Project Glasswing: Who Gets to Hold Mythos, and Why It Matters

Anthropic gated Mythos to twelve partners. Here's what that signals for builders and attackers in the gated era.

Anthropic announced Project Glasswing on April 7, 2026, gating Mythos to only 12 launch partners and an extended-access tier of 40 other companies. The reasoning: Mythos is powerful enough to benefit defenders more than attackers, but only if it stays in trusted hands.[1]

Most of the launch list was unsurprising, but CrowdStrike and Palo Alto making it made me raise an eyebrow. The answer turned into something bigger: what kind of behavior gating actually represents, and what it tells us about how AI is being treated.

The Past: How Acquisitions Anticipated the Gating Era

We have seen companies accelerate their acquisition of agentic AI companies in the past two years. Fortinet started early by acquiring Lacework in June 2024, adding CNAPP to the Fortinet Security Fabric. CrowdStrike and Check Point announced their acquisitions of AI security players Pangea and Lakera on the same day, September 16, 2025.[2]

Two patterns emerge from these acquisitions:

Lakera’s Gandalf game has logged over 80 million prompts and more than 30 years of cumulative play time from over 1 million players, feeding the training corpus behind the company’s prompt-injection defenses. Pangea ships AI prompt-injection detection at up to 99% efficacy with sub-30ms latency, the kind of performance that requires substantial labeled data underneath. Both took years to build, but only a check to buy.[3]

On the surface, it looks like asset accumulation. Watch the pattern repeat, and you see something else: companies preparing for a world where powerful AI models get treated like weapons-class capability, not because anyone calls them weapons, but because the protective behavior shifts to gating, making “Gating Models” AI’s new normal.

Mythos: Asset vs weapon, and the behavior it gets

By normal definition, an asset is something that has value when held, can be stolen and sold, and has a market. In cybersecurity, assets are never static. They keep expanding as new technologies are introduced, and AI is no exception. PII remains an asset. Powerful AI models, by that definition, are also assets. Mythos fits all three properties.

The definition of ‘weapon’ is harder. Merriam-Webster defines it as (1) something (such as a club, knife, or gun) used to injure, defeat, or destroy; (2) a means of contending against another. AI doesn’t fit clause 1 directly: Mythos by itself doesn’t physically harm anyone. But it fits transitively, embedded in autonomous weapons, AI-designed pathogens, and cyber attacks on physical infrastructure. In cyberattacks specifically, Mythos autonomously discovers vulnerabilities and demonstrates exploitation paths. It fits clause 2 and produces capability gaps between those with access and those without.

However, assets are defended, not gated. When the protective action is defense (preventing theft, securing weights), the behavior treats the model as an asset. When the protective action is gating things that grant tactical advantage over adversaries (controlled distribution, restricted access, vetted partners), the behavior treats the model as something we historically reserve for kinetic weapons. Glasswing is the second kind of behavior.

Existing frameworks operate along a spectrum, not in exclusive buckets. Pure software gets EULAs and antitrust. Full weapons get treaties and inspectorates (the Chemical Weapons Convention and the OPCW). Dual-use materials like uranium get both layers at once: defended as assets and gated as weapons. Mythos’s partial fit to the weapon definition puts it in the same dual-use territory. It’s the first AI model there and the layered governance is being improvised, so Anthropic ended up doing it themselves.[4]

That improvisation is happening because cybersecurity has never had a formal weapons-class governance regime (no binding treaty, no inspectorate, no verification regime). The closest existing instrument is the Wassenaar Arrangement’s voluntary export controls on intrusion software, which is a regulatory overlay, not weapons governance.[5]

Mythos is being met with something different: gating to twelve partners, regulators convening internationally, central banks building new frameworks. That’s kinetic-weapons-class governance arriving for cyber’s “weapons.” The mismatch is what the rest of this post documents.

What AI Actually Changes About Offensive Security

In cybersecurity, we’ve been calling tools ‘weapons’ for years. Nmap, Metasploit, Mimikatz, Rubeus, and Cobalt Strike are colloquially the ‘cyber arsenal’ of offensive security. They cause harm through code rather than force, with damage that ranges from data loss to financial impact to physical infrastructure compromise.

Mythos isn’t an extension of the cyber arsenal. It uses the arsenal. It chains techniques, brainstorms attack paths, then decides which tool to deploy when. These tools still require a human to direct them. Mythos doesn’t change that. What it changes is the orchestration work between tools.

In red teaming and pentest engagements, running open source exploit tools used to mean manually configuring constants based on the target, reading scripts line by line, and debugging when they broke. It’s a friction security practitioners commonly encounter, and AI reduces it dramatically. The script does not change, the tools stay the same. Mythos extends this further: it can chain those steps autonomously. The operator’s role shifts from directing each step to overseeing the chain, and they cover far more ground in the same time.

The operator stays for a specific reason. AI capabilities that can chain exploits autonomously can also do destructive work to critical environments. Human-in-the-loop is a safety mechanism that prevents AI from operating without judgment, intent, or accountability. That’s how AI and humans work together in offensive security: humans direct, AI executes. The dangerous capability stays attached to the operator’s judgment. Human in control, not AI controlling what the human does.

The Present: Gating As Weapons-Class Governance Behavior

The Selection Logic: Political Cleanliness First

Most people saw the Glasswing partner list as a combination of big tech, financial, and security. Look closer, and the unifying thread becomes visible: every launch-tier partner is an organization with the institutional structures (governance, security teams, regulatory oversight) to maintain human-in-the-loop discipline over AI capability. The six selection factors I’ll describe aren’t separate criteria but a collective proxy for “who can be trusted to keep humans in control.” The first is political cleanliness.

The criterion plays out in Anthropic’s ongoing dispute with the U.S. Department of Defense (DoD), which began after Anthropic refused to allow Claude to be used for fully autonomous weapons or mass surveillance. DoD designated Anthropic a ‘supply chain risk’ on March 4, 2026, excluding the company from DoD contracts while litigation plays out.[6]

The same logic excludes defense primes (Lockheed, Boeing, Northrop) from the launch list. Their security capabilities don’t matter when their largest customer is DoD.

The 12 launch list partners, in contrast, all have clean U.S. government relationships. AWS, Google, Microsoft, and NVIDIA hold FedRAMP High and DoD Impact Level 5 clearances. JPMorgan Chase tops FSB’s G-SIB list, the only bank in its highest tier. CrowdStrike, Palo Alto, and Cisco are FedRAMP-cleared security vendors with established government customer bases.[7]

Most US agencies outside the Pentagon are operationally engaged with Anthropic: using Mythos on classified networks (NSA), evaluating capability (CAISI), assessing systemic risk (Treasury, Fed), coordinating release timing (NEC, with Hassett publicly confirming Anthropic was “agreeing to hold back the public release of the model until our officials have figured everything out”), or pursuing diplomatic engagement (White House).[8]

Political cleanliness is the gating filter. The other five factors are shared traits of the chosen partners: all are US-HQ, all are dominant-scale leaders, most have direct AI-lab usage of Anthropic’s models, all had operationalized agentic AI capability by the time of selection, and their defensive surfaces overlap with where Mythos’s vulnerability discoveries (OS, browsers, kernels, hypervisors) actually translate to action.

Glasswing’s anticompetitive trade-off

JPMorgan Chase is the only one of the 6 major banks that gets access to Mythos. Treasury’s Bessent and Fed’s Powell had to summon the other 5 CEOs (BofA, Citi, Goldman, Morgan Stanley, Wells Fargo) for an emergency, closed-door meeting to brief them on a model they had no access to. JPMorgan’s Jamie Dimon was unable to attend.[9]

This gives JPMorgan three competitive advantages:

Beyond JPMorgan’s advantages, the market is already pricing the exclusion. Cloudflare didn’t make the launch list, and its shares declined approximately 14% on April 10, 2026, following the announcement of Project Glasswing. Even though Oppenheimer pushed back saying the concerns were overblown, the market signals don’t lie.[12]

Project Glasswing is what it looks like when an industry self-organizes kinetic-weapons-class governance behavior in the absence of the cyber capability framework that should be doing it instead. Beyond the political-cleanliness pattern, Glasswing also opens an antitrust question: whether Glasswing violates the Sherman Act.

Sherman Act Section 1, where Glasswing falls outside policies

Madhavi Singh, the Deputy Director of the Thurman Arnold Project and a Resident Fellow at the Information Society Project at Yale, states that the coalition of “AI Avengers” risks violating Section 1 of the Sherman Antitrust Act.

“Every contract, combination in the form of trust or otherwise, or conspiracy, in restraint of trade or commerce among the several States, or with foreign nations, is declared to be illegal.”[13]

Singh’s argument: the Sherman Act prohibits agreements that restrain trade, and information sharing among competitors has historically attracted antitrust scrutiny. Glasswing is a consortium among firms, it restrains trade, and therefore it’s potentially anticompetitive.

The DOJ historically approved cybersecurity information sharing among competitors, most clearly in its October 2000 letter to the Electric Power Research Institute. That letter permitted such exchange on three conditions: open to all industry firms, limited to technical security topics, and excluding competitively sensitive topics like prices, capacity, and future plans. The April 2014 DOJ-FTC joint policy statement reaffirmed this framework, holding “properly designed cyber threat information sharing is not likely to raise antitrust concerns.”[14]

By that “properly designed” standard, Glasswing fails all three conditions: gated to twelve selected partners, granting coordinated frontier AI access rather than narrow threat data, and creating documented capability gaps between insiders and outsiders. Cloudflare’s 14% drop on April 10, 2026, is the market reading exactly that harm.

Beyond Singh: Huang, Schneier, and where the skeptics converge

Glasswing has also drawn skepticism on its effectiveness. In an April 2026 interview with Dwarkesh Patel, Jensen Huang argued that Mythos was trained on “fairly mundane capacity”. He argued that the compute it was trained on is widely available, including in China. Huang has commercial interests against export controls. Even bracketing those, the structural argument is real: gating may slow proliferation, not prevent it. The competitive gap between insiders and outsiders remains.

Bruce Schneier raised a third concern from a political angle, calling Glasswing a PR play by Anthropic. The framing might be sharp, but the underlying observation is real.

Singh and Schneier converge on a shared diagnosis: there is no neutral body to govern whether the safety trade-offs are worth it. So the industry self-organized one, and the structure benefits the industry. Huang’s concern compounds: even if a neutral body did exist, the underlying compute is widely enough available that gating may not do the work the framework requires.

That self-organization is what Glasswing actually is. Nobody appointed Anthropic and twelve incumbents to be the responsibility-judges for cyber weapons of this scale. This structure happens to benefit incumbents while also having a legitimate operational logic: vetting takes time, mass rollout requires structure, and tighter circles allow faster coordination.

The Future: Governance Behavior Without Governance Frameworks

Two patterns from history: each generation gets its conflict, and governance always lags

Once you notice the gating behavior is kinetic weapons-class governance, the historical pattern becomes visible: each generation of dual-use technology has eventually triggered a defining conflict.

We’ve seen nuclear and missile capability drive the Cold War. The Chip War (Chris Miller’s framing) names what semiconductor concentration triggered. The cyber AI conflict (Mythos finding zero-days at scale, Glasswing-style gating, regulators worldwide responding separately) is the current generation. What matters less is whether it gets a name; what matters more is whether the governance catches up.

The technology we observed shifted from direct physical destruction to economic and strategic control. Formal governance gets weaker as the perceived threat profile shifts away from kinetic harm. The definition of “good governance” varies, but it could be condensed to two pillars for simplicity: If a resource has a legally binding treaty and a dedicated enforcement body, the governance ranks higher.

By that test, nuclear ranks highest (NPT + IAEA), missiles weaker (MTCR is voluntary, no inspectorate), semiconductors and AI lowest (neither pillar in place).[15]

Strength is one axis. Timing is the other. Governance always lags capability, and the lag takes longer with each generation:

Strength versus timing — capability emergence to governance arrival, 1940 to 2026

The same is expected with AI, and we are just at the beginning.

Where Glasswing Fits: AI’s Multi-Layer Chokepoint Stack

Two things matter for cyber AI specifically. First, the proliferation pattern. AI capability replicates faster than any prior dual-use technology. Open-weight model releases happen in days. DeepSeek-R1 demonstrated that frontier-equivalent capability can be released openly. The pressure that pushed Anthropic to gate Mythos was explicitly stated by Amodei: “More powerful models are going to come from us and from others, and so we do need a plan to respond to this.”

Second, AI has multiple chokepoints across its five layers. Chip export is gated by the US via BIS rules since 2022. Infrastructure in the middle is concentrated in hyperscalers (AWS, Azure, GCP). Models are a mix of closed-weight models that can be gated and open-weight models that cannot. Anthropic gating Mythos isn’t the only chokepoint. It’s the model-layer chokepoint added on top of the chip-layer chokepoint that BIS already established.[16]

AI five-layer stack — Jensen Huang, NVIDIA CES 2026 keynote

From Jensen Huang's AI 5-Layer Cake — NVIDIA CES 2026 keynote.

AI now has at least two layers under unilateral control, and no coordination between them.

Why No Formal Framework: Industrial Unilateralism and the Two-Pillar Gap

Cyber capability of this scale has neither a global treaty defining the rules nor an inspectorate to verify compliance. NIST AI RMF is voluntary guidance. The EU AI Act applies binding rules to AI systems and models within EU jurisdiction, but it is regional and doesn’t reach the chip layer that BIS controls separately.[17]

The two-pillar standard was built for capabilities whose destructive payload is physically inspectable. Nuclear materials and chemical agents qualify. Meanwhile, AI agents like Mythos don’t fit cleanly. That’s part of why no formal framework has formed.

In the absence of formal frameworks, informal governance has emerged unevenly across layers:

None of it is coordinated or treaty-backed.

Multilateral for nuclear non-proliferation. Bilateral for US-USSR strategic arms. Unilateral for chips. Industrial unilateral for AI. Fewer voices in the room and more people affected in each step. Each era’s ‘governance’ has been less internationally legitimate, less binding, and more concentrated in US hands.

Governance scope by capability, 1945 to 2026 — narrowing from international consensus to industry coalition

Each successive regime has involved fewer actors than the one before. AI governance now sits with a single industry coalition. Bar lengths reflect the breadth of governance authority, not actor count.

Glasswing fits this pattern cleanly. It’s an industry self-organization filling the model-layer gap that no formal framework covers. The vacuum isn’t ‘no governance’, it’s ‘no formal coordinated framework’ across the layers being separately governed.

Calls to Action: For builders and attackers operating in the gated era

The past, present, and future tell us a lot about what actions to take. Here’s what I could conclude from what we observed, and what it means for us:

Asymmetric proliferation: Defensive frontier capability is gated. Attacker capability proliferates via open weights.

For builders of defensive AI products serving smaller defenders, the market is open. Glasswing left these defenders without products, facing attackers running open-weight DeepSeek, Qwen, and Mistral. Your product should defend that gap: detection of AI-augmented attack behaviors, deployment that fits your customer’s security stack, and audit-ready evidence that they can hand to regulators. Lakera (Check Point) and Pangea (CrowdStrike) have already absorbed the runtime-guardrail and platform layers. The audit-evidence layer is still open; Mindgard ($8M, independent) is the visible player so far. Pick the unclaimed layer and build.[19]

For security researchers and offensive security firms with research arms, use open-weight AI agents to simulate Mythos-class attacks. That means running the models locally via inference frameworks like Ollama, wired into your existing toolchain with agent frameworks like LangChain or AutoGen. Your MVP then becomes which models for which engagement types, how the orchestration wires together, where human judgment intervenes, and how decisions get documented. Glasswing created your market, and the early responses are already visible: XBOW raised $273M and became the #1 ranked hacker on HackerOne, the first time an autonomous system has outperformed every human on a major bug bounty platform; Armadin launched in March 2026 to build “specialized AI agents operating as an agentic attacker swarm.” Smaller defenders Glasswing excluded are your clients: same threat profile as Glasswing partners with no defensive head start.[20]

Governance may not arrive the way it did historically

For builders of defensive AI security products serving regulated enterprises, design to industry-led standards, not government regulations that may never arrive. The frameworks emerging in the governance vacuum are industry-built and already in use: map your detection to ATLAS techniques, input/output protections to OWASP, governance documentation to NIST RMF profiles. Customers already use these in RFPs. Lakera published explicit MITRE ATLAS and OWASP LLM Top 10 alignment guides, then was acquired by Check Point in September 2025. Standards alignment is public positioning acquirers can see.[21]

For attackers, meaning offensive security firms providing AI red-team, pentest, or adversary emulation services, contribute methodology to the industry standards now. The accessible paths include submitting case studies to MITRE ATLAS (Zenity did this with AML.CS0042: the SesameOp backdoor), participating in OWASP LLM Top 10 and Agentic working groups, submitting comments to NIST RMF Profile drafts, or releasing open-source tooling implementing the standards. Benefits compound over 12-24 months: your firm name appears in frameworks that RFPs reference, you get inbound from working groups and regulator consultations, and acquirers see contributor status as a hard-to-fake quality signal. The window is now, while contributors are scarce. Once the contributor pool fills out, contribution stops being a differentiator.[22]

Geographic fragmentation: regional rules, regional rooms

For builders whose product secures AI inside regulated enterprises, treat the regulator as a customer. The regulator never signs your contract but decides what your customer can buy. Regulators across regions are each writing AI vendor expectations into their financial supervisory frameworks with no coordination mechanism in place. Meanwhile, on the cyber side, the enforcement precedent is already set: Australia’s Federal Court fined FIIG Securities $2.5 million in February 2026 for inadequate documentation, risk management, and resourcing under the Corporations Act. Mindgard, a Lancaster University spinout, ships governance-aligned documentation that helps customers meet audit expectations. The credential opens the procurement door, the evidence format keeps it open. What opens UK doors won’t open Singapore’s.[23]

For attackers operating in offensive security firms, pick your sub-niche within AI red teaming (LLM, agentic, AI infrastructure, AI-augmented traditional, etc.). Once your niche is locked, compound your credibility by showing up at conferences and online communities, sharing public research, and helping people genuinely. Different regions read different lineups: Black Hat (Asia, Europe, US), DEF CON, 44CON London, and VXCON Hong Kong. That’s where recognition accretes, and where acquirers find you. Pangea and Koi are the defensive-side proof: both named a sub-niche and got acquired.[24]


This piece started as a curiosity about acquisition trends in agentic AI, but ended up as a deep dive on Project Glasswing and where it might take us.

The biggest shift in my own thinking: Glasswing isn’t really about Mythos. It’s about what happens when kinetic-weapons-class gating behavior (controlled distribution, vetted partners, restricted access) gets applied to a capability nobody has formally placed in that category. The behavior is the signal. The discourse hasn’t caught up to it.

What I’m curious to see next: whether anything formal eventually takes the industry’s place in deciding who holds Mythos-class capability, or whether industrial unilateralism becomes the new normal. Until then, the default is industry self-organization in the empty space.

Footnotes

  1. Anthropic, Project Glasswing: Securing critical software for the AI era, April 7, 2026; Anthropic Red Team, Claude Mythos Preview cybersecurity capabilities.

  2. Fortinet, Fortinet to Acquire Lacework, June 2024; CrowdStrike, To Acquire Pangea to Secure Every Layer of Enterprise AI, September 16, 2025; Check Point, Acquires Lakera to Deliver End-to-End AI Security for Enterprises, September 16, 2025.

  3. Lakera, Lakera AI (Gandalf game; 80M+ adversarial-pattern training corpus from 1M+ players, 30+ years of cumulative play time). Pangea efficacy details from acquisition press release — see 2.

  4. EULAs + antitrust: Duke Law on EULAs; Apple Licensed Application EULA; U.S. v. Microsoft, 253 F.3d 34 (D.C. Cir. 2001). Pure weapons (treaties + inspectorates): Organisation for the Prohibition of Chemical Weapons (OPCW), Chemical Weapons Convention. Uranium dual-use — traded as commodity: World Nuclear Association, Uranium Markets; defended via trade policy: DOE, Biden-Harris Administration Enacts Law Banning Importation of Russian Uranium; gated as proliferation-sensitive material: Arms Control Association, IAEA Safeguards Agreements at a Glance; NRC, 10 CFR Part 110 — Export and Import of Nuclear Equipment and Material.

  5. Cybersecurity governance gap: Arms Control Association, Multilateral Agreements to Constrain Cyberconflict; Lawfare, The UN GGE Failed. Is International Law in Cyberspace Doomed As Well?; Cambridge American Journal of International Law, An Inspection Regime for Cyber Weapons: A Challenge Too Far?. Wassenaar Arrangement: U.S. Federal Register, Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items; Wassenaar Arrangement, List of Dual-Use Goods and Technologies and Munitions List (current control list — “intrusion software” defined under Category 4 (Computers)).

  6. CNBC, Anthropic loses appeals court bid to temporarily block Pentagon blacklisting, April 8, 2026; Anthropic, Where things stand with the Department of War.

  7. Amazon Bedrock, FedRAMP High and DoD IL-4/5 approval in AWS GovCloud; Google Cloud, FedRAMP and DoD compliance scope; FSB, 2025 List of Global Systemically Important Banks (G-SIBs); Yahoo Finance, JPMorgan Again Tops FSB’s G-SIB List.

  8. Axios, Scoop: NSA using Anthropic’s Mythos despite Defense Department blacklist, April 19, 2026; Yahoo, NSA Is Using Anthropic’s Powerful Claude Mythos AI as CEO Meets With White House: Report; CAISI–Anthropic capability evaluation: Anthropic, Strengthening our safeguards through collaboration with US CAISI and UK AISI; NIST, Center for AI Standards and Innovation (CAISI); UK AI Security Institute, Our evaluation of Claude Mythos Preview’s cyber capabilities (parallel UK evaluation under the joint US/UK framework); Resultsense, US agencies sidestep Trump’s Anthropic ban for Mythos tests, April 16, 2026; CNBC, Powell, Bessent met with U.S. Bank CEOs over Anthropic’s Mythos threat, April 10, 2026; Axios, Bessent and Wiles met Anthropic’s Amodei in sign of thaw, April 17, 2026; CNBC, Trump says he had ‘no idea’ Anthropic’s Amodei met with White House about Mythos.

  9. Bloomberg, Bessent, Powell Summon Bank CEOs to Urgent Meeting Over Anthropic’s New AI Model, April 10, 2026; Sullivan & Cromwell, Treasury Secretary and Federal Reserve Chair Warn Bank CEOs About Cybersecurity Risks Posed by Anthropic’s New AI Model; Fortune, Bessent and Powell convened Wall Street CEOs to address Anthropic’s Mythos model, April 10, 2026; CBS News, Fed Chair Jerome Powell, Treasury’s Bessent and top bank CEOs met over Anthropic’s Mythos model. CNBC coverage of the same meeting also referenced in 8.

  10. Anthropic, Coordinated vulnerability disclosure for Claude-discovered vulnerabilities (90-day disclosure deadline + 45-day post-patch).

  11. Bank capital and cyber risk: BIS, Operational and cyber risks in the financial sector (Working Paper 840); BIS FSI Insights 50, Banks’ cyber security: a second generation of regulatory approaches; Federal Reserve, Stress Tests and Capital Planning; Federal Reserve, Large Bank Capital Requirements.

  12. FinancialContent, Cybersecurity’s Reckoning: Valuations Vaporize as Cloudflare, Palo Alto, and CrowdStrike Lead Sector-Wide Rout, April 10, 2026; 24/7 Wall St., The ‘SaaS-Pocalypse’ Continues: Cloudflare, ServiceNow, CrowdStrike Under Fire as Anthropic Rewrites the Rules, April 10, 2026; The Globe and Mail (Reuters), US software stocks fall as Anthropic’s new AI model revives disruption fears; TradingKey, Cloudflare Inc Stock (NET) Moved Down by 12.46% on Apr 10; MarketScreener, Cloudflare Sell-Off Offers Buying Opportunity as Project Glasswing Concerns ‘Overblown,’ Oppenheimer Says.

  13. Cornell Law School Legal Information Institute, 15 U.S. Code § 1 — Trusts, etc., in restraint of trade illegal; penalty.

  14. U.S. Department of Justice, Justice Department Approves Information Exchange Proposed by the Electric Power Research Institute, October 2, 2000; Federal Trade Commission and U.S. Department of Justice, Antitrust Policy Statement on Sharing of Cybersecurity Information, April 10, 2014.

  15. Treaty on the Non-Proliferation of Nuclear Weapons (NPT), UN Office for Disarmament Affairs; IAEA safeguards system; Missile Technology Control Regime (MTCR) (voluntary, no inspectorate); Missile Technology Control Regime (MTCR) Questions and Answers.

  16. U.S. Bureau of Industry and Security, Advanced Computing and Semiconductor Manufacturing Equipment Rules (BIS export controls in place since 2022); ITI: Unilateral Approach to Semiconductor Export Controls Will Weaken U.S. Competitiveness, Not Achieve National Security Objectives; NVIDIA, The AI 5-Layer Cake (five-layer framing for AI infrastructure).

  17. NIST, AI Risk Management Framework (AI RMF 1.0); European Union, Regulation (EU) 2024/1689 — Artificial Intelligence Act.

  18. Hyperscaler concentration and governance gap: Synergy Research Group, Cloud Market Share Trends — Big Three Together Hold 63%; UK CMA, Cloud Services Market Investigation Final Decision (July 2025); EBA, ESAs designate critical ICT third-party providers under DORA (November 2025); EU Commission, Data Act; US GSA, FedRAMP.

  19. Lancaster University, Lancaster spinout Mindgard raises $8M to revolutionise AI security.

  20. XBOW, The road to Top 1: How XBOW did it (first autonomous system to outrank every human on a major bug bounty platform); XBOW, XBOW Raises $120M to Scale its Autonomous Hacker (Series C bringing cumulative funding to $273M); Armadin, Armadin Secures Record-Breaking $189.9M in Seed and Series A Funding to Combat the Era of AI-Driven Hyperattacks; TechCrunch, Mandiant’s founder just raised $190M for his autonomous AI agent security startup, March 10, 2026.

  21. MITRE, ATLAS — Adversarial Threat Landscape for Artificial-Intelligence Systems; OWASP Gen AI Security Project, OWASP Top 10 for Large Language Model Applications; NIST AI RMF — see 15. Lakera, AI Security by Design: Lakera’s Alignment with MITRE ATLAS; Lakera, Aligning with the OWASP Top 10 for LLMs (2025): How Lakera Secures GenAI Applications.

  22. Zenity, Zenity’s contributions to MITRE ATLAS’s first 2026 release (documents Zenity’s contribution of AML.CS0042, the SesameOp backdoor case study).

  23. Cyber Daily, FIIG Fined: Federal Court orders $2.5M penalty for cyber security failures; Bird & Bird, ASIC cyber enforcement outcome against FIIG — what the February 2026 penalty means in practice; Mindgard, AI Discovery Assessment (“Report AI Risk with Confidence” section, source of the “governance-aligned documentation” / “meet audit expectations” verbatim language).

  24. Black Hat (Asia, Europe, US); DEF CON; 44CON London; VXCON Hong Kong.