Government can switch off a frontier AI model. In June, one did, twice.

On a Friday afternoon in June, Anthropic received a letter at 5:21pm Eastern. Within hours, two of the company’s most powerful AI models went dark for every customer on the planet. Not a bug. Not an outage. A directive from the United States government, and the company had no real choice but to comply.

Two weeks later, part of one model came back, for a vetted few, by a second letter. In the same window, OpenAI launched its new flagship to a small list of government-approved partners and said plainly that it hoped this would not become the norm. If that sounds less like a product you buy and more like a license a government can revoke, that is the point. In June 2026, the most capable cloud AI stopped being something you simply pay for and became something a government can switch off. Here is what happened, the law that made it possible, and the one kind of access nobody can revoke.

On June 12, one letter took two frontier models offline worldwide

Anthropic had released Fable 5 to the public on June 9. Three days later the government invoked national-security authorities and ordered the company to suspend all access to Fable 5 and its strongest cybersecurity model, Mythos 5, by any foreign national, inside or outside the United States, including Anthropic’s own foreign-national employees. A global service cannot cleanly sort users by nationality on a Friday evening, so the practical effect was blunt: both models went off for everyone.

The stated trigger was a jailbreak. By Anthropic’s account, the government’s evidence was that the model could be asked to “read a specific codebase and fix any software flaws,” which the company described as a narrow, non-universal issue rather than a general break in its safeguards. Anthropic complied with the order and disagreed with it in the same breath, writing that “we disagree that the finding of a narrow potential jailbreak should be cause for recalling a commercial model deployed to hundreds of millions of people”. The company stressed that access to all its other models was unaffected, and promised to work toward restoring the two that were pulled.

Strip away the specifics and the shape is striking. A single document, delivered without public notice, reached into a company and removed a live product from hundreds of millions of users in an afternoon. That is a new kind of event in the AI market, and it set the template for the two weeks that followed.

Two weeks later, OpenAI shipped its flagship behind a government gate

On June 26, OpenAI introduced the GPT-5.6 family: Sol, the flagship; Terra, the balanced everyday model; and Luna, the fast, low-cost tier. The company also did something it had never done before. Rather than open the models to the public, it limited the rollout to a small group of trusted partners whose participation had been shared with the government, calling it a short-term step with broad availability to follow “in the coming weeks.”

The reason was capability. All three models were rated “High” for cybersecurity risk under OpenAI’s Preparedness Framework. OpenAI’s own deployment notes are careful about how far that goes: the models “can find vulnerabilities and pieces of exploits, but… were unable to carry out autonomous, end-to-end attacks against hardened targets”, and the company is explicit that they do not reach its highest (“Critical”) risk level. High enough to worry Washington, in other words, not high enough to be a weapon on its own.

What makes this different from the Anthropic case is the direction of the push. Anthropic was ordered to recall a model already shipped. OpenAI gated its flagship up front, at the request of the White House’s cyber and science-policy offices, while a formal evaluation process for cyber-capable models is still being drafted. OpenAI was pointed about it, writing in its rollout post that it does not believe “this kind of government access process should become the long-term default”. Two of the largest AI labs in the world, two different mechanisms, the same outcome: the public could not get the model.

This is an export control, repurposed for the API era

The throughline is export law. Both actions trace to the Commerce Department’s Bureau of Industry and Security, the office that decides which sensitive technologies can leave the country, under Secretary Howard Lutnick. Its modern toolkit grew out of the International Emergency Economic Powers Act and the Export Control Reform Act, and in early 2025 it gained a rule aimed squarely at AI: controls on the weights of the most advanced models, the ones trained with on the order of 10^26 computational operations or more.

Pointing that machinery at a chatbot is the novel part. Export controls were built for discrete transfers of an identifiable item from one party to another. A frontier model reached through an API is the opposite: a service anyone can call from anywhere, at any time. As one policy analysis put it, when each enforcement decision becomes precedent, “a framework can end up assembled before anyone has stepped back to define it as one.”

That is exactly what is being contested. On June 23, an AI company called Legion LegalTech sued, arguing that Commerce is enforcing “a control that does not exist,” since the AI-weights export classification on the books had been marked non-enforced since May 2025. The suit also invokes the Berman Amendment, which carves “information or informational materials” out of this kind of control. Commerce, for its part, cited emerging-technology authority and the “is-informed” letter mechanism it uses for national-security cases. An “is-informed” letter is a quiet instrument: it tells one named company that a specific activity now needs a license, without a published rule the rest of the industry can read in advance. Treat this part as live and unresolved: the facts of the takedown are confirmed, the legal ground under it is being fought over in court.

“Restriction” has many shapes, and each hits different people

It is tempting to lump all of this into one headline about AI getting locked down. That blurs four genuinely different things, and the difference decides who actually feels it. A nationality bar lands on people abroad and on foreign-national staff. Capability gating lands on everyone waiting for the next flagship. A trusted-partner allowlist lands hardest on the small teams who will never be on the list. And the weights rule lands on anyone who wanted to download the very top models and run them privately.

June 2026 produced a live example of the first three at once, stacked on top of the weight rule that was already there. Keeping them separate matters, because the honest response to each is different. A capability review you might accept; a quiet, indefinite allowlist with no path on is a harder thing to live with. Collapsing them into a single argument is how a serious policy question turns into a slogan.

Access just became a variable, not a guarantee

The clearest proof is how fast the dial moved back. On June 26 and 27, Commerce told Anthropic that Mythos 5 could return, but only for “certain trusted partners”, identified as cyber defenders and infrastructure providers. Roughly 200 firms had prior access through a program called Project Glasswing, reportedly including Apple, Google, Cisco, Nvidia, and Microsoft. The same letter left Fable 5 dark, with no date for its return.

It is a US story only because these particular labs are American. The deeper rule is jurisdictional: any government with leverage over a provider, where it is headquartered, where its servers sit, or which market it wants to keep selling into, can gate a model the same way. The EU, the UK, and China each have their own thresholds and their own politics, so one model can ship freely in one country, arrive late in another, and not at all in a third. When your AI lives in someone else’s cloud, you inherit whichever government has a say over that cloud, not the one you happen to vote for.

Read the timeline as a whole and the lesson is not about any one model. Access went off, then partway back on, for a hand-picked list, inside two weeks, entirely by letter. The capability you rely on is now a policy variable. It can be turned down, scoped to a club you are not in, or switched off, and you will find out the way everyone else does, when a feature you depended on yesterday returns an error today. This is the continuity problem that runs through the case for not betting your workflow on someone else’s uptime and the compliance pressure pushing regulated work off the open cloud. Policy risk is simply the newest chapter of the same story.

A government can switch off a service. It can’t un-download a model.

Here is the part that survives every twist of the policy. A directive acts on a service: an API, an account, a region, a list of approved names. It cannot reach a set of weights already sitting on your hard drive. A model you downloaded keeps answering through outages, takedowns, lawsuits, and letters, because there is no switch for someone else to flip. That is the entire argument for keeping a capable open model on a machine you own.

Be honest about the limits, though, because the hedge is risk management, not immunity. The same 10^26-operation rule is aimed at the export of the most advanced model weights, so open releases are not outside policy either; the top open models could themselves become controlled. Local models also trail the hosted frontier, so a downloaded model is a capable fallback, not a like-for-like replacement for the best cloud system on its best day. The realistic posture is hybrid: reach for the strongest hosted model when you can, and keep a serious local one for when you can’t. The open families covered in the local-models guide are good enough now that this is a real plan, not a consolation prize, which is the same reason serious software has always run locally.

What to actually do with this

Do not bet a critical workflow on a single hosted frontier model. Know your second choice, and know your offline choice, before you need them. Keep one capable open model downloaded and tested, so that a directive, an outage, or a region lock is an inconvenience and not a full stop. The word that matters there is tested: run your real tasks through the local fallback once now, while everything works, so you already know what it can and can’t carry on the day the hosted model stops answering. If you build on these APIs, watch the framework the administration is drafting for cyber-capable models, reportedly targeted for later this summer; the June events were the first cases, and the rules are being written now.

None of this is a verdict on the policy. Reasonable people will land in different places on whether a model that can find software vulnerabilities should ship to everyone on day one. The fact under the debate is simpler and harder to argue with: access to the most capable cloud AI is now a variable that someone else controls. The only access that isn’t is the model already on your machine. Whatever you think of the directives, that is a good reason to keep one there.