Advanced artificial intelligence models have demonstrated cyber capabilities far exceeding expert predictions, triggering urgent questions about whether government and private sector defenses can keep pace with rapidly evolving threats—and whether regulatory frameworks will slow American innovation at a critical moment.
The United Kingdom's AI Security Institute found that Anthropic's Mythos can fully take over a corporate network in six out of 10 attempts, while OpenAI's GPT-5.5 succeeds in three out of 10 tries. British AI Minister Kanishka Narayan confirmed that cyber capabilities in leading AI systems are advancing much faster than expected, a conclusion echoed by nine of the nation's top cyber researchers and technology leaders who tested the models in controlled settings.
The Capability Gap
Lee Klarich, chief product and technology officer at cybersecurity company Palo Alto Networks, described testing Mythos as transformative. "It was very clear to me that this was going to be a game-changer," Klarich said, adding that the tool proved "more [powerful] than I thought it was going to be." Isaac Evans, CEO of cybersecurity company Semgrep, said Mythos "exceeded our expectations," demonstrating "an uncanny ability around exploit generation" in narrow but critical domains.
Evans drew a stark comparison to historical breaches, saying some researchers described Mythos as capable of generating "a SolarWinds every quarter"—referencing the Russian government's 2020 breach of U.S. federal agencies, which affected more than 18,000 organizations worldwide through compromised software and remains one of the worst hacks in history.
Jonathan Trull, chief information security officer of IT security company Qualys, assessed that GPT-5.5 "can basically do what your most advanced app security engineer can do." Cloudflare Chief Security Officer Grant Bourzikas noted that Mythos can both identify vulnerabilities and write code to exploit them, marking "a real step forward" for advanced AI technology. Broadcom, testing Mythos against its own software, described its findings as "jolting," reporting that the AI uncovered things "that appear unlikely to ever have been uncovered by human researchers alone."
Anthropic disclosed that Mythos had already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser, and warned that deploying the technology without safeguards could carry "severe" consequences for global economies, public safety, and national security.
The Regulatory Dilemma
Government agencies, congressional committees, banks, and regulators have intensified requests for access to these frontier AI models, seeking to secure critical networks before adversaries weaponize similar technology. Concerns are rising that China and other competitors could soon develop comparable tools, particularly through so-called distillation attacks aimed at copying American AI advances.
The Trump administration has acknowledged these dangers and begun coordinating with technology companies, government agencies, and critical infrastructure operators to determine how to deploy these tools quickly and safely. However, efforts to establish a formal testing framework have hit a significant obstacle.
President Donald Trump postponed signing an executive order earlier this week that would have created a voluntary process for tech companies to submit certain AI models to federal testing. Former AI czar David Sacks raised concerns that the executive order would stifle innovation, prompting Trump to reconsider. Trump told POLITICO on Friday that he had "many" concerns about the draft and worried it was "inhibiting the industry." The timing of the executive order remains unclear.
Competing Visions for Defense
Defense-focused applications could prove significant. Advanced AI tools might enable developers to identify bugs in software before release, rather than discovering and remedying vulnerabilities after exploitation. Klarich outlined a defensive scenario: "There's a future state where we will actually be producing more secure products, more secure code as opposed to having to remediate things that are already released."
Klarich suggested defenders could leverage the strengths of multiple AI models—including Mythos and GPT-5.5—to construct a "multi-model architecture" for network security. However, Isaac Evans offered a more cautious assessment, stating that "these model developments mainly are advantages for attackers rather than defenders."
Why This Matters:
The rapid advancement of AI-powered hacking capabilities presents a genuine national security challenge that demands swift, coordinated response without sacrificing the innovation that keeps American technology ahead of competitors. The Trump administration's hesitation over regulatory frameworks reflects a legitimate tension: overly restrictive government processes could delay defensive deployment and hand competitive advantage to rivals like China, while unmanaged access could accelerate weaponization. The fact that nine independent cybersecurity leaders confirmed capabilities exceeding expert expectations suggests the threat timeline is compressed. Government's role should be facilitating rapid, secure deployment among trusted defenders while maintaining strict controls on adversary access—not imposing bureaucratic delays that prevent American companies from leveraging their own technological advantages for national defense.