Anthropic — Unauthorized Access to Mythos AI Model

AI relevance: Claude Mythos is Anthropic's most cyber-capable model to date (it completed the UK AISI's 32-step simulated cyber-attack), and unauthorized access to it through a third-party vendor shows how AI safety controls can be bypassed via the supply chain.

  • Anthropic confirmed it is investigating a report that a small group of users gained unauthorized access to the unreleased Claude Mythos Preview model
  • Access was obtained through a third-party contractor environment; the users reached the model using techniques employed by cybersecurity researchers
  • The model was released to a limited testing group including Apple and Goldman Sachs on the same day the unauthorized access occurred
  • The users reportedly had no malicious intent — Bloomberg described them as more interested in "playing around" with the technology than causing harm
  • The UK's AI Security Institute (AISI) warned last week that Mythos represents a "step up" in cyber-threat capability over previous models
  • Mythos was the first AI model to complete AISI's 32-step cyber-attack simulation, succeeding in 3 out of 10 attempts; the tasks involved normally take human professionals days
  • UK AI minister Kanishka Narayan said businesses "should be worried" about the model's ability to spot IT system flaws that hackers could exploit
  • This is the second major AI supply-chain access incident this month, following the Vercel breach via Context.ai (also involving a third-party relationship)

Why it matters

Mythos represents a fundamentally new class of AI capability — autonomous multi-step cyber operations — that governments and security agencies have flagged as potentially destabilizing. The fact that it was accessed by unauthorized users through a third-party contractor on the same day it was released to vetted testers demonstrates that even the most carefully controlled AI rollouts are vulnerable to supply-chain access paths. The "third-party vendor" vector is especially concerning because it means safety controls applied at the vendor level can be circumvented by anyone who compromises or has legitimate access to the contractor's environment. As Anthropic and other labs develop increasingly powerful models, the operational security of their testing pipelines and vendor relationships becomes a national-security concern.

What to do

  • Monitor the investigation: Anthropic's findings will set precedents for how AI labs handle unauthorized access to unreleased models
  • Audit third-party access: Organizations working with AI vendors should map and tightly control all contractor and vendor environments that can reach sensitive models
  • Update AI governance policies: Board-level AI risk programs should explicitly address the supply-chain access path as a vector for exposing dangerous capabilities
  • Prepare for regulatory response: The UK AISI and government officials are already publicly alarmed — expect policy and regulatory attention to intensify
