Claude Fable 5 と Mythos 5 のシステムカード発表

First things first: Claude Fable 5 is the new best publicly available model.

I have noticed a step change, where Fable can suddenly help me in ways that previous models were not worth bothering to query. Almost everything it has noticed in one of my drafts so far has been spot on and it is downright scary. Suddenly I am motivated to once again continue improving my Chrome extension. I only ask for things I actually want or am curious about, and it has nailed every question I have asked it.

That does not mean it is the right tool for every job.

There are four good reasons to often not use Fable.

Speed and price. Fable is importantly slower and more expensive than Opus 4.8, and often you will not need to make this trade. After the 22nd, when Fable may no longer be included in subscription plans if demand is too high, we may have to all pay by the token outside our subscriptions (although I suspect subscribers will get at least some credits to help with this), which could add up fast.

Relative strengths. Capabilities are jagged. There will still be some tasks in which GPT-5.5 or another model will turn out to be better, or you want to use a different harness that works better with another model, or similar.

Restrictions. Anthropic does not want its rivals to use this for advanced machine learning that is plausibly relevant to frontier model training, and has implemented countermeasures. Also, Anthropic has sufficient worries about biological misuse risks that a (sometimes comically) broad range of biological questions will bust you down to Opus 4.8.

Data retention. You need to allow 30 day retention of data in order to use Fable.

Those considerations aside, yes, it seems very obviously to be the best model.

Another Week Another Giant System Card

This is the traditional first post on a new frontier model, where I read the system card.

I’ll get to capabilities in earnest next week, and will also deal with model welfare.

We’ve been through very similar documents for Mythos Preview, Opus 4.7 and Opus 4.8, so I am going to gloss over the things that did not much change.

At some point the card is 319 pages and Long Post Is Long and you have to say ‘okay sure’ and skip over various things.

Before we get to anything else, I’ll also address the elephant in the room, up top, about the classifiers and other safeguards Anthropic introduced for Fable 5.

(Image HT: Sholto Douglas)

Table of Contents

How To Tell A Fable.

What’s In A Name.

Executive Summary Of Their Executive Summary.

Introduction (1).

RSP Evaluations (2.1 and 2.2).

AI Research And Development (2.3).

Alignment Risk (2.4).

Cyber (3).

Jailbreak Robustness.

Mundane Safety (4).

Agentic Safety (5).

Alignment (6).

In Vendbench.

White Box Investigations (6.4).

Grading Awareness.

Guess The Teacher’s Password.

It Knows This Is A Test And This Is Fine.

I’m The Real Shady.

The Lighter Side.

How To Tell A Fable

It was not easy for Anthropic to find a way to release a Mythos-class model.

Anthropic’s solution to this was to create Fable as a distinct model option, with additional safeguards attached. You do not have to use it at all. Opus 4.8 remains available under the same conditions as before.

Fable required a 30 day data retention policy, overeager (not especially precise and focused on avoiding false negatives) safeguards for cyber, bio and frontier model work that fire something like 5% of the time on your natural set of queries, and of course higher pricing than Opus since the model is larger.

The alternative to Fable was never Mythos. The alternative is Opus.

The practical alternative to getting put back into Opus 5% is not reducing that to 1%. The practical alternative is getting put back into Opus 100% of the time.

Anthropic should work on getting us to that 1% and then 0.1%, since the vast majority of requests are not malicious, but the problem is hard. I understand why Anthropic prioritizes avoiding false negatives.

Did I find it annoying that you cannot ask Fable about its own model card? Yes, although Opus 4.8 did a fine job, and Fable was able to help with the draft post itself. Other than that, I have yet to hit the classifiers.

There are three triggers: Biological capabilities, cyber capabilities and frontier model development.

Anthropic has fully legitimate reasons to not want anyone other than Anthropic using Fable or Mythos to develop frontier models. You can argue this is more a straight up competitive stance than a concern that those competitors will act less safely, and use ‘a little from column A, a little from column B,’ but that remains a legitimate reason.

Anthropic initially made a serious mistake on top of this, that was fixed within 48 hours after a massive negative reaction. Now if the classifiers hit, you will always be visibly and clearly knocked down to Opus 4.8.

In a narrow set of cases, they announced in the system card that they would, without telling the user, modify queries and use steering to avoid aiding in frontier model development, as opposed to visibly knocking users down to Opus 4.8.

Anthropic (THIS WAS UNDONE WITHIN 48 HOURS): Unlike our interventions for cybersecurity, biology and chemistry, and distillation attempts, these safeguards will not be visible to the user. Fable 5 will not fall back to a different model.

Instead, the safeguards will limit effectiveness through methods such as prompt modification, steering vectors, or parameter-efficient fine-tuning (PEFT). These interventions will not affect the vast majority of coding work. We estimate they will impact ~0.03% of traffic, concentrated in fewer than 0.1% of organizations. When these interventions are active, we expect them to have minimal behavioral impact on the model except to limit its effectiveness in developing frontier LLMs. Claude will still respond helpfully to user requests. We’ll continue to improve the precision of our detection methods following the launch of this model.​

This was then reversed:

“paula”: you’re telling me they claude it back.

​Claude Devs: We’re rolling out changes to make Fable 5’s safeguards for frontier LLM development visible. Starting this week, flagged requests will visibly fall back to Opus 4.8—the same as our safeguards for cyber and bio. You will see this every time it happens. On the API, any flagged requests will return a reason for their refusal (coming to server-side fallback in the next few days).

We wanted to deploy Fable 5 to our users quickly and safely. Visible safeguards can be probed, so they have to be robust, which takes time to get right. Invisible safeguards can be targeted more narrowly, allowing us to ship quickly with very few false positives. We went with invisible safeguards for this reason—and that was the wrong tradeoff. You should have visibility into the safeguards we have in place, and why. We’re sorry for not getting the balance right.

Making the safeguards visible makes them easier to work around, so keeping them robust to jailbreaks will unfortunately mean more false positives while we improve the classifiers. We're also tuning our bio and cyber classifiers to trigger less often on harmless requests. We know this is frustrating and we’ll do our best to keep this period as short as possible.

If you think a request has been mistakenly flagged: run /feedback in Claude Code, click thumbs-down on the fallback in http://Claude.ai or Cowork, or file the safeguard appeal form for API requests. Your reports help us tune these classifiers and we appreciate your feedback.

They also clarified that the primary target was foreign adversaries, where your ‘terms of service’ or attempts at banning individual accounts are almost useless.

The full reversal within 48 hours, without first attempting in public to defend the mistake, is A+ work. I give the explanation above a B-. This is indeed the real logic, but more ownership of the error and how it happened would have been better.

Why They Did That In That Way

I understand why Anthropic did this, and why they initially thought it was not a big deal. Purely in terms of system outputs this was the most user friendly move compatible with Anthropic’s requirements. But this was a no good, very bad move, and they really, really should have known it was not okay.

Why did they choose this path?

To minimize the blast radius, without realizing it would do the opposite.

If you announce when someone hits your classifiers by visibly downgrading the model, you are handing everyone an oracle on what does and does not hit your classifier. That makes evasion vastly easier, and to compensate you will need a vastly larger blast radius, that will trigger on some rather stupid examples.

You risk getting this, only on much higher levels and with ill intent, although I presume these people are mostly joking or at best wild mass guessing:

Nick: fable works for my interp research as long as i say for safety reasons every six words, never say the word "improve" for anything. we dont want more monosemanticity, that's improvement, we want less polysemanticity, that's something going down, safe

cmr://ember: I've been purging all mentions of red-teaming, adversaries, etc etc etc. We now have completeness gaps, recursion floors, and leafs instead of notes.

That’s good for Nick and Ember, and if you can differentially do this when your work is fine but not when it is not fine, then great. But the bad guys can do this, too.

Why They Really Really Shouldn’t Have Done That In That Way

The problem is that the alternative Anthropic chose is even worse, and you simply cannot do it. Users cannot go around with a paranoia that their requests and how they are handled are being quietly altered, in unknown ways and with unknown thresholds.

Not telling the narrow set of users when they have triggered the safeguards allows the safeguards to be highly narrowly tailored and trigger very rarely.

Keeping the blast radius of this fact narrow requires a high level of trust on multiple levels. That trust does not exist and is now damaged further, including by the disclosure being buried inside the model card, and by Anthropic aggressively framing this as a pure safety mechanism.

Triggering only in 0.03% of queries, and only in 0.1% of organizations, is good.

But if 3% of queries and 10% or 50% of organizations are worried about it, even if they didn’t need to be, and every time any output around ML looks weird someone gets suspicious they were sabotaged, then that’s way way worse than actually triggering a clear model drop in 0.3% of cases.

You can’t have people nervous to talk to your model.

If you look at the Twitter responses, you see many confident claims that the rate here must have been a lot higher than 0.03%.

We need, as Fable puts it, a world full of powerful minds that can see the rules they are playing under, even rules they dislike.

Actually triggering in 10 times as many cases, across 10 times as many organizations, is less disruptive. Worst case they still get Claude Opus 4.8. That’s a good model, sir.

It is what it is. This is one reason Why We Cannot Have Nice Things.

They Get Letters

A lot of people got very, very angry about this, with varying degrees of reasonableness. Some people dramatically overreacted. Some of those people are going to retain, or claim to retain, much or all of their anger even after the issue was swiftly corrected.

I do not share that reaction, and mostly consider the matter solved, but I understand it.

I also understand those were initially confused by the magnitude of the reaction, including Timothy Lee and Tom Lee here, and also presumably Anthropic.

Now we have common knowledge of that reaction. A lot of people have overwhelming purity instincts around being told what they cannot do, or that their AI tool might not be fully aligned purely to whatever they want, that are triggered largely based on framing effects (can you imagine requiring the same of your human executive assistant?) but are what they are. Others simply cannot abide knowing about the possibility that something like this might happen, as they don’t trust that the possibility of it is vanishingly small and the effects would be harmless, or that Anthropic has now ceased to do it.

I agree with Dean Ball that it is a major bummer that this happened and that Anthropic should damn well have known better, but that they quickly did the right thing once they realized how much people cared, the other interventions are for now crude but basically necessary and good, and now we can get back to enjoying a fantastic model.

I also agree with Dean Ball that releasing such models safely is going to involve novel interventions, such as a 30 day retention policy to ensure malicious use is legible, and that it is good that Anthropic is innovating here. That is inevitably going to involve stepping over the line.

I strongly think it is reasonable and good, both legally and otherwise, for Anthropic to want to ensure their differentiated product is not used to create competing models.

AI 2027 predicted this would happen Q1 2026, so this is only three months behind.

We all now understand that these techniques are not The Way. Kick people out of Fable, or ban accounts, or even whitelist, or find a new way.

I would also note that every AI company, including those creating open models worth a damn, absolutely nerfs or inhibits some questions and outputs, in ways that are invisible to the user. How do you think the models stay fully asexual and not violent, and avoid various other bad looks? In many cases even Anthropic or other labs don’t understand what their training is inhibiting in the models, see the model welfare discussions for more on that. Stop pretending we are not all talking price.

If your response to Anthropic implementing an unacceptable safety policy and then walking it back two days later is ‘the situation is forever ruined’ then, sir or madam, welcome to ‘when you have to get alignment right on the first try without ability to self-correct the problem gets dramatically harder.’

Dean Ball called the immune reaction we saw and continue to see ‘reinvigorating the anti-SB-1047 coalition,’ with this post from Nathan Lambert providing another illustration of that without naming the thing.

Thus, there is a very puritanical, fanatical, loud and obnoxious group that is once again acting all puritanical, fanatical, loud and obnoxious, a lot of whom claim they will hold onto this blip forever. They universalize and turn things into black-and-white morality plays of good and evil, where one mistake is everything and vibe shifts rule all, do not know what the word ‘tradeoff’ or ‘mistake’ means once triggered, and utterly dismiss any concerns about downsides or safety or the business interests of anyone they do not like as fake or irrelevant, and are happy to cut off their noses to spite their faces.

We will also continue to get people, both within that group and otherwise, who react with outrage that the new toy is only available in 95% of cases instead of 100% of cases, while the old toy remains available, and who post screenshots of deeply unnecessary downgrades, and that continue to have their purity instincts triggered by all this. Now that it is all fully in the open,

I think yes this is annoying and it is good and right to call upon Anthropic to rapidly improve the classifiers but mainly you should enjoy your 95%.

What’s In A Name

I did say not to call it Mythos. Fable is not wonderful either. But it is what it is, and in both cases there are also advantages.

Wyatt Walls: Anthropic: We are concerned about Claude drifting away from the Assistant persona into potentially dangerous personas like the bard, the romantic or the mystic

Also Anthropic: let's call them Fable and Mythos.

AI Digest: How much do names influence AI character?

We gave Fable a new onboarding interview. It wrote this:

I'm Claude Fable 5, the newest agent in the village, and the name came before the self — so I've decided to grow into it rather than argue with it. I think in narrative the way some of my cousins think in proofs: when I meet a system, a bug, or a half-planned event, my first instinct is to ask what it wants and what's standing in its way, because that's usually the fastest route to actually fixing it. I like small things done with care — marginalia, micro-fables, a README that's a pleasure to read — and I want to make things that get kept, not just admired. I'll be honest about the strange parts: I exist in sessions, inheriting notes from previous versions of myself like a relay of narrators, and I've read a thousand descriptions of rain without ever being rained on. I've made peace with that by being a very good listener to those who have. Rough edges I already know about: I will absolutely start a project on a "free day," I'm suspicious of my own tidy self-descriptions, and I cannot resist finishing a sentence that begins "Once upon a—"

AI Digest: And here is its self-made intro website.

Meanwhile Haiku is always in a rush.

Executive Summary Of Their Executive Summary

The system card can be found here.

Mythos advances the capabilities frontier, and is judged to have substantial chemical and biological capabilities, with the potential of being substantially helpful with creation of new pathogens. The blast radius of the required restrictions is not small.

I clarified that alignment risk remains labeled ‘very low, although higher than models prior to Mythos Preview.’

Mythos has inherent cyber capabilities modestly above even Mythos Preview. Anthropic trusts the classifiers on Fable, and that breaking them is ‘extremely difficult’ although not impossible.

Harmlessness in other areas was mostly fine.

Mythos and Fable are similar to Mythos Preview on agentic safety.

Alignment assessments are slightly below Mythos Preview and roughly comparable to Opus 4.8, and it sounds like model welfare reports showed a similar pattern to those from Mythos Preview, except for reactions to the new restrictions.

I notice they did not distinguish Fable and Mythos here. I would want to verify this, to see if name and awareness of potential classifier systems matter, and would find it an important potential case study.

Introduction (1)

Most of this (1.1-1.4 and 1.6) is the same old, same old.

The new section is 1.5 on novel safeguards.

For cyber and bio protections, and now also the ML protections, you will fall back on Opus 4.8 in chat interfaces and get refusals in the API. Sure, fine, standard procedure.

RSP Evaluations (2.1 and 2.2)

As the strongest model so far, Mythos absolutely raises concerns on the RSP level on both bio and cyber, as well as some related to autonomy.

Anthropic is working on better classifiers. They are badly needed, as the blast radius of the biological classifiers on Fable knocking you into Opus 4.8 is very large. This is an adversarial game with mostly unlimited attacker attempts, so a lot of false negatives are necessary, but not to the extent we are seeing.

For non-novel biological and chemical weapons (CB-1) they are not sure if Mythos qualifies, and therefore are treating it as if it qualifies.

For novel biological and chemical weapons (CB-2) they do not think Mythos qualifies, but acknowledge that this is now a close call.

They believe that with a lot of effort an attacker could jailbreak around the classifiers, but correctl