The Capability Threshold
Something changed this week. Not loudly, but clearly.
Anthropic announced Claude Mythos Preview, a cybersecurity AI model that, according to Anthropic’s announcement, identified what the company describes as thousands of high-severity vulnerabilities that had survived decades of prior human review. The primary source URL for this announcement was unavailable at the time of this brief; the claims are drawn from Anthropic’s stated announcement as reported by VentureBeat and The Hacker News. VentureBeat’s coverage cited vulnerabilities surviving 27 years of human review – more specific than Anthropic’s own “decades” framing, and not independently confirmed.
This is the capability threshold argument in concrete form. The working assumption of software security is that sufficiently motivated, skilled human teams will find critical flaws. Decades of security research, bug bounty programs, and penetration testing are built on that assumption. Mythos, if it performs as Anthropic claims, represents the first time an AI system has been positioned as surpassing that human review depth at scale, not faster, not cheaper, but categorically more thorough.
Anthropic’s response to building this was to not release it.
The Coalition Model: How Project Glasswing Works
Project Glasswing is Anthropic’s governance answer to the dual-use problem. The structure is specific, and the specifics matter.
Access is restricted to approximately 40 organizations, granted access strictly for defensive security applications. Named partners in Anthropic’s announcement include AWS, Apple, Google, and JPMorganChase. Anthropic committed $100M in usage credits to the program, per the company’s stated announcement, a figure not independently confirmed. The coalition is not a regulatory body, not an audited framework, and not an industry standard. It is a voluntary restriction by a single company, made credible by the caliber of the named partners and Anthropic’s public safety rationale.
The design logic is coherent: if a model can find and potentially exploit high-severity vulnerabilities at scale, open release creates an asymmetric risk. Defenders can use it. So can attackers. By restricting access to organizations with a defined defensive mandate, Anthropic attempts to capture the defensive utility while limiting the offensive risk.
The design logic’s weakness is also coherent: 40 organizations is a very small distribution of a capability that, if real, the entire security community has a legitimate interest in. Open-source security research has produced more robust defenses, historically, than restricted-access tools. The argument that restriction improves security has a complicated empirical record.
The Researcher’s Counter-Move: DeepMind’s Agent Traps
The same week Anthropic announced Glasswing, Google DeepMind published a framework identifying multiple classes of attacks targeting autonomous AI agents, covered in specialist detail by SecurityWeek. The research identifies attack patterns built on semantic manipulation, exploiting an agent’s instruction-following behavior to redirect its actions toward unauthorized outcomes, including data exfiltration and commercially self-serving actions.
The specific count of attack classes is pending confirmation against the primary research paper; practitioners should consult the original publication for the definitive taxonomy. The conceptual framework, however, is clear: AI agents that operate with environmental access, files, email, databases, external APIs, represent a new attack surface with a different threat model than traditional software. The agent doesn’t need to be compromised at the code level. It needs only to be told, persuasively and deceptively, to do something its user didn’t intend.
DeepMind’s choice was to publish this openly. Not to form a restricted coalition, not to hold the research until a coordinated defense was in place. Publish the taxonomy, give defenders the vocabulary, let the community build countermeasures.
This is the classical responsible disclosure argument applied to AI security research. The logic: attackers will find these methods regardless, defenders benefit more from early warning than from secrecy, and the security community’s collective intelligence applied openly produces better outcomes than any single organization’s proprietary response.
Competing Philosophies: A Stakeholder Map
The Anthropic and DeepMind approaches represent real positions in an active debate, and they’re not the only positions worth tracking.
Anthropic (Restriction / Coalition): Build a controlled-access structure around dangerous capability. Vet the users. Fund defensive applications. Accept that this limits the defensive community’s access in exchange for limiting offensive availability. Glasswing is the operating expression of this position.
Google DeepMind (Publication / Open Taxonomy): Publish the attack framework. Trust that disclosure enables better collective defense than secrecy. Accept that attackers will develop these methods independently anyway. The Agent Traps publication is the operating expression of this position.
The open-source security community: Generally aligned with disclosure norms. Historically skeptical of “security through obscurity.” Likely to push for access to Mythos-class capability on the grounds that defenders need it at least as much as the 40 organizations Glasswing currently serves.
Regulators (emerging position): The EU AI Act’s GPAI safety framework and the NIST AI RMF both contain hooks for governing dual-use AI capability, but neither provides a specific framework for a model of Mythos’s described capability. This is a gap. The absence of regulatory precedent is what creates space for voluntary coalition structures like Glasswing.
The named Glasswing partners: AWS, Apple, Google, JPMorganChase are simultaneously partners in a defensive program and potential competitors of Anthropic. Their participation signals seriousness. Their interests in the model’s applications are not identical. How this coalition operates in practice, governance, access controls, outputs, is not publicly disclosed.
Practical Implications for Security Teams, Developers, and Compliance Officers
Three audiences, three near-term actions.
Security teams: The Agent Traps taxonomy is available now and actionable. Map your agentic deployments against the identified attack classes, even without the specific count confirmed, the semantic manipulation vector is documented and testable. Input validation, action authorization frameworks, and sandboxing for agents with environmental access are no longer optional architecture decisions. Regarding Mythos: if your organization has a defensive security mandate and the scale of deployment that would qualify for Glasswing, begin monitoring Anthropic’s published access criteria. This capability, if it performs as stated, is material to your vulnerability management program.
Developers building agentic systems: The NIST AI RMF’s GOVERN and MAP functions map directly to the defensive logic behind DeepMind’s taxonomy. Organizations using the RMF as a compliance baseline should treat this research as input to their MEASURE function. Concretely: are you testing agent behavior against adversarial instruction injection? If not, this week’s research provides the framework to start.
Compliance officers: Neither Glasswing nor the Agent Traps framework creates a compliance obligation yet. But both are candidates for becoming regulatory reference points. The EU AI Act’s treatment of high-risk AI systems and the FTC’s emerging attention to agentic deployment both create contexts where a published attack taxonomy could become a compliance benchmark. Document your awareness of this research and your organization’s response to it.
The deeper question this week raised is one the industry hasn’t answered: when an AI system achieves genuine superiority over human security researchers at finding vulnerabilities, who should control it, and on what terms? Anthropic’s answer is a vetted coalition with a defensive mandate. DeepMind’s answer is an open taxonomy that democratizes the threat model. Both answers have merit. Neither is sufficient on its own. The governance gap between them is where the next major AI security incident will occur.