
Fable 5 is too big to fit on a t-shirt.

16 June 2026, 7 min read

In the early 1990s, a software engineer called Phil Zimmermann released a piece of encryption software called PGP — Pretty Good Privacy — and the United States government responded by classifying it as a munition. Exporting it without a licence, they argued, was potentially a federal crime, on the same legal footing as shipping a guided missile to a hostile state.

The response from the cryptography community was perhaps one of the more elegant pieces of civil disobedience in the history of technology. They printed the source code in a book, books being protected by the First Amendment. It was mailed, perfectly legally, to anyone who wanted it. People put the RSA algorithm on a t-shirt. Several wore it through customs.

Congress eventually lost the argument. By 1999 the export controls on cryptography had been substantially relaxed. The technology had spread too far. The controls had become, quite visibly, absurd.

It's been difficult not to think about this story since the US government directed Anthropic to restrict access to Fable 5.

The directive was announced publicly.

The intervention was announced by Anthropic. Users and organisations relying on Fable 5 were told, clearly and promptly, that they no longer had access to the capability they had been using. It's been reported that Amazon's security team flagged a jailbreak to the White House, although Anthropic say it was a narrow, non-universal one of the kind that could be found in any model. The directive was described as a Commerce Department export control limited to non-US citizens, which is an interesting delineation to choose over a geographic one: it is probably impractical to implement, and it would have caught non-US Anthropic employees. Anthropic chose to pull the model for everyone.

In the crypto wars, the community had a response because control was being fought over mathematical knowledge; reproducible, distributable, printable. The community could make the controls unenforceable, and eventually it did.

The question the Fable 5 directive poses is a starker one: what is the equivalent response? Where is the t-shirt?

The PGP parallel breaks down at precisely the point where it matters

The crypto wars are a useful reference point, but there is a limit to the analogy, and it matters.

PGP was an idea, mathematics. The source code fit in a paperback. The RSA algorithm fit on a chest. Once the knowledge existed, reproducing it required a modest machine and an afternoon. The US government was trying to prevent ideas from spreading, and ideas, as governments have repeatedly discovered, are a poor target for export controls.

Fable 5 is not just an idea. It is not a piece of code you can print, memorise, or compile on a laptop. It is the product of tens of thousands of specialised GPU chips, drawing megawatts of power, requiring billions of dollars of capital and years of coordinated engineering effort. The weights alone run to hundreds of gigabytes. With today's technology, the infrastructure required to serve those weights at commercial latency is not something just any organisation can replicate; very few can.

There is no t-shirt. There is no book. The engine kill switch exists, it seems it works, and the community cannot print its way around it.

And that leaves us with a structurally different problem from the export control problem, one which requires a structurally different response.

Governments are going to do more of this, not less

I want to resist the temptation to frame this as a story about one administration's particular policy preferences, because I think that framing is both politically reductive and practically unhelpful.

The underlying dynamic is not unusual. States have always sought to control the flow of strategically important technology. They controlled the export of encryption. They controlled the export of semiconductor manufacturing equipment. They controlled access to satellite imagery. The Fable 5 directive is a continuation of that pattern, not a departure from it.

What is new is that the relevant infrastructure is now cloud-hosted, observable, reachable by legal process, and operated by companies with shareholders and legal liability in the restricting jurisdiction. The conditions that made the crypto wars unwinnable for governments — distributed, reproducible, mathematically grounded — do not apply. And the political appetite for this kind of intervention is growing, not shrinking.

The EU's AI Act creates its own framework for restricting AI systems by risk classification. China's regulations require domestically-deployed models to reflect approved values and submit to government inspection. The UK's current approach is relatively permissive, but the direction of travel internationally is toward more state involvement in AI capability, not less.

The CISO who treats the Fable 5 directive as an isolated political incident is going to be caught off-guard by the next one.

What this actually means for how we manage AI risk

Most AI governance frameworks were designed for the wrong problem. They were built to answer questions about data, consent, bias, and explainability — important questions, but perhaps not the questions that a sovereign kill switch raises.

The relevant question now is: what happens to your organisation if the AI capability you depend on is withdrawn, without warning, at the instruction of a foreign government? Before this week, most organisations had not asked it. Most still cannot answer it.

A few things now appear clearly necessary.

The first is mapping which workflows carry material AI dependency. Not "do we use AI" — almost everyone does — but "which decisions, analyses, or processes would break, or break badly, if a specific provider or model were suddenly unavailable?" That mapping does not currently exist in most risk registers, and it should.

The second is understanding the jurisdictional exposure of your AI providers. Anthropic is a US company. That means US law determines what Anthropic can and cannot provide, regardless of where your organisation is based or what your contract says. Force majeure clauses and SLAs do not protect you from a government directive — and in most cases they explicitly do not. The same jurisdictional analysis applies to every provider you use. That exposure should be named in your third-party risk assessments.

The third is revisiting single-provider AI strategies as a concentration risk. A year ago, committing to one provider's model family was a reasonable simplification. Today it is a dependency that a foreign government has demonstrated it can switch off. Not every organisation needs to build multi-model fallback infrastructure immediately, but the capability to do so — the architectural decisions that would make it possible — is worth considering now rather than in the aftermath of the next directive.

A different kind of export control problem

The crypto wars ended with the defenders winning. Knowledge spread, the controls became unenforceable, and cryptography became the invisible infrastructure of the modern internet. Phil Zimmermann was never charged.

The structural conditions that made that outcome possible do not apply to frontier AI. The capability is concentrated, not distributed. The infrastructure is visible and reachable. The companies that operate it have strong incentives to comply with government directives, because the alternative is existential.

The sovereign AI kill switch is real. It has been demonstrated. And unlike the munitions controls of the 1990s, there is no principled workaround available to the people on the wrong side of it.

Organisations that have built AI into their operations on the assumption that access, once established, cannot be revoked — that frontier AI behaves like mathematics — have a gap in their risk model. Closing it is not technically complex and does not require a large programme.

It requires someone to ask the question. Which, as ever, is usually the hard part.

Richard Midwinter
CTO