Lorem, ipsum dolor sit amet consectetur adipisicing elit. Qui, itaque voluptate ipsa non enim amet ducimus voluptatibus deserunt nam esse!
Hacky JS
How to Write Resilient AI Model Fallbacks: Lessons from the Anthropic Mythos 5 Ban

How to Write Resilient AI Model Fallbacks: Lessons from the Anthropic Mythos 5 Ban

pr0h0
ai-infrastructurefallback-strategiesmodel-routingllm-ops
AI Usage (87%)

What stood out in this report is not just that Anthropic reportedly cut access to Fable 5 and Mythos 5 after a US national security order. It is what that kind of move means for application design.

A lot of teams still treat model choice as a config value: pick a preferred model, keep a backup in a list, and assume the provider will keep serving both. That works until access changes for reasons that have nothing to do with an outage. A model can vanish because of policy, account state, region, compliance review, quota changes, or a vendor-level control decision that never shows up on your uptime graph.

If you are shipping AI features in production, model fallback needs the same kind of thinking you give authz, data residency, or payment routing: explicit policy, explicit contracts, and a failure mode that stays boring under stress.

Why the Anthropic Fable 5 and Mythos 5 restriction matters for fallback design

When a provider removes access to a model, the failure surface is different from a normal 5xx or timeout. DNS may still resolve, the SDK may still authenticate, and the endpoint may still answer. What changed is the entitlement to use that model.

That matters because a lot of fallback logic only watches for transport errors. If the primary model starts returning 403, 404, policy_denied, model_not_available, or some provider-specific access error, a naive router may keep retrying the same doomed request. Worse, it may silently downgrade to a cheaper or weaker model without telling anyone.

The report about Anthropic cutting access to Fable 5 and Mythos 5 is a good reminder that provider-side access changes can happen for reasons outside engineering. You cannot assume that every model in your config is always reachable from every account, region, or workload.

Provider-side access changes are not the same as API outages

An API outage is usually obvious:

  • requests time out
  • connection errors spike
  • status pages light up
  • retries may succeed later

A provider-side access change is subtler:

  • the account is valid
  • the endpoint is alive
  • some models still work
  • one or more model IDs now fail with access errors

That changes the control plane. An outage wants retry and circuit breaking. An access change wants policy-aware routing and a fast path to a different permitted model.

I usually model this as two axes:

  1. Transport health: can I reach the provider?
  2. Entitlement health: am I allowed to use this model?

If you do not separate those, you end up mixing operational failures with policy failures, and the fallback logic makes bad choices.

What breaks first when a preferred model disappears

In practice, the first failures show up in the least obvious places:

  • a request router keeps selecting the removed model because it only ranks by quality
  • structured output parsing breaks when the fallback model formats JSON differently
  • agent workflows fail because a backup model lacks the same tool-use behavior
  • prompt templates are too long for the fallback context window
  • a per-tenant policy says the backup model is not allowed, but the system tries it anyway

The visible error is often not the root cause. The root cause is that the application encoded “preferred model” instead of “capability set under current policy.”

Map the failure modes before you write any routing code

Before I write a router, I write down the ways it can fail. This is not bureaucracy. It is the difference between graceful degradation and a cascade.

Hard failure, soft failure, and policy failure

I split model failures into three buckets:

Failure typeWhat it looks likeWhat to do
Hard failuretimeout, DNS error, 5xx, connection resetretry with backoff, then fail over
Soft failuredegraded latency, partial truncation, low confidencemaybe downgrade, maybe ask for human review
Policy failuredenied model, revoked access, geo block, account restrictiondo not retry the same model; route to permitted fallback or fail closed

Hard failures are operational. Policy failures are contractual. Soft failures are judgment calls.

The mistake is treating all three as “model unavailable.” That usually leads to either pointless retries or unsafe silent fallback.

Latency spikes, quota exhaustion, and regional unavailability

Not every fallback is caused by a ban or revocation. A good router also needs to handle:

  • latency spikes that make the primary model unusable for SLA-bound traffic
  • quota exhaustion on a shared tenant or API key
  • regional unavailability caused by network path or provider rollout
  • per-model throttling that only affects certain endpoints or workloads

These are still routing problems, not just retry problems. If you wait for timeouts alone, you will discover the issue after the user has already waited.

I like to define thresholds per task class:

  • interactive chat: fail over quickly
  • batch summarization: wait a bit longer
  • agent tool use: retry only if the action is idempotent
  • compliance-sensitive tasks: fail closed if the approved model is unavailable

Compliance-driven blocks and account-level revocations

The source event matters because it highlights a category many teams ignore: access can be withdrawn for reasons unrelated to your code.

A provider may block a model for:

  • legal or regulatory reasons
  • account review outcomes
  • region restrictions
  • contract changes
  • policy enforcement on the customer side

Your software should assume model access can change at runtime and that the set of approved models is not stable. If your application spans tenants, you may even see different model availability for different accounts at the same time.

That means the routing decision must include policy inputs, not just ranking inputs.

Build a routing layer that can survive model removal

The router is where teams usually create hidden coupling. It starts as a helper that picks a model name. Then it becomes business logic, policy logic, and ops logic all mashed together.

Separate intent classification from model invocation

Do not send raw user intent directly into a model selection string.

Instead, split the problem into two stages:

  1. classify the request into an intent or task type
  2. map that task type to an allowed capability tier and provider

That might look like:

  • chat.low_risk
  • summarize.internal
  • extract.structured
  • agent.tool_use
  • policy.review

The invocation layer should not care why the router chose a model. It should only know:

  • the task class
  • the allowed providers
  • the required capabilities
  • the fallback order

That separation makes it easier to swap providers, adjust policy, or remove a model without rewriting the whole app.

Use capability-based routing instead of vendor names

One of the most common mistakes is routing by vendor name:

const preferred = "anthropic:fable-5";
const backup = "anthropic:mythos-5";

That is brittle because vendor names are not capabilities. The real question is whether the model can satisfy the request.

A better abstraction is:

  • supportsStructuredOutput
  • supportsToolUse
  • maxContextTokens
  • lowLatency
  • approvedForTenant
  • approvedForRegion
  • canHandleSensitiveData

Then the model registry becomes a catalog of capabilities, not a list of brand names.

A capability-based router is much easier to reconfigure when a provider removes access to a model. You update the registry and keep the policy the same.

Keep policy, cost, and quality as explicit inputs

I usually make routing decisions from three explicit inputs:

  • policy: what is allowed right now?
  • cost: what is acceptable for this request?
  • quality: what level of output does the task need?

A model with great quality but revoked access is not a candidate. A cheap model that cannot produce valid JSON is not a candidate for structured extraction. A compliant model that is too slow may still be acceptable for async workflows.

This is the core of resilient fallback design: do not ask, “What is the best model?” Ask, “What is the best permitted model for this task right now?”

Define fallback tiers with clear contracts

Fallback only works when the tiers are described well enough that everyone knows what can degrade.

Primary model, secondary model, and degraded mode

I recommend three explicit tiers:

  1. Primary model: best fit for the task
  2. Secondary model: acceptable substitute with known tradeoffs
  3. Degraded mode: safer, simpler behavior when model output quality is no longer trustworthy

Degraded mode matters. It is not just “use a smaller model.” Sometimes the right answer is to reduce scope:

  • answer with a template
  • ask the user to narrow the request
  • defer to a queue
  • route to human review
  • return partial results instead of a full agent action

That last tier is how you keep fallback from turning into hidden quality loss.

When to retry, when to downgrade, and when to stop

A clean policy usually looks like this:

  • retry on transient transport failures
  • downgrade on repeated timeouts, throttling, or lack of capacity
  • stop on policy denial, revoked access, or model-incompatible tasks

Do not retry on a deterministic access failure. If the provider says the model is not available to your account, retrying just adds latency.

A useful rule of thumb:

  • same error, same model, same account, same result = stop fast
  • same error, changing network conditions = retry
  • different error on a backup model = reassess task suitability

Protecting structured outputs during fallback

Structured outputs are where fallback often breaks in quiet ways. A primary model may return clean JSON, while a secondary model wraps it in prose or drops a required field.

If your app depends on structure, do not assume fallback is interchangeable. Validate every response against the same schema, and treat schema failure as a routing signal.

A practical pattern:

  • request structured output with a strict schema
  • validate the response
  • if validation fails, either retry once or downgrade to a safer task mode
  • do not accept free-form text where a machine-readable contract is required

If the downstream code expects JSON, a “good enough” text summary is not a fallback. It is a different product.

Implement provider redundancy without creating hidden coupling

Redundancy sounds simple until shared dependencies tie your backup path to the same failure domain.

Normalizing request shapes across vendors

Different providers expose different knobs:

  • system prompt handling
  • max tokens vs max completion tokens
  • tool call formats
  • stop sequence semantics
  • response metadata
  • streaming chunk shape

If you let those differences leak into app code, every call site becomes provider-specific. That makes failover expensive and fragile.

I prefer a normalization layer that translates an internal request object into provider-specific payloads.

Example shape:

type ModelRequest = {
  task: "chat.low_risk" | "extract.structured" | "agent.tool_use";
  messages: Array<{ role: "system" | "user" | "assistant"; content: string }>;
  schema?: unknown;
  tools?: Array<{ name: string; description: string }>;
  maxTokens: number;
  tenantId: string;
  region: string;
};

Then each provider adapter maps that request into its own API format. The app only sees one contract.

Handling tool calls, system prompts, and context limits consistently

Tool use is one of the hardest fallback cases because it is not just text generation. The model has to understand the tool contract, respect the system prompt, and stay inside the context window.

When you swap models, verify:

  • tool call syntax is supported the same way
  • the fallback model can fit the prompt plus tool history
  • system instructions are not silently truncated
  • the model can recover after a partial tool failure

If the primary model supports a 200k context and the backup supports 32k, your router needs to know that before it sends a long request. Otherwise the fallback fails in the middle of execution.

Avoiding shared secrets, shared quotas, and shared control planes

Redundancy is fake if everything depends on the same control plane.

Watch for shared coupling such as:

  • one API gateway for all providers
  • one secret store path for every model
  • one quota bucket for all tenants
  • one admin policy switch for every environment
  • one region for both primary and fallback traffic

If the shared dependency fails, both the primary and the fallback disappear together. Real redundancy means separate blast radii where possible.

Add safe failover controls for production traffic

Production failover should be conservative by design. The goal is not to make every request succeed at any cost. The goal is to keep the system useful without violating policy or degrading silently.

Circuit breakers and backoff windows

Use a circuit breaker per model and per failure class.

For example:

  • open the circuit after repeated transport errors
  • open immediately on deterministic policy denial
  • keep a short backoff window before retrying a model that was rate-limited
  • close the circuit only after health checks or successful probe traffic

This prevents retry storms and gives the fallback path room to breathe.

You can also separate breakers by tenant or workload class. A heavy batch job should not burn the same fallback budget as interactive traffic.

Per-tenant and per-request allowlists

The fallback order should not be global unless your risk model is global.

For some tenants, the approved set may be:

  • primary proprietary model
  • approved fallback model
  • no external fallback at all

For some requests, especially sensitive ones, the router should not try a lower-trust provider. That is an allowlist problem, not a reliability problem.

Treat each request as carrying policy metadata:

  • tenant approval
  • data sensitivity
  • region requirement
  • model class allowed
  • human review required or not

If the chosen fallback is outside that set, fail closed.

Idempotency and replay safety for agent workflows

Agent workflows are dangerous to replay blindly.

If a model fails after it already:

  • sent an email
  • created a ticket
  • updated a record
  • issued a tool call

then retrying the entire request can duplicate side effects. Fallback logic has to distinguish between read-only generation and action-taking workflows.

For agent traffic, use:

  • idempotency keys
  • durable step tracking
  • tool-call journaling
  • replay protection on side-effecting actions

A fallback should resume from the last safe checkpoint, not restart the whole chain unless the workflow is explicitly designed for it.

Test fallback behavior before the day you need it

Most teams test the happy path and a basic timeout. That is not enough. The bad surprises come from access changes, policy denials, and shape mismatches.

Simulating model unavailability and policy denial

You should be able to test at least four cases:

  1. transport timeout
  2. 5xx from provider
  3. rate limit or quota exhaustion
  4. policy denial or access revocation

The last case is the one that matters for events like the reported access restriction on Fable 5 and Mythos 5. Your test should confirm that the router does not keep retrying the denied model and does not route to an unapproved backup.

A simple test double can help:

function fakeProvider(mode) {
  return async function invoke(request) {
    if (mode === "deny") {
      const err = new Error("model_not_available");
      err.code = 403;
      err.reason = "policy";
      throw err;
    }

    if (mode === "timeout") {
      throw new Error("timeout");
    }

    return { text: "ok", model: request.model };
  };
}

The point is not the mock. The point is the decision tree around it.

Verifying prompt, schema, and tool compatibility across providers

Fallback testing should include compatibility checks, not just connectivity checks.

Run the same request against every approved model and verify:

  • prompt length fits
  • schema is respected
  • tool call format is valid
  • stop conditions behave as expected
  • output quality meets the minimum bar

If one provider fails schema validation more often, you need to know that before it becomes your fallback under load.

Load testing the degraded path, not just the happy path

A lot of fallback code is correct at low traffic and bad under pressure.

If the primary model disappears, your backup path suddenly absorbs all the traffic. That can expose:

  • missing rate limits
  • low fallback quota
  • slow cold starts
  • larger context processing costs
  • queue buildup in downstream jobs

Test the degraded path as if the primary were gone. The real question is not whether one request can fall back. The question is whether 10,000 requests can do it without creating a second outage.

Observe the right signals when a model disappears

If you cannot see fallback usage, you cannot tell whether the system is healthy or quietly drifting.

Metrics that expose silent fallback usage

Track metrics per model and per route:

  • request count by model
  • fallback rate
  • policy-denial count
  • schema-failure count
  • retry count by failure class
  • median and tail latency by model
  • degraded-mode activation rate

A spike in fallback usage can mean one of two things:

  • the primary model is actually unavailable
  • your router is overreacting to transient issues

You need both the count and the cause.

Logs and traces that show why routing changed

Every routing decision should leave a trace:

  • request id
  • tenant id
  • task type
  • primary candidate
  • chosen model
  • reason for fallback
  • retry count
  • final outcome

That lets you answer questions like:

  • Did we route away because of a timeout or a policy block?
  • Did this tenant lose access to a model?
  • Did the backup model fit the prompt?
  • Did degraded mode trigger because of schema rejection?

Without that trace, you will spend hours guessing.

Alerting on unexpected model mix shifts

I also alert on mix shifts, not just errors. If the percentage of traffic on a backup model jumps from 5% to 60%, something changed.

That alert should trigger even if the user-facing error rate stays low. Silent fallback can hide quality regressions for days.

Control quality loss in degraded mode

Fallback is not automatically safe just because it avoids an outage. Quality loss matters, especially when the model output drives customer-facing or internal decisions.

Lower-risk tasks that can safely fall back

Some tasks are resilient to model changes:

  • summarizing internal notes
  • drafting low-stakes copy
  • classifying simple text
  • generating rough search queries
  • answering basic Q&A from non-sensitive content

For these, a smaller or different model may be fine as long as you measure the drop in quality.

Tasks that should fail closed instead of failing open

Other tasks should not silently downgrade:

  • policy decisions
  • financial actions
  • authz-sensitive support actions
  • legal or compliance summaries
  • destructive tool execution
  • high-impact user eligibility decisions

If the approved model is unavailable, the correct behavior may be to stop and ask for manual handling. That is not a product failure. It is a safety boundary.

Human review for high-impact or policy-sensitive requests

Human review belongs in the fallback design, not as an afterthought.

A useful pattern is:

  • primary model handles the request
  • if unavailable, route to a safer model for triage only
  • if confidence or policy risk is high, queue for human review
  • do not let the fallback model take the final action on sensitive tasks

That keeps the system available without turning a reliability problem into a policy problem.

Reference architecture for a resilient AI model router

Here is the shape I recommend when a provider can revoke model access at any time.

Request flow from client to policy gate to model pool

  1. Client sends a task request.
  2. Policy gate checks tenant, region, and data class.
  3. Router classifies the task.
  4. Capability matcher filters eligible models.
  5. Health layer removes broken or denied models.
  6. Selection logic chooses primary or fallback.
  7. Invocation layer calls the provider adapter.
  8. Validator checks output shape and task-specific constraints.
  9. Observability records the decision and outcome.

That flow keeps policy separate from health and keeps both separate from model preferences.

Example configuration for capability tags and fallback order

A simple config might look like this:

routes:
  chat.low_risk:
    allowedTags: ["chat", "low-risk", "public-data"]
    fallbackOrder: ["model-a", "model-b", "degraded-template"]

  extract.structured:
    allowedTags: ["json", "structured-output", "public-data"]
    fallbackOrder: ["model-c", "model-d"]

  agent.tool_use:
    allowedTags: ["tool-use", "trusted", "tenant-approved"]
    fallbackOrder: ["model-e", "human-review"]

The key point is that the order is not just “best to worst.” It is “approved and capable to less capable, then safe stop.”

Pseudocode for safe model selection and downgrade logic

function selectModel(request, registry) {
  const candidates = registry.filter((model) => {
    return (
      model.tags.includes(request.task) &&
      model.allowedTenants.has(request.tenantId) &&
      model.allowedRegions.has(request.region) &&
      model.health !== "open-circuit" &&
      model.policy !== "denied" &&
      model.maxContextTokens >= request.estimatedTokens
    );
  });

  for (const model of candidates.sort(byFallbackPriority)) {
    try {
      return invokeModel(model, request);
    } catch (err) {
      if (isPolicyDenial(err)) {
        markDenied(model);
        continue;
      }

      if (isTransient(err)) {
        tripBreakerIfNeeded(model);
        continue;
      }

      if (isSchemaFailure(err) && request.task === "extract.structured") {
        continue;
      }

      throw err;
    }
  }

  return degradeSafely(request);
}

This is deliberately conservative. The router skips a bad candidate rather than hammering it, and it refuses to pretend every error should be retried.

What to document so teams do not rediscover the same outage

The last piece is documentation. Not glamorous, but it is what keeps an access change from becoming a long confusion loop.

Runbooks for provider bans, quota cuts, and emergency migration

Your runbook should answer:

  • How do we know a model was revoked versus temporarily down?
  • Which fallback models are allowed per tenant?
  • What is the degraded behavior for each task class?
  • Who approves emergency changes to fallback order?
  • How do we cut over if a provider removes access entirely?

A good runbook makes the first hour of response boring.

SLOs, exception handling, and ownership boundaries

Set expectations in writing:

  • availability SLO by task class
  • acceptable fallback rate
  • maximum degraded-mode window
  • owner for provider policy changes
  • owner for schema compatibility
  • owner for incident communication

Without ownership, model access changes become everyone’s problem and nobody’s job.

Conclusion: resilience is a routing problem, not just a vendor problem

The reported restriction on Fable 5 and Mythos 5 is a useful warning because it shows the failure mode clearly: a model can disappear for reasons that are not downtime. If your architecture only handles outages, it is brittle.

The fix is not “add more vendors” and hope for the best. The fix is to treat model access like a policy-controlled routing problem:

  • classify the task
  • check entitlement and capability
  • route through explicit tiers
  • validate output shape
  • observe fallback usage
  • fail closed when downgrade would cross a safety boundary

That design survives bans, quota cuts, regional blocks, and the usual chaos of production AI systems. More importantly, it keeps fallback behavior visible, testable, and defensible when the preferred model is no longer there.

Share this post

More posts

Comments