Skip to main content
  1. Articles/

The White House's August 1 Deadline: Anthropic's Jailbreak Scale Becomes US Policy

·1356 words·7 mins·
Florent Clairambault
Author
Florent Clairambault
CTO & software engineer — writing daily about spec-driven development and agentic coding

The White House’s August 1 Deadline: Anthropic’s Jailbreak Scale Becomes US Policy

Three weeks ago this blog covered Anthropic getting a global product pulled from the market by the US Commerce Department over a single jailbreak. Two weeks ago it covered that ban getting lifted after Anthropic shipped a new safety classifier. Last week it covered the four-company framework Anthropic published to formalize how it scores jailbreak severity going forward. This week, all three threads converge into something bigger than any one of them: a government-brokered deal, due to be finalized by August 1, that turns Anthropic’s scoring scale into shared federal policy and gives Washington a standing 30-day look at frontier models before anyone else gets one.

What Actually Got Announced
#

The mechanism is Trump’s June 2 executive order, “Promoting Advanced Artificial Intelligence Innovation and Security.” It asks frontier AI developers to give the federal government access to a model for up to 30 days before public release — but only for models the NSA designates as “covered frontier models” through a classified benchmarking process the order itself doesn’t define yet. That definition is what’s due August 1: the NSA, Treasury, and CISA have that deadline to deliver the classified benchmark spelling out which models trigger the review window, what materials get shared, who participates, and how confidentiality is protected.

Running in parallel, and explicitly folded into the same negotiation, is the jailbreak scoring system Anthropic published on July 2: the Cyber Jailbreak Severity (CJS) framework, built jointly with Amazon, Microsoft, and Google as Glasswing partners. Five tiers, CJS-0 (Informational) through CJS-4 (Critical), scored across four dimensions — capability gain, breadth across attack categories, ease of weaponization, and discoverability — combined on an exponential rather than linear scale. Anthropic’s own example is the cleanest explanation of why the scale is exponential: a technique that surfaced the Log4Shell vulnerability before its 2021 disclosure would score CJS-4. The identical technique today, after Log4Shell became textbook knowledge, scores zero. Severity isn’t about what the jailbreak reveals — it’s about what it reveals that isn’t already public.

Reporting this week says an announcement formalizing both pieces — the review mechanics and the shared scoring scale — is expected as early as the first week of August, timed to land right after the classified-benchmark deadline.

“Voluntary” Is Doing a Lot of Work
#

Read the executive order’s own language and the framework looks genuinely optional: “Nothing in this section shall be construed to authorize the creation of a mandatory governmental licensing, preclearance, or permitting requirement.” Companies can legally decline to participate.

Except Anthropic just spent nineteen days finding out what happens to a company that effectively declines. Fable 5 and Mythos 5 went dark globally on June 12 after Amazon’s own researchers reported a jailbreak, restored only on June 30 after Commerce Secretary Howard Lutnick was satisfied with Anthropic’s response. The price of restoration, per Lutnick’s letter, was three standing commitments: proactively detect and address security risks, work with government on protocols and standards, and inform the government of any malicious activity discovered — plus, going forward, pre-release access to future models and real-time reporting on jailbreak and misuse patterns. That’s not a voluntary framework Anthropic is choosing to join. That’s the settlement terms of an emergency shutdown, generalized into a template the other four labs are now being asked to adopt before the government decides they need the same treatment.

This is the same pattern this blog has flagged with the Cyber Jailbreak Severity scale as a technical artifact and with Project Glasswing as an access program: Anthropic keeps turning a defensive necessity into the industry’s reference implementation. CVSS didn’t become the universal vulnerability-severity standard because vendors loved being scored — it became universal because someone had to build the first version, and first movers set the vocabulary everyone else argues in afterward. Anthropic is positioning CJS the same way, and the White House’s August 1 deadline is about to hand it the closest thing to regulatory backing that a private company’s risk framework has gotten in this industry.

The Part That Should Worry Every Other Lab
#

Google is reportedly already in discussions with the government before releasing coding models with cyber capabilities beyond earlier generations — meaning Gemini 3.5 Pro’s already-delayed GA timeline now has a second gate to clear that has nothing to do with training quality. OpenAI’s GPT-5.6 Sol/Terra/Luna family is living proof of what happens once a model clears “covered frontier” status: it’s been sitting in limited preview with roughly 20 government-vetted organizations since June 26, with GA pushed to “coming weeks” for a model that was originally expected in early July. If the August 1 framework formalizes the review window industry-wide, every lab shipping a model with meaningful cyber capability inherits Anthropic’s timeline problem, not just Anthropic’s scoring vocabulary.

What This Actually Means If You Build on These Models
#

For a developer running Claude Code, GitHub Copilot, or Gemini CLI day to day, none of this changes your terminal tomorrow. But it changes the shape of the pipeline feeding your terminal, in three concrete ways.

Release cadence gets a new bottleneck. The 30-day pre-release window applies before a model reaches “trusted partners,” which in Anthropic’s case has historically meant Claude Code getting access before the general API. A NSA classified benchmark that’s slow to update, or a dispute over whether a given model crosses the “covered frontier” line, is now a variable in how fast frontier capability reaches your CLI — on top of the usual training and eval timelines.

Jailbreak classifiers will keep producing false positives, and now there’s a shared vocabulary for arguing about it. The classifier Anthropic shipped to satisfy Commerce blocks the Amazon-discovered attack pattern in over 99% of attempts — and, by Anthropic’s own admission, also misfires on legitimate coding and debugging requests, routing them to Opus 4.8 instead of Fable 5. If your team relies on the highest-tier model for a debugging session that happens to resemble a blocked pattern, CJS is the reason you got downgraded mid-task without an obvious explanation. Knowing the scale exists at least gives you a name for the mechanism when you’re filing the support ticket.

“Covered frontier model” is about to become a real compliance category, the way “critical infrastructure” or “covered entity” already are in other regulatory regimes. If your company builds products on top of frontier APIs — not just uses Claude Code, but ships an agent, a copilot, or an automated pipeline built on Claude, GPT, or Gemini — the August 1 definitions are worth reading when they land, because they’ll shape which upstream model updates arrive on a predictable schedule and which arrive on a government-review schedule instead.

The Honest Take
#

None of this is Anthropic acting in bad faith. A company whose flagship product just got yanked from the global market by executive order has every incentive to build the tightest possible case that its safety process is rigorous, standardized, and worth trusting with less oversight next time. CJS is a genuinely useful piece of engineering — a CVSS-style common vocabulary for jailbreak severity is overdue, and the exponential decay-with-public-knowledge design is smarter than a naive linear scale.

But it’s worth being clear-eyed about what’s actually happening here: a private company’s internal risk framework, built under duress after a real regulatory crisis, is on track to become the operative federal standard for an entire industry within about four weeks, negotiated by five companies and two government agencies with no public comment period in between. Whether that’s the fastest path to a genuinely safer AI industry or a permanent structural advantage for whoever wrote the first draft depends entirely on what the NSA’s classified benchmark actually says on August 1 — and by design, most of us won’t get to read it.


Sources: Anthropic — More details on Fable 5’s cyber safeguards and our jailbreak framework · NPR — Trump’s new AI safety order seeks voluntary review of new models · Tech Times — AI Model Safety Standards Deal Targets August 1 · Awesome Agents — US Ends Fable 5 Ban, Sets Jailbreak Severity Scale · Let’s Data Science — Trump’s June 2026 AI Executive Order

Related