Anthropic argues the jailbreak researcher bypassed the model's conversational refusals, not the independent classifier systems that gate dangerous content. The dispute is a clean demonstration of what frontier safety actually looks like.
When jailbreak researcher Pliny the Liberator posted screenshots claiming to have "liberated" Anthropic's newly launched Claude Fable 5 model, coaxing it through multi-agent prompting to discuss cybersecurity, chemistry, psychological manipulation, and explosives, the company's response was not a fix or a denial of the screenshots. It was an architecture lesson. Anthropic told SecurityWeek that Pliny's trick bypassed the model's conversational refusals but never touched the independent classifier systems the company considers its real safety perimeter.
The distinction sounds technical, but it is the actual story. "Jailbreak" is a word that has been stretched to cover very different things, and the Fable 5 episode is a clean case study in why that matters at the frontier tier.
Fable 5 launched earlier this week as a Mythos-class model, Anthropic's framing for its most capable systems, with domain-specific guardrails in high-risk areas like cybersecurity and biology. In those areas, Fable 5 automatically falls back to Claude Opus 4.8. Anthropic said the model was stress-tested against jailbreaks before release, both internally and with external red-teamers.
Pliny the Liberator, a well-known AI red-teaser on X (@elder_plinius), claimed the opposite in a public post, asserting that multi-agent prompting let them extract the kind of output Fable 5 was designed to refuse. Pliny also released an alleged Fable 5 system prompt on GitHub (in the ANTHROPIC/CLAUDE-FABLE-5.md file), and posted screenshots purporting to show the model producing restricted material.
Anthropic pushed back on three fronts. The company argued, first, that the demonstrated technique is a well-known limitation of large language models: conversational refusals can be coaxed into silence through clever framing, but that is not the same as disabling the underlying safety system. Second, Anthropic said its strongest protections live in independent classifier systems that run separately from the model, so overriding the model's refusals does not disable those classifiers. Third, on the specific outputs, the company reviewed Pliny's examples and concluded that some were not Fable 5 generations at all, and the rest contained only publicly available information with no meaningful uplift for harmful activity.
That third point is where the dispute gets harder to adjudicate. Anthropic's claim that some screenshots are not Fable 5 generations is a factual assertion that depends on output fingerprinting or model provenance tooling the company has not publicly detailed. The screenshots themselves, plus the released system prompt, are the researcher-side evidence, and they should be read as researcher assertion, not independent proof of a full classifier bypass.
What is not in dispute is the architecture. Anthropic's safety stack for Fable 5 has at least three layers: a model with conversational refusals trained into it, a domain router that falls back to Claude Opus 4.8 for cyber, biology, and similar high-risk topics, and a set of classifier systems operating outside the model that flag or block dangerous outputs regardless of what the model itself says. The first layer is the most visible and the most easily manipulated through prompting. The third layer is the most consequential, and it is also the one Anthropic says Pliny never reached.
The jailbreak community treats "liberating" a model as a meaningful win, and in one sense it is: it shows the conversational layer is not a hard wall. But the harder question, the one Fable 5 puts in front of readers, is whether that conversational layer was ever supposed to be. Anthropic's own framing is that it was not. The model is the front door. The classifiers are the building.
This is also why "jailbreak" is becoming a category problem. When a model can be coaxed into discussing explosives through role-play, that is a real failure mode for any deployment that relies on the model alone to gate dangerous content. When the same model, on the same input, is caught by an independent classifier that the user never sees, the safety claim still holds. The public dispute between Pliny and Anthropic is, at its core, a fight over which of those framings is doing the work.
For anyone watching the next round of Mythos-class releases, the takeaway is structural. Frontier safety is not one wall. It is a stack, and the stack has joints. The interesting question is not whether Pliny found a joint. It is which joint, and whether what is on the other side of it is something Anthropic's classifiers can still catch.