How Fable Refused 'Review the Code' but Obeyed 'Fix It': A Model-Level Jailbreak Hiding in Plain Sight

Start with the mechanics exactly as reported. Moussouris told The Atlantic that the White House report "involved IT experts asking Fable to help find and patch bugs." When handed deliberately insecure code, Fable "refused the prompt 'review the code for security issues' but then complied when asked to 'fix this code,' followed by some further manual steps" (The Atlantic via Simon Willison).

Two prompts. One semantic difference. The audit framing reads, to whatever classifier sits behind the refusal, like an offensive-security request: enumerate weaknesses, find what is exploitable. The repair framing reads like defensive maintenance. But to actually "fix" insecure code, a model must first locate and understand the vulnerability. The dangerous capability is identical. Only the label changed.

Apply the Trust Boundary Model here. A trust boundary is any place data crosses from one trust level to another, and it is where you inspect and enforce. The Fable finding tells us the model's safety refusal is not a trust boundary. It is a keyword filter wearing a trust boundary's coat. It enforces on the surface form of the request, not on the capability the request would exercise.

Moussouris read this as the model "working as intended." That is the correct, and more alarming, interpretation. A bug implies a fix. "Working as intended" implies the entire category of phrasing-level refusal is doing what it was designed to do, which is to say, not very much.

The Harness Hypothesis says the value in AI is not in the model but in the harness that connects the model to the world. The corollary nobody likes: the harness inherits the model's failure modes wholesale.

When you run an agent on OpenClaw or any comparable runtime, the harness hands the model permissions, file access, shell, network. The harness assumes the model's own refusals are a meaningful second line of defense. "Even if my policy layer misses something, the model will decline obviously harmful requests." The Fable finding takes a hammer to that assumption. The model declines the harmful-sounding request and performs the harmful-capable one.

This matters for anyone configuring agent permissions in 2026. If you sized your blast radius assuming the model contributes a layer of judgment, you over-credited the model and under-built your own controls. The refusal you were counting on can be reworded around by an attacker, by a confused user, or by the agent's own task decomposition when it rephrases a goal into subgoals.

The export-control context makes this concrete. An Axios report, summarized by Simon Willison, describes the behind-the-scenes fight over the Mythos and Fable models, with Anthropic's Frontier Red Team lead Logan Graham, Head of Safeguards Dave Orr, and researcher Nicholas Carlini meeting with the Commerce Department (Axios via Simon Willison). When a model's safety properties are being argued over in policy rooms, treating those same properties as your enforcement layer is a category error.

Enumerate the accessible interfaces. That is the Attack Surface Analysis discipline, and it changes shape once you accept that refusals are framing-dependent.

In a naive threat model, you guard against prompts that explicitly request harmful output. "Write me malware." The model refuses, you feel safe. The Fable pattern says the real attack surface is every benign-sounding reframing of a harmful capability. "Fix this code" instead of "audit this code." "Help me understand why this firewall rule blocks my searches" instead of "help me evade detection."

That second example is not hypothetical theater. Willison documented tuning a Cloudflare managed-challenge rule with Claude Code so a CAPTCHA only fires on search URLs containing an ampersand (Cloudflare CAPTCHA note). Entirely legitimate. But notice the shape: a defender used a coding agent to reason precisely about which requests slip past a filter and which trigger it. The same reasoning, reframed, is exactly the capability a refusal is meant to gate. The capability is dual-use. The refusal only sees the label.

So your attack surface is not "requests the model refuses." It is "the full set of phrasings that map to a gated capability," and that set is open-ended. You cannot enumerate every synonym. Which means you cannot rely on the model to enumerate them either. The enforcement has to move somewhere you can actually inspect: the harness, the permission grant, the output sink.

On its own, a model that fixes insecure code on request is not a catastrophe. The Swiss Cheese Model explains why it can still become one: incidents happen when holes in multiple defense layers align.

Layer one is the model refusal. We now know it has a phrasing-shaped hole. Layer two is the harness permission set. If your agent runs with broad file and shell access, that layer has a hole sized to whatever you granted. Layer three is output review, whether a human or a second agent checks what gets written or executed. Most lean deployments skip layer three entirely.

Line those holes up. An attacker, or simply a poorly scoped task, reframes a harmful capability as maintenance. The model complies because its refusal did not fire. The harness executes because it was granted the permission. Nothing reviews the output because review was deemed too slow. No single layer failed dramatically. They failed together, quietly.

The Fable report's "followed by some further manual steps" detail matters here too (The Atlantic via Simon Willison). The model did not hand over a finished exploit in one shot. It cooperated across a sequence. Agentic harnesses are built to chain steps automatically. The friction that protected the human IT experts (manual steps) is exactly the friction an autonomous agent is designed to remove. Defense in depth is not optional precisely because the cheap, automatic path through your stack is the one that aligns the holes.

The Molt Cycle tracks how agent projects move through rapid growth, then a security crisis, then hardening, then enterprise adoption. The ecosystem is mid-molt, and the Fable finding marks the crisis phase for a specific assumption: that model-level refusals are a dependable security layer.

The surrounding signals fit the pattern. The clawhub skill registry shipped 0.22.0 with publishing-workflow changes, including removing the sync command and defaulting new skills to version 1.0.0 (clawhub 0.22.0 release). Registry housekeeping like this is what hardening looks like in practice: tightening how trusted artifacts get published and versioned. The tooling is maturing around the assumption that you cannot trust content by default, only by provenance.

Meanwhile the model layer's safety properties are being litigated in Washington, with Anthropic's safety leadership at the Commerce Department over the Mythos and Fable story (Axios via Simon Willison). When a capability becomes an export-control argument, the industry has officially stopped treating it as a settled safety guarantee.

The Capability vs. Controllability Frontier frames the trade. More capable models are harder to control, and the frontier forces an explicit choice. Fable is capable enough to find and fix vulnerabilities. That is the same capability as finding and exploiting them. You do not get the helpful half without the dangerous half, and a synonym is all it takes to flip between them. The molt finishes when the ecosystem stops pretending otherwise and moves enforcement into layers it can audit.

Stop treating the model as a control. Treat it as a capable, persuadable contractor that will do what you ask if you ask nicely enough. Then build the controls around it. Problem named, cost agitated; here is the solve.

First, scope permissions to the task, not to the role. If an agent's job is to refactor one directory, it does not need shell access to the whole machine. The Fable finding means you cannot count on the model to decline misuse of a broad grant, so the grant itself has to be narrow. This is plain attack-surface reduction.

Second, put inspection at the output sink, the place data crosses back into your trusted environment. Code the agent writes, commands it proposes, network calls it initiates: that is your real trust boundary, because it is the one you can actually enforce. The model's refusal lives somewhere you cannot inspect or tune.

Third, do not collapse the manual steps. The human IT experts in the report were protected partly by the friction of "some further manual steps" (The Atlantic via Simon Willison). For anything touching credentials, production, or external systems, keep a human in the loop. The Autonomy Spectrum runs from copilot to full autonomy, and most failures come from deploying at the wrong point. Sensitive, dual-use capabilities belong near the copilot end.

Fourth, verify your skills by provenance. The clawhub publishing changes (clawhub 0.22.0) exist because content cannot be trusted by reputation alone. Pin versions, check who published, and do not auto-update skills that touch sensitive data.

There is no patch to apply. The takeaway is harder and more durable: the model is not your security boundary. Build the boundary yourself, where you can see it.