---
title: "Export controls for AI: policy aimed at the wrong layer"
description: "The US forced Anthropic to cut foreign access to Fable and Mythos. But regulating the supply of intelligence misses the real risk surface: the inferences these systems draw about us, and the open trust layer we still haven't built."
publishedAt: 2026-06-13T00:00:00.000Z
tags: ["policy","ai","trust","privacy"]
canonical: https://danielmay.co.uk/posts/export-controls-for-ai-is-policy-aimed-at-the-wrong-layer/
---

Last night, Anthropic was [forced by the US government](https://fortune.com/2026/06/13/anthropic-disables-fable-mythos-export-controls-national-security-threat/) via export controls to shut down API access to their newly released highly intelligent models, Fable and Mythos. The directive reportedly followed [another company demonstrating a way around the models' safeguards](https://www.axios.com/2026/06/12/anthropic-trump-mythos-fable-national-security) - though an independent security researcher who reviewed it calls it [defensive research, not a jailbreak](https://fortune.com/2026/06/13/anthropic-fable-mythos-models-commerce-deparment-export-restrictions-jailbreak-defense-prompting/). The net result is that "foreign nationals" will no longer be permitted access to the models. Anthropic [seems resistant to the orders](https://www.anthropic.com/news/fable-mythos-access), calling it a misunderstanding, but legally had to comply.

Pro-AI commentators are crying foul with good reason. The [cyber damage arguments just don't hold water](https://www.linkedin.com/posts/danielrmay_agenticai-anthropic-fable-share-7471655124914827265-D_-1/) when reviewing the [highly tuned safety classifiers](https://www.anthropic.com/news/claude-fable-5-mythos-5) that shipped with it. The US intervened in [export controls back in the 90s too](https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States), famously restricting strong cryptography. The net result of that was stifled innovation - we owe our ability to safely process billions of credit card transactions online to the guarantees provided by 128-bit cryptography and the open web stack that was worked on by thousands of volunteers and foundations. Many who have grown up on the modern internet are surprised to hear that there was a "US" and an "international" version of Netscape, with different security guarantees, caused by export controls. Not only are there consumer implications, but this impacts how model labs operate, immigration at a time of flux and early stage US startup investing.

The AI skeptic or policy advocate may see this as a win regardless, simply because it represents the government extending some control over what they see as an AI boom or bubble that is out of control. We see stories about how observed [sycophantic behavior](https://techcrunch.com/2025/04/29/openai-explains-why-chatgpt-became-too-sycophantic) from models and user obsession due to lack of adequate safety controls are causing real people real harm. But that view lacks nuance too, because the export controls as imposed, just like the ones imposed back in the 1990s, do not stop the proliferation of LLM enhanced applications.

The AI companion or personal assistant startup knows this, puts the data privacy question on ice (because so long as we're using TLS and allowing deletion of data, we're [compliant](https://oag.ca.gov/privacy/ccpa), right?), and builds an interface the user recognizes but is more tailored in some direction to their specific needs. Maybe it's an AI-enabled photos app that invokes the model with your photos, or maybe it's a therapy app in which you divulge your secrets.

This model-context data problem isn't confined to the easy-to-bash "LLM wrapper" products: it's also evident in client applications provided by major model labs, mostly as "memory" now. In one provider's consumer chat client, memories are shared with the user via the settings menu, clearly having gone through some kind of compaction process to summarize my previous chats. In agentic terminal-focused coding interfaces like Claude Code, [memories are managed in markdown files](https://code.claude.com/docs/en/memory) operated on by the model's intelligence directly. Oftentimes, faulty assumptions made by agentic assistants can be traced to complex document-memory retrieval and indexing architectures that don't scale or error-prone compaction that incorrectly rewrote a false to a true. The two interfaces don't share data even inside the same provider, showing us that there are key differences between what context matters when, but the emergence of primitives is clear.

Meanwhile, the government has chosen to regulate the *supply* of intelligence when the actual risk surface is the *handling* of those context packets.

What lands in memory is often the most sensitive part - not what you typed, but what the system concluded from it. In the positive case context of my Claude Code session, automatically saved memories may contain motivations behind products I'm building that could be private. In the negative case context of a therapy assistant application, that might contain a medical diagnosis that is factually incorrect ("hallucinated").

The pieces of a trust layer exist, but only in patches. [California already treats inferences as personal information](https://oag.ca.gov/system/files/opinions/pdfs/20-303.pdf) you can ask to see (impractical, opaque at the point of use), and there's [early work on portable AI memory](https://arxiv.org/abs/2605.11032). What there still isn't is anything that works across products in the same manner as the open protocols the web was built on, or any agreement on what it looks like to share, delegate, or revoke an inference once an app holds one. For the past 25 years, we've treated data as the thing to protect. That made sense when the largest companies in the world collected inert data about clicks. The harder problem, and the one [researchers have been pointing at since 2018](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3248829), is what to do about the inferences drawn from that data - the assumptions a system makes about you that you can't see, can't predict, and often can't correct. That power has been handed to everyone building in their bedroom now.

We must move quickly in building the open infrastructure to support safer inference on consumer data. Last time we experienced this kind of trust gap in technology, innovation was labor-intensive enough that the rate of harm to the consumer was manageable. We were integrating with POTS telephonic systems, fax machines, legacy mainframes and real humans. This time, we're caught: we've had our foot off of the "data sovereignty" gas for long enough that the time to launch and gain traction on a harmful product is shorter than it has ever been before. I've approached startups building companion apps with investment backing, posed ethical questions and have never received a satisfying answer.

I don't want to just call out the problem, I want to help fix it, but I know I'm not capable of doing it alone. I've started sketching what this could look like in practice. Will you help me develop mechanisms that let users inspect, correct, revoke, delegate, audit, and move the inferences made about them? Send me an email if you're interested. daniel@danielmay.co.uk