Alexandre Bally

Could your business survive losing an AI tool overnight?

Anthropic withdrew Claude Fable 5 within hours of a US government order. Why every business in the DACH region and the UK should now design its AI dependencies for resilience.

AI-assisted content · Human-reviewed

Last week Anthropic withdrew Claude Fable 5 within hours of a US government order. The model was only days old, so few teams felt it. That makes it a low-cost preview of a risk worth designing for now, calmly, across the DACH region and the UK.

On Friday evening, a US export-control directive ordered Anthropic to cut off access to its two newest and most capable models, Claude Fable 5 and Claude Mythos 5, for any foreign national. To comply, the company switched both off for every customer, in every region, within hours. Every other Claude model kept running. Fable 5 had been generally available for only a few days, so very few teams had wired it into anything that mattered yet. The disruption, this time, was small.

That is exactly why it is worth a careful look. The mechanism is what matters, not how few people it caught. A model released a year ago, woven into hundreds of workflows and sitting behind features your customers touch, could be withdrawn in the same way and the same few hours, for the same kind of reason. The trigger here was a real security concern, and a government should be able to act on one. But the shape of the action, switching everything off for everyone at once to comply, turns a sound security decision into an operational event for every company downstream. You can agree the call was right and still need a plan for the morning the tool is gone.

Most companies cannot yet name the outside services their operations depend on. A few are obvious and sit in a procurement file: the ERP, the bank, the cloud host. The rest arrived through the side door. An engineer signed up for an AI assistant on a company card. A team began routing customer queries through a tool nobody formally approved. None of it went through a review, so none of it reached a register, so nobody asked the question Friday just made concrete: what keeps working if this is gone tomorrow?

For anyone responsible for security, the AI case has a sharper edge. These tools have spread fastest inside security work itself: triage, log review, drafting detection rules, reviewing code. A capable model gives a stretched team real hours back. It also means part of your defences may now lean on something an export order can switch off without notice, and switch off precisely because the model is good at security. The better the tool, the more it is worth depending on, and the more it is worth having a way to replace. Assuring an AI system has grown past checking its outputs. It now includes whether you can still operate the morning it disappears.

None of this is a new category of risk, and your regulator has already pointed at it. In the EU, DORA gives a whole section to ICT third-party risk and asks regulated firms to map their critical providers and plan for exit, with concentration called out by name; NIS2 puts supply-chain security and business continuity among its core duties. In the UK, the FCA and PRA have run an operational-resilience regime for years, and in January 2025 a new critical third parties regime took effect, built by the Bank of England and the regulators because too much of the financial system had come to rely on the same few providers. ISO 27001 and the NIST framework have carried supplier and cloud controls for as long as anyone has held a certificate. The direction of travel is settled. A frontier AI tool has simply joined the list of suppliers that can vanish, and it can do so in hours.

The shape of the response is not a secret. It rests on three things: knowing which outside tools you genuinely cannot run a normal day without, having a deliberate second option for the ones that matter, and proving the switch works before you need it. Most teams can name the first tool on that list in a single meeting.

The difficulty is never the list; it is the judgment underneath it. You have to tell a tool you would merely miss from one the business would halt without. The fallback has to genuinely cover you, not fail for the same reason at the same moment. And the switch has to hold on a bad morning, not in a tidy test. That judgment is what turns a register into resilience, and it is where last week separated the teams that barely noticed from the ones that scrambled.

This is the part we do, on both sides of the Channel, and you do not have to work it out alone. Small Scale builds operating models and compliance-by-design for SMEs across the DACH region, so the way you work keeps running when a supplier does not. CRMG brings deep cyber risk management to the UK and beyond, including the third-party risk and AI assurance this episode turns on. We help you find the dependencies that actually matter and choose fallbacks that hold, so the switch becomes something you have rehearsed rather than feared.

What is the one tool your business could not lose tomorrow, and do you have a second one ready to take its place?


Alexandre de Sousa Bally is Principal Consultant at Small Scale, which builds operating models and compliance-by-design for SMEs across the DACH region.

This piece also appears on the Small Scale insights page.
