Anthropic restricts access to vulnerability-finding AI, raising questions about disclosure and governance

Anthropic introduced Claude Mythos Preview last week, a vulnerability-detection AI model the company deemed too risky for public release. Instead of general availability, access was capped at approximately 50 organizations, including cloud providers and infrastructure vendors, through an initiative called Project Glasswing. The company released highlights of the model's capabilities: discovery of thousands of vulnerabilities spanning major operating systems and browsers, including flaws that had persisted for decades, and the ability to convert Firefox security gaps into 181 functional attacks—a significant increase from its predecessor model's two.

Schneier acknowledges that restricting access to a powerful security tool reflects responsible practice in principle. However, he highlights a critical gap: Anthropic disclosed that security contractors agreed with the model's severity ratings 198 times with 89 percent agreement, but did not publish data on false positive rates. Research on similar AI systems shows they often identify authentic bugs with high precision while simultaneously generating plausible-sounding false alarms. Without this unfiltered output data, the disclosed examples may not represent typical model behavior.

A second structural concern centers on software types. Mythos was trained primarily on widely distributed open-source projects, major browsers, and popular frameworks—precisely the systems used by the 50 organizations granted access. This creates a natural advantage for early patching in mainstream software. Conversely, software outside the training distribution—industrial control systems, medical device firmware, specialized financial infrastructure, older embedded systems—represents the domain where Mythos is theoretically least capable in raw form. Yet an adversary with specialized knowledge in these fields could use the model's reasoning capabilities as a multiplier to probe systems that Anthropic's own engineers lack expertise to audit.

Schneier argues that meaningful risk reduction would require structured access for academic researchers, domain specialists, and civil-society organizations—cardiologists partnering with medical device security teams, control-systems engineers, and researchers focused on less mainstream software ecosystems. Fifty companies, however carefully selected, cannot replicate the distributed expertise that would enable comprehensive independent evaluation and defense across the full spectrum of critical infrastructure. He notes that OpenAI has announced similar restrictions on its GPT-5.4-Cyber model, and that smaller, cheaper public AI models have partially replicated some of Anthropic's published findings, raising questions about the true novelty of these releases.

Beyond capability assessment, Schneier frames the governance question as one of democratic legitimacy. A private company, even one acting in good faith, should not unilaterally decide which pieces of global critical infrastructure receive security resources first. He calls for mandatory transparency—aggregate performance metrics, independent auditing frameworks, and funded access for researchers outside the vendor circle. Absent such frameworks, each restricted release of a Mythos-class model places society on the edge of an unobservable precipice regarding unknown vulnerabilities, he writes, without meaningful public input into decisions that affect collective security.