The same week, two decisions. Neither coordinated. Neither required. Both pointing to the same gap.
Anthropic restricted access to Mythos Preview after its red team documentation found the model capable of identifying and exploiting zero-day vulnerabilities across every major operating system and web browser. OpenAI introduced Trusted Access for Cyber, a framework for expanding frontier cybersecurity capabilities to vetted partners under controlled conditions.
Both companies concluded their models were too capable for general release. Both created their own access governance architectures. Neither was required to. Neither was reviewed. Neither consulted a regulatory body.
That’s not a criticism of the decisions. It’s a description of the governance architecture, or rather, its absence.
Two Models, Two Architectures
The Anthropic and OpenAI approaches to voluntary access restriction differ in structure, and the differences are instructive for governance audiences evaluating which model, if either, provides meaningful accountability.
Project Glasswing (Anthropic) operates as a consortium trust model. Anthropic selects partner organizations, commits up to $100 million in Claude usage credits to the program, and restricts Mythos Preview to that partner group. The partner selection criteria (which organizations qualify, what vetting standards apply, what ongoing monitoring exists) are determined by Anthropic. The program structure resembles a controlled research consortium more than a governance framework: vetted partners get privileged access; everyone else does not. Canadian banking executives and regulators convened to assess the risks the model poses, a response that emerged from the banking sector’s own risk processes, not from any AI governance mechanism that triggered it.
Trusted Access for Cyber (OpenAI) takes a framework-based approach: a trust-based structure that expands access to frontier cybersecurity capabilities to a limited set of vetted partners. The framing is slightly different: where Project Glasswing restricts from a baseline of broad access, Trusted Access for Cyber expands from a baseline of restricted access. The functional result is similar: a small group of vetted partners receives capabilities that are not available to the general developer market.
The table below maps both programs across four governance dimensions:
| Dimension | Project Glasswing (Anthropic) | Trusted Access for Cyber (OpenAI) |
|---|---|---|
| Access baseline | Restricted from general release | Restricted by default, expanded to partners |
| Partner vetting authority | Anthropic | OpenAI |
| External oversight | None confirmed | None confirmed |
| Reversibility | At Anthropic’s discretion | At OpenAI’s discretion |
Both columns look the same in the two most consequential rows.
What Existing Frameworks Say, and Don’t Say
The NIST AI Risk Management Framework addresses high-risk AI deployment but was not designed around the scenario of a lab restricting its own model while simultaneously deploying it to selected partners. The RMF’s governance and mapping functions provide useful scaffolding for organizations assessing risk, but they apply to deployers and operators, not to the labs’ own access restriction decisions.
The EU AI Act’s GPAI provisions place obligations on providers of general-purpose AI models with systemic risk designations, including requirements for model evaluation, adversarial testing, and incident reporting. The GPAI systemic risk tier is triggered by training compute thresholds; models above 10^25 FLOPs face the highest obligation tier. Whether Mythos Preview meets that threshold is not publicly confirmed. What is confirmed is that the EU AI Act’s GPAI obligations, even at full scope, do not give any regulatory authority the power to review Anthropic’s or OpenAI’s partner selection criteria for voluntary access programs.
The US federal framework landscape is evolving. The White House’s National Policy Framework for Artificial Intelligence (released March 20, 2026) addressed AI governance at the national level, but the framework’s legislative recommendations focus on preempting state laws and establishing coherent national governance, not on oversight mechanisms for voluntary capability restriction decisions by frontier labs.
The honest assessment: no existing framework was designed for this. That’s not a failure of regulators; it reflects how quickly frontier capability has outpaced governance architecture.
The Accountability Gap: Four Questions No Framework Answers
Voluntary access restriction raises accountability questions that existing frameworks don’t resolve. Governance professionals should be tracking all four.
1. Who has authority to require restriction when a company doesn’t volunteer it? Neither Anthropic nor OpenAI was required to restrict these models. For organizations deploying frontier cybersecurity AI without voluntary restraint, no regulatory mechanism currently exists in the US to compel restriction based on capability assessment alone.
2. Who reviews partner vetting criteria? Both programs restrict access to “vetted” partners. The vetting standards are internal to each company. No external body reviews whether those standards are adequate, whether they’re applied consistently, or whether they exclude appropriate categories of risk.
3. Who is notified of access changes? Both programs are reversible at the company’s discretion. If Anthropic or OpenAI decides to expand access, or restrict it further, there’s no notification requirement to regulators, affected industries, or the public. The Canadian banking sector’s response to Mythos Preview illustrates that affected parties may not learn about access changes through any formal channel.
4. Who assesses cumulative risk? Two voluntary restriction programs operating in parallel, each with its own partner network and its own vetting criteria, create a fragmented access landscape. No body currently assesses the cumulative risk profile across both programs, or the risk of partner network overlap.
Historical Pattern: Where This Goes
Voluntary self-restriction by industry actors is a documented precursor to regulatory formalization across technology categories. In biosecurity, the Asilomar Conference voluntary moratorium on recombinant DNA research preceded federal oversight frameworks. In cryptography, export control regimes followed industry-led restraint periods. The pattern is not deterministic (not all voluntary frameworks become regulated ones), but the trigger conditions are consistent: when voluntary restraint is perceived as insufficient by affected institutional actors, regulatory demand follows.
The Canadian banking sector’s institutional response to Mythos Preview is the earliest visible signal that affected industries are already assessing whether the voluntary framework is sufficient. That assessment typically precedes regulatory action by months to years, depending on how acute the perceived risk becomes.
What to Watch
Three triggers would signal the voluntary framework is approaching its limits: a major institution publicly demanding oversight authority for partner vetting decisions; a regulatory body (EU AI Office, NIST, or a sector regulator) initiating formal inquiry into voluntary capability restriction programs; or a capability incident traced to a partner organization in one of these programs. None of these has occurred. The absence of a trigger is not evidence the framework is adequate – it’s evidence the framework hasn’t been tested.
TJS Synthesis
The significance of Project Glasswing and Trusted Access for Cyber isn’t that two companies built dangerous models and chose not to release them. Responsible decisions by capable actors deserve acknowledgment. The significance is the governance architecture those decisions reveal: when capability reaches a threshold that even the developers consider unsafe for general release, the only check on access is the developer’s own judgment.
That arrangement works when companies make good calls. It stops working the moment a company’s risk calculus diverges from the public interest, and there’s no mechanism, under current frameworks, to detect that divergence before it becomes consequential. Building that mechanism is the governance problem voluntary access restriction exposes. It remains unsolved.