“The Weaknesses of Legacy Security Architecture Laid Bare” Global Mithos Shock Reverses White House Move to Exclude Anthropic
U.S. government and Anthropic move to contain tensions and explore renewed cooperation
Anthropic’s Mithos, emerging as a security threat, under consideration for adoption by U.S. government agencies
Vulnerabilities in existing security systems and inadequate response frameworks brought to the surface

The administration of U.S. President Donald Trump is moving to pursue cooperation with artificial intelligence (AI) company Anthropic. With the emergence of Anthropic’s next-generation AI, Claude Mithos (hereafter, Mithos), casting a spotlight on security risks across the world, the administration has shifted course by reversing its decision to exclude Anthropic from the public contracting market. Among experts, the turmoil triggered by Mithos is increasingly being viewed as a stark demonstration of the flaws and inherent limitations embedded in existing IT security systems.
Conflict Between the U.S. Government and Anthropic
On April 18, political news outlet Politico reported that the Trump administration and Anthropic recently held a high-level meeting to discuss potential avenues for cooperation. Those in attendance reportedly included Anthropic CEO Dario Amodei, White House Chief of Staff Susie Wiles, Treasury Secretary Scott Bessent, and National Cyber Director Sean Cairncross. Following the meeting, the White House said the two sides had discussed both the risks arising from the spread of advanced technology and opportunities for cooperation, while Anthropic likewise underscored its willingness to work with the government on the responsible development of AI.
The two sides had previously been at odds since February, when Anthropic moved to restrict the scope of its AI’s use in defense-related fields. At the time, Anthropic publicly stated that it would not provide its technology for mass surveillance or fully autonomous weapons. That position placed the company on a direct collision course with the Trump administration’s policy line. In response, President Trump ordered federal agencies to halt use of Anthropic’s technology, denouncing the company as politically biased, while the Department of Defense intensified pressure by identifying Anthropic as a potential risk factor in the national security supply chain.
Anthropic then filed suit last month in federal court against the U.S. Department of Defense and the Trump administration. The company argued that the government’s designation of Anthropic as a national security supply chain risk, effectively shutting it out of public contracts, amounted to an unconstitutional and retaliatory measure. Court rulings that followed were mixed. On March 26, a federal court in California granted a preliminary injunction, finding possible legal violations in the government’s blacklist action, including potential infringement of free speech. By contrast, an appellate court earlier this month denied a separate emergency stay request, leaving the measure in force for the time being.
The Landscape Reversed After Mithos Emerged
What had been an intense dispute was turned on its head after Anthropic unveiled a preview version of Mithos on April 7. According to the company, the model surpasses all but the most highly skilled individuals in identifying software vulnerabilities. Mithos in fact uncovered a system flaw in OpenBSD, widely regarded as the world’s most secure operating system (OS), that had gone undetected for 27 years, and went on to design an intrusion pathway exploiting it. It also probed a design flaw in the aging Selective Acknowledgment (SACK) network protocol, inducing an overflow, and, in the widely used video-processing software FFmpeg, identified, for the first time in 16 years, an error in data representation that enabled arbitrary memory manipulation.
Following Mithos’s debut, concern spread through the market that an AI developed to prevent hacking could, in practice, become a potent hacking instrument in its own right. Governments and financial authorities in the United States and elsewhere moved into emergency response discussions. The European Central Bank (ECB) began preparing inquiries to banks regarding Mithos-related risk, while the British government on April 15 issued an open letter warning major companies about the threat posed by Mithos. Treasury Secretary Bessent and Federal Reserve Chair Jerome Powell also urgently convened senior executives from major Wall Street banks, which could rank among the foremost targets of cyberattacks.
After internal deliberations, the Trump administration then reversed its position and signaled an intention to make use of Mithos at the government level. On April 16, Bloomberg and other foreign media outlets reported that the White House Office of Management and Budget (OMB) was reviewing a plan to provide Mithos to government agencies. According to the report, OMB Chief Information Officer Gregory Barbaccia recently sent an email to federal departments stating, “We will work closely with Anthropic, industry partners, and the intelligence community to establish appropriate security rules and safeguards before providing a modified version of Mithos to government agencies.” The email, however, did not explicitly state that agencies would definitively be granted access to Mithos, nor did it set out a concrete timetable, deployment method, or implementation schedule.
U.S. digital outlet Axios also reported on April 19 that the National Security Agency (NSA), an intelligence agency under the Department of Defense, is already using Mithos. Anthropic had previously said that, given the possibility of misuse by hackers and other malicious actors, it would provide the service only selectively to a limited number of institutions and companies. The NSA is said to be among the 40 organizations currently authorized to access Mithos. One person familiar with the matter said the model is being used more broadly across agencies rather than being confined to a single department.

A Wake-Up Call for Complacent Security Systems
Experts say the turmoil triggered by Mithos lays bare the dangerously complacent state of IT security systems worldwide. Reuters, citing financial-sector and cybersecurity experts, reported that “major industries, including banking, operate both modern systems and decades-old legacy technologies side by side, leaving vulnerabilities spread across a wide surface area.” Weaknesses once treated as manageable variables, in other words, have been recast by Mithos’s arrival as risks that can no longer be left unattended. The AI Security Institute (AISI), a research body under the U.K. Department for Science, Innovation and Technology, likewise warned that Mithos’s offensive capabilities could pose a realistic threat to poorly defended corporate networks.
Another problem lies in the inherent limitations of existing security systems, which are failing to keep pace with AI’s speed in discovering vulnerabilities. Cybersecurity outlet The Hacker News pointed out that “the moment a vulnerability is disclosed, automated tools begin analyzing and exploiting it, while enterprises are delayed by inspection and approval procedures,” adding that “the gap in time itself becomes the attack opportunity.” U.S. public policy outlet Federal News Network echoed that concern, warning that “AI generates exploit code before we can even apply patches.”
IT publication ITPro, citing researchers at security firm Forescout, reported that while AI has sharply enhanced vulnerability detection capabilities, existing vulnerability management frameworks can lag by months. David Lindner, chief information security officer (CISO) at cybersecurity company Contrast Security, also said in an interview with Fortune, “Actually patching vulnerabilities is a far more consequential problem than finding them,” adding that “countless vulnerabilities are already being discovered every day, yet an effectively limitless backlog of unremediated flaws continues to pile up because of constraints in manpower and resources.” Anthropic’s own published materials in fact confirmed that more than 99% of the vulnerabilities identified by Mithos remain unpatched.