Anthropic's new AI model Claude Mythos can locate critical software vulnerabilities that have gone undetected for decades, prompting governments and financial institutions worldwide to reassess how they manage AI capabilities that could undermine digital infrastructure security. The model, revealed in early April 2026, has already identified thousands of high-severity bugs in major operating systems and web browsers, raising questions about whether such powerful tools should exist at all and who should control them .

What Makes Claude Mythos Different From Other AI Models?

Claude Mythos is part of Anthropic's broader Claude AI system, which competes with OpenAI's ChatGPT and Google's Gemini. What sets Mythos apart is its exceptional ability at cybersecurity tasks. Researchers who tested the model, known as "red-teamers," found it was "strikingly capable at computer security tasks." The tool can locate dormant bugs lurking in decades-old code and easily exploit them without much oversight .

Anthropic claimed that Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser. One particularly striking example: the model discovered a vulnerability that had been present in a system for 27 years without being detected . This capability has alarmed officials across multiple sectors because it suggests AI models are approaching a threshold where they could pose genuine risks to critical infrastructure.

Why Are World Leaders So Concerned About This Technology?

The response from government and financial officials has been swift and serious. Canadian finance minister François-Philippe Champagne told the BBC that Mythos had been discussed at an International Monetary Fund meeting in Washington, describing the technology as an "unknown unknown." He emphasized that the issue is "serious enough to warrant the attention of all the finance ministers" .

Bank of England boss Andrew Bailey expressed similar concerns, stating that regulators are "having to look very carefully now what this latest AI development could mean for the risk of cyber crime." The European Union has also opened discussions with Anthropic about its concerns surrounding Mythos .

The anxiety stems from a fundamental problem: if an AI model can find vulnerabilities that humans have missed for decades, what happens when that capability becomes widely available? Financial systems, power grids, and government networks all depend on cybersecurity measures that may not be equipped to defend against AI-powered attacks.

How Is Anthropic Managing Access to This Powerful Tool?

Rather than release Mythos to the general public, Anthropic created Project Glasswing, described as "an effort to secure the world's most critical software." The company gave 12 major tech companies access to the model, including:

• Cloud Computing Giant: Amazon Web Services, which operates much of the internet's infrastructure
• Device Manufacturers: Apple, Microsoft, and Google, whose operating systems and software affect billions of users
• Chip Makers: Nvidia and Broadcom, which produce the processors powering AI systems globally
• Security Companies: Crowdstrike, which learned painful lessons about software vulnerabilities after a faulty update caused a major global outage in July 2024

Beyond these 12 companies, Anthropic has given access to more than 40 organizations responsible for critical software . The strategy reflects a deliberate choice: instead of keeping the tool secret, Anthropic is using it to help fix vulnerabilities before bad actors might exploit them.

Anthropic CEO Dario Amodei said in a video released with Project Glasswing's launch that the company had offered to work with US government officials to "help defend against the risk of these models" .

Dario Amodei

What Do Skeptics Say About These Claims?

Not everyone is convinced that Mythos lives up to the hype. Many independent cybersecurity analysts and experts have not yet been able to test the model themselves, and some remain skeptical about its actual performance capabilities. The AI industry has a history of making grand claims that don't always hold up under scrutiny .

The UK's AI Safety Institute, after analyzing Mythos, concluded that while it is a very powerful model, its biggest threat would be against poorly defended, vulnerable systems. "We cannot say for sure whether Mythos Preview would be able to attack well-defended systems," the institute's researchers stated . This distinction matters enormously: if well-maintained systems can defend against Mythos, the risk is significantly lower than Anthropic's warnings suggest.

Ciaran Martin, former head of the UK's National Cyber Security Centre, acknowledged the tension between justified concern and potential hype. "For some this is an apocalyptic event, for others it seems to be a lot of hype," he told the BBC. However, he also noted that whether it is this tool or subsequent ones made by Anthropic or its rivals, there is an opportunity alongside the risk: "In the medium-term, there's an opportunity to use these tools to fix a lot of the underlying vulnerabilities in the internet" .

Steps Organizations Can Take to Prepare for AI-Powered Threats

Rather than panic, cybersecurity experts recommend a practical approach to managing the risks posed by models like Mythos:

• Prioritize Basic Cybersecurity: Most hackers do not need super AI tools to breach systems when much simpler attacks often suffice. Organizations should focus on getting fundamental security practices right before worrying about AI-specific threats
• Patch Known Vulnerabilities: The UK's AI Safety Institute emphasized that Mythos poses the greatest threat to poorly defended systems. Keeping software updated and patching known weaknesses is the most effective defense
• Engage With Disclosure Programs: Organizations responsible for critical software should consider participating in initiatives like Project Glasswing to get early access to vulnerability information before it becomes public

Martin stressed that the most important action now is not to panic but to focus on building a safer online world. The existence of tools like Mythos, whether the capabilities are as dramatic as claimed or not, serves as a wake-up call for organizations that have delayed basic cybersecurity improvements .

What Does This Mean for the Future of AI Governance?

The Mythos situation reveals a fundamental tension in AI governance: how do you manage the release of powerful capabilities that could be used for both defense and offense? Anthropic's approach, giving access to trusted organizations while withholding from the general public, represents one strategy. But it raises questions about whether any single company should make these decisions unilaterally .

The involvement of finance ministers, central bankers, and international institutions like the IMF suggests that governments are beginning to treat powerful AI capabilities as matters of national and economic security, similar to how they treat nuclear technology or advanced weapons systems. This shift could reshape how AI companies develop and deploy their most powerful models in the coming years.