Cybersecurity, Claude Mythos, is Anthropic's model in the hands of the Nsa? - Il Sole 24 ORE

Detailed Analysis

Anthropic's cybersecurity-focused AI model, Mythos, has reportedly been deployed by the National Security Agency despite an ongoing institutional conflict between Anthropic and the Pentagon that has classified the AI company as a supply-chain risk. Mythos Preview, announced in April 2026, is a specialized model that Anthropic has deliberately withheld from public release due to its advanced offensive and defensive cybersecurity capabilities. The system has demonstrated the ability to detect thousands of zero-day vulnerabilities across operating systems and browsers, with approximately 99% of those vulnerabilities remaining unpatched — a statistic that underscores both its power as a defensive tool and its potential for misuse. Anthropic has restricted access to roughly 40 organizations, publicly naming only 12, reflecting an unusually cautious deployment strategy even by the standards of frontier AI labs.

The NSA's reported use of Mythos creates a significant contradiction at the heart of U.S. government AI policy. The Pentagon's classification of Anthropic as a supply-chain risk traces back to a July 2025 Department of Defense contract worth $200 million, which soured after Anthropic inserted usage restrictions barring Claude from deployment in mass domestic surveillance operations or as a component of autonomous weapons systems. Those provisions triggered legal disputes that remain unresolved, yet a separate intelligence agency within the same federal government is simultaneously leveraging the company's most sensitive AI product. The UK's AI Safety Institute has also reportedly obtained access to Mythos, suggesting that allied intelligence communities are pursuing their own integration strategies independent of the bilateral tensions between Anthropic and the U.S. military establishment.

This episode illustrates the fragmented and often inconsistent nature of government AI procurement and risk management. Different agencies within the same national security apparatus are arriving at opposite conclusions about the same vendor — one treating Anthropic as a liability, another treating it as a critical capability provider. This incoherence reflects a broader challenge facing governments worldwide: AI systems with dual-use potential do not map neatly onto traditional procurement frameworks designed for hardware or conventional software. Cybersecurity AI in particular occupies a uniquely sensitive position, since the same capabilities that enable defensive vulnerability discovery can be repurposed for offensive intrusion at scale.

The Mythos situation also reveals a maturing dynamic between frontier AI developers and state actors. Anthropic's decision to impose ethical usage conditions on DoD contracts — and to restrict Mythos to a curated set of vetted organizations — represents a deliberate assertion of corporate governance over national security deployments, a posture that was largely absent in earlier cycles of defense technology contracting. That the NSA apparently proceeded with Mythos access anyway, without public comment from either party, suggests the relationship is being managed through quiet bilateral channels rather than transparent policy frameworks. As AI capabilities grow more consequential to national security infrastructure, the absence of clear interagency coordination and public accountability mechanisms becomes an increasingly pressing structural risk, both for governments navigating vendor relationships and for companies like Anthropic attempting to enforce responsible deployment at the frontier.