From Model Safety to Execution Control
Claude Fable 5 is back, running inside the agentic tools your teams already use. Its safeguards shape how likely the model is to misbehave. They do not decide what an agent can reach once it acts. That gap belongs to you, and it lives at the execution layer, not inside the model.
Qi Deng, Principal Threat Research Engineer | Aurascape
July 6th, 2026 | 🕐 9 minute read
Introduction
Anthropic secures its model for everyone. Only you can secure what your agents do inside your business.
Claude Fable 5 is back. Anthropic redeployed its most capable generally available model on July 1, nineteen days after a US export-control order took it offline. It now runs inside the agentic tools enterprises use every day, including Claude Code and Claude Cowork.
Anthropic’s account of the episode is worth reading in full. It covers the research finding that triggered the suspension and the classifier update that resolved it. It also proposes something the industry has needed for years: a shared framework for scoring jailbreak severity, drafted with Amazon, Microsoft, and Google. The framework deserves support. We hope it becomes a standard.
But the episode proves something the framework does not measure. Model safeguards, even the strongest ever shipped, cannot be your control layer. If your enterprise runs AI agents on frontier models, the security decision that matters does not happen inside the model. It happens at the point of execution, where an agent touches your code, your data, and your systems. That point is yours to control, and it holds steady no matter how the model layer shifts. Most enterprises have not claimed it yet.
What Nineteen Days of Disruption Proved
Start with what happened. In June, Amazon researchers reported a prompting technique that got Fable 5 to identify software vulnerabilities. In one case it produced code demonstrating an exploit. The US government applied export controls while it reviewed the finding. Anthropic’s testing then showed the technique exposed nothing unique. Weaker models could identify the same vulnerabilities. Every model tested could reproduce the exploit demonstration. The safeguards had simply held back ordinary defensive security work out of caution. Anthropic shipped a stricter classifier, the government lifted the controls, and the model returned.
None of that makes Fable 5 dangerous. Anthropic’s evidence shows the opposite. What the episode demonstrates is structural, and it applies to every frontier model your enterprise runs.
First, jailbreaks happen. Anthropic says plainly that no one can make an AI model impervious to them. Friendly researchers found one for Fable 5 within days of launch, despite the strongest protections Anthropic has ever applied.
Second, safeguards are coarse by design. Fable 5 ships with a deliberate safety margin that blocks requests which are probably benign. The logic is straightforward: a false positive inconveniences a legitimate user, while a false negative helps a malicious one, so Anthropic accepts the smaller harm to prevent the larger. The June fix widened that margin. The new classifier blocks the reported technique in over 99 percent of cases and flags more legitimate coding and debugging work as a side effect.
Third, safeguards sit in someone else’s control. The provider tunes them, on the provider’s schedule, for every user at once. Your policy is not an input. They are also blind to your context. Anthropic’s classifier will never know that a repository carries retention obligations, or that a block of text is your highly sensitive intellectual property. That is not its job.
Follow the incentives one step further. Frontier model providers invest heavily in reducing jailbreak risk. Anthropic says so in its own post: it doubled the staff working on safeguards before launch and stood up 24/7 monitoring of jailbreak submission channels. That work deserves credit. But no model provider carries the same incentive to build and maintain the real-time security, data, and threat controls that govern how your business uses AI. That work protects you, not the model’s safety record. And the exposure is already mainstream. McKinsey finds that 88 percent of organizations now use AI in at least one business function, and 62 percent at least experiment with AI agents. Adoption at that scale, governed by controls tuned for someone else’s priorities, is where the insider risk of AI now lives.
A control you cannot inspect, cannot tune, and cannot hold to your own policy is not a control. It is a dependency.
The Blast Radius Belongs to the Agent
Here is the part that matters for your risk register. A jailbroken model in a chat window can say alarming things and touch nothing. Agents are different. Agents hold entitlements. They can read files. They can write to repositories. They can run commands and orchestrate chains of API calls that move data between systems.
That is the blast radius, and it does not come from the model. It comes from the permissions agents hold. The surface stays the same size whether someone jailbreaks the model, a prompt injection hidden in a web page steers it, or it simply misreads what you wanted.
Picture a coding agent working in your environment this week. It reads source, runs commands, and writes changes. It runs on a frontier model whose safeguards researchers publicly bypassed in June, and which the provider then re-tuned in a way that now interrupts more legitimate developer work. The model layer moved twice in three weeks, and each move changed the likelihood of unsafe behavior. Neither move changed what the agent could reach. What it could touch on June 11, it can touch today. The model layer sets the odds of a bad action. The execution layer sets its blast radius. Only the second is fully yours to control.
Delegation Raises the Stakes
Enterprise AI moves through three stages. Employees working directly with AI applications came first, and security teams govern that interaction today. Delegation comes next, and it is already here: people hand real work to agents that plan, call tools, retrieve data, and act. Behind that, agent-to-agent execution takes shape: autonomous systems that coordinate work directly with each other.
And it is not only a developer story. The week engineers picked Fable 5 back up in Claude Code, business teams picked it back up in Claude Cowork. A knowledge-work agent preparing a renewal briefing reads the document store, queries the CRM, and drafts the outreach email. In a bank or an insurer, that path runs straight through regulated customer data. No one needs to compromise the agent to create exposure. One wrong tool call is enough to leak data or break compliance.
And the curve steepens from here. Fable 5 and Mythos 5 are forerunners of what frontier models can do next. As capability grows, so does the reliance organizations place in agents, and reliance becomes permissions. Your risk surface is the product of two numbers: how many AI interactions happen, and the permissions each agent holds. Both numbers only go up. Staying ahead of this expanding risk surface means securing every interaction, and controlling permissions.
Four Questions Before Your Next Agent Ships
I will pause here to be clear: The work of preventing jailbreaks is vital, and Anthropic’s openness about its safeguards and their limits sets a standard the industry should follow. Nothing here argues against that work. It argues for pairing it with the part only you can supply: a clear view of your own risk exposure at the moment of any AI interaction.
You do not need a framework document to find out where you stand. Four questions do it.
What can each agent in your environment touch? Not what it is supposed to touch. What its credentials and connections allow today.
Does anything sit inline between your agents and their tools? A control that decides before execution is different in kind from a log you read after the fact.
Can an agent bypass its controls to reach a tool off the governed path? If it can, every policy on the governed path is optional.
Could you hand an auditor the evidence of what an agent did with customer data last quarter? Your web gateway’s session log will not answer that question. Neither will a list of allowed domains. That evidence lives in the conversations and interactions themselves.
If some answers are unclear, you are not alone. The controls most enterprises rely on today come from the web and SaaS era: SSE, SWG, CASB, DLP. They classify destinations and inspect files, and they do that job well. No one designed them to read a conversation, follow an agent’s tool calls, or tell an enterprise tenant from a personal account. The gap is not a missing policy. It is a missing layer.
Control Belongs in the Execution Path
So put the control where the risk lives. Not at the model, where you have limited influence. Not in an activity log, where you learn what happened after the fact. But in the execution path itself, inline, where the agent acts. Inline is the enforcement point. A log tells you what an agent did. An inline control decides what it gets to do.
Context is what makes enforcement worth having. Destination is not enough, because an approved application can still host an out-of-policy action. The control needs to know who is acting, and under which entitlement: enterprise tenant or personal account. It needs to know which application is in play and in what mode. It needs to recognize the category of data in the exchange. And for agents, it needs the full execution path: the prompt, the response, the skills invoked, the tool the agent requests, the tool call itself, and the outcome.
The bar sits this high because the surface keeps growing. Each model generation extends what agents can do, and every new capability earns agents more trust and more permissions. Interactions multiply, and each one reaches further. Tools that watch destinations and files cannot follow that growth, because the risk now lives in conversations, tool calls, and outcomes. The control point has to sit where those interactions happen, and it has to scale as they multiply.
With that context, policy stops being a blunt allow-or-block switch. Allow the action. Coach the user toward the approved path. Block the tool call. Redact the sensitive field and let the rest through. Keep the evidence.
Here is what that looks like in practice. Return to the renewal-briefing agent. It requests a tool call that would export a full customer table into a draft email. The control sees an authenticated employee on the enterprise tenant. It sees an application running in agent mode. It sees regulated customer data in the exchange and an export tool in the request. Policy blocks that one tool call, lets the rest of the task proceed, and records the event. The briefing ships. The customer table stays where it belongs. Nobody filed a ticket.
One requirement is decisive for agents: the agent must have no path around the control. An agent that reaches a tool directly, off the governed path, makes every policy on that path decorative. That is the purpose of a Zero-Bypass Architecture for Agentic AI. Tool execution routes through the control point by design. Model Context Protocol (MCP) matters here as a key mechanism agents use today to reach tools. It is a mechanism inside the execution story, not the whole story.
A Control That Holds When the Model Moves
The reason to anchor control at the execution layer is durability. Policy enforced there does not move when the model layer does. A new jailbreak surfaces tomorrow: the agent’s permissions do not change. The provider ships a stricter classifier: your policy holds. You swap the underlying model next quarter: the control point stays where it was.
That is the difference between inheriting the model provider’s safety cadence and enforcing your own. For a bank or an insurer, it is also the difference an auditor cares about. The control you attest to has to be one you own. The evidence trail has to survive a model change. Execution-layer enforcement gives you both, on your schedule, under your policy.
Two Jobs, Both Necessary
None of this competes with what Anthropic is doing. Model safeguards and enterprise execution control are different jobs, and both need doing well. Anthropic secures the model for everyone who uses it. Only you can secure what your agents do inside your business. Use the model provider’s enterprise controls too. They matter. They govern who can reach the model and under what settings. They do not stand between your agent and your systems while work is underway. That job stays with you.
We built Aurascape for that job. Aurascape gives you interaction-level control over how employees and agents use AI, under your policy, with evidence you can stand behind. The industry framework will tell you how severe the next jailbreak is. Your architecture decides how much it matters to you.
To explore the architecture that keeps you in control, watch the launch recording here.
Aurascape Solutions
- Discover and monitor AI Get a clear picture of all AI activity.
- Safeguard AI use Secure data and compliancy in AI usage.
- Secure Agentic AI Secure how your teams use AI and build AI agents.
- Copilot readiness Prepare for and monitor AI Copilot use.
- Coding assistant guardrails Accelerate development, safely.
- Frictionless AI security Keep users and admins moving.