Anthropic’s Mythos and the new cyber risk asymmetry

Article
Published: 

The release of Anthropic’s Mythos Preview has sparked considerable debate across the cyber sector, regulatory communities, and industry.

Early reports suggest Mythos Preview can identify and exploit vulnerabilities at an unprecedented scale, raising important questions about how organisations will manage cyber risk in an AI-enabled threat landscape.

There are, of course, two sides to this discussion. One view is that tools like Mythos will transform cyber security in the short and long term by finding thousands of high-severity vulnerabilities, including in major operating systems and web browsers, faster and more cost effectively than is currently possible. Another view is that the widely cited 27-year-old vulnerability may already have been discovered but not reported or targeted because the incentives for auditing open-source code are often limited. Further, Anthropic has not yet released the data relating to false positives and manual human intervention during testing as a comparison to existing security tools.

At this stage, Anthropic has chosen not to make the model publicly available due to its advanced capabilities and the associated risks. Instead, it has been rolled out selectively to a limited group of partners known as Project Glasswing. 

Beyond the headlines and debate, there are several takeaways and actions for modern businesses to consider.

Cyber security

AI is rapidly closing the window between vulnerability discovery and exploitation. Traditional perimeter defences, static code scanning, and point-in-time manual testing become inefficient when an AI agent can autonomously surface novel attack vectors overnight. Boards and CISOs must now ask: “Are our defensive programs keeping pace with AI-augmented offence?” The asymmetry is clear: AI dramatically lowers the barrier for attackers, enabling sophisticated exploitation at a scale and speed that most defensive programs were never designed to handle. As a result, organisations cannot close this gap through traditional means alone.

Agentic AI redefines operational models

Beyond cyber security, Mythos-level AI capabilities herald the arrival of truly autonomous engineering agents. Organisations can accelerate development velocity, reduce technical debt, and reallocate talent toward higher-value innovation. However, without appropriate oversight, agentic systems introduce new risks, including non-human identity challenges, supply-chain compromise, unintended code propagation, and alignment drift.

Regulatory and reputational pressure will intensify

Regulators worldwide are already scrutinising AI safety and cyber security. In Australia, APRA and the Australian Signals Directorate are sharpening expectations around AI risk management and cyber resilience. The Mythos precedent, voluntary restriction paired with defensive collaboration, will likely influence forthcoming standards. Clients in regulated sectors (such as finance, healthcare and critical infrastructure) should anticipate heightened expectations around AI risk assessments, third-party model vetting, and incident response planning.

Competitive advantage through responsible adoption

Businesses that can leverage governed access to frontier AI models will outpace peers in both innovation and resilience. But the inverse is equally true. Organisations that cannot govern AI agents and data effectively will find themselves unable to safely adopt frontier models at all, compounding both their risk exposure and their competitive disadvantage.

Practical steps for organisations

AI governance and enforcement

So, what can businesses do to manage the risks and advantages of AI?

Many organisations have limited AI governance and responsible AI processes, preventing the oversight and protection needed for responsible AI use.

The action: Create an AI Strategic Plan that defines how your business will safely and effectively leverage AI to achieve its goals, outlining priority use cases, required capabilities, governance structures, risk controls (including accountability and human oversight), and investment pathways. After governance has been established, implement automated software enforcement mechanisms to ensure controls are actively maintained at the technology layer, not merely documented.

The value: This focus will set clear guardrails for ethical, secure, and compliant adoption while building the workforce, data foundations, and operating model needed for sustainable AI maturity. By automating governance enforcement, you demonstrate active control rather than passive policy, ensuring those guardrails are maintained at the technology layer.

Non-Human Identity (NHI) governance

Businesses have spent decades building identity governance around individuals. As AI agents become embedded across the organisation, those same controls don't apply. Non-human identities, service accounts, API keys, and application credentials operate outside traditional frameworks, and AI agents often carry the same permissions as the humans who triggered them. This is a security loophole that no policy document will close.

NHI governance must therefore be a core pillar of your organisation-wide AI governance framework, not an afterthought bolted onto legacy identity and access management (IAM).

The action: Discover every non-human identity across your environment. Govern them consistently by registering each with a unique identity and least privilege access scope. Enforce controls at the technology level through automated credential expiration, continuous monitoring, and access revocation.

The value: This is two-fold. With appropriate controls in place that contain the risk, organisations can confidently leverage AI agents to significantly accelerate manual tasks without fear of unchecked exposure. It also provides the peace of mind that compliance obligations are being actively met, rather than reactively managed.

Prioritise cyber-hygiene for AI readiness

While Mythos has limited availability, you can assume that offensive AI will soon have these capabilities. 

The action: Conduct an immediate AI surface area audit. Use existing AI to help inventory legacy code, outdated APIs, and ‘shadow IT’ that an agentic model could exploit.

The value: Patching the low-hanging fruit is no longer optional when AI can find and chain exploits in seconds. 

Data discovery and governance

The reason AI is so powerful is its ability to handle substantial context. Even without AI, the battle is won or lost on data quality.

The action: Discover and classify your data assets across structured and unstructured sources, including PDFs, internal wikis, and collaboration software logs. Evaluate the risk profile, apply appropriate controls, and ensure the data is governed consistently and formatted for optimal use.

The value: Well-governed data delivers significantly greater AI returns than a data swamp. It makes retrieval-augmented generation (RAG) systems more effective, ensures agents only draw from accurate, controlled sources, and defines what AI agents can and cannot access. This is why data governance and NHI governance must be designed together, not in isolation.

The move from “chat” to “automated reasoning”

The Mythos news suggests that AI's greatest value is now in autonomously chaining tasks, a method where AI agents or automated systems break down complex goals into a sequence of smaller, manageable sub-tasks, with the output of one task automatically becoming the input for the next.

The action: Move beyond basic Q&A prompts toward multi-step "reasoning chains." Instruct the AI to critique its own logic, cross-reference multiple documents, and solve for specific business outcomes rather than just generating text.

The value: By treating AI as a reasoning engine rather than a chatbot, firms reduce the risk of AI hallucinations and move from information retrieval to higher-fidelity problem solving. This shift allows partners to automate the “first 80%” of complex logic tasks, increasing throughput without sacrificing the rigour required for professional advisory.

Moving forward

As AI continues to evolve, organisations cannot afford to treat adoption as optional. However, releases like Anthropic’s Mythos highlight that adoption without governance is exposure. The organisations that will win are those that establish clear AI governance frameworks, govern their data and non-human identities with the same rigour as their people, and enforce controls at the technology level rather than the policy level. Done right, this is both risk mitigation and a competitive advantage. Mythos reveals the necessity for organisations to actively adopt AI, not only to safeguard against emerging threats, but also to secure a strong competitive edge.

How BDO can help

BDO’s cyber security, AI and risk specialists help organisations prepare for AI‑enabled threats through enforced AI governance, non‑human identity management, data discovery and control frameworks.

Get in touch for support to implement defensible, technology level controls that align cyber resilience with responsible AI adoption.

Key takeaways

AI‑enabled tools are creating a new cyber risk asymmetry
  • Advanced AI capabilities, such as those demonstrated by Anthropic’s Mythos Preview, significantly reduce the gap between vulnerability discovery and exploitation. This shifts advantage toward attackers, increasing pressure on organisations to reassess whether defensive programs can keep pace.
AI governance and operational controls are now critical to risk management
  • As AI capabilities expand, organisations must move beyond policy intent to implement structured governance, accountability and continuous assurance. This includes managing non‑human identities, strengthening data governance and embedding controls at the technology level.
Responsible AI adoption is becoming a source of competitive advantage
  • Organisations that can govern AI effectively, including data and access controls, will be better positioned to leverage innovation and improve resilience. Those without robust governance frameworks may face increased risk exposure and be unable to adopt advanced AI capabilities safely.

Authors

Subscribe to receive the latest insights.

Filter by: