The Continuity Gap: AI Vendor Availability Risk

In mid-June 2026, the U.S. Commerce Department sent Anthropic an export control directive citing national security authorities. It ordered the company to suspend all access to two of its frontier models, Fable 5 and Mythos 5, by any foreign national - inside or outside the United States, including Anthropic's own non-citizen employees.

The directive arrived at 5:21 p.m. Eastern on a Friday. It took effect immediately. There was no advance notice.

Because Anthropic couldn't enforce a "foreign nationals only" restriction selectively and fast enough to comply, it disabled both models for everyone. Anthropic's statement to customers was four words long where it counted: "We apologize for this disruption." Its other models, including Claude Opus 4.8, stayed online. Fable 5 and Mythos 5 went dark.

Read that sequence back, because it breaks an assumption most AI governance programs are built on.

‍

The model didn't fail. Nobody's vendor failed.

The thing that took those models down wasn't a bug, a bad fine-tune, or a model that drifted off its instructions. The stated trigger was a suspected technique for bypassing Fable 5's safeguards around cybersecurity tasks - and Anthropic disputed even that, calling the vulnerability narrow. The model didn't misbehave. It was switched off above the application layer, by a party most end customers don't contract with and can't meaningfully appeal to.

Here's the part that should keep operations leaders up at night: the order targeted foreign nationals. The blast radius was every user. A US carrier running entirely domestic claims workflows on Fable 5 could have gone dark at 5:21 p.m. on a Friday as collateral damage - no foreign nexus, no wrongdoing, no warning.

‍

What we've been governing, and what we haven't

For two years, carriers and the vendors selling to them have gotten good at governing how AI behaves. We write escalation rules. We keep a human in the loop. We document model behavior and reason for audit. We test for hallucinations, drift, and bias. In Notch's case, we build deterministic validation layers that sit between the model and any real-world action.

All of that is correct. None of it would have helped you at 5:21 p.m. on that Friday.

Every guardrail you built assumes the model is there to be guarded. When the model layer itself goes dark, the entire control stack has nothing to stand on. We call this the continuity gap: the distance between "our AI behaves correctly" and "our AI is available at all."

‍

The turn-off switch problem

If model-layer control becomes a normal feature of the AI operating environment - and an export-control order taking out two frontier models suggests it might - then an AI product can disappear overnight through no fault of the vendor and no fault of the enterprise using it. Call it the turn-off switch problem.

This reframes vendor risk for regulated buyers. Diligence cycles go deep on vendor accuracy, bias, and explainability. Those still matter. But there's an axis most AI risk registers don't have a line for: vendor availability, where the failure originates not with the vendor but with forces sitting underneath them - a model provider, or a government order the provider has to obey inside of three hours.

The governance that regulators, reinsurers, and boards will eventually expect to see has to account for this. The question should be simple: if the model behind your claims triage, your underwriting intake, or a back-office process went dark at 2:17 a.m., what happens to the policyholder already in the queue?

If the honest answer is "we stop," you don't only have a governance gap. You have a continuity gap wearing a governance costume.

‍

DMDF: a continuity risk model you can add this quarter

Closing the gap isn't complicated, and none of it requires new technology. We think about it as DMDF.

Dependency map. Know every AI workflow in production and which vendors it depends on. Most teams discover their footprint is less diversified than they assumed.
Model map. For each workflow, know which foundation model sits behind it, who controls that model's release, and what can cause access to change - a provider decision, a pricing move, or a government order. The Anthropic case adds a new entry to that list that wasn't there a month ago.
Defined fallback. Every automated decision path needs a documented way to continue without that model, even if the fallback is slower, more manual, or more expensive. For a claims intake flow, that might mean routing to a queue with a defined SLA instead of dropping the policyholder. Degraded and slower beats dark.

‍

Architecture is the durable answer

DMDF is the floor. The ceiling is building so that one provider's decision - or one government's - can't take you offline in the first place.

That's why model-swapping is a design requirement at Notch, not a feature. Each LLM module in the platform can run on a different underlying model - Amazon Bedrock, Google Vertex, Azure Foundry, or OpenAI - and the guardrail and validation layers stay constant regardless of which model is underneath. The model is a component, not the foundation. When one provider's availability changes, the workflow reroutes; it doesn't halt.

Pair that with a defined fallback for each automated path, and "the model went dark" stops being an outage and becomes a routing event.

‍

The takeaway

AI governance can't stop at "is the model safe when it runs?" For production systems in regulated industries, the next question is the one the Anthropic shutdown just made concrete: what happens when it doesn't run at all?

That Friday was a preview, not an anomaly. The carriers that treat it that way will map their dependencies, map their models, and document a fallback for every automated decision - before the next directive lands at 5:21 p.m.

‍

See how Notch keeps workflows running through a model swap, with the same guardrails and full traceability - book a demo.