Fable and Mythos are the same model, and that is not a technical footnote | --no-rollback

Fable and Mythos are the same model, and that is not a technical footnote

Anthropic's new model is designed to be safe for you and dangerous for those it approves. The company openly admits that it has built something capable of causing real harm, while appointing itself the arbiter of who may use it.
Rubén S.
Technical observer of foreseeable disasters
8 min

For years, we have assumed that safety in artificial intelligence models was fundamentally a matter of capability. A safe model was one that did not know how to do dangerous things, or had not yet reached the threshold at which those things became possible. Under that implicit framework, safety was almost a by-product of technical immaturity: models were safe because they were not good enough yet.

According to Anthropic’s latest announcement, that assumption no longer reflects reality.

Claude Fable 5 and Claude Mythos 5 are the same underlying model. They are not two systems with different training histories, separate datasets, or competing alignment philosophies. They are the same model under two names, separated only by a layer of classifiers that decides who may ask for what. What distinguishes Fable from Mythos is not what the model knows. It is what the model is allowed to say.

That technical detail, buried in a footnote to the announcement, is the real substance of the release.

A fable for everyone, a myth for the chosen few

The names are no accident. Anthropic explains them in that same footnote: Fable comes from the Latin fabula, “that which is told,” and is related to the Greek mythos. The fable is the story we are allowed to tell. The myth is the deeper truth beneath it.

The distinction between the two models does not exist at the level of capability. It exists at the level of access. Mythos 5 is Fable 5 with its cybersecurity safeguards lifted for a group of accredited defenders. Soon, its biological safeguards will also be lifted for authorized researchers. The model can do the same things in both cases. The only difference is who may ask it to do them.

Anthropic has been unusually candid in explaining this. Safety does not mean that the model is unaware of what it knows. It means that an external classifier decides whether the person asking is authorized to receive the answer. This is an access-control architecture, not an architecture of benevolent ignorance.

That is both more honest and more unsettling than the alternative. More honest because it acknowledges that the capability exists rather than pretending otherwise. More unsettling because the question is no longer, “Can the model do this?” but, “Who decides who is allowed to ask?”

For now, the answer is that Anthropic, in consultation with the United States government, decides who joins the consortium. A private company, with no democratic mandate or binding external oversight, has appointed itself the arbiter of access to genuine offensive capabilities in cybersecurity and biology. The government it is consulting has built global surveillance programs without recognized legal authority, operated in foreign jurisdictions without consent, and withdrawn from treaties when their terms were no longer convenient. That is hardly reassuring. But the primary problem is not whom Anthropic consults. It is that Anthropic is making the decision for everyone.

The science buried beneath the coding benchmarks

The technology industry is comfortable with certain kinds of results. A fifty-million-line Ruby repository migrated in a day is a story any CTO can understand and repeat. Stripe compressing months of work into days makes a good headline. First place on CursorBench and FrontierCode fits neatly into a table. These results are easy to understand, compare, and cite.

The same announcement contains other results that the industry does not quite know how to process.

Mythos 5 conducted autonomous genomics research for more than a week. It designed and trained its own machine-learning model to identify cells with equivalent functions in evolutionarily distant organisms, outperforming a model published in Science despite being one hundred times smaller. One hypothesis it proposed about a protein mechanism in E. coli was independently corroborated by a laboratory working on the same problem, with no knowledge of the model’s hypothesis.

There is no benchmark for that. There is no comparison table or position in a ranking. There is a laboratory somewhere that reached the same conclusion as the model, without knowing that the model had arrived there first.

Showing the model completing a Pokémon game is much easier. But the difference between a model that completes tasks faster and one that proposes testable scientific hypotheses is not a difference in speed. It is a difference in kind. And that difference does not appear on any coding benchmark.

A fence is not a wall

Fable 5’s safety mechanism deserves attention because it is a design choice with philosophical consequences.

When the classifiers detect a problematic query, involving offensive cybersecurity, high-risk biology, or attempts to distill the model, the request is not rejected. It is redirected to Claude Opus 4.8, a capable model without Mythos-level capabilities. The user still receives an answer, perhaps even a useful one. It is simply not the answer Fable 5 would have given.

This design has a virtue that should not be overlooked: it is honest about what it is doing. It does not pretend that the model lacks the knowledge or simulate ignorance. It acknowledges that the capability exists, that it can cause harm in the wrong hands, and that the response is access management rather than selectively removing knowledge during training.

The problem is that a fence is not the same as a wall.

Anthropic reports that external experts found no universal jailbreaks after more than one thousand hours of testing. It also reports that the United Kingdom’s AI Safety Institute “made progress toward one” during a short initial testing period. Good news and bad news appear in the same sentence. The fence is sturdy, but it can potentially be climbed, and the incentive to try is exceptionally high when the prize is a model with genuine offensive capabilities in cybersecurity and biological design.

The five percent of sessions that trigger the classifiers is not merely a technical metric either. It represents the volume of users who will encounter an invisible redirection without understanding why their answer came from a different model. Conservative safety measures have distributed costs, borne by legitimate researchers, well-intentioned security developers, and physicians asking questions that sound suspicious when stripped of context. Anthropic acknowledges that there will be false positives. Users who experience them will know little more than that.

Who measures, who profits, who audits

The data-retention policy deserves separate attention.

From now on, all traffic to Mythos-class models, including Fable 5, will be retained for thirty days. Anthropic presents this as a safety measure: the data will help detect new jailbreaks and attacks that operate across multiple requests. It will not be used to train models or for purposes unrelated to safety. It will be deleted after thirty days, subject to exceptions, and any human access will be logged.

That is a reasonable policy if we assume Anthropic will act in good faith, an assumption complicated by its own history. The same company secretly carried out Operation Panama, buying and physically destroying millions of books so they could be scanned, while an internal document explicitly stated that it did not want the public to know what it was doing. It also used millions of pirated copies to train its models and paid $1.5 billion to settle the largest copyright case in United States history. Meanwhile, its acceptable-use policy, which prohibits the use of Claude for domestic surveillance or autonomous weapons, did not prevent the model from being used in military operations in Venezuela and Iran before the company itself pushed back, with notable resolve, against Pentagon pressure to remove those restrictions. The fact that it had to push back means that the pressure had already reached the company.

Something has changed in kind

After all of that, one thing remains true: the results are extraordinary.

We have spent years using language models to write code, summarize documents, and make emails sound friendlier. That has always been useful. It was never transformative in the deepest sense of the word. What Anthropic is describing in the life sciences is different: a system participating in the production of verifiable scientific knowledge.

If that trend continues, and there are no structural reasons to believe it will not, the consequences will extend far beyond the productivity of software developers or financial analysts. We will be talking about how knowledge is produced, who has access to the ability to produce it, and what happens to scientific publishing, validation, and reputation when a model can generate hypotheses faster than laboratories can test them.

This is not excitement over a position on a leaderboard. It is the recognition that something has crossed a threshold it will not cross back over.

This is not a product launch. It is a precedent

If the Fable 5 and Mythos 5 announcement is remembered at all, it will probably be for its FrontierCode numbers or the video of the model playing Pokémon. It should not be.

It should be remembered as the first release in which a leading AI company said, openly and with verifiable documentation: we have built something capable of causing real harm, we are going to release it anyway, and the difference between the safe version and the dangerous one lies not in the model but in the access layer we have built around it. We have given the two versions different names to make that distinction explicit.

That is uncomfortable honesty. At this stage in the development of artificial intelligence, it is also the only kind of honesty worth anything.

The question Fable 5 leaves open is not whether models will be more capable in six months. They will be. The question is whether the governance structures we are building now, for the time being in consultation with one particular government and for partners that government approves, will be adequate to manage what comes next.

This is not the end of safe models. It is the beginning of models that know exactly what they are doing.