Commerce Partially Lifts Anthropic's Mythos 5 Export Controls

Commerce Secretary Howard Lutnick wrote last Friday that "certain trusted partners" could access Anthropic's Mythos 5 model without an export license, and according to analysis in TechPolicy.Press, the move surfaces a deeper problem: the legal framework for governing AI exports barely exists yet. Lutnick's determination stated that "a license will no longer be required to export, reexport, or in-country transfer" the model to entities listed in an annex, their foreign national employees, and Anthropic's own foreign national employees. The original controls had been imposed two weeks earlier following a report from an Amazon researcher, relayed via CEO Andy Jassey, of a jailbreak vulnerability in Anthropic's Fable 5 model that could enable cyber attacks.

The partial rollback raises a question the rollback itself does not answer: what is an export when model weights never leave US territory? Frontier AI runs on US-hosted infrastructure, while access to those capabilities crosses borders via cloud APIs. The Export Administration Regulations, administered by Commerce's Bureau of Industry and Security, were designed for physical dual-use goods. The "deemed export" doctrine in those rules asks whether a foreign national accessing controlled technology constitutes an export, but whether that maps cleanly onto global cloud API access remains genuinely unsettled.

Andrew W. Reddie, an Associate Research Professor at UC Berkeley's Goldman School of Public Policy and the author of the TechPolicy.Press analysis, argues that perfect technical safeguards are unattainable and that realistic approaches require "layered defenses that combine technical safeguards, monitoring systems, user vetting, transparency mechanisms, and government oversight." The deeper structural problem he identifies is that AI governance architecture was built to control physical things, not capabilities delivered as a service.

The reporting does not reveal which entities appear in Annex A as trusted partners, what criteria Commerce used to select them, or what "appropriate safeguards" actually require in practice. Those blanks matter for every organization with foreign national employees that is not on the list and wants to know whether it could qualify. What neither Commerce's letter nor the analysis provides is a definition of the standard, only the outcome of applying it in this specific case.

Companies navigating international AI deployments and foreign national workforces now face compliance questions that neither Commerce nor Congress has formally resolved. The firms that engage early with the Bureau of Industry and Security on what "deemed export" means for cloud-hosted AI could shape that standard before it hardens into something less favorable.