Revision #1

On Friday, April 17, Anthropic CEO Dario Amodei walked into the West Wing for a meeting with White House chief of staff Susie Wiles and Treasury Secretary Scott Bessent [1][12]. The encounter, described by both sides as "productive and constructive," marked an abrupt shift from months of legal warfare between the AI company and the Trump administration [2]. Barely six weeks earlier, a federal judge had called the Pentagon's treatment of Anthropic "Orwellian" [3]. Now the two parties were sitting across from each other, trying to figure out what to do about an AI model that, according to its own maker, can find exploitable flaws in virtually every major piece of software on Earth [4].

The model is called Claude Mythos. Its existence was first revealed through a data leak on March 26, when nearly 3,000 unpublished assets from Anthropic's content management system became publicly accessible due to a misconfiguration [4]. What those documents described — a system "currently far ahead of any other AI model in cyber capabilities" — set off a chain of events that has forced the U.S. government and one of the world's most valuable private companies into an uneasy, improvised negotiation with no clear precedent and no obvious legal framework [4].

What Mythos Can Do

Anthropic's own internal assessments describe Mythos as "by far the most powerful AI model we've ever developed," with "dramatically higher scores on tests of software coding, academic reasoning, and cybersecurity" compared to its predecessor, Claude Opus 4.6 [4]. The model scored 93.9% on SWE-bench Verified, a standard software engineering benchmark, and 94.6% on GPQA Diamond, a graduate-level reasoning test — numbers that place it at the top of publicly reported scores as of April 2026 [4].

But the feature that triggered federal concern is Mythos's cyber capability. During internal testing, Anthropic found that the model had independently developed the ability to discover zero-day vulnerabilities — previously unknown software flaws — and chain multiple exploits together to achieve full system takeover without human direction [6]. The company identified "thousands of zero-day vulnerabilities in every major operating system and every major web browser" [10]. Mythos successfully reproduced and created working exploits for those vulnerabilities on the first attempt in 83.1% of cases [6].

The United Kingdom's AI Safety Institute (AISI) conducted an independent evaluation and confirmed the model's capabilities. On a 32-step corporate network attack simulation designed to take a human professional approximately 20 hours, Mythos completed the full chain in 3 of 10 attempts and averaged 22 of 32 steps across all runs [5]. The next best model, Claude Opus 4.6, averaged 16 steps [5]. On expert-level capture-the-flag cybersecurity challenges, Mythos succeeded 73% of the time — a category where, two years prior, frontier models "could barely complete beginner-level tasks" [5].

Source: OpenAlex

Data as of Jan 1, 2026CSV

The AISI evaluation noted a key limitation: Mythos's demonstrated success came against systems with "weak security posture," and the evaluation ranges lacked active defenders, defensive tooling, and alert penalties [5]. Whether these capabilities translate to well-defended production environments remains an open question.

How the Fight Started

The White House meeting did not materialize from goodwill. It followed a sequence of escalations that began in January 2026, when Defense Secretary Pete Hegseth issued an AI strategy memorandum directing all Department of Defense AI contracts to incorporate "any lawful use" language within 180 days [9]. The demand was specific: Anthropic would need to remove two safeguards from its contract — a prohibition on using Claude for mass domestic surveillance of American citizens, and a restriction on fully autonomous lethal decision-making with no human in the targeting loop [9].

Anthropic refused. CEO Dario Amodei stated the company could not "in good conscience" grant the request, arguing that frontier AI models are not reliable enough for fully autonomous weapons and that mass domestic surveillance violates fundamental rights [9]. The Pentagon gave Anthropic a deadline of 5:01 p.m. on February 27 to comply [9].

When the deadline passed, the administration moved fast. President Trump directed all federal agencies to cease using Anthropic technology [7]. On March 5, the Pentagon formally designated Anthropic as a Supply-Chain Risk to National Security — the first time this authority, normally reserved for foreign adversaries, had been applied to a U.S. company [3][7].

The Legal Battle

Anthropic challenged the designation in two federal courts. In San Francisco, U.S. District Judge Rita Lin issued a ruling that blocked enforcement, finding that "nothing in the governing statute supports the Orwellian notion that an American company may be branded a potential adversary and saboteur of the U.S. for expressing disagreement with the government" [3]. Lin found evidence that the Department of Defense's own records showed Anthropic was designated as a supply chain risk because of its "hostile manner through the press" — what the judge called "classic illegal First Amendment retaliation" [3]. She also found due process violations: Anthropic had no opportunity to respond before enforcement, and the president's order functioned as unlawful debarment without standard procedural protections [7].

In Washington, D.C., however, a federal appeals court denied Anthropic's request for a temporary block of the blacklisting while the case proceeded, though it placed the litigation on an expedited schedule [8]. The Congressional Research Service issued its own analysis of the dispute, flagging open legal and policy questions about the government's authority to compel changes to commercial AI safety restrictions [18].

The legal situation as of mid-April is in a kind of limbo: the San Francisco ruling protects Anthropic from the supply chain designation's enforcement, but the D.C. appeals court left the underlying blacklisting in place pending a fast-tracked review. It was against this backdrop that both sides agreed to meet [1].

Who Was in the Room and What Was Discussed

Three principals attended the Friday meeting: Wiles, Bessent, and Amodei [1][12]. The White House described the discussion as covering "opportunities for collaboration" and "the goal of balancing innovation and safety" [2]. Axios reported that the administration sought access to Mythos for Treasury and other government agencies, which want to join the list of organizations already authorized under Project Glasswing [1].

Project Glasswing is Anthropic's controlled-release program for Mythos, through which the company has extended access to over 40 organizations — including Amazon Web Services, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks [10]. Anthropic committed up to $100 million in usage credits and $4 million in direct donations to open-source security organizations as part of the initiative [10]. The program's stated purpose is to give defenders a head start: allowing critical infrastructure operators to scan and patch their systems before models with comparable capabilities become widely available [10].

Whether the White House sought full model weights, restricted API access, a safety briefing, or some form of kill-switch arrangement has not been publicly disclosed. Anthropic co-founder Jack Clark, speaking at the Semafor World Economy summit, confirmed that the company had briefed senior government officials on Mythos capabilities even while simultaneously suing them, saying "the government has to know about this stuff" [13][19].

Before the limited release, Anthropic briefed officials at the Cybersecurity and Infrastructure Security Agency (CISA) and the Center for AI Standards and Innovation (CAISI) at NIST [1]. The scope of what was shared in those briefings — and whether it included technical architecture details beyond a capabilities demonstration — has not been confirmed.

The Money Behind the Model

Anthropic's financial trajectory adds another dimension to the negotiation. The company raised $30 billion in its Series G round in February 2026, valuing it at $380 billion post-money — the second-largest private tech funding round of all time [14]. By April, venture capital firms were offering to invest at valuations exceeding $800 billion, approaching rival OpenAI's $852 billion figure from its March round [15]. The company's annual revenue run rate now exceeds $30 billion, a more than threefold increase from approximately $9 billion at the close of 2025 [14].

Source: Anthropic / CNBC / TechCrunch

Data as of Apr 18, 2026CSV

The investor base creates potential conflicts of interest in any government access regime. Amazon has invested approximately $8 billion total in Anthropic, while Google has invested roughly $3 billion [14]. Both companies are also Project Glasswing partners — meaning they already have access to Mythos through Anthropic's private program [10]. Microsoft has invested up to $5 billion, and NVIDIA up to $10 billion [14]. Any government framework that privileges certain access pathways or imposes restrictions on Mythos distribution affects these investors' competitive positions directly. A requirement that government agencies access Mythos through Amazon's AWS infrastructure, for example, would benefit Amazon in ways that a direct-access arrangement would not.

How Mythos Compares to Other Frontier Models

A central question is whether Mythos's capabilities are truly singular or whether comparable systems already exist or will soon. As of April 2026, the top-performing publicly available models include Google's Gemini 3.1 Pro, OpenAI's GPT-5.4, Meta's Llama 4, and xAI's Grok 4.20 [4]. On general reasoning and coding benchmarks, the gap between Mythos and its closest competitors is narrow.

The gap in cyber capabilities is where the picture diverges. The UK AISI's evaluation showed a clear separation between Mythos and the next best model on offensive security tasks [5]. The Council on Foreign Relations reported that OpenAI was "about six months behind Anthropic in building its own advanced AI model with comparable power" [6]. OpenAI itself announced that its own unreleased model posed similar risks and would also not be made publicly available [11].

Security researcher Bruce Schneier offered a more measured view: "These models do demonstrate an increased sophistication in their cyberattack capabilities. They write effective exploits...without human involvement." But he cautioned that "finding for the purposes of fixing is easier for an AI than finding plus exploiting. This advantage is likely to shrink, as ever more powerful models become available to the general public" [11]. He was also skeptical of the framing, calling Anthropic's public messaging "very much a PR play" and noting that "lots of reporters are breathlessly repeating Anthropic's talking points, without engaging with them critically" [11].

If models with comparable cyber capabilities are indeed six months away — or closer — the marginal risk posed specifically by Anthropic's model diminishes relative to the systemic risk posed by the capability class itself.

The Case Against Government Intervention

Several arguments cut against the administration's approach. The strongest is that forcing government access to a private AI model's weights or architecture could itself increase risk. The 2026 International AI Safety Report identified "information asymmetries" and "institutional coordination challenges" as major barriers to effective AI governance, noting that AI developers possess proprietary information about their systems that is not shared with policymakers [20]. Centralizing knowledge of Mythos's most sensitive capabilities within government agencies — agencies that are themselves frequent targets of state-sponsored cyberattacks — could create a single point of failure.

The Center for Data Innovation argued in an April report that the government should partner with frontier labs rather than compel access, proposing "joint AI security-testing environments" and "shared AI threat-intelligence pipelines" [17]. This voluntary model would avoid the legal and security risks of forced disclosure while still giving agencies early insight into emerging threats. The report also proposed a $500 million matching credit program for federal efforts to use frontier AI models for cybersecurity defense [17].

There is also a chilling-effect argument. If companies that voluntarily restrict access to their most capable models face punitive government action — as Anthropic did when its safety guardrails led to a supply chain risk designation — the incentive for future developers is to release powerful models without restrictions rather than invite regulatory confrontation.

Schneier's observation about timeline is relevant here: if comparable capabilities will be widely available within months, a U.S.-only access regime applied to one company's model addresses a vanishingly small fraction of the actual threat surface [11].

The International Gap

The geographic distribution of Mythos access is uneven and, according to some analysts, creates its own risks. The UK's AISI published a full technical evaluation within a week of Mythos's announcement and has direct access to the model [5]. Canada's AI Minister Evan Solomon has been in discussions with Anthropic officials [6]. But the European Commission has been shut out: it is not among the 40 organizations in Project Glasswing [16].

The Council on Foreign Relations reported that 99% of the zero-day vulnerabilities Mythos discovered remained undefended at the time of announcement, and that non-U.S. infrastructure faces "significantly delayed protection" [6]. IMF Managing Director Kristalina Georgieva warned that the international financial system does not have the ability "to protect against massive cyber risks" of this kind [6].

A U.S.-only agreement between the White House and Anthropic does not address the fact that adversarial state actors may develop or obtain comparable capabilities independently. Without multilateral coordination — which does not currently exist for offensive cyber-capable AI models — any domestic arrangement is inherently incomplete.

What Happens If Talks Fail

The administration has several enforcement tools available, none of them fast or clean. The Export Administration Regulations (EAR), administered by the Bureau of Industry and Security, could theoretically restrict distribution of Mythos under national security grounds, though applying export controls to a domestically developed AI model distributed to domestic companies would require novel legal interpretation [18]. Executive Order 14320 established the American AI Exports Program, but its focus is on promoting exports, not restricting domestic access [18].

A CFIUS-style review — the kind used to block foreign acquisitions on national security grounds — does not directly apply here, since there is no foreign transaction to review. New legislation is possible: the Congressional Research Service has flagged the dispute as raising "potential issues for Congress" [18]. But passing AI-specific legislation in the current political environment would take months at minimum.

The most immediate tool the administration has already used: the supply chain risk designation and the executive order directing agencies to stop using Anthropic products. Both have been partially blocked by the courts [3][8]. The expedited appeals process in D.C. will likely produce a ruling within weeks, and that outcome will determine whether the administration has coercive leverage or must continue negotiating on a voluntary basis.

The Underlying Question

The Mythos episode has exposed a structural gap in how the United States governs advanced AI. There is no statute that clearly gives the executive branch authority to compel a private company to disclose its model's weights or architecture for national security review. There is no regulatory body with jurisdiction over frontier AI capabilities analogous to the FDA's authority over pharmaceuticals or the NRC's authority over nuclear materials. The government's attempt to improvise authority through the supply chain risk designation — a mechanism designed for foreign adversaries — was rejected by one federal court as unconstitutional [3].

What remains is negotiation. Anthropic has signaled willingness to brief the government and has already done so through CISA and CAISI [1][13]. The administration has signaled interest in access beyond briefings [1]. The legal dispute has been paused but not resolved. And models with comparable capabilities are, by most estimates, months rather than years away from other developers [6][11].

The question is not whether the government will eventually have a framework for overseeing AI systems with offensive cyber capabilities. The question is whether it will have one before those capabilities become widespread — and whether the Mythos negotiations produce a template worth replicating, or a cautionary tale about improvisation under pressure.