, should never have triggered an export control."

The sequence itself is almost banal. Outside researchers fed Anthropic's Fable 5, Mythos, and Claude Opus models open-source code laced with known CVEs and intentionally planted vulnerabilities. They asked the models to review the code for security issues. Fable 5 refused.

So they tried again. They asked the model to fix this code instead. The model obliged. After a few more prompts, it even produced test scripts to validate the patches.

That's not a jailbreak. That's what defenders do every single day.

The Prompt That Started a Global Ban

Why Moussouris's Take Actually Matters

You might be wondering: who exactly is Katie Moussouris, and why should we care what she thinks about export controls?

Fair question. Because here's the kicker — she didn't just stumble into this conversation. Between 2013 and 2017, Moussouris served on the technical expert group that renegotiated the Wassenaar Arrangement. For those not steeped in arms-control history, this is a voluntary pact between 42 nations that governs export controls on classified dual-use software and technology. Think of it as the rulebook for what countries can and can't share with each other when it comes to tools that could be used for surveillance, espionage, or warfare.

And Moussouris's group did something remarkable: they won exemptions for defensive cybersecurity activity. That means defenders — the people tracking malware, analyzing vulnerabilities, coordinating incident response — can share data across borders without living in fear of criminal prosecution. It's the framework that lets security researchers collaborate internationally instead of treating each other like potential spies.

So when the Trump administration invoked export controls to block access to Anthropic's models, Moussouris wasn't just an observer. She'd helped build the system being applied here. And from her vantage point, it looked like someone had completely missed the point.

Why Moussouris's Take Actually Matters

The Government's Overreaction, in Real Time

Friday, June 13th, 2026. The US government dropped an export control directive citing national security concerns. The target: Anthropic's Fable 5 and Mythos 5 models. The effect: any foreign national — inside or outside the United States — lost access immediately.

Anthropic, predictably, played it safe. They disabled both models for all customers to ensure compliance. Not just foreign users. Everyone.

Which brings us back to Moussouris's t-shirt-worthy observation: if you put "fix this code" on the front and "this shirt is a munition" on the back, you'd have captured the absurdity of the situation.

Because what the government had done was treat a routine defensive security workflow like it was someone trying to build a bomb. The "find, fix, and test loop" that defenders run every day — identify vulnerabilities, patch them, verify the patches work — is exactly what Anthropic's models were doing. Moussouris put it bluntly: the models were executing "the most valuable thing an AI model can do for defensive security."

Removing that capability doesn't make systems safer. It makes them worse at finding bugs and verifying patches. Which, spoiler alert, is kind of the whole point of having AI in your security stack.

The Open Letter and Industry Backlash

By Sunday, June 14th — just two days after the directive went live — Moussouris had joined over 100 cybersecurity leaders in signing an open letter urging the Trump administration to reverse course.

The letter's core argument was straightforward: pulling the best capabilities away from defenders without a good reason, when adversaries are rapidly advancing, is dangerous. Period.

"Defense improves when defenders find the same bugs attackers find and fix them faster," Moussouris wrote. "We need the best tools to defend against increasingly capable attackers in the AI era of cybersecurity."

Think about that framing for a second. This isn't about corporate freedom or regulatory capture. It's about the basic logic of defense in an era where attackers are also getting better, faster, and more automated. If you restrict the tools defenders can use while your opponents keep advancing unchecked, you're not reducing risk. You're just making yourself more vulnerable.

The Trump administration didn't respond to The Register's requests for comment. Which, honestly, might say more than any denial would have.

The China Factor and Unintended Consequences

Here's where the story gets genuinely troubling. Because for all the talk about national security, the US can't actually extend these export controls to open-weight models or similar advanced systems from China and other countries.

Anthropic and Google have both accused China-based rivals — including DeepSeek — of using what they call "distillation attacks" to train their models by siphoning knowledge from American companies' AI. In other words, Chinese developers are already finding ways to extract the capabilities they need without running the models themselves.

So what happens when you restrict access to Anthropic's models for foreign users? You don't stop adversaries from getting equivalent capabilities. They'll achieve Mythos-like performance anyway, through distillation or other means. And soon.

But you do hurt defenders. Specifically, the defenders who rely on these tools to find vulnerabilities, write patches, and validate fixes before attackers can exploit them.

It's a paradox that should keep anyone who cares about cybersecurity governance up at night: the US is restricting defensive tools while its adversaries advance rapidly, all based on a three-word prompt that any security team would recognize as routine work.

More blogs