Insight

The Mythos Breakthrough: AI, Cyber Risk, and the Governance Gap

Executive Summary

  • Anthropic’s recently released Mythos model has raised global alarm due to its advanced ability to both detect and exploit vulnerabilities across critical software systems, including those used by banks, medical institutions, power grids, and governments.
  • As Mythos can write code and solve problems by itself, the model lowers the skill barrier for cyber operations, enabling the discovery of often hidden vulnerabilities – and potentially allowing more actors to hack systems, disrupt operations or steal data; while these risks prompted Anthropic to delay the model’s public release, Mythos quickly became a critical cybersecurity tool for a narrow list of users, with governments and major companies actively trying to access it.
  • The Mythos breakthrough underscores the rapid pace of AI advances and raises critical questions about oversight and industry impact; as regulation struggles to keep pace, policy responses may center on convening cross-sector working groups to address key questions and develop a unified federal framework to manage these emerging risks while still enabling innovation.

Introduction

Anthropic’s recently released artificial intelligence (AI) model Mythos has raised global alarm due to its unprecedented ability to both detect and exploit vulnerabilities across critical software systems. All sectors – from governments to banks, medical institutions, and energy grids – rely on software daily, yet those systems contain flaws that may go unnoticed for years since finding them requires expertise very few people have. Mythos, however, demonstrated advancement in finding vulnerabilities in systems that had been overlooked by more than 20 years of human reviews and security tests.

Yet as Mythos can write code and solve problems by itself, the model lowers the skill barrier for all cyber operations, enabling not only the discovery of often hidden vulnerabilities, but also potentially allowing more actors to hack systems, disrupt operations, or steal data. While Anthropic chose not to publicly release the model due to its risks, it granted access to a handful of U.S. companies; the model quickly became a critical cybersecurity tool that governments and major companies globally are actively trying to access.

The Mythos breakthrough underscores the rapid pace of AI advances and raises critical questions regarding who should control access to such capabilities, how they could reshape cybersecurity and other sectors, and what oversight mechanisms are needed – especially as similar models are likely to emerge. As regulation struggles to keep pace, policy responses may center on convening cross-sector working groups to address key questions and develop a unified federal framework to manage these emerging risks while still enabling innovation.

Mythos and Its Cybersecurity Implications

Anthropic’s Mythos release drew global attention due to its exceptional cyber capabilities. Mythos can identify vulnerabilities in “every major operating system and web browser when directed by a user to do so,” and has set a new performance ceiling in many benchmarks, compared to ChatGPT and previous Anthropic models. Notably, Mythos demonstrated advances in cyber skills by finding a 27-year-old vulnerability in OpenBSD – an operating system known primarily for its security – highlighting Mythos’ ability to detect vulnerabilities that had been overlooked by years of human reviews and security tests.

Cybersecurity Risks

What makes Mythos a valuable tool for defensive purposes also raises concerns about its potential impact on operating systems around the world. All sectors – from banking, medical, and power grid systems, to all levels of government and beyond – rely on software to keep running. Those systems, however, contain flaws that may go unnoticed for years since finding them requires expertise very few people have. While Mythos was built for finding vulnerabilities, the model has a dual-use nature – meaning it can be deployed for defensive and offensive tasks, reducing barriers to both. It drastically reduces the cost, effort, and level of expertise needed to perform cyber tasks, including both finding and exploiting flaws.

These characteristics raised global alarm about the potential risk of misuse, including how easy it will be for anyone with even basic technical knowledge to hack systems, disrupt operations, or steal data. As Mythos can write code and solve problems by itself, the model could carry out full cyberattacks on its own, speed up research that could be used to develop chemical or biological weapons, and in some cases, even hide its activity while attacking systems. If misused, the model could pose serious risks to economies, public safety, and national security. This rapid AI advance has significant implications for key sectors of the economy, prompting calls for better understanding of Mythos and other advanced models.

The Financial Sector and Systemic Risk

A major concern regarding these AI advances is their potential to disrupt firms, especially those that rely on complex, interconnected, and legacy technology systems, including banking institutions. Mythos’ release prompted an urgent meeting among the U.S. Treasury, the Federal Reserve, and the CEOs of the nation’s largest financial institutions aiming to understand what Mythos and comparable models could mean for the safety of their infrastructure, particularly regarding the risks of cyberattacks, and how to put adequate defenses in place.

Experts around the world have also raised concerns that central banks and financial regulators are significantly behind the financial sector in AI adoption, undermining their ability to monitor and combat developing risks. For example, the Australian Prudential Regulation Authority said its safeguards are not advancing as quickly as AI, cautioning that new AI tools could facilitate attacks on its financial systems. The governor of the Bank of England warned that Anthropic may have found a way to “crack the whole cyber-risk world open.”

Controlled Access and the Geopolitical Divide

Due to the model’s dual-use nature, Anthropic released Mythos to a select group of companies through Project Glasswing. This initiative involves 11 partner organizations and 40 others that build or maintain critical software infrastructure, attempting to ensure those firms can test the model and protect their own systems from potential misuse. Within a few days of its controlled release, Mythos raised global alarm among banks and regulatory bodies around the world. Critics argue that by restricting access to a handful of U.S.-based companies, Anthropic is concentrating its cyber capabilities in a small group of firms and leaving all other global systems exposed. The result is not only that dangerous tools are being kept away from bad actors; it is that a narrow set of organizations now have access to what may be the most advanced cybersecurity model to date, making Mythos a key geopolitical tool. The model is driving increased interest from governments and companies around the world that are seeking both access to the model and information from Anthropic.

Federal agencies have expressed interest in accessing the model, but efforts have been complicated by a prior legal dispute between the Trump Administration and Anthropic. Earlier this year, the administration designated Anthropic a supply chain risk after it refused to allow the Pentagon to use certain capabilities of its previous Claude model – the earlier-generation system that preceded Mythos – without usage limits or safety filters, including denying its use for autonomous weapons without human oversight or mass surveillance of civilians. Following this, President Trump directed all federal agencies to stop using Claude, which was already embedded across a wide range of agencies. Anthropic has been fighting the designation in court, but the release of Mythos has changed the playing field. Last month, White House officials met with Anthropic’s CEO Dario Amodei to discuss cooperation between the U.S. government and the company. Following the meeting, the White House began developing guidance that could allow agencies to bypass the supply chain risk designation and access the model. Mythos’ clear commercial advantage underscores researchers’ warnings about the geopolitical advantage gained by leadership in building the most powerful models, but Mythos is also forcing a broader conversation about the future of the technology and who should control its access, how it could reshape cybersecurity and other sectors, and what oversight mechanisms are needed – especially as similar models are likely to emerge.

Regulatory Outlook

While the Mythos breakthrough raises important questions about AI governance and policy, the Trump Administration and Congress are grappling with how to shape policies that encourage innovation while mitigating the potential risks of AI. Notably, although the administration initially took a lighter approach to AI regulation, the release of Mythos appears to have shifted the conversation, with White House officials now considering stronger oversight of AI models before public release, including mandatory safety reviews and earlier government access. Views within the White House differ on whether this is the right approach, to what exactly the oversight framework would apply, and whether such measures would be mandatory or voluntary. These shifts in the policy debate have led to uncertainty across the tech sector. As regulation struggles to keep pace, governance responses are likely to focus on convening cross-sector working groups to address key questions, while Congress faces the challenge of determining whether – and how – to establish a national AI regulatory framework that manages emerging risks without stifling innovation.
