Opinion: Mozilla chief technology officer Raffi Krikorian argues that locking down the most powerful AI models doesn’t make us safer, it just demonstrates who is in control
The public fight since Friday has centered on how Fable was switched off. What we should be talking about is the total lack of rules describing how such a model could be turned off in the first place, and the refusal to acknowledge that these models might actually make us all more safe, not less.
On Friday, the government ordered Anthropic to cut off both of its most capable models, Fable 5 and Mythos 5, from every foreign national, including some of its own employees. Anthropic said the only way to comply in time was to disable access for all customers. The question to ask now is who gets to throw a switch like that and based on what evidence — what did Friday actually buy us?
Not safety, that’s for sure. Ten days earlier, the White House had chosen a voluntary framework for pre-release review of frontier AI models and disclaimed any mandatory licensing. I have backed every serious attempt to put AI oversight on a reviewable footing, and this was at least a step in the right direction. Then the administration reached past that executive order for export-control authority, the fastest and least answerable instrument it had, which Reuters reports was the first time Commerce used that power. Some experts doubt that AI models fit the export-control doctrine, which was built for goods that are exported rather than software that is served remotely.
You do not use such an extreme tool against something you think is harmless. I am inclined to believe the people who saw the briefings describing the security threat posed by the models, and I have said for months that the capability is real. But an export control only works on something that lives in one place, and the capabilities of Mythos are increasingly becoming available elsewhere.
The UK’s AI Security Institute found GPT-5.5 finished its multi-step cyber-attack simulation on two of 10 tries, with Anthropic’s own Mythos Preview only slightly better, managing it three times. The week of the ban, Chinese labs put comparable models in anyone’s hands. Moonshot’s Kimi K2.7-Code came under a permissive license, and Z.ai’s GLM-5.2 with open weights days later. None of this proves there is yet parity with Mythos, but all of it shows the capability is no longer confined to one American model. An export control can buy friction and time, which is worth something. But friction is not safety.
Instead, what we’re seeing is a new instrument of state power: the ability to switch a deployed frontier system off — at once and unilaterally — with nothing on the public record about the decision-making behind it. Anthropic says the only evidence presented to it was a verbal account of a narrow jailbreak that other public models share. David Sacks says Anthropic refused to patch it. Both cannot be true, and nothing public lets us tell which is. There was no published threshold that the model passed, no technical finding describing the situation, no way to contest the scope of what had happened, no independent review.
And the dispute over what justified the shutdown hides a more basic failure: the government response was aimed at the wrong target. The real problem is not Anthropic’s flagship model being at risk of jailbreaking, but the underfunded code beneath systems around the world that could be fixed using Mythos itself. The same models the government fears are the ones that can find those flaws.
Working with Anthropic on early access to Mythos Preview, the Firefox team fixed 271 bugs it surfaced in a single release, and Anthropic’s tally reached 1,596 disclosed across 281 open-source projects by late May, with 97 patched. Most of these are not working exploits, and a disclosure is not a fix. The scarce resource is the capacity to triage and patch. An order aimed at shutting off foreign access does nothing for these people who desperately need to make use of the model.
The objection is loudest from the people you might expect to favor caution. This weekend more than 80 security leaders, led by Alex Stamos, called the shutdown reckless, saying comparable capability already exists elsewhere and that pulling the models stripped tools from defenders without removing the risk. Openness has consistently favored defenders over attackers, because defenders are more numerous and better coordinated. Keeping access to these models open is a net good for the security of our infrastructure.
The decision to close down access is a single point of failure. The administration’s own national-security memo says no commercial entity should be able to “disable or degrade, or materially modify without Federal Government knowledge and approval” an AI system warfighters depend on. What’s described in that memo does not extend as far as civilian users, but the shutdown was more or less exactly of the form that it opposes: one decision, made in an evening on verbal evidence, disabling a system millions relied on, with no approval but its own.
A proper solution would require the scaffolding of a governed act, a stated threshold, a reason in writing, a way to contest the decision, and independent checks on whether the call holds. Instead the administration told its own AI testing unit to stop publishing while the order was carried out.
We built an elaborate apparatus for building AI models and turning them on safely: reviews, red teams, evals, benchmarks. To turn one off, all that is required is a letter that arrived at 5:21pm on a Friday afternoon, about which the two parties involved cannot agree on what it said.
The model was never the thing that needed governing. The switch was. And on that we have not written a single word.
Raffi Krikorian is chief technology officer at Mozilla, and writes the Substack Owners, Not Renters, focused on open source AI.