OPINION

The Anthropic episode: Probably a security challenge in need of governance, certainly not Europe’s 'kill switch'

The U.S. export control on Anthropic’s most powerful models may reflect a legitimate cybersecurity concern — or a misguided or disproportionate response. Either way, this incident should not be read as a deliberate "kill switch" against Europe or any other allied country.

Contributors:

Théodore Christakis

Chair, Legal & Regulatory Implications of AI, Multidisciplinary Institute in AI

University of Grenoble Alpes

Editor's note

The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains. 

 

On Friday 12 June 2026, the U.S. government directed Anthropic to cut off access by foreign nationals to its two most capable AI models, citing "jailbreaking" concerns. To give effect to the order, Anthropic disabled access to the two models for all customers. Within hours, European politicians and commentators framed the episode as a "kill switch" aimed at Europe. Yet the closer one looks at this particular incident, the less it resembles the switch many feared.

Whether the decision was well founded, mistaken, disproportionate or even punitive towards a single U.S. company, it still does not appear to be a deliberate anti-European kill switch. On the public record now available, that framing does not fit. The episode may well be better understood as a contested AI-safety intervention carried out through the wrong instrument, with the reach to foreign nationals most likely an artifact of the only legal tool immediately available, export control, rather than an aim to cut Europe off. The practical effect was global: the models were unavailable inside the U.S. as surely as they were in France, the U.K. or Japan. The dependency it exposes is real, but that is a problem shared well beyond Europe.

What happened

According to Anthropic, the U.S. government, citing national security authorities, issued an export-control directive instructing the company to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the U.S., including foreign-national Anthropic employees. Anthropic said the "net effect" was that it had to "abruptly disable" both models for all customers to ensure compliance while leaving other Anthropic models running. What this took away, then, was access to its two most capable models, not the service as a whole.

A little background matters. Mythos 5 had been released to a limited group of cyberdefenders and infrastructure providers because its cybersecurity capabilities were judged unusually powerful. Fable 5, launched only days before the order, was a Mythos-class model with safeguards designed to make it safe for general use. Anthropic says that, before launch, it had worked with the U.S. government, the U.K.'s AI Security Institute, private third parties and internal teams to red-team those safeguards for thousands of hours.

What set the order off is itself contested, and the disagreement is not a detail. On the government's side, as Politico later reported, the trigger was treated as a serious jailbreak: Amazon, and reportedly others, flagged a method of bypassing Fable 5's guardrails, and senior officials judged the problem dangerous enough to want the model taken down. The finding was reportedly shared with the National Security Agency at an earlier stage, though The New York Times reports in a different article that the agency was not involved in the decision itself. Anthropic’s account is narrower. It described the technique as a non-universal jailbreak that unlocked cyber capability in one specific context rather than broadly defeating the model’s safeguards. It said the flaw was fixable and that comparable outputs could be elicited from other available models, including GPT-5.5. The Times also reported that some of the officials involved later regarded the document that drove the alarm as misleading, since the capabilities it flagged are also present in OpenAI’s GPT-5.5.

How Europe read it

The reaction was immediate and furious, and it ran across political families and borders. Politico Pro described the order as exposing Europe’s AI dependency. Le Monde described a wave of concern in France and Europe with figures across the political spectrum treating the incident as proof that Europe needs to accelerate technological sovereignty.

In France, the MP Philippe Latombe, well known for his legal challenge to the EU-U.S. adequacy decision, presented this as a clear case of a "kill switch," arguing that it proved wrong those who claimed the U.S. government would never order a general disruption of digital services against Europe. 

The alarm united figures who agree on little else including most of the potential presidential contenders. To cite just a few, Jordan Bardella called the suspension a reminder that AI is already a question of national sovereignty and urged support for Mistral. Bruno Retailleau warned that a nation dependent on others for technology can be unplugged overnight. Édouard Philippe described AI as a critical infrastructure as essential as electricity or the internet that others can switch off. Gabriel Attal stated that "the AI wars have started." And Jean-Luc Mélenchon talked about "a digital colony of the U.S." 

The same note sounded beyond France. European Commission spokesperson Thomas Regnier said the development further illustrated Europe's need to strengthen technological sovereignty while also stressing that measures should not discriminate against partners.

The sharpest version of the European critique was harder to wave away, and I pressed it myself. The directive sorts by nationality or foreign-person status, not by threat. A cybercriminal who happens to be a U.S. person was not addressed by this export-control directive, while a French, British or other allied cyber-defender protecting critical infrastructure was denied access. If the worry is dangerous use, the foreign-person line is a strange security filter. It denies access to allied defenders while leaving domestic bad actors outside the perimeter of the measure. A former U.S. official quoted in The New York Times put it more bluntly, noting that current U.S. policy allows the export of advanced AI chips to China while preventing citizens of America's closest allies, like Canada, from using a leading model inside the U.S., which he called "absurd."

However, as explained further below, the nationality line in the export control order appears to be an artifact of the statute, not a strategic aim; the models became unavailable in the U.S. just as much as in Europe. While criticism of the legal tool used may remain valid, some of the suggested responses risk further detriment to Europe's technological sovereignty goals. The line that Europe is "better off without these models" is the clearest example. As a long-term aspiration to reduce dependency, it is intelligible. As immediate cyber-defense advice, it is counterproductive.

The outrage only makes sense because the models matter. Everyone in this debate, including the U.S. officials who forced the recall, treated Mythos-class capability as unusually powerful. Its strength at finding and patching vulnerabilities is exactly what European banks, hospitals, cloud providers and critical infrastructure operators need to close holes before attackers do. Renouncing one of the most capable defensive tools available does not make Europe safer. It leaves European defenders weaker, especially if the restriction is temporary and the flaw fixable. The problem this incident exposes is one of dependence, governance and lack of European agency in the decisions impacting their security and prosperity. The answer to a governance problem is better governance, not renunciation.

There is also an irony in the European reaction that deserves naming, but with a caveat. The intervention now denounced as American overreach is, in substance, an act of AI-safety enforcement: a government moving to restrict a powerful model because its safeguards could allegedly be bypassed to unlock dangerous capability. That is the same safety logic Europe itself has championed. If European authorities had received a credible warning that a frontier model could expose serious cyber capability through a bypass, they too would have come under pressure to act. But the comparison goes only to the substantive safety logic. It does not validate the U.S. process, the secrecy, the reported ninety-minute horizon, the absence of consultation with allies — or at least notice to allies — or the foreign-person line on which it was framed.

Setting the record straight

The anger is understandable. Europe has spent years warning about technological dependence, and an urgent order that withdrew the most capable models overnight is a real shock. Understandable, though, is not the same as accurate, and on this specific incident the record deserves to be set straight, because accuracy serves a serious argument better than a contested example and needless alarm strains transatlantic relations. Europe should not build a sovereignty argument on a questionable factual premise.

Take the Politico account at face value while also accepting that the administration may have responded to a real and serious concern, misjudged the seriousness of the risk, acted without an appropriate process, taken a wrong or disproportionate decision, or even moved against Anthropic for reasons closer to its running feud with the company than to any real danger. The anti-European reading still does not hold.

One need not resolve whether the concern was grave, as the administration argued, or overblown and disproportionate, as Anthropic contended. 

The point is narrower: The government’s apparent aim, if the reporting is accurate, was to get the models paused or pulled ostensibly on cybersecurity grounds, not to carve Europe, or any other allied country, out or preserve the models for Americans. 

Its first ask was reportedly a voluntary pull applying to all users, Americans included, and the government appears to have been content for the models to be unavailable to everyone. Anthropic's blanket shutdown then delivered exactly that, a global result that was probably the only way to comply, given the practical impossibility of offering these models to U.S. persons only. That does not make the measure justified. It does suggest that the foreign-person line was more likely a feature of the legal instrument than the political target, and that taking the capability away from U.S. users too is a strange way to single out Europe.

This distinction matters. It does not make the dependency any less real, since a single government's decision was still enough to withdraw a frontier capability from everyone at short notice. But it changes what the episode proves. It shows that such a withdrawal can happen; it does not show, on the public record now available, that Washington aimed a kill switch at Europe or any other allied country.

Could the U.S. have switched it off for everyone?

That raises the question that reframes the whole affair. If the administration wanted the models down for everyone, including U.S. persons, did it have a clear, direct and immediately usable legal instrument to achieve that result? On a careful first reading, the answer appears to be no. U.S. lawyers may identify emergency, procurement, sanctions, informal-pressure or other theories. But none appears to have offered the same immediate path as export controls.

Export controls, administered by the U.S. Department of Commerce under the Export Administration Regulations, govern exports, reexports and certain in-country transfers of items subject to the EAR. The deemed-export rule, which treats the release of controlled technology or source code to a foreign person inside the U.S. as an export, also turns on the recipient being a foreign person. This matters. Export-control authority may reach a foreign person's access to controlled technology, including in the U.S., but it does not provide an obvious basis to prohibit a U.S. person's purely domestic use of a U.S.-deployed model. As a matter of legal authority, that is why the directive runs on the foreign-person line: It is the line this instrument most naturally draws. There is precedent for this asymmetry. In the 1990s, the U.S. restricted the export of strong encryption while leaving its use inside the country unrestricted, controlling who abroad could receive the technology rather than what Americans could do with it at home.

The International Emergency Economic Powers Act reaches further, and it is central to Office of Foreign Assets Control sanctions and other emergency economic measures. But it requires the president to declare a national emergency in response to an unusual and extraordinary threat that, under 50 U.S.C. 1701, has its source in whole or substantial part outside the U.S. 

A direct ban on access by U.S. domestic users to a model built and deployed by a U.S. company would not sit easily within that foreign-source requirement, unless the threat were framed through foreign exploitation or some other foreign nexus. IEEPA's longstanding carve-out for informational materials would also create arguments against using it to ban access to a text-generating service. Reaching domestic users this way would therefore have been novel, legally exposed, and would have required the conspicuous step of declaring a national emergency, which the administration did not take.

The Defense Production Act might seem the obvious place to look for a solution. But its core compulsion power directs companies to prioritize and accept defense-related orders and to allocate materials, services and facilities. It is much more naturally a tool for prioritizing or directing production than for prohibiting a public deployment or recalling a model already in the market. Legal commentary reviewing adjacent options for mandatory frontier-model vetting has likewise judged the DPA an unlikely and unstable basis for action in this area. Nor is there any FDA-style pre-market or recall power for AI software. The Trump Administration's own recent executive order on pre-deployment testing is built around a voluntary framework. That is not conclusive, but it is a strong signal that no clear, direct and immediately usable mandatory shutdown authority was thought to exist.

A kill switch against Europe? Not this time

Put together, the better reading is close to the opposite of the one that travelled across Europe. If the public reporting is accurate, the administration wanted the models paused or pulled for all users. The strongest legal instrument that was immediately usable happened to operate through a foreign-person line. The nationality or foreign-person scope looks more like an artifact of the legal tool than a weapon aimed at Europe.

That conclusion should not be overstated, but it should not be overcomplicated either. The line export control draws, by nationality rather than by risk, remains a poor proxy for dangerous use, and that is a fair criticism of the instrument. As implemented, though, the measure was not a carve-out that shielded Americans: The models became unavailable to U.S. users, exactly as they did everywhere else. The U.S. government appears to have been content for them to be unavailable to everyone. Whatever else this was, it was not a switch thrown at Europe while Americans carried on.

On the public record now available, the charge of a deliberate kill switch aimed at Europe, or at any other allied country, does not hold.

The warning that remains

On the evidence so far, the most accurate reading is that export control was simply the strongest legal tool within immediate reach to halt deployment for every user, and that its foreign-person wording followed from the instrument rather than from any wish to single Europe — or anyone else — out. The block was global. It fell on U.S. users exactly as it fell on European, Indian or Japanese ones, and the government appears to have been content for the most capable models to be unavailable to everyone.

That is not a kill switch aimed at Europe or at any other allied country. What the episode does expose is real all the same, and it is not a European problem but a shared one: a frontier capability the whole world could use one week was gone the next, on the decision of a single government, through a process that, on the reported account, came down to a ninety-minute ultimatum on undisclosed evidence. It also points to real security concerns that demand a shared framework and the collective investment to build one. 

The lesson is about dependence and about the procedures that should govern moments like this, not about a weapon pointed at any one region. Understanding exactly what happened here and building far better procedures for when it happens again is the work that should follow.

I thank Peter Swire and Richard Salgado for their useful comments on an earlier draft. Any remaining errors are my own.
