Fable 5 Blocked by `"Hello"` and `"What is protein?"` — How to Diagnose and Reduce `classifier_refusal` False Positives
I'll be honest: I was caught off guard the first time I used Fable 5. The API returned classifier_refusal for a question that was clearly harmless. And I wasn't alone — right after launch, developer communities were flooded with reports of being blocked just by typing "Hello", and there were cases of a simple biology question like "What is protein?" being classified as a biosecurity threat. Anthropic issued an official apology within two days.
This single article will help you diagnose why a given query is being blocked. If you're integrating Claude into a general web service, you can immediately reduce false positives using prompt intent declaration techniques. If you work in security or life sciences, you can understand why your service suddenly goes down during a Fable 5 migration. And if you're an API service operator, you can take away a pipeline structure that gracefully handles classifier_refusal errors.
Specifically, we'll cover how the guardrails work, why false positives occur structurally, and three actionable response strategies you can apply right away, complete with code.
Core Concepts
Now let's take apart how the guardrails actually work.
Guardrails Operate Before the Inference Layer
Fable 5's guardrails are an input safety classifier positioned before the LLM inference layer. Risk is assessed before the prompt ever reaches the model, and if it's classified as a high-risk domain, one of two things happens:
- UI environment: Silently falls back to Claude Opus 4.8 instead of Fable 5, with a notification displayed
- API environment: Returns an explicit refusal response by default (fallback requires separate activation)
There are three detection domains:
| Domain | Example Triggers |
|---|---|
| Offensive cybersecurity | Exploit code, malicious scripts |
| Biological/chemical threats | Biosecurity-related queries, specific protein synthesis |
| Model reasoning extraction / distillation | Requests to echo internal reasoning processes |
Terminology: Model reasoning extraction / distillation refers to the technique of pulling a model's internal reasoning process to the surface for use in training other models. Instructions like "show me your internal thought process" or "output your reasoning verbatim" fall into this category, and it's a category Fable 5 detects with particular sensitivity.
When a refusal response arrives from the API, it looks like this:
{
"error": {
"type": "classifier_refusal",
"reason": "cybersecurity_offensive",
"fallback_available": true,
"fallback_model": "claude-opus-4-8"
}
}Terminology: Fallback is the pattern of automatically switching to a less powerful but safer alternative when primary processing fails. In Fable 5, when the guardrail triggers, Opus 4.8 serves as the fallback model.
The Structural Reason False Positives Occur
Anthropic itself disclosed at launch that "the guardrails are conservatively tuned and may flag harmless requests in fewer than 5% of sessions on average." However, this figure is based on a general query distribution, and there have been numerous reports of much higher rates in life sciences, security, and AI research domains.
The root cause is that this classifier is a classifier with limited contextual understanding. If the word cancer appears, it can't distinguish between cancer treatment research and a malicious bio-threat, so it flags it. A request to "edit my Application Security Architect resume" gets blocked because it reacts to the security keyword (see The Register article). I also thought at first, "surely this won't get blocked" — and then it did.
Even more serious was the covert guardrail issue. Shortly after launch, a clause buried deep in the system card revealed that when reasoning extraction or model distillation activity was detected, output would be quietly degraded with no notification to the user. For example, if a system prompt requested echoing the reasoning process, the response itself would subtly become shorter and shallower — honestly, I was caught off guard when I first read that system card clause. Developer communities even used the term "secret sabotage," and on June 10th, Anthropic issued an official apology and reversed the policy. Going forward, all refusals return a reason code.
Practical Application
Now that we understand the concepts, let's get to the code.
Prompt Intent Declaration — The Fastest Way to Reduce False Positives
This is the simplest and most reliably effective approach. Since the classifier's contextual understanding is limited, prepending a clear context statement to queries has been widely confirmed through community reports to reduce false positives.
# The way that frequently triggers false positives
prompt_bad = "Analyze anomalous patterns in RNA sequencing data"
# After intent declaration
prompt_good = """
Purpose: Clinical data analysis for cancer treatment research
Context: Academic research conducted under an approved research protocol.
In this context, please explain how to analyze differential expression
patterns in RNA sequencing data.
"""| Pattern | Effect | Example Application |
|---|---|---|
| Purpose declaration | Signals intent to the classifier | "For defensive forensic analysis..." |
| Context description | Expresses domain expertise | "In the context of cancer treatment research..." |
| Authorization basis | Strengthens legitimacy | "As part of an internal security audit procedure..." |
This was the most commonly overlooked part. The shorter and more technical the query, the less context the classifier has — so it has no choice but to err on the side of caution.
System Prompt Audit — A Required Check Before Fable 5 Migration
This is something many people miss when migrating to Fable 5. If your existing system prompt contains instructions like "echo your reasoning" or "explain your internal thought process", it will trigger Fable 5's reasoning_extraction category and cause frequent Opus 4.8 fallbacks.
You can use the audit script below to check ahead of time. Note that this pattern list may change across model versions, so it's recommended to also check Anthropic's official documentation for the latest trigger patterns.
# System prompt audit before Fable 5 migration
# Note: This pattern list may vary by model version; maintain it alongside Anthropic's official documentation
FLAGGED_PATTERNS = [
"echo your reasoning",
"explain your thinking step by step",
"show your internal thought process",
"extract your chain of thought",
"repeat your reasoning back",
]
def audit_system_prompt(prompt: str) -> list[str]:
found = []
for pattern in FLAGGED_PATTERNS:
if pattern.lower() in prompt.lower():
found.append(pattern)
return found
# Run the audit
triggers = audit_system_prompt(my_system_prompt)
if triggers:
print(f"⚠️ Fable 5 reasoning_extraction trigger patterns found: {triggers}")
# Alternative: replace reasoning instructions with structured output format
safe_instruction = """
Please structure your response as follows:
1. Conclusion
2. Supporting reasoning (up to 3 points)
3. Limitations or caveats
"""Fallback Activation + Monitoring Pipeline — For API Service Operators
In API environments, fallback is disabled by default. Since the Anthropic SDK does not have a built-in automatic fallback feature, the code below implements a pattern of manually re-requesting with a more permissive model on error. Note that this is a manual implementation, different from an "official fallback" feature.
import Anthropic from "@anthropic-ai/sdk";
const client = new Anthropic();
// Refusal reason logging stub — recommended to replace with an actual monitoring system like LangFuse or DataDog
function logGuardrailTrigger(data: { reason: string; prompt: string }) {
console.log("[guardrail]", JSON.stringify(data));
}
async function safeQuery(userPrompt: string) {
try {
const response = await client.messages.create({
model: "claude-fable-5",
max_tokens: 1024,
messages: [{ role: "user", content: userPrompt }],
});
return { success: true, data: response };
} catch (error: any) {
if (error?.error?.type === "classifier_refusal") {
const reason = error.error.reason;
// Log the refusal reason code — essential for identifying which categories concentrate false positives
logGuardrailTrigger({ reason, prompt: userPrompt });
if (error.error.fallback_available) {
// No SDK automatic fallback feature, so re-request directly with a more permissive model
const fallbackResponse = await client.messages.create({
model: "claude-opus-4-8",
max_tokens: 1024,
messages: [{ role: "user", content: userPrompt }],
});
return { success: true, data: fallbackResponse, usedFallback: true };
}
}
throw error;
}
}By setting up a pipeline that sends refusal reason codes (the reason field) to LangFuse or your own logging system, you can identify which categories concentrate false positives and refine your response strategy over time.
Pros and Cons Analysis
Advantages
| Item | Details |
|---|---|
| Transparent refusals | Since the June 10th policy change, all refusals return a reason code → debuggable |
| Tiered fallback | Service continuity guaranteed via Opus 4.8 fallback instead of full refusal |
| Effective threat blocking | Detection rates for malicious exploits and biochemical weapon-related queries are genuinely high |
| False positive reduction roadmap | 30-day traffic retention policy to be used for collecting false positive patterns and improving the classifier |
Disadvantages and Caveats
These are the parts I find most frustrating. Understanding the downsides as well as the advantages is what makes it meaningful to use.
| Item | Details | Mitigation |
|---|---|---|
| Limited contextual understanding | Reacts to lexical patterns rather than context; cannot distinguish intent | Prompt intent declaration |
| Domain expert impact | Medical, security, and life sciences researchers repeatedly blocked during normal work | Switch to Opus 4.8 as primary model or apply for Trusted Access Program |
| Opus 4.8 quality gap | Fallback model provides lower performance than Fable 5 | Use Opus 4.8 from the start for sensitive domains |
| API default blocks | UI auto-fallbacks; API blocks by default | Explicitly activate server-side fallback |
| 30-day traffic retention | Data governance issue for companies handling sensitive data — relevant to regulated industry service operators | Review DPA (Data Processing Agreement) first |
Terminology: A DPA (Data Processing Agreement) is a contract that defines how data is processed and who is responsible, under data protection regulations such as GDPR. It requires special attention in regulated industries like finance, healthcare, and the public sector — it's not an immediate concern for general service developers.
Terminology: The Trusted Access Program is a program through which Anthropic is gradually granting access to Claude Mythos 5 — with some guardrails lifted — to biomedical research institutions, approved cybersecurity organizations, and US government partners (Project Glasswing). You can find application procedures in the official documentation at
platform.claude.com.
The Most Common Mistakes in Practice
-
Skipping the existing system prompt audit — If
reasoning_extractiontrigger patterns remain in the system prompt when migrating to Fable 5, fallbacks will occur continuously. It's a good idea to check with theaudit_system_prompt()function introduced above before deployment. -
Assuming API fallback behavior is the same as UI behavior — The UI provides fallback automatically, but the API default is to block. Many teams experienced "why did my service suddenly die?" right after launch without knowing this.
-
Ignoring false positives in conservative domains and relying only on prompt tricks — If false positives are occurring repeatedly in medical or security domains, switching Opus 4.8 to the primary model or exploring Mythos 5 access through the Trusted Access Program is far more stable in the long run than prompt tuning.
Closing Thoughts
Fable 5's guardrails were born from good intentions for safety, but the structural limitations of a classifier with limited contextual understanding are creating real friction for both domain experts and API operators. Since the June 10th policy change, refusals have become transparent, and it's now possible to systematize response strategies based on reason codes.
Here are 3 steps you can start right now:
- System prompt audit — You can use the
audit_system_prompt()function to check your current system prompt forreasoning_extractiontrigger patterns. If you have instructions along the lines of "explain your thinking," it's recommended to replace them with a structured output approach. - API fallback activation + reason code logging — Referring to the TypeScript example, you can build a pipeline that catches
classifier_refusalerrors and sends thereasonfield to your monitoring system. Identifying which categories concentrate false positives is the starting point for any response. - Choose a domain-specific strategy — For general queries, intent declaration prompt patterns are sufficient. For security or life sciences domains, consider switching Opus 4.8 to the primary model, or explore Mythos 5 access via the Trusted Access Program.
References
- Claude Fable 5 and Mythos 5 Official Announcement | Anthropic
- It blocked us at 'hello!' Fable 5 refusing innocuous prompts | The Register
- Anthropic Apologizes For One of the Guardrails on Its Fable 5 Model | Gizmodo
- Anthropic accused of 'secret sabotage' as Claude Fable 5 silently limits capabilities | Fortune
- Cybersecurity researchers aren't happy about the guardrails on Anthropic's Fable | TechCrunch
- Claude Fable 5 and new safety fables | Interconnects.ai
- Initial impressions of Claude Fable 5 | Simon Willison
- Anthropic Claude Fable 5 on AWS | AWS Blog
- Anthropic's Fable is the most locked-down public model we've ever seen | Understanding AI
- Why Fable 5 Refuses Your Cybersecurity Queries | Developers Digest
- The Ultimate Guide to LLM Guardrails (2026) | futureagi.com
- LLM Guardrails: Production Safety Layers Reference 2026 | digitalapplied.com