In February, the Pentagon designated Anthropic a "supply chain risk" and moved to restrict its use across the Department of Defense. Two months later, reporting by Axios has confirmed that the NSA is actively using Anthropic's most restricted model, Claude Mythos, and that the agency is not alone. The contradiction sits at the heart of how the US government is actually navigating AI: official policy in one direction, operational reality in another.
Mythos Preview is unlike anything Anthropic has released publicly. When Anthropic's safety teams tested it earlier this year, the model demonstrated the ability to autonomously find and exploit vulnerabilities in every major operating system and web browser. In one documented test, it wrote a browser exploit that chained four separate vulnerabilities together, using a complex heap spray to escape both the renderer sandbox and the operating system sandbox. In another, it found a 27-year-old bug in OpenBSD that would allow an unauthenticated attacker to remotely crash any machine running the operating system. Over 99 percent of the vulnerabilities it identified had not yet been patched.
Not everyone accepts this characterisation at face value. Two independent studies published this week found that smaller, openly available models can reproduce most of the vulnerability findings Anthropic used to justify the lockdown. All eight models tested, including one with just 3.6 billion parameters costing eleven cents per million tokens, identified the OpenBSD memory bug Anthropic showcased as a signature Mythos capability. One open model, Kimi K2, identified something Anthropic had not highlighted: the attack vector could propagate automatically between machines, making it wormable. Marc Andreessen publicly questioned whether Anthropic is withholding Mythos due to genuine safety concerns or simply because it lacks the compute infrastructure to support a broad rollout. Financial Times reporting suggests the latter is at least part of the picture.
The independent evaluation from the UK's AI Security Institute complicates both narratives. AISI confirmed that Mythos does represent a genuine step up: it achieved 73 percent on expert-level capture-the-flag challenges and completed a 32-step corporate network attack simulation end-to-end in three of ten attempts, averaging 22 steps where the previous best model averaged 16. But AISI also noted that its test environments lacked active defenders and defensive tooling, meaning the real-world gap against well-secured systems remains unknown. The honest picture is that Mythos is meaningfully more capable than its predecessors on hard tasks, while the specific demonstrations Anthropic chose for its public announcement were ones that smaller models can also handle. The company selected its showcase examples with care.
Anthropic's response was to lock the model down sharply: access restricted to approximately 40 organisations, with only 12 publicly identified. The stated rationale was that offensive cyber capabilities at this scale, released broadly, would constitute a systemic risk. The Council on Foreign Relations called Mythos "an inflection point for AI and global security." Regulators in Australia joined counterparts globally in monitoring its deployment, specifically for risks to banking infrastructure.
The NSA's use of the model fits a pattern that security agencies have followed with powerful tools before: the argument that you need to understand a weapon in order to defend against it. Most of the confirmed Mythos deployments involve organisations scanning their own environments for exploitable vulnerabilities, turning the model's capabilities inward rather than outward. The NSA's framing, if it has offered one, would presumably follow the same logic.
What makes the situation complicated is the simultaneous legal position. The Department of Defense, under which the NSA operates, has been arguing in court that Anthropic's technology poses national security concerns. The two positions are not formally contradictory: a supply chain designation addresses procurement risk and vendor relationship concerns, while operational use is a separate decision pathway. But they point in incompatible directions, and the practical message they send is that the blacklist is more political than substantive.
Anthropic's CEO met with senior US officials last week to discuss "collaboration opportunities" and how to manage scalability challenges as access to Mythos potentially broadens. That meeting happening at all is its own signal: whatever the official procurement posture, the people responsible for US cybersecurity have concluded that not having access to the most capable offensive vulnerability scanner ever built is a worse risk than having it. Fortune reported separately that Mythos finds software flaws faster than companies can patch them, which creates an uncomfortable dynamic where the model's very existence changes the threat landscape for everyone who does not have access to it.
The UK's AI Security Institute has also confirmed access to the model. The pattern emerging is of a small circle of state intelligence and security agencies that have quietly concluded this tool is too operationally significant to leave unused, regardless of what any official policy document says. Whether that represents a reasonable security calculation or a case study in how AI governance breaks down the moment something genuinely useful arrives is, at minimum, a question worth asking.