Crestvale Newsroom

US export controls shut off Anthropic models

AI access is no longer just a product feature. It is becoming controlled infrastructure. In this episode, we break down how U.S. export controls forced Anthropic to shut down major models globally, and what that signals for any team relying on third-party AI. The shift has real consequences. Security workflows can stop overnight. Vendor risk now includes geopolitical decisions. And at the same time, critical vulnerabilities like the Splunk remote code execution flaw show how quickly your core systems can become liabilities if exposed. We also cover Wallarm's push into full visibility for AWS environments, and a new regulatory move as state attorneys general subpoena OpenAI over model behavior and data handling. Plus, key updates on cyber training, AI governance, and the changing shape of security teams. Learn more at https://crestvale.io

SPEAKER_00

Your AI security tooling can now disappear overnight because of a policy decision you do not control. And if your detection stack is exposed, an attacker might not just get in, they might rewrite what you think is happening. This is the Crestvale Newsroom Daily Podcast.

The US government just demonstrated something that changes how you should think about AI dependencies. It can effectively turn off access to a frontier model overnight. Anthropic shut down access to its Fable 5 and Mythos V models globally after new export controls targeted foreign nationals. The restriction was not limited by geography. It applied to people, not infrastructure. And Anthropic could not enforce that cleanly. So they pulled access for everyone.

This is the key shift. AI access is no longer just a product decision. It is now controlled infrastructure. If your team relies on external models for security workflows, code analysis, or vulnerability discovery, those workflows are now exposed to geopolitical risk. In this case, Mythos 5 was actively used in vulnerability research. Those pipelines stopped immediately. No phaseout, no migration window. Just gone.

What triggered it is also worth paying attention to. The cited issue was a narrow jailbreak involving code analysis. Anthropic itself noted similar capabilities exist in other models. So the enforcement line is not clean. That uncertainty matters more than the specific restriction, because now you have to assume that access decisions can be inconsistent, fast, and outside your control.

This is the part that should stick. If a model sits in your critical path, it is now a regulated dependency, not a service you can assume will always be there. That means fallback models, redundant workflows, and clear boundaries on where you rely on third-party AI versus what you can run, or replicate yourself.

Now, if that risk feels abstract, the next story is very concrete. Splunk Enterprise is dealing with a critical pre-auth remote code execution flaw. No login required. If your instance is exposed, an attacker can execute code immediately. And this is not just any system, this is your visibility layer. If Splunk is compromised, your logs can be altered, alerts can be suppressed, detection logic can be manipulated. You lose trust in the system that tells you what is real during an incident. That is a worst-case scenario.

Exploitability here is low effort. The issue ties back to exposed server command access. That means attackers will move quickly. This is not something to schedule. If Splunk sits anywhere near your security critical path, patching this is priority one, because until you do, you cannot fully trust what your environment is telling you.

Meanwhile, Wallarm just made a move that is less dramatic, but strategically important. They launched AWS-wide infrastructure discovery with flat pricing and a free tier. That sounds like a pricing update. It is not. It is a direct attack on a long-standing problem in cloud security. Most tools charge more as you discover more, which quietly discourages full visibility. Wallarm flipped that. Pricing is based on accounts, not assets. So large environments are no longer penalized for turning on complete discovery. That matters right now because AI workloads are spreading fast. Agents, APIs, and data flows are multiplying across accounts and regions. And most teams do not have a clean inventory. Regulators are about to care about that. Wallarm is positioning this as the first layer of AI governance, and that framing is accurate. You cannot govern what you cannot see.

Now, on the regulatory front, scrutiny is accelerating. A coalition of state attorneys general has subpoenaed OpenAI. This is not a light touch inquiry. They are asking for documents on advertising, engagement tactics, model behavior, and how sensitive data is handled, including data from minors. What stands out is the focus on product mechanics, not just data storage or privacy policies. They are looking at how models influence users, how engagement is shaped, and how safety tuning works in practice. That pulls product design directly into regulatory scope. OpenAI says it is cooperating and adding safeguards, especially for younger users, but the broader signal is clear. AI providers are now being treated like regulated platforms. For you, that changes vendor risk. You need clarity on how models handle data, how they behave, and how your use cases might expose you, especially if you touch sensitive populations or regulated data.

Here is what else is worth knowing today. The Federal Bureau of Investigation is moving cyber training into full-scale simulated environments. This signals a shift away from tabletop exercises toward realistic, infrastructure-level incident response. Mercedes-Benz Korea is standardizing AI outputs through a governed semantic layer. The takeaway is simple. Without shared business logic, your AI systems will generate inconsistent answers. Bug Hunter is pushing vulnerability discovery closer to push-button execution. That lowers the barrier for attackers and raises the baseline threat level defenders need to assume. Accenture is signaling the end of scaling security teams by hiring more analysts. The focus is shifting to operators who can use AI and translate risk into business decisions. Ripple is exploring AI agents as economic actors. Early signals suggest interoperability will matter more than speed in machine-to-machine payments.

Before we close out, here is a quick look at where markets landed. Equities closed higher in the previous session, with both SPY and QQQ moving up, suggesting continued strength in large cap and tech. The 10-year yield also moved higher, pointing to sustained pressure in rates. In commodities, gold pushed higher and oil moved down, while Bitcoin also climbed, showing mixed signals across inflation-sensitive assets and digital stores of value.

Here is the takeaway. If a system is critical to your security or operations, assume it can fail, be pulled, or be compromised, and design around that reality now. Tomorrow, we are watching how vendors respond to rising regulatory pressure on AI behavior and data handling. If this was useful, follow the Crestvale Newsroom daily podcast so you don't miss it. Thanks for listening.