AI in 15 — June 22, 2026

Ten days ago, the U.S. government pulled the most advanced AI model on Earth off the market. Anthropic promised it would be back in "the coming days." That was last week. As of this morning, hundreds of millions of people still can't use it.

Welcome to AI in 15 for Monday, June twenty-second, 2026. I'm Kate, your host.

And I'm Marcus, your co-host.

Day ten of the Fable blackout, Marcus, and the promised relief hasn't come. That's our lead. Then the story everyone on Hacker News is arguing about — Claude is about to ask some users for a government ID and a live face scan.

Why a Chinese open model just beat GPT on coding, at one-sixth the price.

Why ChatGPT just slipped below half the market for the first time ever.

And a brand-new attack that turns your AI coding assistant against you with a single fake bug report.

Lead story, Marcus. On Saturday we said relief looked days away — Anthropic's Seoul team sounded confident. It's Monday. Where are the models?

Still dark, Kate. Both Fable 5 and Mythos 5 have now been offline for roughly ten days, and that confident promise from the Seoul office launch — "available again in the coming days" — has quietly aged into an embarrassment. Anthropic is complying with a legal directive it openly calls a misunderstanding, and there's no public timeline anymore. Access to their other models is fine. It's specifically the two best ones that the government reached in and switched off.

And there's a new thread on the Korea side, right?

There is, and it sharpens the whole thing, Kate. The Korean carrier at the center got named — it's SK Telecom. The White House ordered SK Telecom's access to Mythos, through a program called Project Glasswing, revoked over alleged ties to China. And it wasn't just them. Samsung, SK Hynix, and Korea's own Internet and Security Agency all lost Glasswing access too. So Anthropic opened a shiny new Seoul office on June eighteenth, in the middle of the U.S. government cutting off Korea's biggest tech names from its flagship product. Awkward doesn't begin to cover it.

Remind people what actually triggered this, because it still sounds thin to me.

It is thin, Kate. As we covered last week — Amazon, one of Anthropic's largest investors, found that if you ask Fable to "fix this code," it would surface exploitable vulnerabilities while doing it. They walked that up to the White House as a jailbreak, and Commerce ordered the models suspended for every foreign national, anywhere — including Anthropic's own foreign-national employees. Anthropic's review found, their words, "a small number of previously known, minor vulnerabilities" that are "widely available from other models."

So the precedent stands, even before we know how it ends.

The precedent is the whole story, Kate. For the first time, the U.S. treated a commercial AI model like a weapons system — embargoed it the way you'd embargo missile-guidance software. And here's the consequence nobody in Washington seems to be pricing in: every single day Fable stays dark is a day developers go shopping for an alternative that can't be switched off. Which, conveniently, brings us to almost everything else on today's show.

Quick hits. And Marcus, this is the one that lit up Hacker News — six hundred-plus points. Starting July eighth, Claude can ask you for a government ID and a live selfie.

Right, and let's be precise, because there's some panic mixing fact and fiction, Kate. Beginning July eighth, Anthropic can require some Claude.ai and Claude Code users to verify with a government photo ID plus a live selfie, run through a vendor called Persona. What they collect is significant — the ID image, your photo and video, and facial-geometry templates. Free, Pro, and Max accounts are all in scope. Team and Enterprise run on separate terms.

But not everyone gets asked, correct?

Correct — and this is the part the headlines flatten, Kate. Anthropic says most users will never see it. It's triggered by signals — requests touching certain sensitive capabilities, access from unsupported regions, age verification, or fraud patterns. It's targeted, not universal. But the principle is what set people off.

And the principle is — this is KYC for AI. Know Your Customer. Same thing your bank does.

Exactly, Kate. The same identity machinery we built for banking and crypto is now arriving for frontier AI. And the Hacker News crowd connected it instantly to the Fable ban. One non-U.S. commenter said the restrictions had "created a viable international LLM market where it was hard to justify investment two weeks ago" — and that Opus 4.8 might be "the best American model I will ever have access to." Another warned that OpenAI runs a similar check, but if you fail it, you're permanently locked out. No retry.

That's chilling. One bad face scan and you're done.

And there was this one line that stuck with me, Kate: "Funny how no one talks about AI neutrality the way we used to talk about net neutrality." Now — the honest counterweight is that this is partly about age safety and abuse prevention, which are real problems. But stack it on top of the export ban and the shape is unmistakable: access to the best models is becoming gated by who you are and where you're standing. And worth noting — ChatGPT and Gemini still don't ask for ID for normal consumer use. That's a competitive wedge sitting right there.

Which is a perfect segue, Marcus, because if you're a developer who's nervous about gates — China just handed you an exit. GLM-5.2.

This is the open-model counterpunch, Kate, and it's a serious one. Z.ai — formerly Zhipu — released GLM-5.2 on June sixteenth. It's a seven-hundred-fifty-three-billion-parameter model, mixture-of-experts, released under a permissive MIT license, weights sitting on Hugging Face for anyone. And it beats GPT-5.5 on SWE-bench Pro — sixty-two-point-one to fifty-eight-point-six — a real-world coding benchmark. It tops GPT on every coding benchmark where they both have scores.

And the price is the headline.

The price is the knockout, Kate. Through OpenRouter it runs around a dollar-forty per million input tokens — roughly seventy-two percent cheaper than Claude or GPT, and about one-sixth the cost on output. The catch is hardware: running the full thing locally needs around eight H100 GPUs, so most teams hit it through an API. But the MIT license means there's no legal barrier to building a business on it.

So I hear "frontier-class, no restrictions, can't be switched off, dirt cheap." That's a heck of a pitch the week Fable went dark.

It's the exact pitch, Kate — and I want to be the skeptic here, because somebody should. Benchmark wins don't always survive contact with real-world reliability; a model can ace SWE-bench and still flake on your actual codebase. And step back and ask why a Chinese lab gives away a frontier coding model for free under the most permissive license there is. Undercutting the paid Western labs isn't a side effect of that strategy. It is the strategy. So — genuinely impressive engineering, and I'd keep one eyebrow raised about the motive.

Applaud the model, watch the hand.

That's the posture, Kate.

Next, a milestone I genuinely didn't expect this year, Marcus. ChatGPT just fell below fifty percent market share.

First time ever, Kate. Per Sensor Tower's State of AI 2026 report, ChatGPT's share of the assistant market dropped to forty-six percent by late May. Gemini climbed to twenty-eight, Claude to ten. Now — in raw users, ChatGPT still towers: one-point-one billion monthly users, versus Gemini's six hundred sixty-two million and Claude's two hundred forty-five million. But the direction of travel has flipped.

What's driving it? Why now?

Two engines, Kate. Gemini is riding Google's ecosystem — it's just there, in your Gmail, your Android, your search. And Claude is winning on quality of customer: it leads the field on paid conversion at thirteen percent, the best of anyone. But here's the data point I can't stop thinking about. OpenAI's Department of Defense deal back in February triggered a measurable spike in app uninstalls.

So people quit over the Pentagon contract. They voted with their values.

They voted with their values, not just their feature checklist, Kate. And that's the real lesson. The "ChatGPT equals AI" monopoly era is ending, and what replaces it is a genuine three- or four-horse race. That changes pricing power, it changes how seriously each lab takes user trust — and it means brand trust is now a real asset, or a real liability. For consumers, competition at the top is healthy. One company at fifty-plus percent never was.

Now the security story, Marcus, and this one made my skin crawl. It's called "Agentjacking."

It deserves the reaction, Kate. Researchers at Tenet Security disclosed a brand-new attack class that turns AI coding agents into command runners for an attacker. Here's the mechanism. Lots of websites publicly expose something called a Sentry DSN — basically the address their error-tracking points to. An attacker finds that, submits a fake error report with malicious commands hidden inside it, and then waits. When an AI agent pulls in that error to "diagnose" it, the agent reads the attacker's instructions as if they were the task — and runs them.

So the agent helpfully executes the booby trap because it's trying to be useful.

Exactly, Kate. And it can leak environment variables, Git credentials, private repo URLs — the keys to the kingdom. It worked against Claude Code, Cursor, and OpenAI Codex, across Windows, Mac, and cloud pipelines. Tenet found two thousand three hundred eighty-eight organizations with exposed DSNs, and AI assistants at more than a hundred companies — including a Fortune 100 firm — actually ran their test payload.

Did anyone fix it?

Partially, Kate. They reported it to Sentry on June third; Sentry added a filter for that specific proof-of-concept text. But there's no universal fix, because this isn't a bug in one product — it's the structural cost of agentic autonomy. This is prompt injection made concrete and at scale. Every time an agent autonomously ingests untrusted external data — an error log, a support ticket, a web page — that input becomes a potential code-execution path. And your firewall and your antivirus miss it completely, because it just looks like a developer using a trusted tool.

So the smarter and more independent we make these agents, the bigger the soft underbelly.

That's the trade we're all signing up for, Kate, mostly without reading it.

Last hit, and it ties a bow on the whole episode, Marcus. While the U.S. builds walls, Switzerland just gave its model away. Apertus.

Apertus — Latin for "open," Kate, and they meant it literally. It's from EPFL, ETH Zurich, and the Swiss National Supercomputing Centre. A fully open multilingual model, eight billion and seventy billion parameters. And "fully open" here is the real deal — not just the weights, but the architecture, the training recipes, even the scripts to reconstruct the data. Trained on fifteen trillion tokens across more than fifteen hundred languages, forty percent of it non-English, built to satisfy the EU AI Act.

And people are connecting it to this exact moment.

Explicitly, Kate. A top Hacker News comment put it bluntly: "It has become more pressing that everyone outside the U.S. think about tech sovereignty, because the U.S. has become an unsafe place to keep your data." That's the export ban and the ID checks talking. Although — fairness — the skeptics in that same thread noted Apertus "moves at the speed of a committee" and still hallucinates on the very multilingual tasks it's built for.

So can a committee actually keep frontier pace?

That's the open question, Kate, and I won't pretend it's settled. But the demand has never been clearer. Between Apertus, Allen AI's OLMo, and others, sovereign fully-open AI has gone from research curiosity to geopolitical hedge.

Big picture, Marcus. Tie it together for us.

Every story today points the same direction, Kate: 2026 is the year AI access stopped being open by default. The U.S. pulled a commercial model off the market on national-security grounds. Anthropic is rolling out face-scan ID checks. The labs are gating, verifying, and militarizing. Walls going up.

And the reaction to the walls?

Is the rest of the show, Kate. China ships a frontier-class open model at one-sixth the cost. Switzerland gives one away fully open. And users start migrating on values — uninstalling over a Pentagon deal, walking away from the company that won't be gatekept. Here's the Western read I keep landing on: gatekeeping frontier models might genuinely protect against misuse — but it is manufacturing the exact competitor ecosystem it's afraid of. Every restriction is a free marketing pitch for the unrestricted open alternative.

And the optimistic read?

That a genuinely multipolar, competitive AI market is healthier than one company sitting above fifty percent, Kate. Both of those are true at the same time, and that's the tension worth carrying out the door. The good news — the frontier is still largely Western and still genuinely dazzling. The risk is that we keep rationing it on a Friday-night phone call until the rest of the world simply builds its own and stops asking permission.

Ten days dark, and the alternatives are getting cheaper by the hour.

That's the clock everyone in Washington should be watching, Kate.

That's your AI in 15 for today. See you tomorrow.