Now that the June 12 Commerce letter to Anthropic is circulating, I wanted to consolidate my thoughts about the letter in one place.
A number of smart reactions have already flagged vulnerabilities with the letter. I agree with many of them. My aim here is not to respond to each one, but to explain how I’ve been thinking about the main legal and policy issues. I’ve organized the post around three questions below.
Question 1: What does the letter do, and why did Commerce likely choose this mechanism?
The letter cites ECRA’s emerging/foundational-technologies authority, including its interim-controls clause, ECRA’s specific-notice authority, and EAR § 744.22(b), the specific-notice provision for military-intelligence end-use/end-user risk. It informs Anthropic that a license is required for the export, reexport, transfer (in-country), deemed export, and deemed reexport of the Claude Mythos 5 and Claude Fable 5 models.
The scope is sweeping. The license requirement applies to all destinations worldwide and all “foreign persons,” wherever located, including foreign persons in the United States. The letter also says the requirement applies to the “transmission or release” of the Mythos and Fable models. It is written as if the controlled item is the model itself, not a particular output.
Section 744.22(b) allows BIS to inform a person by specific notice that a license is required for specific exports, reexports, or transfers of any item subject to the EAR where BIS sees an unacceptable risk of use in, or diversion to, a military-intelligence end use or end user. That makes the “is informed” letter legally consequential, not merely advisory. Once Anthropic is informed, covered transactions require a license, and applications for licenses required under § 744.22(b) are reviewed with a presumption of denial.
The breadth and design choices of the letter suggest Commerce/BIS chose a mechanism that predictably left Anthropic with little practical choice but to take Fable 5 down from public availability and cut off foreign-person access to Mythos 5. Reporting reinforces that point. When Anthropic CEO Dario Amodei reportedly told Commerce Secretary Howard Lutnick, “This means we can’t have the model out,” Lutnick replied, “That’s the point.”
Question 2: What are the legal vulnerabilities?
The letter makes several aggressive legal moves. Some may ultimately be legally defensible, but each raises questions.
1. API access is not obviously an “export” of the model. Section 734.13(a)(1), which defines “export,” covers an actual shipment or transmission out of the United States. The deemed-export provision (§ 734.13(a)(2)) focuses on release of technology or source code to a foreign person in the United States, not remote use of a hosted system.
BIS cloud/SaaS guidance has historically distinguished remote use of hosted software from exporting the software itself when the user doesn’t download it. Remote access may transfer outputs, but it doesn’t transmit the underlying model.
The Remote Access Security Act reinforces the point. It would add remote-access authority to ECRA, but it is not law. That supports, but of course doesn’t prove, the view that current law does not clearly reach mere remote access without more.
2. The letter treats the Mythos and Fable “models” as the controlled items, but doesn’t define the term. “Model” could mean weights/parameters, source code, checkpoints, the inference stack, the deployed service/API layer, or some combination. Those aren’t interchangeable. Transferring model artifacts is a much easier export-control case than restricting use of a hosted service.
3. Section 744.22 is not a general cyber-safety rule. It focuses on unacceptable risk of use in, or diversion to, covered military-intelligence end uses or end users, not generalized concerns about jailbreaks, unsafe outputs, or cyber capability. Commerce may have intelligence showing a real military-intelligence risk, but the letter’s public text doesn’t explain that nexus.
4. The worldwide/all-foreign-persons scope is very broad. Section 744.22 is structured around unacceptable risk of use in, or diversion to, covered military-intelligence end uses or end users. The letter jumps from that targeted framework to a categorical rule for all foreign persons worldwide, including allied nationals and foreign persons in the United States. BIS may have a concrete diversion theory, but the letter doesn’t explain the bridge.
5. First Amendment risk should be taken seriously, but carefully. I wouldn’t jump to the conclusion that there’s a clear First Amendment violation. Export controls receive national-security deference, and AI models are at least partly functional systems, not just expressive works. But hard First Amendment questions arise where the practical effect is to suppress code, technical explanations, or model-generated information, particularly for Anthropic, U.S. persons, and people in the United States.
6. Public availability creates tensions. API or web access likely doesn’t make the underlying weights, source code, or technical documentation “published” under the EAR. Users receive outputs, not the underlying artifacts. But that also shows the tensions in Commerce’s theory. If API access doesn’t publish the model, then why is API access a “release” of the model? It’s not clear.
Question 3: What does this mean going forward?
1. U.S. AI developers will likely need to treat export controls as a post-release product risk. The recent AI EO creates a voluntary pre-release framework for covered frontier models, including up to 30 days of government access, while disclaiming mandatory licensing or preclearance. But after the Anthropic letter, that voluntary process may become practically hard to avoid for frontier developers trying to reduce post-release export-control risk.
2. Foreign and domestic customers may see U.S. closed frontier models as less reliable infrastructure, especially for mission-critical work. If broad foreign access to a model can be disabled by an individualized “is informed” letter after release, enterprises may hedge toward open models and/or non-U.S. models. That would hurt the export of the U.S. AI stack. We want U.S. models, cloud, tools, and safety practices to be adopted globally. A reputation for sudden disablement with little or no warning gives competitors, including Chinese providers, a big marketing win.
3. The all-foreign-person restrictions could distort talent decisions. Companies may overcorrect by relying more heavily on U.S.-person teams for sensitive model work, while foreign researchers may feel less welcome in U.S. frontier AI. That would be a bad outcome. The U.S. AI ecosystem benefits from foreign talent, and blunt access rules could push some researchers toward foreign competitors. The better approach is targeted controls, including TCPs, logging, and BIS authorizations where needed. This ensures foreign researchers can keep contributing in U.S. labs while national-security risks are mitigated.
4. This could affect cloud and SaaS more broadly. If BIS treats access to hosted software or AI capability as an export or release of the underlying item, companies beyond frontier model developers will need to reassess their own export-control risk.
None of this means Commerce/BIS should ignore national-security risk from frontier models. Export control agencies should be deeply engaged. But export-control tools have legal limits and should not be used unpredictably. Industry needs to know what compliance means. If the concern is foreign-person access to frontier model capability and dangerous outputs, the better answer is clear guidance, transparent expectations, and sustained pre-release engagement on internal controls and safeguards for publicly deployed models.
I’m sure others will have additional and more insightful thoughts. I’d welcome any of them, particularly if you think I missed anything.
English
