Friday, 12 June 2026. Anthropic had launched Fable 5 a few days earlier: a public, heavily scoped version of its cybersecurity technology called Mythos. That Friday, the US Department of Commerce activated export controls and Anthropic suspended access to Fable 5 (and Mythos 5) for all customers, worldwide. According to Anthropic and specialist press (including Axios), Commerce Secretary Howard Lutnick communicated the directive to Anthropic. Tool gone. No confirmed return date.

At the time of writing, in late June 2026, general access to Fable 5 was still suspended. The situation may have changed by the time you read this: check the current status through Anthropic's official channels.

Maybe you were not using Fable 5. Maybe you had never even heard of Anthropic. But what happened that Friday is a lesson that applies to any small business that has integrated AI tools into its daily operations: when you depend on a single provider for a critical task, you have a single point of failure. And the decision can come from very far away, for reasons you have no power to control.

What happened, plainly

Anthropic launched Fable 5 as the public version of Mythos, its cybersecurity specialist system. It was a capable model aimed at companies that needed digital threat detection and response. A few days after launch, the US government activated export controls that, in practice, led Anthropic to suspend access for all customers.

The European Union reacted with political statements and regulatory debate, but without its own executive measures regarding these specific models. The practical result: customers who depended on Fable 5 for business processes found themselves without the tool from one day to the next.

There is one additional detail worth noting if you pass customer data through tools of this kind: Anthropic communicated a mandatory 30-day retention of traffic from Mythos-class models. Anthropic says this is for security, not for model training. But the practical implication is clear: if you use (or were planning to use) Mythos-class tools, you need to review your Data Processing Agreement (DPA), data residency, and GDPR legal basis before passing customer data through them.

On the AI Act side: the European regulation foresees additional obligations for general-purpose AI models with "systemic risk", if they exceed certain thresholds (for example, 10^25 FLOPs of training compute). I am not claiming that Fable 5 or Mythos exceed those thresholds, because I do not have verified information on that. If they did, they could be subject to those additional obligations. But that is a forward-looking risk reading, not a present sanction.

Why this is not just a big-company problem

The usual instinct when something like this happens is: "well, the big companies using Fable 5 for corporate security are having a hard time. I have a shop or a practice, this does not affect me."

But the lesson is not specifically about Fable 5. The lesson is about the pattern:

This is not alarmism. It is an honest risk reading: any AI integration into a critical business process creates a dependency. And single-provider dependencies have a cost when they fail, regardless of the size of the business.

The uncomfortable question

Ask yourself this, now, about every AI tool you use regularly: if it disappears tomorrow, what happens to my business?

For many small businesses, the answer is "I will have a difficult few days and find an alternative." That is acceptable. But for some, the answer is "a critical process stops" or "I do not know how I would have done the work without it." Those are the dependencies worth managing now, while there is no urgency.

Actionable continuity plan: six concrete steps

I am not proposing a full business continuity plan. I am proposing six concrete things a small business can do in an afternoon:

1. Build a real inventory of your AI tools.

List every AI tool you and your team use regularly. Include ChatGPT, Claude, Gemini, Copilot, image tools, chatbots, automations, content generators, and any SaaS product with an embedded AI component. Most teams overlook tools that are part of the real picture until they actually do the inventory.

2. Classify by criticality.

For each tool, answer: is it critical (if it fails, a business process stops), important (there is impact but I have a manual fallback), or convenient (it makes life easier but is not essential)? The critical ones are the ones that need a plan B.

3. Identify an alternative provider for each critical tool.

You do not need to switch anything now. You need to know, for each critical tool, what the substitute would be if it disappeared. For ChatGPT, the obvious alternatives are Claude or Gemini. If you value European data sovereignty, it is worth knowing Mistral (a French company, models available via API, data residency in Europe). It is not the right answer for everyone, but it exists and it works.

4. Map which customer data flows through each tool.

For each AI tool, identify whether you are passing personal customer data through it (names, emails, message content, purchase history). If so, check that you have a signed DPA with the provider, that the data is processed within the EU (or that equivalent guarantees exist), and that you have a GDPR legal basis for that processing. In an incident like Fable 5, this is the first thing you will need to be able to demonstrate.

5. Review your DPA, data residency, and GDPR legal basis.

If you use Mythos-class models or any tool with traffic retention clauses, read the DPA carefully. The 30-day retention Anthropic communicated for Mythos means data can remain held outside your direct business control for that period. If you are not sure whether your provider has an adequate DPA, this is the moment to ask, not the moment of a crisis.

6. Define a minimum manual procedure for critical processes.

For every critical process that depends on an AI tool, document how it would be done without it. It does not need to be perfect: it needs to be sufficient to keep operating while you find an alternative. "If the chatbot goes down, queries go to info@domain.com and we respond manually within 24 hours" is a valid manual procedure.

Europe sets the rules, but does not have the models

The Fable 5 case exposes a real tension: the European Union is the first to regulate AI (the AI Act) and the first to protect citizens' data (GDPR), but it does not have frontier AI models of its own. The models powering European business processes today come from three or four North American companies. When an external government makes a regulatory decision affecting one of these models, we absorb the effects.

Initiatives like Mistral (French) and investments in European AI infrastructure are moving in the right direction, but the gap is real and will not close in months. For a small business in 2026, the practical takeaway is: diversify providers where it makes sense, make sure your customers' data is protected by solid DPAs, and do not let any AI tool become the single point of failure for a process you cannot afford to stop.

There is no need to be alarmist. There is a need to be prepared. Let the Fable 5 case be the lesson you learn without having suffered the disruption yourself.

If you want the full regulatory context behind all of this, the article on Spain's AI Law and the EU AI Act covers it in detail.

Want to review which AI tools you use and how exposed you are?

The free diagnostic tool helps you classify your AI tools by risk in five minutes. If you want to go deeper, I can help you build the inventory, review your DPAs, and define continuity plans for critical processes. Three or four hours of work together and you have the foundation in place.

Diagnostic tool (free) Let's talk 15 minutes