anaboo.ai

An AI just found a 27-year-old security flaw, and regulators are panicking

20 February 2026 | Brett Alegre-Wood | 7 min read
Tags: AI Cybersecurity, Claude Mythos, Project Glasswing, AI Governance, AI Sprawl, Enterprise AI Security, Anthropic

TL;DR

Anthropic's Claude Mythos, a restricted AI model not available to the general public, found a 27-year-old security flaw in OpenBSD during testing, a vulnerability the world's best human security researchers had missed for nearly three decades. Global financial regulators in the UK, US, and Australia are now in emergency meetings. Meanwhile, a survey of 1,900 IT leaders by OutSystems reveals that 94% of businesses are already struggling with AI sprawl: uncontrolled AI deployment creating dangerous blind spots inside their own networks. The threat is real, it is now, and most businesses are completely unprepared.

What is Claude Mythos and why is it fundamentally different?

This is not a chatbot upgrade. Anthropic, the maker of Claude and one of the leading AI companies in the world, has launched a preview of their most capable model yet, codenamed Claude Mythos. Experts are calling it an "AI superhacker." It is not designed to write poetry or summarise documents. It is designed to understand, analyse, and modify existing software code at a level that was previously thought to be years away from being possible.

The model is so powerful, and the implications so serious, that Anthropic is refusing a general public release. Instead, they launched a highly restricted programme called Project Glasswing, granting access to over 45 select organisations, including Apple, Google, Amazon Web Services, Microsoft, and Nvidia, exclusively for defensive use: finding and fixing their own vulnerabilities before someone else finds them first.

What security flaw did Claude Mythos actually find?

AI has now surpassed human capability in finding deeply hidden, critical vulnerabilities in the software that runs the world.

During testing, Claude Mythos identified a 27-year-old security weakness in OpenBSD, an operating system specifically known for its obsessive focus on security. The best human security researchers on the planet had missed this flaw for nearly three decades. And it was not a one-off. Anthropic claims the model has uncovered vulnerabilities in every major operating system it has been tested against. Every single one.

We are no longer dealing with AI that helps coders work faster. We are dealing with AI that can autonomously detect flaws in the very foundation of our digital infrastructure, flaws that the best human experts in the world could not find in nearly thirty years of trying.

Why are global regulators treating this as an immediate emergency?

Regulators are usually years behind the curve. They wait for something to go wrong, form a committee, publish a consultation paper, and eventually produce guidelines that are already outdated. Not this time. The reaction to Claude Mythos has been swift, coordinated, and deeply concerning in its urgency.

The world's top financial and security regulators are treating this new generation of AI as an immediate, systemic threat to global infrastructure.

  • UK: The Bank of England, the Financial Conduct Authority, HM Treasury, and the National Cyber Security Centre are in "urgent" talks via the Cross Market Operational Resilience Group (CMORG). This group includes eight of the UK's biggest banks, four major financial infrastructure providers, and two of the largest insurers. The Financial Times reported that representatives from major British banks, insurers, and exchanges are expected to be warned about vulnerabilities Mythos has already exposed.
  • US: Treasury Secretary Scott Bessent has called a meeting with the largest American banks. The concern is not theoretical: an AI model now exists that could, in the wrong hands, systematically identify and exploit weaknesses in the financial infrastructure the global economy depends on.
  • Australia: The Australian Government has signed a Memorandum of Understanding with Anthropic specifically focused on AI safety research, confirmed by the Department of Industry, Science and Resources as a commitment under the National AI Plan.

When the people responsible for the stability of the global financial system are calling emergency meetings about a piece of software, you need to pay attention. This is not science fiction. It is a clear and present danger to every business that relies on digital infrastructure, which, in 2026, means every business.

What is the AI sprawl problem, and is it already inside your business?

The external threat from tools like Mythos is only half the story. The other half is already inside your walls. As businesses rush to deploy AI agents, software that can autonomously execute tasks, make decisions, and interact with other systems, they are creating massive new attack surfaces within their own networks. Most of them have no idea how exposed they are.

A survey of 1,900 global IT leaders by OutSystems reveals the scale of the problem:

  • 96% of organisations are already using AI agents in some capacity
  • 97% are exploring system-wide agentic AI strategies
  • 94% report deep concern that "AI sprawl" is actively increasing their complexity, technical debt, and security risk
  • Only 12% have a centralised platform to manage this chaos

Businesses are mixing custom-built agents with pre-built ones from different vendors, deploying them across fragmented environments with no standardised security protocols. Different teams are using different tools with different access levels, and nobody has a complete picture of what is happening across the organisation.

Gartner predicts that 40% of enterprise applications will include task-specific AI agents by the end of 2026. The sprawl problem is about to get dramatically worse, not better. Every new agent deployed without proper governance is another potential entry point for an attacker, or another autonomous system making decisions you cannot see, audit, or control.

The call is coming from inside the house.

What is the defensive opportunity, and who is already taking it?

Before you start unplugging everything, there is a crucial flip side to this story. The same technology that creates these threats also creates an unprecedented defensive opportunity. The reason Anthropic launched Project Glasswing is precisely because Mythos can be used to find and fix vulnerabilities before they are exploited.

Traditional cybersecurity relies on annual penetration tests, periodic vulnerability scans, and reactive incident response. You test once, patch what you find, and hope nothing new emerges before the next test. That model is now obsolete. An AI like Mythos can scan an entire codebase continuously, identify new vulnerabilities as they emerge, flag configuration errors in real time, and suggest fixes.

The organisations participating in Project Glasswing, the Apples, the Googles, the Microsofts, are not just defending against Mythos. They are using it to harden their systems to a level that was previously impossible. They are getting ahead of the threat curve rather than perpetually chasing it.

The businesses that move fastest to adopt AI-driven security will have a massive advantage over those that continue to rely on outdated, manual approaches.

How does this change your security posture?

If you are a business owner in Australia, the UK, or Singapore, cybersecurity is no longer an IT problem that lives in the server room. It is your most urgent strategic priority. The barrier to entry for devastating cyberattacks has just plummeted, while the sophistication of those attacks has skyrocketed.

You need to assume that every piece of software your business relies on, from your CRM to your accounting software to your custom-built applications, has vulnerabilities that a sufficiently advanced AI can now find and exploit in seconds. That is not paranoia. That is the reality that regulators are scrambling to address right now.

Your defensive posture has to change completely:

  • Stop relying on annual penetration tests. You need continuous, AI-driven security monitoring that works around the clock.
  • Get full visibility over every AI agent in your network: what it can access, what decisions it can make, and who is accountable for it.
  • Build strict governance frameworks that dictate exactly what your AI tools are permitted to do and what boundaries they cannot cross.
  • Clean up AI sprawl. Shadow AI is the new shadow IT, and it is far more dangerous because these tools can act autonomously.

The 94% of businesses terrified of AI sprawl are right to be scared. If you do not have a centralised, secure way to manage the AI tools your employees are using, and the agents those tools are spawning, you are leaving the front door wide open.

What to do this week

  1. Map your AI agent footprint. List every AI tool, agent, and automation your organisation is currently running, including anything individual employees have adopted without IT sign-off. If you cannot list them all, that is your first and most urgent problem.
  2. Assign ownership. Every AI agent should have a named owner responsible for its behaviour, access levels, and outputs. Anonymous agents are unmanaged agents.
  3. Check your penetration testing schedule. If your last test was more than six months ago, treat your current security posture as unknown and plan an immediate assessment.
  4. Audit access permissions. AI agents should operate on the principle of least privilege: access only to what they strictly need. Most businesses have never done this audit.
  5. Draft a governance framework. Define which AI tools are permitted, what data they can touch, and what approval is required before any new agent is deployed. Even a one-page policy is infinitely better than nothing.

Where to from here

Book a free 60-minute AI audit. We'll explore exactly which workflows are worth augmenting with AI.

Live with passion & AI,

Brett

Frequently asked questions

What is Claude Mythos?

Claude Mythos is Anthropic's most capable AI model to date, designed to understand, analyse, and modify existing software code at a level previously thought to be years away. Experts have called it an "AI superhacker" due to its ability to autonomously detect deeply hidden security vulnerabilities.

What security flaw did Claude Mythos actually find?

During testing, Claude Mythos identified a 27-year-old security weakness in OpenBSD, an operating system specifically known for its intense focus on security. The world's best human security researchers had missed this flaw for nearly three decades. Anthropic also claims the model has uncovered vulnerabilities in every major operating system it has been tested against.

What is Project Glasswing?

Project Glasswing is Anthropic's highly restricted rollout of Claude Mythos, granting access to over 45 select organisations, including Apple, Google, Amazon Web Services, Microsoft, and Nvidia, exclusively for defensive cybersecurity use, so they can find and fix their own vulnerabilities before someone else does.

Why are UK financial regulators holding emergency meetings about AI?

The Bank of England, the Financial Conduct Authority, HM Treasury, and the National Cyber Security Centre are in urgent talks via the Cross Market Operational Resilience Group (CMORG), which includes eight of the UK's biggest banks, four major financial infrastructure providers, and two of the largest insurers. The Financial Times reported that these institutions are being warned about vulnerabilities Claude Mythos has already exposed.

What is AI sprawl and why is it dangerous?

AI sprawl is the uncontrolled deployment of AI agents across an organisation, mixing custom-built and vendor-supplied tools across fragmented environments with no standardised security protocols or centralised oversight. An OutSystems survey of 1,900 global IT leaders found that 94% of organisations report AI sprawl is actively increasing their complexity, technical debt, and security risk.

What did the OutSystems survey reveal about AI agent adoption?

The survey of 1,900 global IT leaders found that 96% of organisations are already using AI agents, 97% are exploring system-wide agentic AI strategies, and 94% are deeply concerned about AI sprawl. Only 12% have a centralised platform to manage their AI, meaning 88% are effectively flying blind.

What is Gartner's prediction for AI agents in enterprise applications by 2026?

Gartner predicts that 40% of enterprise applications will include task-specific AI agents by the end of 2026, meaning the AI sprawl problem is set to get dramatically worse before it gets better.

About the author
Brett Alegre-Wood

Brett is a four-time founder (Darra Tyres, Gladfish, EzyTrac, Anaboo) and the operator behind AIOS, Anaboo's AI Operating System. He writes from inside the build, installing AI in his own businesses first and reporting back what actually moves the numbers. Based between Singapore, the UK and Australia.
