Anthropic has built an AI model so effective at finding software security flaws that the company says releasing it publicly would be reckless. Central banks and financial regulators are treating the development as a systemic risk.
Why it matters: If the model or one like it were leaked or replicated, attackers could discover and exploit weaknesses in banking, government, and infrastructure systems faster than defenders can fix them. The question of who controls powerful AI capabilities is no longer theoretical.
What the model does
Mythos Preview, as Anthropic calls it, identified thousands of zero-day vulnerabilities during internal testing — flaws that software makers did not know existed. Anthropic said these included critical weaknesses in every major operating system and web browser.
The company described the model as a “step change in capabilities” beyond its existing publicly available systems.
Project Glasswing
Rather than releasing Mythos publicly, Anthropic launched Project Glasswing, a defensive initiative limiting access to 12 partner organisations. The group includes Microsoft, Apple, Amazon, Cisco, CrowdStrike, the Linux Foundation, and Palo Alto Networks.
The idea is to give defenders a head start: patch the vulnerabilities Mythos finds before anyone else builds a tool that can find the same flaws.
The case for restriction
Anthropic argues that responsible disclosure requires controlled access. The partner organisations whose software underpins most of the digital economy get to use the model to strengthen their systems. Public release would hand the same capability to attackers.
The case for concern
Critics say the approach concentrates extraordinary power in one company’s hands. Security researchers have pointed out that restricting access does not prevent adversaries from developing similar capabilities independently. The genie, they argue, is already leaving the bottle.
What happens next
The Bank of England’s risk chief, Duncan Mackinnon, has convened banking and insurance executives to discuss the threat. In Washington, Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell held a separate meeting with Wall Street CEOs.
No regulatory framework currently governs the controlled release of AI systems based on their offensive capabilities. Both the EU and the US are scrambling to catch up.