Perilous AI Technologies Are On the Horizon Regardless

Late last week, Anthropic took its Claude Fable 5 and Mythos 5 AI models offline in response to a U.S. government export-control order prohibiting “any foreign national” from accessing the services. The company has been negotiating with the White House since Friday but has not yet reached an agreement that would permit the reinstatement of its offerings.

Since the launch of Mythos in April, Anthropic has asserted—and cautioned—that the model has sophisticated capabilities for identifying software vulnerabilities to assist defenders in patching them, as well as for discovering methods to exploit them, which could potentially be misused by malicious entities. Anthropic acknowledged this dual-use aspect during the launch of Mythos 5 and Claude Fable 5, stating, “A significant portion of advanced AI model applications is dual use: the same queries beneficial to cybersecurity experts and biology researchers can pose a threat if accessed by malicious actors,” as noted in a blog post last week.

In light of this, the company initially launched a version called Mythos Preview to an exclusive consortium as part of a working group known as Project Glasswing. Last week, Mythos 5 was also privately shared with this group, while Claude Fable 5, a Mythos-tier model, was publicly released with restrictions on answering queries about biology and cybersecurity.

However, at the end of last week, the Trump administration moved to impose restrictions on both models, citing concerns that Fable 5’s safeguards could be bypassed, allowing full access to Mythos 5’s functionalities, thus posing a national security threat.

Experts argue that this institutional conflict merely obscures a more profound reality: while Anthropic may currently be at the forefront, AI capabilities across various companies and open-source developers will likely have comparable abilities to Mythos 5 in the near future—if they don’t already.

“It’s exceedingly shortsighted to assume that no other competitors to Anthropic will develop similar abilities to Mythos, or that they haven’t already done so,” comments Tarah Wheeler, chief security officer at the cybersecurity consulting firm TPO Group. “Several other companies are closely following Anthropic and may possess similar capabilities that they are withholding for now, observing how Anthropic navigates the current regulatory landscape.”

Anthropic has been stressing this point since the Mythos Preview launch. “The core message is that this is not solely about the model or Anthropic,” said Logan Graham, the company’s frontier red team lead, in an interview with WIRED when Mythos Preview was introduced in April. “We must prepare now for a world where these capabilities become widely accessible in 6, 12, or 24 months.”

OpenAI, for instance, also conducted a private release of a cybersecurity-oriented model in mid-April and announced an expanded cybersecurity initiative.

Researchers emphasize that even before the emergence of these next-gen models, existing AI solutions could be repurposed for sophisticated vulnerability hunting and exploit development through refined utilization. A significant group of cybersecurity leaders conveyed this message to the administration in an open letter on Sunday, asserting that the White House’s export-control directive was misguided.

“It’s not just one model; it’s the overall trajectory of technology,” states Bruce Schneier, a researcher at Harvard University and the University of Toronto who has been closely analyzing the situation. “Smaller, more affordable, open-source models—individually or in combination—could rival the performance of Mythos/Fable with more advanced prompting. We should expect other models to match the creativity and persistence of Mythos/Fable within months, with a slightly longer timeline for open-source versions.”

Experts suggest that what the White House and governments worldwide should focus on is the democratic development of broader, more transparent strategies to address the advancements in AI capabilities related to cybersecurity and other sensitive sectors as they emerge.

“The policy question should not revolve around whether a technology presents risks,” states Chris Wysopal, co-founder of the cloud security firm Veracode. “The critical question is whether a particular restriction meaningfully diminishes that risk or simply hampers those striving to enhance safety in systems.”