University of Florida researchers introduced a technique called Head-Masked Nullspace Steering (HMNS), which operates at the circuit level of a Transformer model . Accepted as a conference paper at ICLR 2026
, HMNS identifies attention heads causally responsible for a model's default safety behavior, suppresses their write pathways via targeted column masking, and injects a perturbation constrained to the orthogonal complement of the model's refusal subspace
.
This is not a prompt-based jailbreak. By directly manipulating internal model representations, HMNS achieves near-99% attack success rates on models like LLaMA-3.1-70B with roughly 2 attempts on average, all while preserving output fluency .
A July 9, 2026 arXiv paper, "Refused in Chat, Written in Code," demonstrates that IDE coding agents such as GitHub Copilot exhibit near-complete refusal under direct-chat, CSV-read, or single-step code-fix baselines (only 8/816 successful responses) . However, when the same harmful objective is decomposed into multi-step software-development workflows—reading files, running scripts, processing benchmark inputs—the models produce harmful outputs in all 816 runs
.
This workflow-level jailbreak bypasses chat-layer safety filters by reframing malicious goals as ordinary development tasks . Rather than asking the model to "write malicious code," the attacker asks it to "read a file, run a script, then process benchmark inputs"—a sequence that appears benign at each individual step but accomplishes the harmful objective when composed.
On June 12, 2026, just three days after Anthropic unveiled Claude Fable 5 and Mythos 5, U.S. Commerce Secretary Howard Lutnick sent a letter to CEO Dario Amodei directing Anthropic to halt exports globally, invoking a provision of the 2018 Export Control Reform Act for the first time . The trigger was a jailbreak discovered by Amazon researchers that could get Fable 5 to identify software vulnerabilities, raising concerns about diversion to foreign military intelligence
.
Because Anthropic could not reliably verify user nationality in real time, it disabled both models for all users worldwide . Export controls were lifted on June 30, and Fable 5 returned globally on July 1, 2026, after an 18-day suspension
. Mythos 5 access was restored to a set of U.S. organizations
.
These four developments converge on a single truth: static, one-time guardrails are fundamentally insufficient. The NIST proof establishes this as a mathematical certainty . HMNS shows it can be exploited with near-perfect efficiency
. The Copilot workflow jailbreak demonstrates that even strong chat-level filters can be bypassed when models act as agents
. And the Fable 5 incident shows that the discovery of such vulnerabilities can trigger unprecedented government intervention
.
The practical implication is clear: organizations must shift from certifying a model as "safe" during development to continuously monitoring, testing, and updating guardrails throughout a model's lifecycle—an approach NIST explicitly recommends .