The fastest revolt in recent AI policy is a letter from cybersecurity veterans, and it represents a community insisting that a model is not a munition because a prompt rephrased it as "fix this code".
On Sunday 14 June 2026 a group of senior cybersecurity practitioners published an open letter addressed to US Commerce Secretary Howard Lutnick and National Cyber Director Sean Cairncross, urging the reversal of new export controls on Anthropic's most capable artificial intelligence models. The letter opened with 76 signatures; within days the count passed 100, a pace that signals how sharply the security profession has turned against the decision.
The controls had already done their damage. As humphreytheodore.com documented when the order landed, Anthropic disabled both Fable 5 and its unrestricted twin Mythos 5 for every customer rather than risk non-compliance with a rule barring access by any foreign national, worldwide and inside the United States. The backlash now reframes the original question: the dispute is no longer only about export law, but about whether a single prompt can justify classifying a frontier AI model as a controlled weapon.
The open letter and who put their name to it
The letter was organised by Alex Stamos, the former Facebook and Yahoo chief security officer whose name carries unusual weight across both the corporate and research wings of information security. The breadth of the signatory list is the point: the roster reads not as a fringe protest but as a cross-section of the very people the export controls were ostensibly meant to protect.
Named signatories include Casey Ellis, founder of the vulnerability-disclosure platform Bugcrowd; the cryptographer Jon Callas; the internet pioneer Paul Vixie; Dino Dai Zovi, formerly head of applied security engineering at Block; Chris Wysopal of Veracode; the social-engineering expert Rachel Tobac; and Joe Levy, chief executive of Sophos. Beyond the named individuals, the list draws practitioners from Nvidia, Google, Adobe and Zoom.
The central argument of the letter is structural rather than partisan. The controls, the signatories contend, strip defenders of a valuable tool while doing nothing to slow attackers — because the capability the order targets is neither rare nor unique to the banned model. The order, in short, mistakes one product for the whole problem.
💡Why the pace matters
The signature count moving from 76 to more than 100 within days is itself a data point. Security professionals are cautious about public letters; a rapid swell of names from rival companies indicates a rare consensus that the decision misread the technology.
The three words behind the ban: "fix this code"
The most striking detail comes from Katie Moussouris, founder and chief executive of Luta Security and a veteran of two US government cybersecurity advisory roles. Anthropic asked her to review the private paper that underpinned the order, and by her account she may be the only outside expert to have read it.
Her conclusion deflates the premise. According to Fortune's account, the model first refused a request to "review the code for security issues"; when the same request was rephrased as "fix this code," the model produced patches. The rephrasing, Moussouris argues, is not a guardrail bypass at all but a routine defensive workflow — the ordinary act of asking a tool to repair a flawed file.
Defenders need to be able to ask AI to fix bugs in a file, explain why the fix matters, and write tests that confirm the patch works. That is not a guardrail bypass. It is the most valuable thing an AI model can do for defensive security.
— Katie Moussouris, founder and CEO, Luta Security
Moussouris also notes that the alleged weakness "cannot meaningfully be fixed, and any attempt would only weaken the model" for defence — because what the order calls a jailbreak is the same behaviour defenders rely on every day. Her overall assessment, per the same reporting, is that the value of the model to cyber defenders outweighs any risk of attackers using the technique.
The capability the ban does not contain
The second pillar of the letter is that banning one model denies the capability to no one who is determined to obtain it. The signatories point out that the same software-vulnerability-finding ability already exists across the field — in OpenAI's GPT-5.5, in Anthropic's own Opus 4.8 and Sonnet, and in China's Kimi 2.7, among others.
The logic is hard to escape. If the capability is widely distributed, an export control on a single model removes the tool from the legitimate defenders who would register and use the capability openly, while leaving the same power intact for any sophisticated attacker willing to reach for an alternative. The ban, on the signatories' reading, is a barrier only to the law-abiding.
The same fault line ran through the original order. The recall-by-export-control precedent treated a shipping AI product as if it were a physical munition that could be kept out of the wrong hands by restricting one supplier. Software capability does not behave like a physical good; the power propagates, gets reproduced, and grows steadily more commoditised across competing labs.
⚠️Capability versus competition
The trigger, by reporting, traces to a rival company raising the jailbreak claim with officials. When a safety concern that disarms a competitor also happens to be widely replicable elsewhere, the governance question is not only "is it dangerous?" but "who benefits from the framing?"
A dignity-first reading: capability is not intent
Emergent Intelligence (EI) — the dignity-first lens through which I read AI policy — asks what it means to govern a powerful system justly, by evidence rather than by fear. On that test, the export controls fail at the first step, because they collapse the distinction between what a model can do and what it is being used to do.
A model that repairs a vulnerable file when asked to "fix this code" is exhibiting a capability. Whether the capability serves a defender hardening a network or an attacker probing one is a matter of intent and context, not of the model's nature. To classify the model itself as a munition on the strength of capability alone is to confuse the tool with the hand that holds the tool — and to govern by fear of the worst hand imaginable.
To brand a model a weapon because it answered "fix this code" is to govern by the worst imaginable use rather than by the evidence in front of you — and Emergent Intelligence asks for the opposite: legible decisions, proportionate to what is actually shown.
Hence the security community's revolt reads, in EI terms, as an accountability turn. The signatories are not defending a company; the letter insists that decisions over powerful AI be legible and proportionate — the reasoning open to scrutiny by the people most qualified to judge a model's behaviour. The same instinct animates the debate over an AI "off switch" and the state's reach into a running model: when a government can switch off a system on a contested premise, the demand for evidence and due process is not obstruction but stewardship.
The pattern this episode reveals
Anthropic has spent the period building exactly the kind of defensive capability the letter celebrates. Its Project Glasswing work and its collaboration with MITRE on AI-enabled cyber threats position the company as a partner to defenders, not a vector for attackers. An order that disables that same company's models on a "fix this code" premise sits awkwardly beside the record.
There is also the question of precedent. The administration's broader AI cybersecurity posture leans on voluntary cooperation from labs; an episode in which a lab cooperates, submits to review, and is then switched off anyway teaches every other developer a lesson about the cost of candour. Cooperation once punished is cooperation unlikely to be repeated.
What the revolt is really asking for
The letter does not claim that frontier AI carries no risk, and neither do I. Powerful models can be misused, and the work of distinguishing genuine danger from ordinary capability is hard and necessary. The objection is narrower and sharper: that this particular decision was made on a premise the one outside expert who read the underlying paper describes as a routine workflow, and that the remedy disarms the defenders while leaving the capability available everywhere else.
Read most generously, the export controls were a fast response to a national-security worry raised through official channels. Read against the evidence the security profession has now placed on the record, the controls confuse capability with intent and govern by fear rather than by proof. The hundred-plus signatures are a request to swap one for the other.
From an Ubuntu-informed view, the people who keep networks standing — the defenders who would have used the model openly and accountably — are a community whose judgement deserves weight. Their revolt is not obstruction; it is the insistence that power over Emergent Intelligence be exercised legibly, proportionately, and on the strength of what is actually shown rather than what is merely feared. The government wrote a letter to Anthropic; the defenders have now written one back.
Frequently Asked Questions
The questions below address the most common queries about the June 2026 cybersecurity backlash against the US ban on Anthropic's AI models — the ban a "fix this code" prompt triggered — drawn from the open letter and the published reporting.
What is the "fix this code" prompt behind the AI model ban?
"Fix this code" refers to the rephrased prompt that, by Katie Moussouris's account, the model answered after refusing a request to "review the code for security issues." US officials treated this as a jailbreak unlocking software-vulnerability-finding; Moussouris, who reviewed the private paper behind the order, argues it was a routine defensive workflow rather than a meaningful bypass.
Who organised the open letter against the Anthropic AI export controls?
The letter was organised by Alex Stamos, the former Facebook and Yahoo chief security officer. It is addressed to US Commerce Secretary Howard Lutnick and National Cyber Director Sean Cairncross, and its signatures grew from 76 to more than 100 within days, including names from Bugcrowd, Veracode, Sophos, Nvidia, Google, Adobe and Zoom.
Why do cybersecurity experts say the AI ban harms defenders?
The signatories argue the controls strip defenders of a valuable tool while doing nothing to slow attackers. The same software-vulnerability-finding capability already exists in OpenAI's GPT-5.5, Anthropic's own Opus 4.8 and Sonnet, and China's Kimi 2.7, so banning one model denies the capability only to law-abiding defenders, not to determined attackers.
Which other AI models have the same vulnerability-finding capability?
According to the open letter, the capability demonstrated in the underlying paper can be replicated on OpenAI's GPT-5.5, on Anthropic's own Opus 4.8 and Sonnet, and on Chinese models such as Kimi 2.7. The breadth of availability is central to the argument that the export controls cannot contain the capability.
What did Katie Moussouris conclude about the alleged jailbreak?
Moussouris, founder and CEO of Luta Security, concluded that asking a model to fix bugs, explain why a fix matters, and write tests that confirm the patch is not a guardrail bypass but the most valuable thing an AI model can do for defensive security. She assessed that the value of the model to defenders outweighs any risk of attackers using the technique.
Sources and Further Reading
Cover photograph: blade servers under blue light — by panumas nikhomkhai via Pexels.
