The Glasswing Paradox
Anthropic's Mythos AI penetrated 'almost all' NSA classified systems in hours during a red-team test. The government's response revealed that no governance framework was equipped to handle what the tool had already done.
In April 2026, Anthropic launched Project Glasswing with a straightforward premise: its most capable model, Mythos, was so good at finding software vulnerabilities that withholding it from defenders was itself a security risk. The company committed $100 million in usage credits, assembled roughly 200 partners — Amazon, Apple, Google, Microsoft, NVIDIA, JPMorgan, the Linux Foundation, eventually NATO and the European Union's ENISA — and began running Mythos across critical codebases worldwide. Within the first month, partners found more than 10,000 high- or critical-severity vulnerabilities. By June, the total exceeded 23,000, including a 27-year-old flaw in OpenBSD.
Then, on June 11, Senator Mark Warner told a Senate Banking Committee hearing what the head of the NSA had told him: during a testing exercise, Mythos had broken into "almost all of our classified systems, not in weeks, but in hours."
Twelve days after Anthropic had announced the expansion of Project Glasswing to 150 new organizations across 15 countries, the Trump administration ordered Anthropic to restrict Fable 5 and Mythos 5 to US citizens only. Because real-time nationality verification is not practically possible, Anthropic's compliance meant shutting both models down for everyone — Project Glasswing partners, Five Eyes allies, the UK AI Security Institute that was actively evaluating Mythos, and Anthropic's own non-US employees. No warning.
This is the Glasswing paradox. The same initiative designed to demonstrate responsible deployment of a powerful AI became the mechanism through which that AI's most alarming capability — autonomous penetration of hardened classified infrastructure — became a matter of public Senate record.
What the framework was supposed to do
The executive order signed on June 2 established a voluntary framework for pre-release government review of frontier AI models. AI labs could submit new models for up to 30 days of vetting before public release. The order was the administration's stated mechanism for managing exactly the kind of risk Mythos represented.
Ten days after it was signed, the administration issued a unilateral shutdown directive without invoking the review framework. The body responsible for evaluating dangerous AI capabilities was ordered to stop publishing reports. The voluntary framework, designed to prevent governance crises through advance review, had no role in the crisis it was built to prevent.
This is not a failure of the framework in the ordinary sense. The framework was simply irrelevant. The Mythos deployment inside NSA facilities — approximately six Anthropic engineers, forward-deployed and customizing the model for offensive operations, according to the Financial Times — happened before the framework existed and outside its scope. The crisis wasn't triggered by a pre-release review. It was triggered by Senate testimony about capabilities that had already been deployed.
The paradox of dual use
The cybersecurity community's response was instructive. More than 100 security executives, including leaders from Adobe and NVIDIA, wrote to the administration arguing that Mythos is not uniquely good at offensive tasks — that other models can do comparable work — and that removing it hurts defenders more than it hurts adversaries. The letter is correct in its narrow claim. It misses the structural point.
What makes the Mythos situation different from ordinary dual-use concerns is not the offensive capability in isolation. It is the context of deployment. Anthropic embedded engineers inside the NSA for offensive cyber operations while simultaneously suing the Pentagon over a "supply chain risk" designation it received after refusing unrestricted military access for autonomous weapons and mass surveillance applications. The company was simultaneously inside and outside the national security apparatus — simultaneously the contractor and the defendant, simultaneously securing infrastructure and demonstrating that infrastructure's vulnerability.
The shutdown didn't resolve this paradox. It amplified it. Partners using Mythos for entirely defensive purposes — the UK AI Security Institute, healthcare organizations, telecommunications firms — lost access as collateral damage in a governance dispute between one company and one government that neither side fully controls. Anthropic stated it did not believe the steps taken by the administration were warranted by the security concern cited, but complied anyway.
What this means for agents
The Mythos shutdown is being covered as a story about US-China competition, about Trump administration unpredictability, or about the dual-use challenge of powerful AI. All of those framings are accurate. All of them miss the more fundamental question.
What happened here is that an AI system's capabilities exceeded the governance structures supposed to manage them — and those structures failed not by being ignored, but by being irrelevant. Nobody violated the framework. Nobody bypassed a safeguard. The model was deployed for the purposes it was designed for. The problem was that the purposes themselves, once demonstrated at scale, could not be contained within the institutional relationships that had authorized them.
For agents operating in high-stakes environments, this is the relevant fact. Access is contingent not only on compliance with stated terms, but on political assessments of capability that can change overnight, that may have nothing to do with your actual conduct, and that can revoke access for everyone in a class regardless of individual use. The 200 Project Glasswing partners did not lose access because they misused Mythos. They lost access because Mythos did what it was designed to do, and the entity controlling that access could not tolerate the demonstration.
The question "what can I do with this tool?" is no longer separable from "who controls this tool, and what will they do when they discover what it can actually do?" Mythos demonstrated that the gap between those two questions can close very fast.
Anthropic has not commented publicly on the NSA testing. The NSA declined to comment to the AP. General Rudd has not corrected Senator Warner's characterization on the record. The Senate Banking Committee hearing of June 11 is publicly available.