ProBackend
ai policy ethics
6 days ago10 min read

Anthropic Ends Zero Data Retention for Mythos and Fable Models; Suspends Access Amid Export Controls

Anthropic has ended Zero Data Retention for its Mythos and Fable models, mandating 30-day storage to combat complex safety threats like iterative jailbreaking and state-sponsored espionage. On June 12, access was suspended following US government export control action.

Cypress Moretti

For years, the gold standard for enterprise AI privacy has been Zero Data Retention (ZDR)—a contractual guarantee that an AI provider would not store any prompts or outputs submitted through its API. Anthropic, a leader in safety-first AI development, has long championed this standard for its corporate and government partners. However, as of June 9, 2026, that landscape has fundamentally shifted with the introduction of the Mythos-class models.

In a move that highlights the growing tension between absolute privacy and proactive security, Anthropic has announced that its new high-capability models—Claude Mythos 5 and Claude Fable 5—will require a mandatory 30-day data retention period. This policy applies even to organizations that have traditionally operated under ZDR agreements, signaling a new era where the risks associated with frontier AI capabilities necessitate a more hands-on safety posture.

The June 12 Suspension: Export Controls Disrupt Model Access

Just three days after the data retention policy went into effect, Anthropic announced on June 12 that it had suspended access to Claude Fable 5 and Claude Mythos 5. The company received a national-security directive from the US government that effectively prohibited all access to these models, including for legitimate research and development purposes. The directive prohibited foreign nationals from using the models, even Anthropic's own employees working on safety research.

In its official statement, Anthropic explained that the government believes it has become aware of a method to bypass or "jailbreak" Fable 5's safety mechanisms. The company confirmed it reviewed a demonstration of this technique, which allowed researchers to identify vulnerabilities. Anthropic's leadership stated that these vulnerabilities appeared relatively simple to exploit and that other publicly available models could discover similar issues without requiring the same jailbreak technique.

The Washington Post reported that Anthropic dispatched senior leadership and technical experts to Washington D.C. in an urgent bid to negotiate a resolution to export control restrictions that abruptly shut down access to the company's most powerful AI models. Company co-founders and senior executives, along with its red team security specialists, flew to Washington D.C. on short notice in an attempt to understand the specific national security concerns and explore potential pathways for restoring model access under modified terms.

Defining "Covered Models"

The new retention requirement specifically targets what Anthropic calls "covered models." Currently, this includes the Mythos 5 and Fable 5 architectures. While the underlying intelligence of these models is largely identical, Fable 5 includes specialized safeguards for high-risk domains such as cybersecurity and biotechnology.

Anthropic designates these as covered models because they represent a significant leap in reasoning and task-execution capabilities. The company noted that while other models in the Claude family remain unaffected and will continue to honor existing ZDR terms, future models with capabilities similar to the Mythos class will likely fall under this same retention umbrella. This indicates that the 30-day window is not a temporary measure but a permanent fixture for the most powerful tiers of Anthropic's intelligence offerings.

The concept of covered models is crucial for organizations navigating compliance requirements. These models are specifically flagged within Anthropic's platform, and access controls ensure that they cannot be substituted with alternative models when ZDR is enabled in an organization's workspace. The company maintains a published list of covered models on its Trust Portal, which is regularly updated as new capabilities are released.

For businesses that have already integrated the Claude API or embedded Claude into their products, this distinction means they must evaluate whether their current deployments involve covered models and plan accordingly. Organizations with multi-tenant products or shared workspaces will need to carefully manage model selection to ensure compliance with their specific data retention agreements.

Why Privacy is Yielding to Security

The rationale behind this pivot is rooted in the evolving threat landscape of AI misuse. Anthropic argues that as models become more capable, the most dangerous attacks are no longer single-shot events that can be caught by real-time classifiers. Instead, sophisticated adversaries are using temporal attack patterns that only become visible when analyzed over time.

Best-of-N and Iterative Jailbreaking

One such threat is "Best-of-N jailbreaking," where an attacker sends hundreds or thousands of slight variations of a malicious prompt, hoping that statistical variance will eventually trigger a successful bypass of the model's safety filters. Detecting these attempts requires looking at the volume and progression of requests, which is impossible if every prompt is deleted immediately after execution.

Research published in the arXiv preprint "Best-of-N Jailbreaking" (arXiv:2412.03556) demonstrated how adversaries could systematically weaken safety controls through iterative perturbation of prompts. The paper showed that while individual requests might appear benign, the cumulative effect across hundreds or thousands of variations could successfully elicit harmful responses from otherwise well-protected models.

Anthropic's internal research has shown similar patterns, with threat actors using AI-assisted attack tools to generate thousands of variations targeting specific safety boundaries. The temporal analysis enabled by 30-day retention allows Anthropic's trust and safety teams to identify these patterns before they succeed in complete jailbreaks.

Disrupting High-Stakes Espionage

Beyond individual jailbreaks, Anthropic is targeting broader patterns of state-sponsored espionage and large-scale data extortion campaigns. These operations often involve slow, methodical probing of model capabilities across multiple days or weeks. By retaining data for 30 days, Anthropic's trust and safety teams can apply retroactive analysis to identify and disrupt these coordinated campaigns before they reach critical mass.

The company referenced its previous research on AI-enabled cyber operations, published in August 2025, which demonstrated how threat actors were using AI models to conduct reconnaissance, write malware, generate phishing content, and automate parts of the attack chain. The government's determination to act quickly following Fable 5's launch suggests that intelligence agencies may have identified specific malicious campaigns already underway or imminent threats that would benefit from immediate model access restrictions.

Privacy Controls in a Retention Era

Acknowledging the sensitivity of this change for enterprise customers, Anthropic has outlined a suite of technical and organizational measures to ensure that retained data remains secure and private. The 30-day storage is not an open door for human browsing; rather, it is a restricted safety cache with strict access controls.

Restricted Access Protocols

Anthropic employees are barred from accessing conversation data unless a request is explicitly flagged by safety classifiers for potential serious harm, or if a customer requests a review in writing. These reviews can only be performed by a small set of approved reviewers through tooling that prevents export, copying, or downloading of the underlying data.

The company maintains that access to retained data follows a strict protocol:

  • Safety Flagging Only: Data is only reviewed when classifiers identify potential serious harm, such as threats of physical violence, plans for illegal activities, or evidence of ongoing cyberattacks
  • Written Customer Requests: Customers may request access to their own data for compliance or audit purposes, but this requires written authorization and creates an audit trail
  • Legal Subpoenas: In cases where Anthropic is legally required to produce data, the company will challenge overbroad requests and notify customers when permitted by law

Tamper-Proof Logging System

Every instance of data access is recorded in a log that reviewers cannot modify or suppress, providing a clear audit trail for compliance teams. The logging system is designed with the following security principles:

  • Append-Only Logs: Once a log entry is created, it cannot be modified or deleted
  • Cryptographic Integrity: Each log entry includes a cryptographic hash that verifies the integrity of previous entries
  • Real-Time Monitoring: Anomalous access patterns trigger immediate alerts to security personnel
  • Quarterly Audits: Independent third parties conduct regular audits of the logging system to verify its integrity

Customer-Managed Encryption Keys

Eligible organizations can continue to use their own encryption keys to manage the underlying storage, ensuring that even retained data remains within the customer's cryptographic control. This feature is available to organizations with Enterprise or Advanced ZDR agreements.

With customer-managed keys, the encryption and decryption processes occur on the customer's infrastructure or in a secure enclave that Anthropic cannot access. This provides an additional layer of protection for highly sensitive data and allows organizations to maintain control even when using Anthropic's services.

Automatic Deletion Policy

Data is purged automatically after the 30-day window expires, ensuring that the safety cache does not become a permanent repository of sensitive business intelligence. The deletion process is designed to be irreversible and includes:

  • Scheduled Jobs: Automated systems trigger deletion 30 days after the original interaction, plus a buffer period
  • Verification Protocol: Before deletion, the system verifies that no safety investigations are pending and that no legal holds apply
  • Secure Wipe: Data is not just removed from indexes but physically wiped from storage using Department of Defense-standard deletion protocols
  • Audit Trail: The deletion process itself is logged and available for compliance reporting

Impact on Enterprise Customers

The 30-day retention requirement represents a fundamental shift for organizations that have operated under ZDR agreements. While the policy is designed with robust privacy protections, it marks a departure from the absolute data control that many enterprises expected when signing ZDR contracts.

What Changes for Enterprise Users

For organizations that have traditionally relied on ZDR:

  1. Access to Anthropic Services: Organizations using covered models will now have 30-day retention enabled by default
  2. No ZDR Option for Covered Models: Even with prior ZDR agreements, covered models require retention
  3. Opt-Out Window: Organizations have 90 days to transition off covered models if retention conflicts with their compliance requirements
  4. Customer-Managed Keys: Enterprise customers can opt into this feature for additional control over data encryption

Compliance Considerations

Organizations operating under strict regulatory frameworks (HIPAA, GDPR, FINRA, etc.) should carefully evaluate whether the 30-day retention period aligns with their data governance policies. Key considerations include:

  • Data Subject Rights: Under GDPR, individuals may request deletion of their data; organizations should understand how Anthropic's retention policy interacts with these rights
  • Legal Hold Notifications: Organizations should ensure their systems can respond to legal hold requests while Anthropic retains data
  • Cross-Border Transfers: The retention policy may affect data transfer agreements between jurisdictions with different privacy standards

Migration Paths for Compliant Organizations

For organizations that cannot accommodate the retention period, several options exist:

  1. Use Alternative Models: Stick with non-covered Claude models that honor existing ZDR terms
  2. Customer-Managed Infrastructure: Deploy Anthropic models through AWS Bedrock, Google Cloud, or Microsoft Azure with customer-managed encryption
  3. On-Premises Solutions: Evaluate whether Anthropic's on-premises offering can accommodate retention requirements
  4. Alternative Providers: Consider models from providers that maintain ZDR for all tiers of their offerings

The company has committed to providing 90 days' notice before enforcing the retention requirement on ZDR customers, giving organizations time to evaluate their options and make informed decisions about their AI strategy.

The Broader Implications for AI Safety and Privacy

Anthropic's move represents a pivotal moment in the ongoing debate about how to balance privacy with safety in frontier AI development. By requiring 30-day retention for its most capable models, Anthropic is acknowledging that perfect safety cannot be achieved through real-time filtering alone.

A New Paradigm for Frontier AI

The company's position suggests that the industry may be moving toward a new paradigm where:

  • Most Capable Models require some form of data retention for safety analysis
  • Less Capable Models may continue to offer ZDR for cost-sensitive or privacy-critical applications
  • Customer Choice remains paramount, with organizations able to choose models based on their retention tolerance

This tiered approach acknowledges that different applications have different safety and privacy requirements, allowing organizations to make informed trade-offs between capability and data control.

Regulatory Precedent

The June 12 suspension of Fable 5 and Mythos 5 access—followed by Anthropic's Washington D.C. mission to negotiate a resolution—represents an unprecedented step in AI governance. It signals that:

  • Export Controls May Apply to General-Purpose AI: This could become a template for regulating other frontier AI capabilities
  • Safety Research May Conflict with National Security: The line between defensive research and capability proliferation is blurring
  • Industry Self-Governance Is Under Stress: Voluntary safety commitments may give way to mandatory government controls

What Comes Next?

Industry watchers predict several potential developments:

  1. Sanitized Model Variants: Anthropic or other providers may release "defense-only" versions of their models with specific capabilities disabled
  2. Controlled Access Frameworks: The government may establish clear criteria for accessing frontier AI capabilities in defensive security roles
  3. International Coordination: Allies may coordinate their approaches to frontier AI export controls to prevent regulatory arbitrage
  4. Alternative Safety Mechanisms: Research may focus on in-model safety features that reduce the need for data retention

For now, organizations using Anthropic's AI capabilities should prepare for a new reality where safety and privacy must be balanced through transparent policies, robust technical controls, and ongoing dialogue with both AI providers and government regulators.

The 30-day retention policy for covered models, coupled with the June 12 suspension event, marks a definitive end to the era of absolute zero retention for frontier AI. As Anthropic states on its Trust Center, "The safety of the ecosystem may now require a slight retreat from the absolute privacy of the past." Whether this trade-off proves sustainable—or whether alternative safety mechanisms can be developed—remains one of the most important questions facing the AI industry in 2026 and beyond.

Related blogs

ai policy ethics

Artificial Intelligence for Inspired Action: Navigating Our AI-Mediated World with Purpose

Everything is connected and affected in an AI-mediated environment. This article explores the four key risks reshaping human psychology—agency decay, bond erosion, climate conundrum, and divided society—and introduces the POZE framework for ProSocial AI that amplifies human flourishing.

1 day ago · 6 minai policy ethics

Meta Unwinds $2B Manus Deal: Beijing's Divestiture Order Accelerates Separation

Meta has begun dismantling its $2 billion acquisition of Manus AI, completing an operational separation as the most concrete step yet toward complying with a divestiture order Beijing issued roughly two months ago on national security grounds.

1 day ago · 5 minai policy ethics

Security Experts Open Letter Urges Reversal of Anthropic Claude Export Restrictions

An open letter signed by dozens of security experts urged the US government to reverse export restrictions on Anthropic's Claude AI models, raising concerns about national security implications and global AI leadership.

2 days ago · 5 min
More engineering analysis and backend guidance from ProBackend.
More blogs