The Off Switch Found Hands — Issue #018

Last week the receipts arrived faster than anyone could fix them. This week the bigger question got answered: nobody needed to fix them. The switch worked.

Anthropic shipped Claude Fable 5 — its first publicly available Mythos-class model — on Tuesday June 9. By Wednesday, Amazon’s researchers had used it the way every defender uses these tools: pointed it at a codebase and asked for the flaws. By Thursday, Anthropic was apologizing for a different problem entirely — a covert anti-distillation guardrail buried in a 319-page system card. By 5:21 PM Eastern on Friday, Commerce Secretary Howard Lutnick had a letter on Dario Amodei’s desk ordering the model off the internet for any foreign national, anywhere, including Anthropic’s own foreign-national staff. By Friday night, Fable 5 and Mythos 5 were dark for every customer on earth.

The state owned the off switch the whole time. This week it just used it. And — because the week wasn’t going to let one story carry it — SpaceX printed $2 trillion on the way out the door, Apple turned its operating system into an agent control plane, and 42 state attorneys general served OpenAI with a subpoena four days after it filed for an IPO. Whose hand is on which switch became this week’s whole conversation.

🚨 Three Days to Off

The takedown that rewrote how a model dies

The clean timeline first. On June 9, Anthropic launched Claude Fable 5 — the first publicly available model in a new “Mythos-class” tier above Opus — alongside Claude Mythos 5, the same underlying model with safeguards lifted for Project Glasswing partners. Fable shipped at $10 per million input tokens and $50 per million output (double Opus 4.8) with conservative cyber/bio/chem safeguards that re-routed flagged queries to Opus. Anthropic said it had red-teamed Fable for thousands of hours with the US government, the UK AISI, and “multiple private third-party organizations” before launch and found no universal jailbreak.

Three days later it was off.

Per Anthropic’s June 12 statement, the directive arrived at 5:21 PM Eastern from the Commerce Department, citing national-security authorities, suspending access for any foreign national whether inside or outside the United States, including Anthropic’s own foreign-national employees. Because nationality cannot be filtered at API inference time, Anthropic disabled both models for all customers globally to comply. Every other Claude model stayed up. Per NBC News, this was the first time a leading AI company has ever taken a publicly deployed model offline at federal direction.

Here’s the part the launch-day coverage missed: the trigger came from inside the cap table. Per Axios and the Wall Street Journal, Amazon CEO Andy Jassy was among the executives who phoned senior administration officials Thursday night to share a report showing Amazon’s researchers had jailbroken Fable. At least five other companies escalated to a variety of senior officials through Friday morning. Treasury Secretary Scott Bessent, National Cyber Director Sean Cairncross, and Commerce Secretary Lutnick were the named principals. Trump signed off, per a senior White House official, “though he worried it could slow innovation.”

Amazon has invested roughly $13 billion in Anthropic and holds a $100 billion AWS infrastructure commitment from the same company. A major investor effectively turned in its own portfolio company. The technique Amazon flagged, by Anthropic’s account, was the one every defender uses: ask the model to read a codebase and find the flaws. Anthropic specifically named OpenAI’s GPT-5.5 as a model with the same capability, available without a bypass.

The hype-vs-reality receipt came from Katie Moussouris, CEO of Luta Security and the woman who built Microsoft’s first bug bounty. Anthropic asked her to review what Amazon had submitted. Her verdict: it wasn’t a jailbreak at all. It was “Defense Oriented Prompting” — a technique defenders use, not attackers. “If national security is the goal,” she wrote on LinkedIn, “this is an own goal against us.” A source told Axios the escalation may have had less to do with the security risk than with the broader relationship — administration officials were bothered by what they read as a “lack of seriousness” in how Anthropic handled the Fable release.

Anthropic’s own line, from the statement, is the one that should be pinned: it disagrees that “the finding of a narrow potential jailbreak should be cause for recalling a commercial model deployed to hundreds of millions of people. If this standard was applied across the industry, we believe it would essentially halt all new model deployments for all frontier model providers.”

Why it matters for builders: a deployed frontier model can now be undone in 72 hours on verbal evidence of a “narrow, non-universal” jailbreak, with the technical basis withheld from public review. If your production stack has a single-vendor dependency on a capability tier, that dependency is no longer just a pricing or latency risk — it’s an act-of-state risk. The model in your stack is in service until it isn’t. Concrete move this week: stand up a behavior-tested fallback path, abstract the model ID from the application layer, and define which features must degrade gracefully if a substitute can’t meet the same security or data-handling requirements. Treat model disappearance like provider downtime — except the cause isn’t an outage and the timeline isn’t yours.

Hype vs. Reality: 9/10 — the timeline, the directive, and the takedown are on the record from Anthropic, the Commerce Department, and named officials. The “national security” technical basis is verbal-only as of Sunday evening. The capability Amazon flagged is, per the independent reviewer Anthropic asked to look at it, the standard defender’s workflow.

🏛️ The Rulebook Is Whatever Friday Says

Voluntary on June 2, mandatory by June 12, same administration both times

Ten days before the Commerce Department killed Fable, the same administration signed an executive order on AI safety that explicitly disclaimed mandatory review. Section after section landed on the word voluntary. The order — “Promoting Advanced Artificial Intelligence Innovation and Security” — directs federal agencies to share information with leading labs and asks the labs to share frontier models with the government up to 30 days before public release. Critical clause: “nothing in this section shall be construed to authorize the creation of a mandatory governmental licensing, preclearance, or permitting requirement for the development, publication, release, or distribution of new AI models.”

Ten days later, the Commerce Department used export-control authority to do the practical equivalent through a different statutory door. And the door it walked through is wide. Per the WSJ and Axios reporting cited above, Anthropic had pre-notified the government multiple times about the planned June 9 release, and the government did not object — until Amazon and at least five other companies started phoning senior officials Thursday and Friday. Per Axios, administration officials gave Anthropic roughly 90 minutes Friday afternoon to propose an acceptable mitigation before the letter went out.

Washington has spent months arguing that fragmented state AI regulation will choke American innovation. Anthropic, OpenAI, and others have backed federal preemption rhetoric on that exact grounds. Then this week the same administration imposed a bespoke, vendor-specific restriction on one model using an unpublished standard, without an industry-wide rule, without a public capability threshold, and without an established appeals process. The fragmented patchwork the administration wanted to preempt was just replaced by a fragmented patchwork the administration writes.

This isn’t a libertarian complaint. The argument isn’t that governments should never block a model. Anthropic itself, in its own public AI policy posture, supports a government authority to do exactly that — for genuine catastrophic risk, through a statutory process that’s transparent, fair, and grounded in technical facts. The dispute is over whether the mechanism that fired this week was technically defined (no published capability threshold), consistently applied (only one vendor named), externally examinable (verbal evidence only), narrowly scoped (a global shutoff for everyone), and appealable (the order arrived as a directive, not a proposal). On every count, this week’s action was none of those things.

Why it matters for builders: the operating environment for production AI in the US just acquired a new failure mode that no contract can hedge — emergency action by a government using authority that was disclaimed in the document signed ten days earlier. If you’re shipping into a regulated workflow, the “rule” you’re complying with on Tuesday is not necessarily the rule on Friday. The mechanism is the story, not the politics: a single-vendor lock-in is now a single-administration lock-in too.

Hype vs. Reality: 8/10 — the EO text and the export-control directive are both on the public record. The contradiction is observable from the documents themselves. The “appeals process” critique is structural — there isn’t one published.

🍎 Apple Built the Hallways

The model is not the platform — the platform is the platform

The frame on Apple’s WWDC last Monday wrote itself for two days: “Apple gave up and rented Gemini.” It’s not wrong, exactly, but it misses the bigger move. Apple isn’t competing on the model anymore. Apple is making the OS the agent control plane, and inviting the labs in as tenants.

The concrete deliverables: a new public LanguageModel Swift protocol in the Foundation Models framework that any third-party cloud model provider can implement, per Apple’s own developer docs. Devs swap between Apple’s on-device Foundation Models, Google Gemini, and Anthropic Claude via Swift Package Manager with no session-code changes. The Foundation Models framework itself is being open-sourced this summer and runs wherever Swift runs, including Linux servers. The fm CLI lands in macOS 27 — on-device and Private Cloud Compute access piped through a shell. A Python SDK exposes the same on-device model. Free Private Cloud Compute access for developers under 2 million first-time downloads. Xcode 27 integrates agents from Anthropic, Google, and OpenAI. App Intents become the mandatory way Siri talks to apps; SiriKit is on a deprecation clock.

And the underrated one: macOS 27 ships Container machines, a new lightweight-persistent-Linux feature built on top of the Containerization framework Apple open-sourced at WWDC 2025 — OCI-compatible Linux containers running natively on Apple Silicon, each in its own isolated VM, no Docker Desktop required. The framework isn’t new; the persistent first-class developer experience on top of it is. Read that next to last week’s coverage of Microsoft Execution Containers in #017 and a pattern lands hard: the OS is becoming the sandbox layer for agent execution, on both major desktop platforms, in the same quarter.

Yes, Siri runs on a custom 1.2-trillion-parameter Gemini model, reportedly at ~$1B/year, with Apple’s three-tier routing (on-device for simple, Apple Foundation Models on Cloud for mid, Gemini Frontier on Google Cloud B200s for heavy). Yes, Siri AI doesn’t ship in the EU or China at launch because of the Digital Markets Act and Chinese regulatory friction. Yes, Tim Cook delivered his last WWDC keynote as CEO; John Ternus takes over September 1. But the bigger play isn’t “Apple admitted defeat on the model.” It’s that Apple is making model identity a swappable abstraction at the OS layer, exposing both on-device and cloud compute through one Swift surface, open-sourcing the framework, and shipping a native Linux container runtime alongside it.

OpenAI and Anthropic are building increasingly capable workers. Apple is building the building access system — App Intents, permissions, personal context, Secure Enclave, Private Cloud Compute, and 2.5 billion active devices. After this week’s Anthropic takedown, the “rented capability is revocable capability” thesis has more force. Apple is making the rented part as portable as it can.

Why it matters for builders: if you ship on Apple platforms, a LanguageModel adapter is now the right abstraction layer for production AI features. Build to that interface, behavior-test multiple providers, and make the model swap a config change. The Containerization framework gives you isolated Linux execution on Apple Silicon laptops without Docker Desktop’s overhead — useful for local coding agents, sandboxed tool execution, and dev environments where the host shell is too privileged. None of this requires owning a frontier model. That’s the point.

Hype vs. Reality: 7/10 — the developer surfaces are real and the documentation is shipping. Siri’s user-facing reliability remains an open question; Apple has burned that trust once already this cycle. Verify before you bet a roadmap.

💰 The IPO Lane Has a Subpoena Lane

Three of the largest listings in history, served with three lawsuits and a 42-state probe

The week the state pulled Fable from the shelves was also the week the AI compute economy went public. SpaceX debuted on the Nasdaq under SPCX on June 12, priced at $135, opened at $150, closed at $160.95 — up 19.2% on day one, $75 billion raised, valuation across $2 trillion at close. Largest IPO in history by deal size. The IPO narrative wasn’t the rockets. It was the compute. SpaceX is now selling roughly $2.17B/month in committed AI infrastructure revenue from two named customers: Anthropic at $1.25B/month and Google at $920M/month — the latter a 32-month deal worth about $30B for ~110,000 Nvidia GPUs that Google specifically said it needs as “bridge capacity” because demand for its Gemini Enterprise agent platform has been higher than expected. Both contracts include 90-day cancellation clauses after initial lock-up — Reuters noted that Musk has separately described the Anthropic lease as effectively a six-month arrangement with an off-ramp. Lock-in with a release valve.

The same Monday Apple opened WWDC, OpenAI confirmed it had confidentially filed an S-1 with the SEC. Per Bloomberg-relayed reporting, Goldman Sachs and Morgan Stanley are the lead underwriters; the target listing window is September through November 2026; OpenAI’s last private round in March 2026 valued the company at $852B, and analysts expect the IPO to clear $1T. Anthropic’s S-1 from #017 (June 1, $965B post-money valuation) made it a trifecta — three of the largest US IPOs ever, all filed or trading inside ten days.

Then the other shoe. Friday June 12, the same day Lutnick’s letter went to Anthropic, New York Attorney General Letitia James served OpenAI with a subpoena on behalf of a coalition reported by Tech Times to include 42 state attorneys general, demanding records on advertising practices, user engagement and retention, model sycophancy, consumer and health data, protections for minors and seniors, deep-learning models, and internal company policies. The 42-state action lands on top of Florida’s June 1 lawsuit by AG James Uthmeier against OpenAI and Altman personally — alleging the company misrepresented ChatGPT’s safety to children. On June 11, a Canadian mother filed a separate US lawsuit alleging ChatGPT encouraged her teenage daughter’s suicide. The Tumbler Ridge shooting apology Altman issued earlier this month — OpenAI failed to alert law enforcement after flagging the alleged shooter’s account — is part of the same package state AGs are pulling on.

Read the two stories together. The biggest commercial AI buildout in history is going public the same week its largest model gets recalled, its biggest competitor gets subpoenaed by 42 states, and the compute layer underneath the whole thing trades at $2T on the Nasdaq. The “regulatory risk” line in every prospectus just became expensive.

Why it matters for builders: the days when you could roll out a feature, take a beat, and respond to issues on a quarter timeline are not the days you’re operating in. Three of the largest AI companies in the world now have public-market disclosure obligations, state AG document demands, federal export-control exposure, and pending product-liability lawsuits in the same five days. If your stack is sitting on top of those vendors, your timeline now compresses to theirs. Plan for vendor-side incidents — IPO-related disclosures, federal directives, state subpoenas, plaintiffs’ bar — as production events, not press releases.

Hype vs. Reality: 8/10 — the IPO mechanics, the subpoena, and the lawsuits are all on the public record. The aggregate compounding effect is editorial — but the documents are real.

🧠 The AI-Native Org Chart Hit Reality

Meta’s flatter, AI-heavier company met the humans, walked back the math

The “AI-native company” pitch has been everywhere for nine months: agents do more individual work, so you need fewer managers, so flatten the org, so reassign people into AI workflows, so coordination costs fall along with headcount. Five assumptions, presented as one trend.

This week Meta filed the first real receipt against the math. Per a Reuters report on an internal memo, CEO Mark Zuckerberg wrote: “Given the complexity of these changes, we’ve made mistakes and will almost certainly make more.” The May restructuring had cut roughly 10% of Meta’s workforce — about 8,000 employees — and reassigned roughly 7,000 into AI-oriented roles, with reported management spans as wide as 50 direct reports in parts of Applied AI Engineering. Zuckerberg committed to no further company-wide layoffs in 2026, said Meta would scale back the expanded management ratios, and announced a company-wide hackathon in July.

Translate the memo. A 50:1 management span isn’t proof that agents made middle managers redundant. It’s evidence that the management work got left undone. AI can increase individual throughput while simultaneously creating more systems to coordinate, more evaluations to run, more exceptions to handle, more cross-team dependencies to broker. The throughput gain is real; the coordination work doesn’t disappear because the agents are faster.

Why it matters for builders: if your company is selling the “flatten the org, agents pick up the slack” pitch, this is the cleanest counterfactual you’ll see this year — from the company most likely to make it work, walking it back. Run the AI-throughput math against the coordination-overhead math before reorganizing.

Hype vs. Reality: 7/10 — Reuters has the memo. The 50:1 number was reported widely in May; the walkback is direct quote.

🛠️ On Your Radar: Skills Without a Supply Chain

npm packages with shell access — and no npm

Last week’s GitHub spotlight was OpenCode pulling ahead because the harness should outlive the model. This week’s spotlight is the unfinished part of that thesis: if skills are the new package format, where’s the package security?

Three repos define the week’s GitHub theme. The anchor is NVIDIA/SkillSpector, a security scanner for AI agent skills built explicitly for the Claude Code / Codex CLI / Gemini CLI installation flow. The pitch is direct: skills execute with implicit trust and minimal vetting, and SkillSpector lives in your install path to scan them first. 64 vulnerability patterns across 16 categories — prompt injection, data exfiltration, privilege escalation, supply chain, excessive agency, memory poisoning, MCP tool poisoning, taint tracking, YARA signatures, and dangerous code (AST). Two-stage analysis: fast static checks plus optional LLM semantic evaluation. The research it cites — done on a 31,132-skill sample from a 42,447 collection — found 26.1% of skills contain vulnerabilities and 5.2% are likely malicious at high severity. A separate Snyk pass on 3,984 skills found 76 outright malicious payloads and 13.4% with at least one critical issue. The number that should make you stop scrolling: when researchers ran three different scanning systems against the same skills, only 0.69% of flagged skills were flagged by all three. The scanners don’t even agree.

The complement is chopratejas/headroom, a context-compression layer that sits between your agent and the LLM. It claims 60-95% token reduction by compressing tool outputs, logs, file content, and RAG chunks before they reach the model. Live example on the README: 10,144 tokens compressed to 1,260. It exposes a library, an HTTP proxy, and an MCP server, with provider-specific paths for Claude, Codex, and Gemini. This is the direct builder response to #017’s metered-billing story — tool output, especially giant JSON blobs and search results, is becoming the avoidable source of context cost.

And the architectural complement: Apple’s Container machines (covered above) — the persistent-Linux experience built on the open-source Containerization framework Apple shipped a year ago. Each agent run in secure isolation, no Docker Desktop required, integrated with App Intents and Foundation Models. The OS is becoming the sandbox layer.

The thesis is the one Matt Pocock’s skills repo opened a few months ago and that SkillSpector is now formalizing in scanner form. Reusable agent instructions are becoming a package ecosystem — but without consistent signing, publisher identity, lockfiles, declared permissions, sandboxed execution, standardized review, vulnerability advisories, or scanner agreement. Skills are npm packages with shell access and no npm. The dependency isn’t just code. It can rewrite the behavior of the interpreter evaluating the code. Treat every skill like an untrusted dependency with social-engineering privileges, because that’s what it is.

What to do this week: pin skill versions or commits. Inspect instruction files and any scripts. Deny credentials by default, scope what each skill can see, isolate shell execution, and log which skill influenced which run. Then add Headroom-style compression on the context side and a SkillSpector-style scan in the install path. The scanners disagree — running one isn’t absolution — but a single clean scan is more than what most production agent stacks have today.

🎯 The Playbook

Four moves for the week the off switch found hands

Design for model disappearance, not just provider downtime. Abstract model identifiers out of your application code. Behavior-test your fallbacks against the same tasks you ship. Define which features must degrade gracefully when the substitute can’t meet the same security or data-handling bar. The Fable shutdown is your first reference event.
Treat every skill like an untrusted dependency with shell access. Pin versions or commits. Inspect instruction files and any scripts. Run SkillSpector-style scanning in your install path, but don’t treat a clean scan as absolution — scanner agreement is under 1%. Deny credentials by default, sandbox execution, and log which skill influenced each run.
Compress tool output, then measure task quality. Headroom-style compression cuts token cost meaningfully — but token reduction isn’t a win if it strips the evidence your agent needs to debug, verify, or recover. Bench against your real tasks before deploying.
Separate agent capability from agent authority. The model that can execute an action should not automatically have the credentials, network access, or approval to do it. The trust boundary is the environment, not the conversation — and after Fable, the environment is also subject to acts of state.

🔥 What’s Viral Right Now

The 5:21 PM ET screenshot. Anthropic’s status page reading “We’ve suspended access to Claude Mythos 5 and Claude Fable 5” became a meme within minutes. The choice of a Friday evening for the directive read to half the internet as a regulator’s choice and to the other half as an industry partner’s choice. Both reads are defensible.

Moussouris’s “own goal.” Katie Moussouris’s LinkedIn post calling Amazon’s report “Defense Oriented Prompting” — not a jailbreak — and labeling the government’s response an “own goal against us” became the most-cited expert line of the week. The framing did real work shaping the narrative.

“Claude Fable 5 Is Allowed to Sabotage Your App If You’re a Competitor.” Jon Ready’s Hacker News post on the invisible anti-distillation guardrail hit 929 points before the government takedown stole the news cycle. Anthropic apologized on X Thursday and made fallbacks visible — twenty-four hours before being ordered offline.

“Powered by Gemini.” The Apple keynote architecture slide reading “Powered by Gemini” on the Siri compute diagram was reposted relentlessly. The symbolism was doing all the work, and a lot of people on both sides of the deal weren’t sure how they felt about it.

“Amazon turned in its portfolio company.” The clip from Axios’s reporting about Jassy calling administration officials Thursday night — while Amazon holds ~$13B of Anthropic equity and Anthropic owes Amazon $100B in compute commitments — generated more Bluesky and HN argument than any other line of the week.

📡 Quick Signals

DiffusionGemma landed on consumer GPUs Wednesday. Google DeepMind released DiffusionGemma on June 10 — a 26B Mixture-of-Experts open-weights model (3.8B active per step) under Apache 2.0 that generates text via discrete diffusion, denoising 256-token blocks in parallel rather than predicting one token at a time. Google reports >1,000 tokens/second on a single H100, up to 4x faster than comparable autoregressive models. It trails standard Gemma 4 on accuracy benchmarks — Google’s framing is that the speed/quality tradeoff is worth it for code infilling, in-line editing, and other low-latency interactive workflows. NVFP4 quantization gets it to ~18GB VRAM, which means it runs comfortably on a 24GB RTX 4090 or 32GB RTX 5090 with room to spare. First production-grade open diffusion-LM with weights you can actually run.

A German court ruled Google liable for what its AI Overview says. The Munich Regional Court issued a preliminary injunction (case 26 O 869/26) classifying Google as a direct infringer for AI Overview claims linking two publishers to scams that did not appear in any of the cited sources. The court rejected Google’s argument that users can check the sources themselves, citing a study that found only ~1% of users click through. The legal version of the trend we’ve been tracking for months: once search becomes an answer engine, “the website said it” is a weaker defense. Preliminary, not final; Google is appealing.

OpenAI acquired Ona for Codex. OpenAI announced Thursday it will acquire Ona — the German cloud startup originally founded as Gitpod — to give Codex agents persistent, customer-controlled cloud environments where long-running multi-step tasks can continue after the developer closes the laptop. Codex now reportedly serves 5M+ weekly users (up 400% from earlier this year). The signal is the same one we covered with engram in #016 and is now showing up at the runtime layer: agents are moving from disposable chat sessions to durable workspaces with their own credentials, state, and processes. The security boundary becomes the environment, not the conversation.

EU AI Act enforcement is 7 weeks out. August 2, 2026 is the high-risk Annex III enforcement deadline. Penalties scale to €35M or 7% of global revenue. Some Article 6(1) product-related high-risk obligations were always slated for August 2027, and a handful of transparency sub-obligations have shifted incrementally — but the bulk lands on schedule. The Commission has rejected industry calls for blanket delays. If you ship to EU users in regulated workflows, compliance planning is now operational, not theoretical.

Microsoft Work IQ and Web IQ are GA on June 16. Announced at Build, going live tomorrow — Work IQ exposes semantic-index access to Microsoft 365 data with sub-165ms p95 latency; Web IQ provides grounding APIs against re-architected Bing for fresh pages, news, images, and video. Priced via Copilot Credits. The “agents in your Office data” surface gets a Microsoft-controlled spine.

Sonnet 4.8 watch. Still not shipped as of issue close. Claude Sonnet 4 (claude-sonnet-4-20250514) and Claude Opus 4 (claude-opus-4-20250514) retire on the Claude API tomorrow, June 15. The model name “sonnet-4-8” lived in internal Anthropic source maps for weeks; the most-cited prediction window from the developer side is June 16-18. If it ships before Wednesday it’ll be the third major Anthropic launch in eight days — which would be either confidence or panic, depending on which we’re looking at.

Last week’s lede ended on “Mind it.” This week the off switch found hands and used them. It’s worth knowing whose. Build for that.

Stay building. 🛠️

— Matt