Anthropic’s Most Dangerous Achievement

By Mike Fredenburg
Mike Fredenburg writes on military technology and defense matters with an emphasis on defense reform. He holds a bachelor’s degree in mechanical engineering and a master’s degree in production operations management.
April 22, 2026 | Updated: April 26, 2026

Commentary

Anthropic’s newest artificial intelligence (AI) model, Mythos, can do what teams of elite human hackers cannot do or would take weeks or months to achieve—and it can do so in a matter of hours.

Mythos can autonomously discover and exploit zero-day vulnerabilities across major operating systems and web browsers. It has shown that it can chain exploits, generate working proof-of-concept attacks, and expose flaws that have survived decades of human review and millions of automated tests.

Although Mythos is currently being used to improve cybersecurity, its potential for damage is enormous. Such a model in the wrong hands—such as state actors, elite hacking groups, or even “script kiddies”—could unleash devastating cyberattacks on critical infrastructure.

Banks, power grids, military command and control, hospitals, transportation networks, and government systems all rely on the kind of software Mythos can penetrate and take control of, causing widespread outages, unprecedented data breaches, trillions of dollars in economic losses, and even loss of life. These are not hypothetical scenarios; they are the direct implications of technology that empowers sophisticated attacks that can outpace existing defenses.

Anthropic itself recognized the risk and chose not to release Mythos generally. Instead, it launched Project Glasswing, restricting access to vetted partners, including AWS, Apple, Microsoft, Google, NVIDIA, Cisco, CrowdStrike, and roughly 40 others. These partners are using Mythos for strictly defensive purposes, such as finding and patching vulnerabilities.

This two-edged technology is regulated primarily by Anthropic’s own internal rules and policies: its responsible scaling policy (RSP v3.0) and frontier compliance framework, rather than any binding government mandate. Anthropic’s self-imposed safeguards are a credit to Anthropic, but the fact that we are relying on Anthropic’s discretion is Exhibit A for why the current regulatory landscape is wholly inadequate to protect humanity from AI risks.

History is replete with well-intentioned companies proclaiming the security of their systems, only to suffer major security breaches or lapses.

Equifax assured Americans its credit files were safe until 2017, when a known vulnerability exposed the personal data of roughly 148 million people.

The SolarWinds supply-chain attack in 2020 compromised approximately 18,000 organizations, including key U.S. government agencies, after hackers inserted a back door into legitimate software updates.

The MOVEit file-transfer vulnerability in 2023 affected more than 2,500 organizations and exposed the data of tens of millions.

Breaches have continued into 2025 and 2026. Time and again, executives and officials vowed “robust protections” only to suffer a major cybersecurity failure. Sophisticated actors need only one successful entry point.

As an enabler of hacking, AI’s potential for harm is off the charts. All it takes is a person with the right level of access inside Anthropic or one of its Glasswing partners—a disgruntled employee, a compromised account, an insider threat, or even a simple configuration mistake—to release Mythos into the wild.

Recent incidents, including accidental leaks at major AI labs, show how fragile even careful organizations can be. Once loose, a Mythos-class model could be copied, modified, and weaponized at a rate faster than regulators or defenders could respond. As things stand, Mythos relies on dozens of partners to be flawless in preventing its release into the wild. This is a fragile foundation on which to base humanity’s future safety.

We are living in the AI Wild West. Despite years of summits, principles, and proclamations, there is no comprehensive, binding global framework and no unified federal law in the United States, much less the world.

The European Union’s AI Act continues its phased rollout; prohibitions on “unacceptable risk” practices are already in effect, and high-risk obligations are scheduled for August 2026. But enforcement remains uneven, guidance is still catching up, and the rules apply unevenly across borders.

In the United States, the Trump administration’s March 2026 National AI Policy Framework calls for a “minimally burdensome” national standard with federal preemption of overly restrictive state laws. The draft of the TRUMP AMERICA AI Act proposed by Sen. Marsha Blackburn (R-Tenn.) aims to codify similar ideas, emphasizing child safety, national security, and innovation. Although they are thoughtful proposals, they remain proposals—not enacted law.

States have attempted to fill the vacuum with their own experiments: California’s SB 53 and AB 2013 impose transparency and safety reporting on frontier models (effective January 2026). The Federal Trade Commission polices “AI washing” under existing consumer laws, the National Institute of Standards and Technology’s voluntary AI Risk Management Framework serves as a helpful but nonbinding benchmark, and international efforts such as Organisation for Economic Co-operation and Development principles offer advisory standards without real teeth.

This patchwork of advisory guidelines, voluntary commitments, and frameworks, still awaiting full enforcement, simply cannot keep up with frontier AI. Capabilities such as those in Mythos are becoming the norm. Models are moving from narrow tools to agentic systems that plan, execute, and adapt in ways that challenge human oversight. Self-regulation has its place.

Anthropic’s RSP v3.0 and Project Glasswing are attempts at responsible stewardship, but such efforts, absent enforcement mechanisms and the universal adoption or acceptance of regulations and safeguards, are inherently limited.

Internal policies can be reinterpreted under competitive pressure. If a Mythos-class model emerges from a less cautious actor, or if access controls fail, the consequences could cascade faster than any regulator can respond. Voluntary standards and state-by-state rules create compliance complexity without delivering consistent protection.

However, along with working hard to implement standards with teeth and clear national rules that preempt conflicting state laws, powerful AI systems themselves will be 100 percent necessary to counter other AI threats. Anthropic is defensively deploying Mythos’s immense capabilities via Glasswing to harden critical software faster than attackers can exploit it.

In the coming AI-driven era of cybersecurity, defensive AI systems that detect anomalies, automate patching, simulate attacks, and outpace offensive tools will be essential. Human oversight and regulation provide the guardrails, but only advanced AI can match the speed, scale, and adaptability of adversarial AI. AI frameworks without the AI horsepower to power defensive measures will be wholly inadequate.

Waiting for perfect legislation risks ceding ground to whoever moves fastest. But pretending that scattered advisory frameworks and self-policing will suffice is equally reckless. Powerful technologies such as firearms, aviation, pharmaceuticals, and nuclear energy evolved under regimes that balanced innovation with public safety. AI deserves the same pragmatic approach.

Private organizations such as Anthropic are doing their best to fill the gap. Yet depending on corporate discretion—and the hope that no single insider or lapse will let a malevolent jinn escape to wreak havoc—is not sufficient. Responsible industry organizations working with the government need to find the right balance between allowing innovation and safety, and erring on the side of safety could save a lot of grief.

Views expressed in this article are the opinions of the author and do not necessarily reflect the views of The Epoch Times.