Anthropic Withholds Mythos as Restricted-AI Era Begins

When Anthropic announced in April that its newest model had systematically probed every major operating system and web browser for exploitable flaws, the company did something unusual: it decided not to ship it. Claude Mythos remains locked behind a restricted program called Project Glasswing, available to roughly 50 vetted organizations. The fallout from a broader release, Anthropic warned, could be severe for economies, public safety, and national security.

That framing signals a structural shift in how frontier artificial intelligence gets developed and distributed. According to Nature, Helen Toner, interim executive director at Georgetown University's Center for Security and Emerging Technology, called the Mythos decision likely to be replicated across the industry. "I would expect this to more be the first in a series rather than a one-off," said Toner, who formerly sat on the board of OpenAI.

The prediction aged quickly. By late April, Price Per Token was tracking a TechCrunch report confirming that OpenAI had moved to restrict access to its own model, Cyber, after initially criticizing Anthropic for limiting Mythos. Both companies pivoting within weeks of each other suggests restricted access is hardening into a de facto norm rather than an outlier policy decision.

What makes Mythos different

The core concern is offensive security capability. As Gerrit De Vynck, who covers AI for The Washington Post, explained in a PBS NewsHour segment, all software carries bugs, but exploiting them requires deep expertise - the ability to sift through enormous codebases to find gaps that enable system compromise. Mythos performs that kind of sustained, methodical analysis at the level of a skilled human security researcher over a full workday, compressed into a fraction of the time.

Its capabilities go beyond simple scanning. The model excels at agentic, long-horizon reasoning - pursuing complex multi-step tasks without losing context across extended sessions. That same quality that makes it valuable for legitimate security auditing is precisely what makes unrestricted access hazardous.

Anthropics current approach threads a narrow path: grant access to more than 40 companies, including direct competitors, in exchange for structured vulnerability disclosure. The goal is to map what the model can do under controlled conditions before any wider deployment is considered. Whether that arrangement scales to dozens of future restricted models is an open question nobody has answered yet.

The governance gap

The Mythos episode arrives during a broader reckoning about whether governance structures can keep pace with advancing AI capability. At the ATxSummit conference in Singapore this month, experts warned that waiting for a catastrophic incident before acting would be a strategic mistake. Stuart Russell, computer science professor at UC Berkeley, framed the stakes bluntly: if a Chernobyl-scale AI disaster occurred, the societal response - not just the regulatory one - could demand a full industry shutdown, erasing trillions in accumulated investment.

Computer Weekly reported that Karan Bhatia of Google pushed for a deeper, ongoing rhythm of collaboration between regulators and industry, arguing that traditional governance timelines are structurally incompatible with how fast the technology moves. Elham Tabassi of the Brookings Institution added that safety cannot function as a post-release checklist - it needs to be designed into systems from the start.

What none of these frameworks yet addresses is who decides when a model is too dangerous. Anthropic made that call internally, then disclosed it publicly. No independent body holds authority to audit the decision, no agreed threshold would trigger mandatory restriction, and no standardized protocol governs what a controlled release looks like in practice. Project Glasswing is a company initiative, not an industry standard.

That gap matters more as capability compounds. If the restricted-model era is indeed beginning, the rules governing access will need to live somewhere other than each company's internal risk team.

Whether more models will be withheld from general release already seems likely - OpenAI followed within weeks. The harder question is whether governance infrastructure gets built before it becomes urgently necessary, or only after a failure forces the issue.

---

Frequently Asked Questions

What is Claude Mythos and why is it restricted?
Mythos is Anthropic's most capable model as of April 2026, restricted from public release because it can identify exploitable vulnerabilities across major operating systems and browsers at the level of a skilled human security researcher.

What is Project Glasswing?
Project Glasswing is Anthropic's controlled-access program that gives roughly 50 vetted organizations, including rival AI companies, limited access to Mythos for structured vulnerability testing.

Did other AI companies follow Anthropic's approach?
Yes. OpenAI restricted access to its own model, Cyber, in late April 2026, shortly after publicly criticizing Anthropic for limiting Mythos.

Who decides when an AI model is too dangerous to release?
Currently, individual companies make that determination internally. There is no independent regulatory body or industry standard that governs when or how restricted releases must be conducted.