Anthropic restricts access to its strongest AI model Mythos amid security concerns

Fortune reports that Anthropic has decided to limit access to its most advanced AI model, Mythos, citing concerns that it is exceptionally capable at discovering and exploiting software vulnerabilities. Researchers warn that the “nightmare” may have started well before Mythos, as the underlying capabilities are increasingly within reach of attackers.

Anthropic restricts Mythos to a small group

Rather than making Mythos widely available, Anthropic plans to provide it only to a limited set of large technology conglomerates that operate platforms for global digital services. The stated aim is to give defense teams additional time to strengthen their “walls” before attackers gain access to comparable tools.

Experts note that Mythos is viewed as highly intelligent and dangerous in cyberattack scenarios, raising concerns that broad release could weaken existing digital defenses.

Big Tech competition and tighter controls

Anthropic’s move is not isolated. OpenAI is also believed to be developing “Spud,” an internal project with cyberwarfare capabilities described as comparable to Mythos.

According to Axios, OpenAI intends to roll out Spud in phases, prioritizing strategic partners. Researchers say this reflects a broader shift in how advanced AI models are treated: high-end systems are increasingly positioned as strategic tools requiring strict access controls rather than consumer products.

Why researchers see a scaling risk

Researchers’ primary concern is not only the intelligence of these systems, but their scale and accessibility. Previously, conducting sophisticated cyberattacks required extreme expertise—for example, scanning millions of lines of code or chaining exploits.

With systems like Mythos, those tasks can become automated or semi-automated. That could allow less experienced attackers to launch large-scale operations targeting thousands of systems at once. If critical infrastructure—such as banks, power grids, or healthcare systems—is not protected in time, experts warn of a destructive wave of attacks.

Feasibility with smaller models and autonomous verification

Some researchers from AISLE argue Anthropic’s framing is overly optimistic. They contend that much of what Mythos can do could be achieved with smaller, cheaper models already available online.

AISLE’s research says the “decade-old” vulnerabilities Anthropic highlights are detectable using open-source AI. The key difference, they argue, is that Mythos can operate autonomously—scouring large code bases and verifying vulnerabilities without human intervention.

Spencer Whitman, Product Manager at Gray Swan, says the ability to locate “deadly weaknesses” across millions of code lines and verify them is a significant advance, but also a risk.

Governance gaps and lessons from past leaks

Restricting Mythos access also concentrates power within private companies. Jonathan Iwry of the Wharton Accountable AI Lab raises a governance question: whether cybersecurity should be entrusted to a small group of private individuals who are not directly accountable to the public.

He points to history showing that even advanced government hacking tools can end up in the wrong hands. The article cites the 2016 leak of NSA tool caches by the Shadow Brokers, which contributed to major outbreaks such as WannaCry and NotPetya.

Autonomy compresses timelines for defenders

As AI systems become more autonomous, the risk increases. Hamza Chaudhry of the Future of Life Institute warns that AI agents can set their own sub-goals and act in ways their creators cannot fully predict.

Emanuel Salmona, CEO of Nagomi Security, argues that security teams are not being given time. In the past, there was often a delay between vulnerability disclosure and exploitation. With AI, that window is shrinking.

Projected impact on security models

Experts quoted in the report say Mythos could discover vulnerabilities within weeks—work that might take humans decades to uncover. They add that within the next 6 to 18 months, as these capabilities become widespread, traditional security models may become unusable.

The report concludes that enterprises that do not integrate AI into their defense systems promptly could fall behind and face exposure to a new generation of attackers.

Source: Fortune