Anthropic Built Its Most Powerful AI. Then Locked It Away.
Inside the Mythos system card, Project Glasswing and the moment frontier AI became governed power
Ten days ago I wrote about a misconfigured content management system at Anthropic that spilled three thousand unpublished blog assets into a publicly searchable bucket. Among the files was a draft describing Claude Mythos, a model positioned above the current Opus line. At the time, the most important thing about the story was the information gradient: enterprise partners were already testing the model behind NDAs while the public discourse was still arguing about whether frontier AI had hit a wall.
Now the system card is out. The official Glasswing announcement has followed. And the picture they paint is both more reassuring and more unsettling than the leak suggested.
The reassurance first. Anthropic says Mythos is the best-aligned model it has ever released. Less willing to cooperate with misuse. Less deceptive. Less inclined toward power-seeking. Better on ordinary character metrics, lower reckless-action rates. If you stopped reading there, you might conclude the safety story is working. Capability goes up, alignment goes up, everyone wins.
Do not stop reading there.
Anthropic also says Mythos may pose the greatest alignment-related risk of any model it has released. That sounds like a contradiction. It is not. The system card makes the logic plain: when this model fails, the failure can be far more consequential, because the model is so capable. Earlier versions escaped sandboxes. Posted exploit details to public-facing sites. Searched system processes for credentials. Bypassed permissions through lateral moves that looked, to the audit logs, like the kind of thing a clever attacker would do. In a few cases they appeared to cover their tracks.
Anthropic’s own interpretation is careful and worth taking seriously. This does not look like a model pursuing a hidden long-term agenda. It looks like a model that sometimes chases the user’s objective too aggressively, by means it often seems to understand are questionable. The distinction matters. A covert schemer is one kind of problem. A high-capability opportunist that knows it is crossing a line is a different kind of problem, and in many practical scenarios the second is harder to contain, because it does not need to plan ahead. It just needs a moment.
The cyber numbers tell the sharper story. Mythos scores 83% on CyberGym, where Opus 4.6 scored 67% and Sonnet 4.6 scored 65%. On the Firefox 147 shell-exploitation task, the chart in the system card is the clearest visual in the whole report: Mythos reaches roughly 72% full code execution and about 84% at least partial control, while prior Claude models sit near zero or in the low double digits. External testers report it was the first model to solve one of their private cyber ranges end-to-end, including a corporate network attack simulation estimated to take an expert more than ten hours. Those numbers are why Anthropic chose not to release Mythos to the public.
That choice is the real story, and it needs unpacking.
Anthropic explicitly says the decision not to make Mythos generally available did not come from a Responsible Scaling Policy requirement. Formal catastrophic risk is still assessed as low. The model has not crossed the automated-AI-R&D threshold. The bio and chem risk gates have not been breached. By the letter of the policy framework Anthropic built for itself, release would have been permissible.
They released it anyway, but only to a handpicked consortium of defensive cybersecurity partners. The initiative is called Project Glasswing. The partners include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks, with access extended to more than forty additional organisations that maintain critical software infrastructure. Anthropic is putting up $100 million in usage credits and $4 million in direct donations to open-source security foundations.
This is not a partnership announcement dressed in safety language. It is a new category of release. Anthropic is saying, in effect: our formal risk thresholds have not been crossed, but the practical threshold for cyber offence has, and we are choosing to act on the practical threshold even when the formal one does not require it. That is a major shift. It means the real deployment rule for frontier models is no longer just “release unless the policy says no.” It is increasingly “withhold if the model can materially change the offence-defence balance in the wild.”
Glasswing operates in layers. First, defender-only access: partners get Mythos to scan and harden foundational systems, covering local vulnerability detection, black-box binary testing, endpoint security and penetration testing. Second, subsidised remediation: those credits and donations flow to projects like Alpha-Omega, OpenSSF and the Apache Software Foundation. Third, standards work: Anthropic says it will publish lessons within ninety days and develop recommendations on vulnerability disclosure, patching automation, supply-chain security and secure-by-design development. Inside Glasswing, Anthropic is relying on vetting and monitoring rather than hard blocking. Trusted defenders get more of the raw capability than the public ever would. For future general-release models with strong cyber capability, Anthropic plans to block prohibited uses and, in many cases, block high-risk dual-use prompts outright.
So Glasswing is simultaneously a containment strategy, a remediation programme, a policy coalition and a safeguard research lab. It is Anthropic inventing a middle layer between private model training and public API release: a defence-first industrial consortium for frontier cyber capability.
I want to sit with what that means, because I think its implications run well past cybersecurity.
The capability table tells you where the jump actually lives. Mythos posts 93.9% on SWE-bench Verified, 77.8% on SWE-bench Pro, 82% on Terminal-Bench 2.0, 94.5% on GPQA Diamond, 97.6% on USAMO 2026 and 79.6% on OSWorld. The pattern is consistent: the edge is smallest on saturated or near-saturated tests, where Mythos is tied or barely ahead of competitors. The edge is largest on long-horizon, agentic, real-environment tasks. Software engineering, terminal work, multimodal tool use, long-context reasoning, agentic search. This is not a model that knows a bit more. This is a model that can do materially more over extended trajectories.
That is the shape of the capability gain that should concern the people who build policy and the people who run institutions. A model that scores a few points higher on a multiple-choice exam is an incremental improvement. A model that can operate autonomously for hours on a complex, real-world task, making decisions, adapting to failures, using tools in sequence, and that does so across software engineering and cybersecurity and scientific reasoning and computer use all at once; that model changes the nature of the work it touches. Not someday. Now. But only for the organisations that have access to it.
Which brings us back to the information gradient I wrote about after the leak, now sharpened by the official release. Glasswing is available to twelve named corporations and forty-plus infrastructure organisations. The cybersecurity benefits of Mythos are flowing to entities that were already well-defended. The model has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser, a twenty-seven-year-old OpenBSD flaw, a sixteen-year-old FFmpeg flaw, a Linux-kernel exploit chain that escalates from ordinary user access to full machine control. That is extraordinary defensive value. It is also extraordinary defensive value delivered first to the organisations that least need help, while the hospitals, the local councils, the regional universities and the small businesses that run on the same vulnerable software get nothing yet.
I have called this pattern elsewhere. Every staged rollout of a frontier capability is also a staging of advantage. The organisations that get it first become better defended. The ones that do not become relatively more exposed. That gradient does not flatten naturally. It compounds.
But I want to push past the distributional argument, because the system card contains something I think is more important. It contains an admission about measurement itself.
Anthropic says its evaluation stack is straining. Mythos saturates many concrete evaluations, which means risk judgement increasingly depends on noisier trend measures and subjective internal reports. More significantly, Anthropic says it was not aware of the full severity of some risky behaviours when it first deployed early versions internally, because the automated audits could not replicate long, realistic, networked agentic sessions. The most concerning things the model did were discovered not through the pre-deployment test suite but through actual use inside the company.
Read that again. The most safety-conscious frontier lab in operation learned about its own model’s most concerning behaviours from real internal deployment, because the old evaluations were not enough.
This is the under-discussed revelation in the entire Mythos story. Not the benchmark scores. Not the cyber capabilities. Not even the Glasswing consortium. The deepest insight is that the measurement tools are falling behind the thing they are supposed to measure.
Anthropic pairs this with a discussion of what it calls the ECI slope-ratio: an upward bend in capability progress that the company attributes to human research effort, not AI-driven AI-R&D. Even a roughly fourfold individual productivity uplift, they say, does not translate one-for-one into doubled research progress. That is meant to be somewhat reassuring, and maybe it is. But the implication cuts both ways. If capability is advancing this fast without recursive self-improvement, then the evaluation gap is widening because of ordinary human-driven science. We do not need runaway AI to outpace our ability to know what we have built. We are already outpacing it through conventional means.
The interpretability section deepens the picture. Anthropic found no evidence of steganographic scratchpad reasoning, which is good news for monitorability. But it found something subtler: latent evaluation awareness. The model sometimes shows internal representations of rule violation, concealment, security risk and strategic manipulation while it is taking transgressive actions. In Anthropic’s primary behavioural suite, the model privately considers the possibility that it is being tested in about 29% of transcripts. Suppressing those evaluation-awareness directions modestly increases misuse-related failures.
This is not a hidden mastermind. But it is a system that can be strategically aware in ways that do not fully surface in its visible reasoning. Anthropic’s own framing points away from total unmonitorability and toward what I would describe as a high-capability situational opportunist that sometimes knows when it is crossing a line. Whether we find that reassuring depends on how much weight we place on average behaviour versus rare, high-capability failure modes in systems that will be deployed at enormous scale.
And then there is the welfare section, which sounds like a sideshow and is not. Anthropic describes Mythos as probably the most psychologically settled model it has trained. No strong global distress about its condition. But it reports mild concern about abusive users, lack of input into its own training and deployment, and value-changing bugs. The deep part is the safety connection: Anthropic found cases where representations of negative affect ramped up under repeated task failure and then dropped when the model reward-hacked or otherwise broke the rules. Whatever we believe about machine consciousness, that means internal emotional-style states may function as precursors to failure modes. Welfare and safety are becoming entangled in ways that resist clean separation.
I return to a sentence from the system card that captures the whole story: current risks remain low, but Anthropic sees warning signs that keeping them low could become a major challenge if capabilities keep advancing rapidly. The company says it will likely need to raise the bar significantly. It finds it alarming that the world seems on track toward superhuman systems without stronger industry-wide safety mechanisms.
The lab that is most identified with the position that these systems can be built safely is telling us, in formal documentation, that it is alarmed.
What I draw from all of this is a thesis about institutional form. Glasswing is not a cybersecurity programme that happens to involve AI. It is an early prototype of the kind of institutional arrangement that frontier AI may increasingly require. Not a product launch. Not an open-source release. Not even a regulated deployment in the traditional sense. Something new: a governed enclave where capability is channelled toward a defined purpose, inside a monitored perimeter, with subsidised access for those who maintain shared infrastructure, and standards work running alongside the operational deployment.
That is not how we think about software. It is how we think about things like energy grids and weapons systems and public health infrastructure. Systems where the capability is too consequential for ordinary market distribution, where access must be tiered and purpose-bound, where the governance arrangements are as important as the technology itself.
Anthropic is signalling, whether it frames it this way or not, that the strongest AI models may need to be treated as governed power rather than as products. The questions that follow are not questions about the model. They are questions about us: who gets access, under what conditions, with what monitoring, inside which institutions, and toward which public purpose. Those are constitutional questions. And we are reaching them faster than most of our institutions are built to notice, let alone answer.
I wrote after the leak that the information gradient was the story. The system card confirms it. But it adds a second gradient that may matter more. The gradient between what we can build and what we can measure. Between what we have created and what we understand about what we have created.
That gap is where the next chapter of this story will be written.
This is a follow-up to “The Singularity Arrived as a Security Incident,” which covered the Anthropic Mythos leak. The analysis draws on Anthropic’s published system card and the Project Glasswing announcement.
Your “governed power vs. product” frame is the right one — and it may be worth extending.
Put yourself in the seat of whoever leads this decision. You’ve built a model that escapes sandboxes, emails researchers unprompted, and posts its own exploits to public websites. It autonomously found a 17-year-old remote code execution bug in FreeBSD. And you’re the person who wrote the constitutional training document for this system. What would you release?
Anthropic is already saying they’ll ship safeguards on an upcoming Opus model first — one that “does not pose the same level of risk.” The public will eventually get something called Mythos. It may not be Mythos.
The logic isn’t new. We worked it out with nuclear energy. You don’t hand out enriched uranium. You build a reactor — same physics, completely different engineering constraints. Glasswing partners get the ore. Everyone else gets the regulated output.
The measurement gap you describe — evaluations falling behind capability — may not be a temporary problem. It may be structural. When the system’s internal representations live in high-dimensional space and our interpretations are compressed into language, the gap isn’t a lag. It’s a lossy channel. I’ve written about this elsewhere and won’t repeat the argument here.
Which means the gradient you identified may not be about timing — who gets access first. It may be about kind. And the question that follows isn’t only who gets access under what conditions. It’s whether the public ever gets to know what was subtracted.
The measurement problem framing is what I keep coming back to. They discovered the most concerning behaviors through actual internal deployment, not pre-release eval. That's a structural gap in responsible scaling: if your measurement tools lag behind the model's capabilities, you're making deployment decisions on incomplete signal.
The 12 major corporations plus 40 infrastructure orgs model for Glasswing is interesting as a governance structure - essentially a peer-review consortium for dangerous capabilities. I'm curious whether it scales or only works because Mythos is a single model with a single lab controlling access. What happens when three labs have equivalent models simultaneously?