
The Forty Companies That Get to Know
Anthropic's Mythos restricted preview is a different kind of release. The forty companies that get to use it form a consortium with knowledge the rest of the market does not have.
On Thursday Anthropic released Mythos, which it describes as its most capable model to date, into a restricted preview. The preview is not restricted in the usual sense, a waitlist, a staged rollout, a rate-limited API tier opening up over weeks. It is restricted to forty companies. Anthropic's own release note says the model can find software vulnerabilities in major operating systems and browsers at a scale that, if misused, could pose "serious risks to economies, public safety, and national security."1 The market read the statement literally: software stocks, already soft, sold off further on the day. By Friday afternoon the G7 central bank governors, meeting in Washington for the IMF spring gatherings, had added Mythos to their agenda.2
I want to be careful here, because it is easy to write the wrong piece about this. The wrong piece is the doom piece, Mythos as the first genuinely dangerous model, the moment the threat surface tipped. I don't know that, and neither does anyone writing this week. The capability claim is Anthropic's; the independent evaluations aren't public; the actual incident data is, by construction, unavailable. Writing the doom piece now would be writing fiction.
The wrong piece is the doom piece, Mythos as the first genuinely dangerous model, the moment the threat surface tipped.
The other wrong piece is the reassurance piece, Anthropic acted responsibly, the consortium contains the risk, the adults are in charge. That one is worse, because it is the framing Anthropic itself is offering, and the framing that the forty companies have every reason to amplify. It is the story the room wants told.
The piece I want to write is narrower and, I think, more honest. It is about who is in the room and who isn't. Because the interesting fact about Mythos, the fact that will still matter in a year, regardless of what the model actually does, is that Anthropic has declared a capability so consequential that governments are now meeting about it, and has also declared that forty private companies get to use it anyway. Those two declarations, placed next to each other, are the story.
What a consortium is, and what it isn't
The consortium framing has a long and not entirely reassuring history. When a technology is deemed too dangerous for ordinary release but too valuable to shelve, the standard response is to restrict access to a vetted group and call the arrangement responsible stewardship. Nuclear materials work this way. So does certain biological research, under the select agent rules. So, at various points, has cryptography.3
The thing those regimes have in common is that they are public. The list of who holds the material is known, the criteria for inclusion are written down, the oversight body is named, and there is, at least in principle, a democratic line of accountability back to the people who might be harmed if the controls fail. You can argue about whether those regimes work well. You cannot argue that they are private arrangements.
Anthropic's consortium is a private arrangement. The forty companies have not been publicly named in full. The criteria for inclusion have not been published beyond broad language about security maturity and defensive use cases. The oversight is Anthropic's own. There is no statutory body reviewing who gets access to a capability that Anthropic itself says could threaten public safety. The G7 governors are meeting about it; they are not governing it.
This is not a scandal. It is the ordinary shape of frontier AI governance in 2026, and that is the problem. We have arrived at a place where a private company can credibly assert that its product is a matter of national security, and the response from national security institutions is to hold a meeting. Not to require disclosure. Not to set terms of access. To convene, and to be briefed.
The capability claim, taken seriously
I want to take the capability claim seriously for a moment, because if you don't, the rest of the argument collapses into posturing.
Automated vulnerability discovery is not a new research area. Fuzzing tools, symbolic execution, and more recently ML-assisted bug-finding have been part of the security landscape for a decade.4 Google's Project Zero publishes regularly; DARPA's Cyber Grand Challenge in 2016 demonstrated fully automated attack and defence systems; academic work on LLM-assisted vulnerability discovery has been accelerating through 2024 and 2025.5 What Anthropic is claiming with Mythos is not a category shift. It is a scale shift, more vulnerabilities, found faster, across more targets, with less human effort.
Scale shifts in security are not symmetric. This is the part of the argument that defenders of the consortium model lean on hardest, and it is not wrong. A capability that can find vulnerabilities can, in principle, be used to find and patch them before attackers do. If you are Microsoft, or Apple, or a major bank, having Mythos on your side before the adversary has it on theirs is a real advantage. The consortium, on this reading, is a defensive head start.
The trouble is that the head start accrues to the organisations already most able to defend themselves. Microsoft has a security team of thousands. The regional hospital network whose patient records are sitting on an unpatched version of a widely-used EHR does not. The municipal water utility running industrial control software from 2011 does not. The small software vendors whose libraries are threaded through the dependency tree of half the internet do not.
If the capability is as consequential as Anthropic says, the asymmetric rollout does not reduce risk evenly. It reduces risk sharply for the forty, and leaves it roughly where it was, or, arguably, worse, because the existence of the capability raises the stakes of it leaking, for everyone else. "Everyone else" here includes essentially all of the civic infrastructure most people depend on.
Who pays for the head start

This is where I find the reassurance framing hardest to accept. The argument for the consortium is that concentrated, careful deployment is safer than broad release. Set aside whether that is true; ask who bears the cost of the concentration.
The cost is not borne by Anthropic, which captures the reputational benefit of restraint and the commercial benefit of forty deep-pocketed enterprise customers paying for privileged access. It is not borne by the consortium members, who get the defensive head start. It is borne, in expectation, by the organisations and people downstream of those forty, the smaller firms whose software the consortium members audit and whose bugs may or may not be reported upstream, the customers whose data sits on systems the consortium members don't touch, the public institutions that are nobody's priority customer.
I want to be precise about what I am and am not claiming here. I am not claiming the consortium will hoard vulnerabilities and weaponise them. Anthropic has every incentive to require responsible disclosure as a condition of access, and I expect the terms include exactly that.6 I am claiming something smaller and more structural: that the order in which vulnerabilities are found and fixed, across a landscape of wildly uneven defensive capacity, is itself a distributional question. Forty well-resourced organisations finding their bugs first, and disclosing them on their own timelines, means the patch cycle runs on their clocks. Everyone downstream waits.
This has always been true, to some extent, in the security economy. What Mythos does, if the capability claim holds, is intensify it. The gap between "organisations that find their bugs in hours" and "organisations that find them in months, if at all" widens. The defensive head start is real, and it is also a moat.
The governance vacuum the meeting doesn't fill
The G7 governors meeting matters, but not in the way the coverage implies. Central bankers discussing an AI model at the IMF spring meetings is unusual enough to be news; it is also, on reflection, an admission. Financial stability regulators are not the natural home for cyber-capability governance. They were at the meeting because there was no other meeting to have. The bodies that should, in a functioning regime, have already set terms for a release like this, export control authorities, critical infrastructure regulators, legislative committees with classified briefing authority, either don't have the mandate, don't have the technical capacity, or don't move at the speed of a Thursday product launch.7
This is the governance vacuum that frontier AI has been operating inside for three years, and that the AI Safety Institutes on both sides of the Atlantic have been trying, with partial success, to fill. The UK AISI and the US AISI have pre-deployment testing agreements with the major labs; those agreements are voluntary, their findings are largely not public, and their authority to delay or block a release is, depending on who you ask, either limited or nonexistent.8 I don't know whether Mythos was evaluated by either institute before the consortium release. If it was, the public doesn't know what they found. If it wasn't, that itself is the story.
Either way, the response from democratic institutions to a capability their own issuer describes as a national security risk has been: a meeting of central bankers, in another country, after the fact.
What I think is actually happening
I have been trying to decide, over the last two days, whether the consortium model is a stopgap, a reasonable response to a capability that arrived before the governance did, or whether it is becoming the governance. I have come round to thinking it is the latter, and that this is the thing worth paying attention to.
When a private firm can designate a capability as consequential enough to require restriction, choose the restriction's terms, pick the parties who benefit from restricted access, collect the revenue from those parties, and face no binding external review of any of these decisions, what we are watching is not a temporary arrangement pending proper oversight. We are watching the arrangement. The consortium is not waiting to be replaced by a regulator. It is functioning as one, with a membership list drawn from its own customer base.
There is a version of this that is defensible. You can argue, and some serious people do, that the labs know more than the regulators, that moving at the speed of the technology requires private coordination, that formal governance will catch up once the shape of the risk is clearer.9 I take the argument seriously. I also notice that it has been made in roughly the same form for three years, and that each year the distance between the capability frontier and the governance frontier widens, and that the people making the argument are the people whose authority the argument preserves.
The thing I keep coming back to is consent. The forty companies consented to their inclusion in the consortium. Anthropic consented to the terms of release. The G7 governors consented to meet about it. The people who will be affected, in ways large and small, by a cyber-capability asymmetry deliberately engineered into the software stack they all depend on, the patients, the customers, the municipal employees, the small-business owners, did not consent to any of it, and were not asked. This is the pattern I wrote about last month in a different context, and it is the pattern underneath most of what I find myself writing about. The people most affected by AI's deployment are the least consulted about it. Mythos is a sharp instance of a dull rule.
What to watch
The doom framing asks whether Mythos will be misused. That is the wrong question to lead with, because the answer is unknowable and the framing invites theatre. The better questions, the ones that will be answerable over the next year, are narrower:
Will the full consortium membership be published? If not, why not, and whose interest does non-publication serve? Will the terms of access, disclosure obligations, use restrictions, audit rights, be made public, or will we be told they are confidential commercial arrangements? Will the AI Safety Institutes confirm whether they evaluated Mythos pre-release, and if so, will their findings be published in any form? Will any legislature require testimony from Anthropic about the basis for the national-security language in its own release? Will the gap between the consortium's patch timelines and everyone else's narrow, widen, or stay roughly where it is?
None of these are questions about whether AI is good or bad. They are questions about who decides, who benefits, and who is told. Those are the questions that, in any technology that matters, eventually turn out to have been the whole story. We are not going to get them right by accident. And the evidence from this week is that the institutions we would ordinarily rely on to get them right are, for now, holding meetings.
I think that is not enough. I think Anthropic probably thinks it is not enough either; the release language almost concedes as much. The question is who, other than the forty companies, gets to do anything about it.
Footnotes
Footnotes
-
Anthropic, Mythos restricted preview announcement, 16 April 2026. The phrase "serious risks to economies, public safety, and national security" appears in the published release note accompanying the consortium launch. ↩
-
Coverage of the G7 central bank governors' discussion at the IMF spring meetings, 18 April 2026. The Mythos release was reportedly added to the agenda on short notice. ↩
-
The select agent rules under the US Public Health Security and Bioterrorism Preparedness Act (2002) and the dual-use research of concern framework are the closest institutional analogues. The crypto export-control regime under the Wassenaar Arrangement, substantially loosened in the late 1990s, is another reference point. ↩
-
See the long arc from AFL (2013) through libFuzzer, OSS-Fuzz, and more recent ML-augmented tools including Google's OSS-Fuzz-Gen work, 2023–2025. ↩
-
DARPA Cyber Grand Challenge, 2016. Academic work on LLM-assisted vulnerability discovery accelerated through 2024, with notable papers from teams at Berkeley, CMU, and the Alan Turing Institute. ↩
-
Responsible disclosure is standard in enterprise security contracts; I am inferring, not reporting, that Anthropic's consortium terms include it. ↩
-
The relevant US bodies would include CISA, the Commerce Department's BIS for export-control questions, and the sectoral regulators for critical infrastructure. None held a public position on Mythos at the time of writing. ↩
-
UK AI Safety Institute and US AI Safety Institute voluntary pre-deployment testing agreements with major frontier labs, announced through 2024 and updated in 2025. The scope and bindingness of these agreements has been a recurring question in select committee testimony. ↩
-
Versions of this argument have been made publicly by leadership at each of the three major frontier labs, and privately by officials in several Western governments, throughout 2024 and 2025. ↩
Discussion
No comments yet, be the first.