Anthropic just gave the public a much better picture of where the real AI concern may be headed, and it is not "AI drew a decent picture" or "AI wrote some passable code." The company's new Claude Mythos Preview is being kept out of general public release because Anthropic says it has become unusually strong at finding and exploiting software vulnerabilities, including flaws that survived decades of human review and millions of automated tests. Instead of a broad launch, Anthropic put it behind a restricted program called Project Glasswing for selected defenders and critical-software organizations.
That should reframe the entire conversation.
The loud public debate around AI is still stuck on jobs, art, and whether the machine can fake its way through creative work convincingly enough to annoy people on the internet. Those debates matter, but they are not the sharpest edge of this technology anymore. The sharper edge is that frontier AI models are getting very good at identifying the cracks in digital systems, and once that capability spreads beyond controlled environments, it will not be used only by the good guys.
There is a big difference between finding vulnerabilities and exploiting vulnerabilities, and readers need that distinction early. A vulnerability is a weakness in software or hardware that could be abused. Exploitation is the act of actually using that weakness to gain access, crash systems, steal data, or take control. Anthropic is not saying merely that Mythos can spot suspicious code. It is saying the model is strong enough across the vulnerability lifecycle that it forced a restricted release strategy instead of a normal public product launch. That is a very different category of signal than "our chatbot got better at autocomplete."
And yes, there is a clear upside here. If a model can identify serious flaws faster than humans or older tools, that could improve software security quickly. Anthropic's stated goal with Project Glasswing is exactly that: helping defenders patch critical software before attackers get there first. NIST, the National Institute of Standards and Technology, is already treating this as a two-sided reality: organizations need to secure AI, use AI to improve cybersecurity, and defend against adversarial uses of AI all at once.
But this is also where the real danger begins.
The concern is not mainly that commercial AI products from major vendors will be casually used by average people to knock over power grids from a laptop at Starbucks. The more credible concern is capability leakage and proliferation. Once advanced techniques, model behaviors, fine-tuning methods, or strong cyber-focused models reach the wider public ecosystem, they can be self-hosted, modified, stripped of safeguards, and reused by people with very different goals. Reuters reported in January that researchers found internet-accessible open-source large language models, or LLMs, being used in ways that could enable phishing, spam, fraud, disinformation, and data theft, with many deployments modified to remove protections.
That is where readers need some background on terms, because this topic gets sloppy fast. An LLM, or large language model, is the broad class of AI system behind tools that generate text, code, and increasingly reason across technical tasks. A guardrailed commercial model is usually accessed through a company's hosted service, where the provider can set policies, throttle abuse, log activity, and update safety systems. A self-hosted model is run by the user or organization on their own infrastructure. Once that happens, guardrails can be weakened, rewritten, or removed entirely. That does not mean open models are automatically evil. It means control shifts, and with that shift comes a wider attack surface for misuse.
That distinction matters because a lot of the public conversation still sounds like this: "Well, Company X would never allow that." Fine. Maybe Company X would not. But the internet is not a gated community with one landlord and a clipboard. Even if major labs slow-roll access, restrict APIs, and work with trusted partners, capability has a way of spreading. The more powerful these systems become, the harder containment gets. That is one reason Anthropic's restricted release is notable. It is an admission, whether intentional or not, that the company believes raw public access would materially raise cyber risk.
This is why I think we are in the early stages of an AI arms race, especially in cybersecurity.
That phrase can sound dramatic, but in this case it is fairly literal. Defenders are racing to use AI to harden systems faster. Attackers are racing to use AI to discover weak points faster. Microsoft's 2025 Digital Defense Report says the growth and adoption of AI in cybersecurity benefits both defenders and threat actors. OpenAI's June 2025 threat report documented China-linked actors using AI to support phases of cyber operations. NIST's new AI-cyber work is built around the idea that organizations now have to think about AI as both shield and sword. None of that is science fiction. It is already administrative paperwork, which is how you know the future has arrived wearing ugly shoes.
Where this gets especially uncomfortable is U.S. critical infrastructure.
A lot of the systems that keep water flowing, electricity moving, and services functioning were not designed with this level of AI-assisted adversarial pressure in mind. Government guidance is already waving the flag. CISA, the Cybersecurity and Infrastructure Security Agency, along with the FBI and the NSA, warned in late 2025 that integrating AI into operational technology environments introduces significant risks. Operational technology, or OT, means the hardware and software that directly monitors or controls industrial equipment and physical processes: the stuff that actually turns valves, manages treatment systems, or runs equipment in the real world.
Water systems are a particularly sobering example. The EPA warned in 2024 that drinking water systems needed to address cybersecurity vulnerabilities, and this week the EPA joined the FBI, CISA, NSA, the Department of Energy, and U.S. Cyber Command in a fresh advisory saying cyberattacks on drinking water and wastewater systems directly threaten public health and community resilience. The agency's language was blunt: a single breach can disrupt treatment, damage equipment, introduce contaminants, and erode public trust. That is not a hypothetical movie plot. That is a federal press release trying very hard not to sound alarmist while still sounding alarmed.
It is also important to say this plainly: a lot of real-world infrastructure is not held together by elegant modern architecture and flawless segmentation. Much of it survives because people working inside those systems know where the weak spots are and keep the whole machine limping forward through experience, patches, workarounds, and institutional memory. The GAO, the Government Accountability Office, said in 2025 that of 10 critical federal legacy IT modernizations it flagged years earlier, only three had been completed as of February 2025, with some remaining projects still years away or lacking a completion date entirely. That slow pace matters because attackers do not pause politely while modernization committees finish their slide decks.
This is why I do not think the main AI story is about whether a junior designer loses a job to a prompt tool.
That is a real labor issue, and it deserves serious discussion. But the bigger strategic concern may be that AI is moving from "can imitate work" to "can uncover weaknesses." Once models become very good at that, the stakes change. If a frontier system can find bugs in software that has already been reviewed for years, then the question is not whether that capability is useful. Of course it is useful. The question is how long it takes before similar capability becomes broadly available outside controlled channels, through open weights, derivative models, leaked methods, stripped-down self-hosted versions, or future public releases by labs that make different decisions.
That does not mean every open model is a digital crowbar.
We should be careful here. "Open" is not the same thing as "criminal," and open-weight or open-source ecosystems can support research, transparency, competition, and defensive innovation. But openness plus high cyber capability plus weak or removable safeguards is a different policy problem than a hosted consumer chatbot that says no when asked to do something reckless. Reuters' reporting matters because it points to what happens after deployment, when models are put on public servers, run by third parties, or modified beyond the original provider's control. In other words, the issue is not simply what a lab intends. It is what the broader ecosystem enables.
I also do not think this is a panic moment.
It is a realism moment.
There is no credible path where AI development simply stops and everyone goes home. Even if the U.S. government got dramatically more aggressive tomorrow, too much capability, too much research, and too much model infrastructure already exists in the public domain for progress to freeze cleanly. NIST's current work, Microsoft's threat reporting, and the very existence of restricted programs like Glasswing all point in the same direction: the practical problem now is adaptation, not fantasy shutdown. The next normal is arriving whether people are emotionally prepared for it or not.
So what does moving forward look like?
First, it means taking legacy infrastructure seriously before attackers do it for us. That includes segmentation, patching, strong authentication, offline recovery plans, and ruthless auditing of exposed systems. EPA's own enforcement messaging has focused on basics like access control, passwords, and cyber hygiene because the boring failures are still very much alive. Second, it means understanding that AI for defense is no longer optional theater. Organizations will need AI-assisted code review, anomaly detection, red-teaming, and vulnerability management because the attacking side will not politely agree to stay analog. Third, it means policymakers and operators need to think beyond one vendor's guardrails and plan for a world in which powerful cyber-capable models exist outside neat commercial containers.
And finally, it means being honest with readers.
The real AI concern is not that it can make a decent image, mimic a writing style, or crank out code that passes a superficial glance. The real concern is that AI is getting very good at finding the weak seams in the digital world, and the digital world runs a lot more than our email and social feeds. It runs pieces of our water, power, transport, communications, and public systems too. If those systems modernized at the speed of the threat, I would sleep better. They do not. They modernize like a county office waiting for toner approval.
That is why I think the biggest AI story may end up being cybersecurity, not art and not labor.
AI will help defenders. It will also help attackers. The balance may not stay on the defenders' side for very long. That is not a reason to panic. It is a reason to prepare, modernize, harden what we can, and stop wasting time arguing only about the parts of AI that are easiest to turn into social media food fights. The machine drawing a picture is not the headline. The machine finding the door you forgot to lock is.
