Anthropic is limiting access to its latest AI model, Mythos. The real risks may already be out there

Anthropic’s new AI model, Mythos, is causing a stir among cybersecurity experts and policymakers. The company says its new model is so skilled at finding and exploiting software vulnerabilities that it’s too dangerous to release. Instead, it is limiting access to a small group of major technology companies whose software is the foundation for many other digital services, hoping to give defenders time to strengthen their systems.

Anthropic is not the only AI lab producing models with these kinds of capabilities, or considering similar release strategies to try to ensure cyber defenders have access to these systems before hackers do. OpenAI is reportedly preparing a new model—internally known as “Spud”—that could match Mythos in cybersecurity capabilities. According to a report from Axios, the company is also working on an advanced cybersecurity-focused system that it plans to release in a phased rollout to a small group of partners, again to try to give defenders a head start.

Some analysts have dismissed these cautious, limited releases as more about marketing and creating hype around new models, rather than purely safety-driven decisions. But most agree that AI-driven cyber capabilities have reached a dangerous tipping point. Even without the powerful new model, they say, existing, publicly available AI models can already carry out sophisticated cyberattacks—sometimes in minutes.

Researchers are concerned about both the scale and accessibility of AI‑enabled attacks. Tasks that once required advanced expertise—like scanning code for vulnerabilities or running attacks that require chaining multiple exploits together—are increasingly being automated or semiautomated by AI systems. Attackers, even those lacking high-level technical skills, can now launch highly automated attacks across thousands of systems at once in a massive, coordinated assault.

In practical terms, that raises questions both for enterprises and policymakers about how to protect critical infrastructure in a world where these advanced AI capabilities will soon be in the hands of bad actors and hostile nation states. Unless government and industry harden defenses, the world could see a wave of devastating cyberattacks taking down banking systems, power grids, hospitals, or water systems. It is exactly such a nightmare scenario that Anthropic says it is hoping to head off by limiting Mythos’s release.

What some researchers say is not clear, however, is how much the new models increase the chances of this kind of cyber-Armageddon. But the reason for their skepticism is not reassuring: They say that much of what Mythos can do may already be possible with smaller, cheaper, openly available models.

Recent research from AI security firm AISLE suggests that several of the vulnerabilities Anthropic highlighted in its announcement—including decades-old bugs—could have been detected by openly available models that anyone can download and run for free.

There are a couple of caveats: Rather than simply pointing an AI model at an entire software application or a complete codebase and asking the AI model to find a way to hack it—as Anthropic appears to have done with Mythos—the AISLE researchers already knew which segments of code contained the bugs and fed the models these code chunks. Smaller models generally have narrower context windows, meaning they can’t take in an entire large codebase at once. But it is possible to imagine a pipeline in which a large codebase is broken into smaller pieces, each of which is fed in turn to a small AI model, allowing it to examine each segment for possible exploits, experts said.

According to Spencer Whitman, chief product officer at AI security firm Gray Swan, the hard part of what researchers achieved with Mythos was autonomously finding the vulnerabilities within large codebases and then testing those exploits. “Finding vulnerabilities is hard because it requires locating weak points buried within millions of lines of code and verifying that these targets result in a real exploit,” he told Fortune. “Mythos claims it autonomously completed both steps.

“The fact that some of these vulnerabilities sat undetected in codebases for decades underscores just how hard the first step actually is—and why automating it is significant,” he added.

Smaller models may be able to achieve comparable results to Mythos, according to Charlie Eriksen, a security researcher at Aikido Security, but they require more technical skill, careful prompting, and better-designed tooling to get there. Models like Mythos, however, may make it considerably easier for even those with less technical skill to carry out sophisticated and devastating cyberattacks.

“This technology is moving so fast that it’s naive to assume others aren’t able to easily replicate similar results, if not already, at least very soon,” he said. “Anybody with a computer can develop very powerful offensive cyber capabilities in a short amount of time, without needing a lot of expertise in cybersecurity.”

A concentration of power

Anthropic’s decision to limit Mythos’s release is also putting unusual power in the hands of a single company. Even though Anthropic says it is consulting with the U.S. government on Mythos’s capabilities and the vulnerabilities it is uncovering (and there are calls for it to work with other allied governments, too), the company is effectively deciding who gets access to one of the most advanced cyber capabilities ever developed.

Some security experts and software developers—especially those committed to open-source software, that is, publicly accessible and often usable for free—argue the world would be safer if Mythos were released so that every defender, not just Anthropic’s chosen partners, could use it to find and patch vulnerabilities.

“Whatever the right judgment call is, the most striking aspect of this situation is how reliant we are on the judgment of a handful of private actors who aren’t accountable to the public,” said Jonathan Iwry, a fellow at the Wharton Accountable AI Lab.

Anthropic did loop in the government early. According to reporting from Axios, the company actively warned U.S.government officials about a new, powerful model that significantly increased the risk of cyberattacks at least a month ago. Anthropic, in a blog post announcing Project Glasswing, later said briefing the government on what the model could do, where the risks were, and how it was managing them, was a “priority from the start.”

Despite these efforts, there’s also a growing “governance gap,” according to Hamza Chaudhry, AI and national security lead at the Future of Life Institute. These systems are being integrated into offensive cyber operations faster than policymakers can build the frameworks to govern how these capabilities are used or secured. In the past, even cyber capabilities developed by and for the use of government, particularly hacking tools developed by the U.S. National Security Agency, have ended up in the hands of bad actors.

For example, in 2016, a hacking group called the Shadow Brokers published a cache of hacking tools and exploits used against major software systems—including Microsoft Windows—that were widely believed to have been developed by the NSA. Some of the leaked NSA exploit code was later used in WannaCry, while NotPetya also relied on the NSA-linked EternalBlue exploit, helping make both attacks among the most damaging in recent history.

The cyber abilities of AI models such as Mythos pose completely new governance challenges, too. With previous hacking tools, a human had to deliberately choose to deploy those exploits. But, according to Anthropic, in safety tests, Mythos would sometimes use its hacking abilities to accomplish some other goal in ways that surprised its creators.

The safety issue is often not the AI model’s coding skills, per se, but its autonomous capabilities, Chaudhry said. As AI systems become more agentic, they are able to set sub-goals, adapt their approach, and continue operating without direct human instruction at every step. The concern is that an AI system might pursue an objective in ways that extend beyond what its operator explicitly intended.

“The agent … pursues its objective function through whatever pathways its intelligence and autonomy identify as optimal,” he said. “An adversary state or non-state actor deploying an autonomous AI agent … is no longer directing actions so much as initiating a process whose specific trajectory they cannot fully predict.”

What enterprises should do

Whether companies have access to Mythos or not, experts say those not currently using AI to secure their systems may already be falling behind. Even with Anthropic limiting widespread access to its new models, AI-driven offensive capabilities are out there in less powerful forms, for those who know how to use them.

Most security teams operate on the assumption that time is somewhat on their side—that there’s at least a gap between a vulnerability existing and an attacker finding it, and another gap between finding it and being able to use it. For most of recent history, that was roughly true. But advanced AI models are collapsing both gaps at once, according to Emanuel Salmona, cofounder and CEO of Nagomi Security.

“Mythos found critical vulnerabilities across every major operating system and browser—some of them decades old—in weeks,” he said. “When that capability is broadly available, and Anthropic’s own people are saying six to 18 months, the organizations that were already behind [on security] don’t just fall further back. The model they built their programs around stops working entirely.”

This story was originally featured on Fortune.com