The same AI model. Three governments. Three responses.
That’s the story the UK AISI’s reported evaluation of Claude Mythos Preview makes visible. Understanding what each government did, and why the differences matter, is more useful for enterprise security and compliance planning than the specific attack chain figures, which remain pending confirmation against the primary source.
What the AISI Evaluation Found (Qualified)
The UK AI Safety Institute is an independent government body established to evaluate frontier AI models for safety risks. It sits outside Anthropic’s organizational structure and is funded by the UK government. In the benchmark hierarchy, its evaluations rank as Tier 2: independent reproduction, above vendor self-report.
According to press coverage of the evaluation, AISI tested Claude Mythos Preview against a 32-step corporate network takeover simulation. The model reportedly completed an average of 22 of 32 steps and achieved full network takeover in 3 of 10 attempts. AISI reportedly also characterized frontier model cyber capabilities as doubling every four months, a significant statistical claim that hasn’t been independently verified and is pending Epoch AI tracking data.
These figures come from press coverage, not from the AISI report itself, whose primary source URL is currently broken. The methodology behind the simulation, how the 32 steps were defined, what constitutes “full takeover,” whether the test environment reflects realistic enterprise network configurations, can’t be assessed from press summaries alone. Once the official AISI report is available, those methodological details will matter for interpreting what the findings actually mean.
What the findings represent institutionally is unambiguous regardless of the specific numbers: a government safety institute, not a vendor, characterized a commercially available frontier model as demonstrating autonomous multi-step attack capability. That institutional framing has consequences that persist even if the figures shift on direct review.
The UK Response: Public Disclosure
Reports indicate the UK Business Secretary issued an emergency open letter to corporate leaders following the AISI evaluation’s publication, urging review and hardening of cyber defenses. If confirmed, this represents a specific government decision: that the public, including enterprise leaders, should know about these capabilities and act on them.
The public disclosure approach reflects a specific theory of AI safety governance. Transparency about evaluated capabilities allows the private sector to make informed security decisions. It creates accountability for model developers. It signals that the UK government treats AI safety evaluation as a public good rather than an internal policy input.
The UK AISI has published evaluation results before, its pre-deployment assessments of GPT-4 and Claude 3 were made available with varying levels of detail. The Mythos evaluation, if confirmed, continues that pattern at a higher capability threshold.
The US Response: Private Briefing
Prior reporting established that Anthropic briefed the Trump administration on Mythos, its cybersecurity capabilities, its restricted access model, and the reasoning behind keeping it from public deployment. No public advisory followed that briefing.
This isn’t a criticism of either government’s approach in isolation. Private briefings let policymakers receive sensitive capability information without creating public disclosure of attack methodologies. There’s a legitimate argument that detailed public capability assessments create a roadmap for bad actors alongside a warning for defenders.
But the divergence creates a real problem for multinational enterprises. A UK-headquartered company received a government advisory to harden its defenses based on the same capability assessment that a US-headquartered company never saw. Both operate in global technology markets. Both face the same threat landscape. The information asymmetry isn’t about risk, it’s about disclosure policy.
The EU Dimension: Does This Trigger Annex III?
The EU AI Act’s Annex III enumerates high-risk AI categories. None of them explicitly address offensive cybersecurity capabilities, the Act’s high-risk framework focuses on domains like employment, credit, critical infrastructure, and law enforcement, not on AI systems evaluated for attack capability.
But the EU AI Office’s reported Article 6 guidance this week, which addresses autonomous agents operating with “significant influence” on consequential decisions, opens a related question. A model capable of autonomous multi-step network intrusion doesn’t fit neatly into Annex III’s existing categories. It might fit under critical infrastructure if deployed in that context. It might fit under biometric identification or law enforcement categories depending on use case. What it doesn’t have is a dedicated high-risk category for autonomous offensive cyber capability.
This is an emerging gap in the EU regulatory framework. The Act was designed for AI deployed in decisions affecting people, not for AI deployed as a security tool or threat. The AISI findings may accelerate EU legislative attention to that gap, particularly as GPAI obligations (which do apply to frontier models like Claude Mythos) include systemic risk assessment requirements that arguably should capture this category of capability.
Access Governance: The Question All Three Jurisdictions Are Circling
Prior TJS coverage mapped how OpenAI, Anthropic, and Google DeepMind have built different access models for their most capable cybersecurity AI. The AISI evaluation of Mythos brings the access governance question into sharper focus: who should decide which organizations can work with a model that has demonstrated autonomous enterprise attack capability?
In the US, that decision is currently being made by Anthropic under its restricted access program, a private company making a governance call with national security implications. In the UK, a government body is now publicly characterizing the capability risk. In the EU, no specific framework yet addresses this category of model.
The three governments aren’t just responding differently to the same model. They’re operating under different assumptions about who bears responsibility for capability governance. US posture: developer-led access controls. UK posture: government evaluation with public disclosure. EU posture: regulation-of-deployment with a framework gap for offensive capability.
What Enterprise Security and Compliance Teams Should Do
Three actions are defensible regardless of how the AISI figures resolve on direct review.
First, map your AI security tooling against the access governance frameworks of whichever models you’re using or evaluating. If a vendor’s access program doesn’t specify how they govern distribution to organizations with sensitive infrastructure exposure, that’s a procurement risk question, not just a security question.
Second, brief your CISO and legal teams on the transatlantic disclosure divergence. If your organization has UK operations, you’ve received an implicit advisory via the government’s public response. If your organization is US-only, you haven’t. The threat landscape is the same.
Third, watch for the AISI report URL. When it surfaces on an official UK government domain, it will be the most specific public documentation of autonomous AI attack capability available. The methodology section will tell security teams more than the headline figures.
The capability threshold the AISI reportedly documented isn’t a surprise to people who’ve followed Mythos closely. The governmental response, and the divergence between jurisdictions, is the development that changes how compliance teams need to think about AI safety governance as a cross-border accountability question.