GitHub Copilot Model Picker 2026: Best Model for Agent Work and the New Security Layer
Copilot's model picker now lists more than ten models. Most teams click through it once, land on Auto, and never look again. Since June 9 that shrug has a price tag and a compliance flag attached to it, because Claude Fable 5 went generally available in the picker and it does not play by the same rules as every other Claude model you've been using (GitHub Changelog, June 9 2026).
Here is the short version before the table. For everyday completions and chat, Auto is fine and free. For a long agent session where the model has to plan, edit twenty files, run tests, and not lose the plot, Fable 5 is the new top pick, but it bills at provider list pricing and forces 30-day data retention. For most teams in between, Opus 4.8 is still the workhorse. And whatever model writes the code, GitHub now scans agent-generated pull requests automatically, with a new /security-review command in Copilot CLI for the changes that haven't hit a PR yet.
Pick a model in 30 seconds
Token prices below are per 1 million tokens, billed in GitHub AI Credits where 1 credit equals $0.01, all per GitHub Copilot's models and pricing page (fetched June 12 2026).
| Model | Best for | Price (per 1M tokens, USD; 1 AI Credit = $0.01) | Data retention |
|---|---|---|---|
| Auto | Everyday completions and chat; lets Copilot route | Default Copilot routing, no usage-based billing surprise | ZDR |
| Claude Haiku 4.5 | Fast inline edits, cheap review passes | $1.00 in / $5.00 out | ZDR |
| Claude Sonnet 4.5 | Mid-weight chat and short agent runs | $3.00 in / $15.00 out | ZDR |
| Claude Opus 4.8 | The default for serious agent work | $5.00 in / $25.00 out | ZDR |
| Claude Fable 5 | Long-horizon autonomous sessions | $10.00 in / $50.00 out | 30-day retention required |
Code completions and next-edit suggestions are not billed in AI Credits at all; they stay unlimited on every paid plan (same page).
If you already worked through Copilot's June 1 pricing changes, this is the next decision: now that you're on a plan, which model do you actually point at each job, and how do you keep agent-written code from shipping a vulnerability?
What changed in the week of June 9
Three changelog entries dropped inside 48 hours, and together they shift how you set up Copilot for agent work.
Claude Fable 5 hit GA in the picker on June 9. It's the first model from Anthropic's Mythos class, built for long-horizon autonomous coding, and it shows up everywhere Copilot has a model dropdown: VS Code, Visual Studio, Copilot CLI, the cloud agent, github.com, JetBrains, Xcode, and the rest (GitHub Changelog, June 9 2026). Rollout is gradual, so an empty slot in your picker today is normal.
The same day, GitHub turned on automatic security validation for every third-party coding agent, not just its own cloud agent. Connect Claude or OpenAI Codex to a repo and the code those agents write now gets the same automatic checks Copilot's cloud agent already had (GitHub Changelog, June 9 2026).
A day later, on June 10, the /security-review slash command landed in Copilot CLI as an experimental public preview. It runs a security scan on your local changes from the terminal, before any of it reaches a pull request (GitHub Changelog, June 10 2026).
None of this lands in a vacuum. It arrives barely a week after the June 1 billing overhaul that moved Copilot to usage-based AI Credits, which is exactly why a model choice now has a dollar cost you can see on an invoice.
How to read the picker
Auto is the safe default and it is genuinely fine for most of your day. It lets Copilot route the request, it does not burn usage-based credits the way a hand-picked frontier model can, and for inline completions you would not notice the difference if you tried. The picker stops mattering at the completion layer. It starts mattering the moment you open an agent session.
Think of the list in three buckets:
- Completions and quick chat. Auto, or a lightweight model like Haiku 4.5 when you want speed and the task is small. Completions are free regardless, so optimize for latency, not cost.
- Standard agent work. Opus 4.8 is the workhorse here. It's a Powerful-category model at $5 in / $25 out per million tokens, and it has handled real multi-file refactors and bug fixes for months (pricing page). If you already had a model habit before June 9, it was probably this one.
- Long-horizon autonomous runs. This is the new Fable 5 lane. A session where the agent plans, edits across a dozen files, runs the suite, reads the failures, and keeps going for half an hour without you babysitting it.
The catch with hand-picking a frontier model: chat and agent turns on it bill against your AI Credits at the rates in the table, while Auto and completions don't. A single long Fable 5 agent run can move the needle on a monthly invoice in a way a day of Auto completions never will.
Claude Fable 5 in Copilot: what it costs, who can turn it on
Fable 5 is the most capable model Anthropic has released widely. Per Anthropic's own spec, it carries a 1M-token context window, up to 128k output tokens per request, and bills at $10 per million input tokens and $50 per million output (Anthropic docs, fetched June 12 2026). Those are the same numbers GitHub passes through, since Fable 5 is billed at provider list pricing under Usage Based Billing (GitHub Changelog, June 9 2026).
That's double the per-token cost of Opus 4.8 ($5 / $25). So the math only works when Fable 5 finishes in fewer steps than Opus would. GitHub's claim is exactly that: in its internal benchmarks on autonomous coding workflows, Fable 5 completed equivalent work with fewer tool calls and lower token consumption than previous Opus-tier models (GitHub Changelog, June 9 2026). Read that as a vendor benchmark, not a guarantee for your repo. The shape is right, though: you pay more per token and hope to spend fewer of them.
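The "pay more per token, spend fewer of them" argument is easier to reason about with numbers. The following is an added example for this article, not GitHub's or Anthropic's code: a small cost model that uses the per-million-token prices quoted above and the $0.01-per-credit rate, and assumes (this is the assumption to check against your own telemetry) that every agent turn re-sends the whole conversation so far, so input tokens grow with each tool call. Under that shape a session's cost grows roughly with the square of the step count, which is why step count, not the headline price, decides the invoice.

```python
"""Cost model for a Copilot agent session on two hand-picked models.

Added example for this article, not GitHub's or Anthropic's code. Per-million-token
prices are the ones quoted in the article (Opus 4.8: $5 in / $25 out; Fable 5: $10 in /
$50 out) and the AI Credit rate is $0.01 per credit. The session shape is an assumption:
every agent turn re-sends the whole conversation so far, so input tokens grow with each
tool call and total cost grows roughly with the square of the step count.
"""
from dataclasses import dataclass

CREDIT_USD = 0.01  # 1 AI Credit = $0.01 (GitHub pricing page, as cited in the article)


@dataclass(frozen=True)
class Model:
    name: str
    usd_in_per_m: float   # USD per 1M input tokens
    usd_out_per_m: float  # USD per 1M output tokens


OPUS_4_8 = Model("Claude Opus 4.8", 5.00, 25.00)
FABLE_5 = Model("Claude Fable 5", 10.00, 50.00)


def session_tokens(steps, initial_context=20_000, per_step_growth=4_000, per_step_output=1_500):
    """Return (input_tokens, output_tokens) for an agent session of `steps` tool calls.

    Assumed shape: turn k re-sends initial_context + k * per_step_growth tokens
    (system prompt, files read, earlier tool results) and emits per_step_output
    tokens of reasoning, edits and tool arguments. The three defaults are made up
    for illustration; measure your own sessions before relying on them.
    """
    input_tokens = sum(initial_context + k * per_step_growth for k in range(steps))
    output_tokens = steps * per_step_output
    return input_tokens, output_tokens


def session_cost_usd(model, steps, **shape):
    """Dollar cost of a session: tokens scaled to millions times the model's list price."""
    inp, out = session_tokens(steps, **shape)
    return inp / 1e6 * model.usd_in_per_m + out / 1e6 * model.usd_out_per_m


def session_cost_credits(model, steps, **shape):
    """Same cost expressed in AI Credits, which is what the invoice shows."""
    return round(session_cost_usd(model, steps, **shape) / CREDIT_USD)


def break_even_steps(cheaper, pricier, steps_on_cheaper, **shape):
    """Most steps `pricier` may take and still cost no more than `cheaper` taking
    steps_on_cheaper steps. With a flat context (per_step_growth=0) this is exactly
    the per-token price ratio; with a growing context it is noticeably more generous,
    because cutting steps also shrinks every later turn's re-sent context."""
    budget = session_cost_usd(cheaper, steps_on_cheaper, **shape)
    n = 0
    while session_cost_usd(pricier, n + 1, **shape) <= budget + 1e-9:
        n += 1
    return n


if __name__ == "__main__":
    for model in (OPUS_4_8, FABLE_5):
        print(f"{model.name}: 40-step session = {session_cost_credits(model, 40)} credits")
    print("Fable 5 breaks even against a 40-step Opus run at",
          break_even_steps(OPUS_4_8, FABLE_5, 40), "steps")
```

With the assumed shape, a 40-step Opus 4.8 run costs about 2,110 credits and the same run on Fable 5 about 4,220; Fable 5 only has to finish in 26 steps or fewer, not 20, to come out cheaper, because each step it skips also removes the context that step would have re-sent. Set per_step_growth to zero and the break-even drops to exactly half, which is the naive reading of the price table.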
Who can turn it on
Fable 5 is available to Copilot Pro+, Max, Business, and Enterprise plans. For Business and Enterprise, a plan administrator has to flip the Claude Fable 5 policy in Copilot settings, because it ships off by default (GitHub Changelog, June 9 2026). If you're on Business and the model isn't in your picker, that's the first place to look before you assume the gradual rollout hasn't reached you yet.
The data-retention requirement, read plainly
This is the part to get exactly right, because it's the part that decides whether Fable 5 is even an option for you.
Every other Claude model in Copilot (Opus 4.8, Sonnet 4.5, Haiku 4.5) runs under Zero Data Retention. Fable 5 does not. Anthropic's safety architecture for this model retains your prompts and outputs for up to 30 days so that safety classifiers can detect harmful or abusive use, and deletes them at the end of that window. The retention applies only to Fable 5 (GitHub Changelog, June 9 2026).
The fear most teams have is the wrong one. Anthropic does not use this retained data to train its models (GitHub Changelog, June 9 2026). The retention exists for abuse detection, not training. Say that to your security lead before they say no on reflex. The question that does deserve their attention is plainer: for up to 30 days, whatever an agent session puts into a prompt, including your source and any secret that slipped into it, is held in Anthropic's classifier pipeline instead of being discarded when the request ends. That is what the policy gate below asks an admin to accept.
The hard constraint is this: if your organization has a Zero Data Retention agreement with GitHub, Fable 5 is not available to you unless an admin explicitly enables the Fable 5 policy, and enabling that policy is an acknowledgement of the retention requirement (GitHub Changelog, June 9 2026). Leave the policy off and the model stays off the menu. For a regulated team with a ZDR posture, that policy gate is a deliberate compliance decision, not a settings toggle someone clicks on a Tuesday.
One more behavior worth planning for if you also call Fable 5 through the API directly: its safety classifiers can decline a request. When that happens, Anthropic's Messages API returns stop_reason: "refusal" as a normal HTTP 200, not an error, and you can pass a fallbacks parameter to retry on another Claude model (Anthropic docs, fetched June 12 2026). Inside Copilot you mostly won't see this plumbing, but it explains why Fable 5 occasionally hands a task back.
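The practical trap in that behavior is that a refusal is indistinguishable from success to any wrapper that only checks the HTTP status. The following is an added example, not Anthropic's SDK and not Copilot's internal plumbing: it models just the fields of a Messages API response that matter here and does the fallback client-side to make the routing decision explicit. The `send` callable is a constructed stand-in for the real API call, the response shape is an approximation, and the model ids are placeholders.

```python
"""Treating stop_reason "refusal" as a routing signal, not an error.

Added example, not Anthropic's SDK and not Copilot's internal plumbing. The article
says a Fable 5 classifier refusal comes back as a normal HTTP 200 with stop_reason
"refusal", and that the Messages API accepts a fallbacks parameter. This shows the
client-side consequence of the first fact when you do the fallback yourself: code that
checks only the HTTP status treats a refusal as success. `send` is a constructed
stand-in for the API call, Response mirrors only the fields used here, and the model
ids are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int        # HTTP status; 200 for completions and for refusals alike
    stop_reason: str   # "end_turn", "max_tokens", "refusal", ...
    model: str
    text: str = ""


class AllModelsDeclined(Exception):
    """Raised when every model in the fallback chain refused or errored."""


def looks_successful_to_naive_code(resp):
    """The check most wrappers actually make. A refusal passes it."""
    return resp.status == 200


def complete_with_fallback(send, prompt, models):
    """Ask each model in turn; return (response, attempts) for the first that completed.

    A 200 with stop_reason "refusal" advances to the next model instead of being
    returned as an answer. Non-200 responses are passed over too, so a transport
    error on one model does not end the chain.
    """
    attempts = []
    for model in models:
        resp = send(model, prompt)
        attempts.append((model, resp.status, resp.stop_reason))
        if resp.status != 200 or resp.stop_reason == "refusal":
            continue
        return resp, attempts
    raise AllModelsDeclined(attempts)


def declined_everywhere(send, prompt, models):
    """True when no model in the chain produced a completion."""
    try:
        complete_with_fallback(send, prompt, models)
    except AllModelsDeclined:
        return True
    return False


def make_fake_send(behaviour):
    """Constructed transport: behaviour maps model id -> stop_reason string, or an int
    HTTP error code to simulate a failed request."""
    def send(model, prompt):
        outcome = behaviour[model]
        if isinstance(outcome, int):
            return Response(outcome, "", model)
        text = "" if outcome == "refusal" else f"[{model}] completed: {prompt}"
        return Response(200, outcome, model, text)
    return send


if __name__ == "__main__":
    send = make_fake_send({"fable-5": "refusal", "opus-4-8": "end_turn"})
    resp, attempts = complete_with_fallback(send, "migrate the schema", ["fable-5", "opus-4-8"])
    print(attempts)       # [('fable-5', 200, 'refusal'), ('opus-4-8', 200, 'end_turn')]
    print(resp.text)
```

Whether you use the API's own fallbacks parameter or a loop like this one, the point is the same: read stop_reason on every response, and make a refusal surface in your logs as a routing event rather than vanishing inside a 200.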
When Fable 5 is worth it, and when to stay on Opus 4.8
Pick Fable 5 when the work is genuinely long-horizon: a multi-step migration, a feature that touches many files, an agent run you want to start and walk away from. The fewer-tool-calls claim is most likely to pay off when the task is big enough that step count actually dominates the bill.
Stay on Opus 4.8 for everything else, which is most things. It's ZDR by default, so there's no policy conversation, and at half the token cost it's the right pick for standard agent work and day-to-day chat. We cover where Opus 4.8 fits in the broader plan picture in the Opus 4.8 Copilot pricing breakdown. Drop to Sonnet 4.5 or Haiku 4.5 when latency matters more than depth, like quick edits or a cheap review pass.
The two-layer security setup for agent code
Here's the mental model that makes the June 9 and June 10 releases click: GitHub now gives you two security layers for agent-written code, firing at different moments. One is automatic and runs on the pull request. The other is on demand and runs in your terminal before a PR exists. They aren't redundant. They cover different points in the timeline.
| | Layer 1: automatic PR validation | Layer 2: /security-review in CLI |
|---|---|---|
| When it runs | On the pull request, after the agent opens it | On local, uncommitted changes, before you push |
| What triggers it | Automatic, on by default | You type /security-review in Copilot CLI |
| What it uses | CodeQL, GitHub Advisory Database, secret scanning | A Copilot-driven scan, separate from those tools |
| Catches | Vulnerabilities, vulnerable dependencies, leaked secrets | Injection, XSS, insecure data handling, path traversal, weak crypto |
| Status | Generally available | Experimental public preview |
Layer 1: automatic validation on the PR
Since June 9, when a third-party coding agent writes code in your repo, GitHub automatically analyzes it for vulnerabilities with CodeQL, checks any newly introduced dependencies against the GitHub Advisory Database, and runs secret scanning to catch API keys and tokens. If it finds something, the agent tries to fix it before finalizing the pull request (GitHub Changelog, June 9 2026).
The big change is the word "third-party." This protection already existed for Copilot's own cloud agent; now Claude, OpenAI Codex, and other connected agents get the same treatment, so every line of agent code goes through the same gate regardless of which agent wrote it (GitHub Changelog, June 9 2026).
Two things matter for setup. It's on by default and it follows your repo's existing Copilot settings for which validation tools fire, so if you already configured this for the cloud agent, third-party agents inherit it with zero new work. And you do not need a GitHub Advanced Security license for it (GitHub Changelog, June 9 2026). The configuration lives in the same agent settings you'd use to turn the built-in validation tools on or off per repo.
Layer 2: /security-review for local changes
The question every developer asks here is fair. We already have code scanning, so why add another scanner? The answer is timing. /security-review runs on your local, uncommitted changes, before anything reaches a pull request. It's a shift-left tool, not a replacement for the automatic PR-level scan.
Turn on experimental mode in Copilot CLI, then run the command in any project:
# Inside an interactive Copilot CLI session, with experimental mode on
/security-review
It analyzes your current changes and returns high-confidence findings scored by severity and confidence, plus suggestions you can apply without leaving the terminal. The scan is tuned for common, high-impact classes: injection flaws, cross-site scripting, insecure data handling, path traversal, and weak cryptography (GitHub Changelog, June 10 2026).
The line GitHub draws is explicit: this is a Copilot-driven scan that does not rely on GitHub code scanning, Dependabot, or secret scanning. It complements them by giving you a lightweight, on-demand pass on your changes before you commit (GitHub Changelog, June 10 2026). So the right workflow is both layers in sequence: run /security-review while the code is still on your machine, fix what it flags, then let the automatic CodeQL and secret-scanning layer act as the backstop on the PR.
A worked example of the loop:
# 1. Let an agent write the change, locally
copilot
# ...agent edits src/handlers/upload.ts...
# 2. Scan before you commit
/security-review
# -> flags: path traversal risk in upload.ts (high severity, high confidence)
# 3. Apply the suggested fix, then commit and push
git commit -am "Add upload handler"
git push
# 4. Open the PR. CodeQL + Advisory DB + secret scanning run automatically as the backstop.
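To make the "path traversal risk in upload.ts" finding in that loop concrete, here is the bug class and its fix side by side. This is an added example, not the article's upload.ts and not Copilot output; it is written in Python rather than TypeScript, with a constructed set of probe filenames, and the storage root is an assumption. It uses posixpath instead of os.path so the results are the same on every platform; production code should also resolve symlinks (os.path.realpath) before the containment check.

```python
"""Path traversal in an upload handler: the bug class behind the worked example's finding.

Added example, not the article's upload.ts and not Copilot output; written in Python to
show the same defect and fix the finding describes. Both functions take a client-supplied
filename and compute where the upload would land under UPLOAD_ROOT (an assumed root).
posixpath is used instead of os.path so results are identical on every platform;
production code should additionally resolve symlinks before the containment check.
"""
import posixpath
import re

UPLOAD_ROOT = "/srv/uploads"  # assumed storage root
# Allowlist: one path component, ASCII letters/digits/._-, no leading dot, no separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def save_path_vulnerable(filename):
    """What the flagged handler does: joins untrusted input straight onto the root.
    "../" walks out of the root, and an absolute filename replaces the root entirely
    because join() discards everything before an absolute component."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))


def is_safe_filename(filename):
    """Allowlist check. fullmatch (not match) so a trailing newline cannot sneak past,
    and NUL, '/', '\\' and '%' are all outside the class, so encoded or truncated
    tricks are rejected before any path arithmetic happens."""
    return SAFE_NAME.fullmatch(filename) is not None


def save_path_hardened(filename):
    """Reject anything that is not a plain filename, then verify containment anyway
    (defence in depth, in case the allowlist is loosened later)."""
    if not is_safe_filename(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))
    if posixpath.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        raise ValueError("path escapes upload root")
    return candidate


# Constructed inputs: one legitimate client filename and the usual hostile ones.
PROBES = [
    "report-2026-06.pdf",   # normal
    "../../etc/passwd",     # classic traversal
    "/etc/shadow",          # absolute path swallows the root
    "..",                   # parent directory itself
    ".env",                 # dotfile
    "a/b.txt",              # nested path
    "x\x00.jpg",            # NUL truncation
]


def triage(filenames=PROBES):
    """Return {filename: (where_the_vulnerable_handler_writes, hardened_result_or_'REJECTED')}."""
    out = {}
    for f in filenames:
        try:
            hardened = save_path_hardened(f)
        except ValueError:
            hardened = "REJECTED"
        out[f] = (save_path_vulnerable(f), hardened)
    return out


if __name__ == "__main__":
    for name, (vuln, hard) in triage().items():
        print(f"{name!r:22} vulnerable -> {vuln:28} hardened -> {hard}")
```

Run it and the vulnerable column shows "../../etc/passwd" landing at /etc/passwd and "/etc/shadow" replacing the root outright, while the hardened handler accepts only the plain filename. The allowlist does the real work; the commonpath check is there so a later relaxation of the regex still cannot write outside the root.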
This is the same shift-left pattern you'd recognize from connecting MCP tools in coding agents: catch the problem at the desk, not at the gate.
FAQ
Does Claude Fable 5 in Copilot count against my AI Credits? Yes. Fable 5 is billed at provider list pricing under Usage Based Billing, which means chat and agent turns on it draw down your AI Credits at $10 per million input tokens and $50 per million output (GitHub Changelog, June 9 2026). Code completions stay unlimited and unbilled. For how AI Credits work across your whole plan, see the Copilot AI Credits pricing guide.
Can I use Fable 5 with Copilot Business, not just Pro+ or Enterprise? Yes, Fable 5 is available to Copilot Pro+, Max, Business, and Enterprise. On Business and Enterprise, a plan administrator has to enable the Fable 5 policy first, because it's off by default (GitHub Changelog, June 9 2026).
Does the automatic agent security validation require GitHub Advanced Security? No. Security validation for third-party coding agents does not require a GitHub Advanced Security license (GitHub Changelog, June 9 2026).
How do I turn off agent security validation for a specific repo? It follows your repository's existing Copilot agent settings for which validation tools to use, so you control it in the same place you'd enable or disable the built-in code-quality and security tools for the cloud agent (GitHub Changelog, June 9 2026). The default is on.
What's the difference between /security-review and GitHub code scanning? Timing and engine. /security-review is a Copilot-driven scan you run on local, uncommitted changes from the terminal, and it does not use GitHub code scanning, Dependabot, or secret scanning under the hood. It complements them (GitHub Changelog, June 10 2026). GitHub code scanning (CodeQL) runs as part of the automatic PR-level layer after you push. Use /security-review to catch issues early; let code scanning be the gate.
What we'd set up tomorrow morning
If you run agents in Copilot, do three things this week. Leave Auto as your completion default and stop overthinking the picker for inline work. Pick Opus 4.8 for standard agent sessions, and reach for Fable 5 only on genuinely long, autonomous runs where its fewer-tool-calls claim has room to pay back the doubled token price, and only after your admin has made a deliberate call on the 30-day retention policy. Confirm the model is available on GitHub Copilot's plans for your tier first.
On security, the setup is mostly already done for you. The automatic PR validation is on by default and inherits your existing repo settings, so the only new habit to build is the local one: wire /security-review into your pre-commit routine in Copilot CLI so agent code gets a scan while it's still on your machine. Catch it at the desk. Let CodeQL be the backstop at the gate.