Anthropic's Claude Mythos AI model demonstrated an unprecedented ability to autonomously discover and exploit zero-day software vulnerabilities in secure infrastructure, raising significant global security concerns.

policy paper United States 9/10

Research · Council on Foreign Relations

Anthropic's AI model, Claude Mythos, has independently learned to hack into highly secure software systems, discovering thousands of unknown vulnerabilities ('zero days'). This capability poses profound dangers to critical infrastructure worldwide, leading Anthropic to restrict its release and form a consortium for defensive use.

Action required

Organizations and governments must rapidly assess and enhance cybersecurity defenses against AI-driven exploits, particularly for critical infrastructure, and consider new regulatory frameworks for advanced AI development and deployment.

Binding status

advisory

Governing body

Council on Foreign Relations

Direction

restrictive

Innovation impact

constraining

AI technologies

foundation modelsgenerative aireinforcement learning

Affected industries

financial servicesgovernmenttransportationenergycommunicationshealthcaretechnology

Affected roles

ctocisoengineeringproductcompliance

Linked intelligence briefs

Claude Mythos AI Hacking Capability Escalates Global Security Risk

Anthropic's Claude Mythos model has demonstrated advanced, autonomous offensive cyberattack capabilities, finding thousands of 'zero days' and exploit chains in previously secure systems [1]. The model was deemed too powerful for general release, leading Anthropic to restrict its deployment to a commercial consortium (Project Glasswing) for defensive purposes [2]. This event is described as an inflection point for AI and global security.

"Anthropic’s new AI model has taught itself to hack into software infrastructure systems believed to be among the most secure in history."

Enriched 2026-04-24

Stay informed

Get daily intelligence briefs on this and related regulatory developments.

Start 14-day trial

Important — about this brief

This brief is published by AIGI as a regulatory intelligence service. It contains general information about AI laws, regulations, enforcement actions, and policy signals across jurisdictions. It is not legal, compliance, audit, or risk-management advice; it does not establish an attorney-client, advisory, or fiduciary relationship; and it should not be relied upon as a substitute for professional counsel applied to specific facts and circumstances. Where the brief identifies “Issues for Review,” those are observations of questions a reader in a particular role might raise with their own legal, compliance, or risk function — not recommendations to act. AIGI expressly disclaims liability for actions taken or not taken in reliance on this brief. Subscribers in regulated industries should consult licensed professionals authorized to practice in their jurisdiction.

Full disclosures →