Who decides who gets to use a piece of software?

The letter arrived at 5:21pm Eastern Time on a Friday, which is the hour at which official Washington usually stops returning calls and the news cycle goes slack for the weekend. It came from the Commerce Department, ran to a few paragraphs, and did something no piece of American paper had ever quite done before.

By the time the East Coast had finished dinner, two of the most capable artificial-intelligence models on the planet had gone dark. Not throttled, not patched, not quietly degraded. Off. A researcher in Berlin who had been mid-sentence with the thing found it gone. So did a financial analyst in Singapore, a software team in Bangalore, and, in a detail that would be funny if it were not the whole point, a number of Anthropic’s own engineers, the ones who happen to hold the wrong passport.

The directive told Anthropic to deny access to Fable 5 and Mythos 5 to any foreign national, anywhere on Earth, including non-citizens sitting at desks in California. There is no clean way to enforce a rule like that on a live product, so the company did the only thing the order left it room to do. It pulled the plug on both models for everyone, citizen and foreigner alike, and apologised for a disruption it had not chosen.

I want to be careful about what is fact here and what is my opinion, because the two blur quickly in a story like this. The facts are not in dispute. Anthropic confirmed it received the directive, confirmed its scope, and confirmed that it disabled the models in response, leaving its older Claude Opus 4.8 running.

Fortune and Al Jazeera both reported it as the first time the US has used national-security export controls against a commercial AI model. The stated reason is a cybersecurity one. Officials told Anthropic they had learned of a technique to bypass Fable 5’s safeguards and reach the raw cyberattack capabilities of Mythos, the model underneath it.

Anthropic calls it a “narrow potential jailbreak” and the whole episode a “misunderstanding”. Al Jazeera, citing Semafor, reported that suspicion of access by a China-linked group was part of the trigger, while noting it could not independently confirm that detail.

So much for the facts, but here is the opinion. The security argument, whatever its merits, is not the part of this story that should travel. The part that should travel is the mechanism, because the mechanism is what gets reused: export controls are an old tool. They have governed missiles, centrifuges, encryption, and the physical chips AI runs on.

What is new this time is the object. A frontier model is not hardware you can intercept at a port. It is a service, reached through a browser, woven by now into the daily work of companies and institutions that have nothing to do with American national security. Al Jazeera noted that clients of the ratings firm S&P use Claude to query their databases; research labs build on it; foreign staff inside American companies depend on it to do their jobs. When the state can switch that off for the entire world between one evening and the next, “export control” stops describing a border and starts describing a kill switch.

That is the precedent, and precedents do not stay in their box. Once a government has shown it can compel a company to revoke a commercial product from millions of users on a few hours’ notice, the tool exists for every future administration and every future grievance. The criterion used this time, “foreign national”, is so broad as to be almost meaningless.

Kun Chen, a former engineer at Meta and Microsoft, pointed out that it is not enforceable in practice and is trivial to bypass for anyone with genuine malicious intent, while sweeping up millions of ordinary users and even American firms’ own staff. A measure that misses its target and hits everyone else is not precision. It is a demonstration of reach.

There is a reasonable counterargument, and it deserves a fair hearing rather than a straw man. Governments have always claimed the right to stop dangerous technology from spreading, and if a model really can be turned into an automated weapon for breaking into banks, the state has a legitimate interest in that. Anthropic, after all, spent years describing its most powerful systems as too dangerous to release freely.

It called Mythos too potent for a broad launch, then built Fable on a scaffold of safeguards it advertised loudly. If you build something and call it a hazard, you can hardly be shocked when a regulator treats it as one.

The cybersecurity researcher Peter Girnus put it sharply: “If you describe your product as a munition in every press release, eventually a government takes you at your word. They wrote the legal predicate themselves and called it a brand.”

I find that argument honest and incomplete. Honest, because the danger is not purely invented, and Anthropic did help write the script. Incomplete, because it answers a question nobody is really asking. The issue is not whether the state may regulate genuinely dangerous capabilities. Of course it may. The issue is whether it should be able to do so by reaching past the company and into the product, unilaterally, without a transparent process, without appeal, and with effects that fall mostly on people in other countries who had no say and no warning.

Anthropic itself drew exactly that line, arguing the government should be able to block unsafe deployments, but only through a process that is “transparent, fair, clear, and grounded in technical facts”, and that this action met none of those tests. On that narrow point, I think the company is right, whatever else it has gotten wrong.

What makes the precedent harder to defend is the company it keeps. In January the same administration reversed years of policy and cleared Nvidia’s advanced H200 chips for sale to China. Dean Ball, who briefly worked inside the administration on AI policy, caught the contradiction in a single line: a government willing to export its best chips to a rival now wants to bar Britain, and every other non-American on Earth, from using its best models. “I have no words,” he wrote.

The hardware flows to the competitor; the software is walled off from allies. As security policy it does not cohere. As a demonstration of who holds the switch, it is perfectly clear.

And here is the part Washington will like least. The lesson lands hardest precisely where it would least want it to. Sridhar Vembu, co-founder of the Indian software group Zoho, put it plainly: “National sovereignty, national security, all of it is now about technology.” He meant it as a spur, and the spur is already working. The shutdown handed India’s sovereign-AI movement its strongest argument yet. Europe, which has spent years agonising over its own AI sovereignty while American hyperscalers quietly took some 70% of its cloud market, now has a case study it could not have scripted better.

Gary Marcus, a long-standing critic of the industry, pointed to the deeper self-harm: a directive like this gives the many foreign-born researchers at American labs a reason to go home, and gives investors a reason to wonder whether US AI firms are a safe bet when the government treats them as instruments of state policy on a Friday whim. A country that wants to stay ahead of China has just made its own labs less attractive to the talent and the capital that keep them there. Concentration of power tends to look like strength right up to the moment it reveals itself as brittleness.

The models came back for most users within days, which is exactly why the moment is so easy to wave away. It will get filed under teething trouble, a bit of bureaucratic overreach walked back almost as fast as it happened. But that misses what changed. The clumsiness of this first attempt does not make the next one less likely; it makes it more practised. And the people who should be paying attention are not in Washington or San Francisco. They are everywhere else.

Maybe the hospital in Madrid that runs patient triage through a model it does not own. The bank in São Paulo. Or even the ministry in Nairobi that built its citizen services on someone else’s software. None of them were in the room on Friday, and none got a warning. All of them just learned that the tools they have wired into the centre of how they work can be switched off by a government they did not elect, for reasons they will not be told, on an afternoon they will not see coming.

That is the stake, and it sits well below the noise of Anthropic versus the White House. The lawsuits and the name-calling will sort themselves out, but the dependency will not. So, for a few hours on a Friday night, the smartest software people have built went dark for most of the people who use it, because one government decided it should. The screens are lit again, and the switch is still there. Nobody has yet shown us what keeps a hand off it next time.