Fable 5 Dual-Use Safety Measures

Fable 5 is the classifier-guarded release of the Mythos-class model: four refusal categories (cyber, bio, frontier_llm, reasoning_extraction) make the shared Fable/Mythos model broadly releasable, return HTTP 200 with stop_reason refusal on the API, and can fall back to Claude Opus 4.8.

What it is

  • The safety layer that makes Mythos-class capability generally releasable: “Claude Fable 5 includes safety classifiers that can decline requests” while Claude Mythos 5 ships without them (https://platform.claude.com/docs/en/about-claude/models/introducing-claude-fable-5-and-claude-mythos-5, retrieved 2026-07-07).
  • Four documented refusal categories: cyber (offensive cybersecurity), bio (biological harm), frontier_llm (assisting competing AI development, described at launch as an anti-distillation safeguard), and reasoning_extraction (reproducing internal reasoning in response text).
  • Anthropic reports the classifiers fire rarely: “They trigger, on average, in less than 5% of sessions.” (https://www.anthropic.com/news/claude-fable-5-mythos-5, published 2026-06-09).
  • Pre-launch assurance: over 1,000 hours of external red-teaming produced no universal jailbreaks. The system card expands this to more than 100,000 external red-team attempts, with two task-specific jailbreaks found rather than a universal one.
  • The system card reports that Fable safeguards flagged 407 of 410 ExploitBench episodes, which makes the safety layer measurable rather than merely descriptive.

How it works

  • Refusal semantics: “A refusal is a successful HTTP 200 response” (https://platform.claude.com/docs/en/build-with-claude/refusals-and-fallback, retrieved 2026-07-07) with stop_reason “refusal” and a stop_details object naming the category that fired.
  • Billing: a refusal that arrives before any output is not billed and does not count against rate limits.
  • Fallback to Opus 4.8 takes three paths: the server-side fallbacks parameter (beta header server-side-fallback-2026-06-01), SDK refusal-fallback middleware (TypeScript, Python, Go, Java, C#), or a manual retry with fallback credit. Rerouted requests are billed at the serving model’s prices.
  • Product framing matches: “Queries on some topics will instead receive a response from Claude Opus 4.8.” (https://www.anthropic.com/news/claude-fable-5-mythos-5, published 2026-06-09).
  • Claude app surfaces also expose this as model switching rather than an API object: a support article says Claude may switch from Fable 5 to another model after checking conversation memory, connected app context, web search, and file content.
  • Cyber scoping: Anthropic sorts activity into four tiers from prohibited use to benign use and states “We do not intend to block all cybersecurity-related activities.” Its proposed Cyber Jailbreak Severity scale scores jailbreaks 0 to 4 on capability gain, breadth, ease of weaponization, and discoverability (https://www.anthropic.com/news/fable-safeguards-jailbreak-framework, published 2026-07-02).
  • Incident response in practice: after an Amazon-reported cyber jailbreak and US export controls on 2026-06-12, Anthropic deployed a classifier blocking the technique in over 99% of cases; controls lifted 2026-06-30 and Fable 5 redeployed globally 2026-07-01 (https://www.anthropic.com/news/redeploying-fable-5, published 2026-06-30).
  • Data governance backstop: Fable 5 and Mythos 5 are Covered Models with mandatory 30-day retention for safety monitoring, no zero-data-retention option, and retained data excluded from training.
  • On claude.ai, the harness adds runtime nudges: classifiers can inject six named reminder types including cyber_warning and ethics_reminder, and reminders never reduce restrictions (System Prompt Export 2026-07, L144-152).

Best practice

  • Build every Fable 5 integration to branch on stop_reason refusal; it arrives as HTTP 200, so error-code handling alone never sees it. EVIDENCE-BASED
  • Use stop_details to log which category fired; category counts tell you whether your workload sits near the cyber or bio boundary. PRACTITIONER
  • For unattended agents, enable the server-side fallbacks parameter or SDK middleware so refusals degrade to Opus 4.8 instead of failing the run. EVIDENCE-BASED
  • For app and Claude Code work, interpret unexpected model switches as a safeguard path first, then inspect whether memory, files, web search, or connector context pulled the session across a category boundary. EVIDENCE-BASED
  • Expect fallback answers to be billed at the serving model’s own prices and reconcile cost reports accordingly. EVIDENCE-BASED
  • Do not tune prompts to skirt the classifiers; the June 2026 jailbreak episode shows Anthropic patches techniques fast and regulators can suspend the model entirely. PRACTITIONER
  • Legitimate defensive security work should proceed normally; the four-tier cyber framework explicitly protects benign use. EVIDENCE-BASED
  • Treat Project Glasswing as the operational complement to this safety layer: Fable keeps broad users inside safeguards, while Mythos access is narrowed to trusted defensive workflows. EVIDENCE-BASED

Pitfalls

  • Reading the sub-5% trigger rate as near-zero for your workload; security-heavy or bio-adjacent sessions concentrate refusals far above the average. PRACTITIONER caution.
  • Assuming Mythos 5 is a workaround: it drops the classifiers but is invitation-only via Project Glasswing.
  • Forgetting that a refusal after partial output is billed; only refusals before any output are free.
  • Treating “no universal jailbreaks in 1,000+ hours” as “unjailbreakable”; a working cyber jailbreak still triggered export controls within days of launch.
  • Treating the 407 of 410 ExploitBench flagging figure as proof of perfect coverage; it is one official evaluation, not a guarantee for all future prompt shapes.
  • Citing third-party summaries when the official 319-page system card is now captured directly in Fable Mythos 5 System Card.

Sources

Next actions

  • Probe which stop_details categories fire on this vault’s own security research prompts and record rates.
  • Track the CJS framework page for adoption or revisions after 2026-07-02.
  • Re-verify the sub-5% trigger claim if Anthropic publishes post-redeployment numbers.