Earlier today Anthropic released Fable 5. It is the most capable model they have ever made generally available. It can spawn subagents, sustain focus across millions of tokens, and work autonomously for longer than any previous Claude model. The improvement is marginal for light use, but the longer and more complex the task you need done, the bigger an improvement Fable 5 is over its predecessor.
That is a genuinely significant moment. If you’re building enterprise AI agents, Fable 5’s capabilities also create a new kind of pressure.
Fable can spawn multiple layers of subagents capable of sustaining complex, multi-step work autonomously across long time horizons. Think of a main “orchestrator” agent that spins up a sub-agent to search for documentation, and another to check an entire codebase for errors, which in turn creates a sub-agent to work on debugging, all working in continuous loops.
A single agent churning through a long or complicated task fills its context window with tool output, dead ends, and intermediate reasoning until it starts to go haywire. Subagents give an orchestrator the ability to divide and conquer. Fable hands a chunk of your work to a fresh agent with clean context, keeps the main context window clean, and gets back only the answer. Five layers means that a hard problem can be broken into a tree of small, short-lived jobs instead of a single agent having to handle everything. This is what makes long-running agents real, and useful. The model can always keep the main goal top of mind, and offload any messy work to a subagent below it.
That is extraordinary in its power and scale. It also only compounds the issues enterprise AI teams are already facing.
There are two failed security approaches that teams building enterprise AI tend to take. The first: give the agent its own identity, its own service account and credentials. This feels clean. It is not. What you have built is a system where any user can ask the agent to do things they are not personally allowed to do. An intern without payroll access can ask the agent for the CEO’s compensation. The agent, helpfully, obliges. The agent becomes more powerful than the user it serves. That is not a model failure. That is an authorization failure.
The second: inherit the user’s full permissions. Problem solved, it seems. Except now a single prompt injection does not just compromise the agent. It compromises everything the user can touch. Salesforce. GitHub. Internal systems. One malicious input, one wayward hallucination, and the blast radius is the user’s entire access footprint. Different failure mode, same outcome.
Both approaches share an assumption: that authorization is something you figure out before the prompt. It is not. The real question surfaces at runtime, when the agent is about to take a specific action: can this agent, on behalf of this user, perform this action on this resource, right now? Not in theory. Not yesterday. Right now.
This is where Fable 5’s new capabilities create a new kind of pressure. Remember all those sub-agents? They’ve increased the authorization surface area exponentially. Subagents inherit credentials from other subagents, each one taking actions in real systems, each one needing a clear answer to that runtime question.
Security teams need to be able to track which actions an agent took, on behalf of which user, against which system, before they will approve it for production. So when every new deployment becomes its own exponentially complicated sub-agent approval process, the result is predictable: prototypes ship, production does not.
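One way to express that runtime question and the audit trail security asks for, as an added sketch rather than code from Anthropic or any product: each agent holds a grant that can only narrow as it passes down the subagent tree, and every action is checked against both the grant and the user's own rights. The `Grant` type, `authorize` function, user names and permission table are all hypothetical and constructed for illustration.

```python
import time
from dataclasses import dataclass

# Constructed sample policy: what each user may do, as (action, resource) pairs.
USER_PERMS = {
    "intern": {("read", "wiki"), ("read", "repo")},
    "hr_lead": {("read", "wiki"), ("read", "payroll")},
}
AUDIT = []  # one record per decision: who, through which agents, did what, where

@dataclass(frozen=True)
class Grant:
    """Authority delegated to one agent in the subagent tree (hypothetical type)."""
    user: str
    agent: str
    scope: frozenset          # (action, resource) pairs this agent may attempt
    expires: float            # epoch seconds
    parent: "Grant | None" = None

    def delegate(self, agent, scope, ttl, now=None):
        # A subagent never exceeds its parent: scope is intersected, expiry is capped.
        now = time.time() if now is None else now
        return Grant(self.user, agent, self.scope & frozenset(scope),
                     min(self.expires, now + ttl), self)

    def chain(self):
        names, g = [], self
        while g is not None:
            names.append(g.agent)
            g = g.parent
        return " <- ".join(names)

def authorize(grant, action, resource, now=None):
    """Can this agent, on behalf of this user, do this action on this resource, right now?"""
    now = time.time() if now is None else now
    request = (action, resource)
    allowed = (now < grant.expires
               and request in grant.scope                          # agent's delegated scope
               and request in USER_PERMS.get(grant.user, set()))   # the user's own rights
    AUDIT.append({"user": grant.user, "chain": grant.chain(), "action": action,
                  "resource": resource, "allowed": allowed})
    return allowed

if __name__ == "__main__":
    everything = frozenset({("read", "wiki"), ("read", "repo"), ("read", "payroll")})
    root = Grant("intern", "orchestrator", everything, time.time() + 600)
    docs = root.delegate("docs-search", {("read", "wiki")}, ttl=60)
    print(authorize(root, "read", "payroll"))  # agent scope allows it, the intern's rights do not
    print(authorize(docs, "read", "repo"))     # intern may read the repo, this subagent may not
    print(AUDIT[-1])
```

The first check covers the service-account failure (the agent cannot exceed the user), the second covers the full-inheritance failure (a compromised subagent cannot reach everything the user can).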
This gap between capability and production has nothing to do with model capability. Fable 5 is genuinely more capable than anything that came before it. But capability at the reasoning layer does not resolve the action layer. An agent that can reason brilliantly but isn’t able to take secure action is, for most enterprise use cases, still a demo.
The teams that close the gap between what Fable 5 can do and what it can do securely in an enterprise environment are the ones who will define what this wave actually delivers.
