On 26 May the slow-burning question of the year flared up again. Anthropic moved to widen access to Claude Mythos — the cybersecurity model it had declared too dangerous to release to the public — by expanding Project Glasswing, the invitation-only programme through which a curated set of roughly fifty organisations, among them Cisco, Oracle and Microsoft, are allowed to use it. The same week, Nature ran a feature asking the question now hanging over the whole industry: is Mythos the start of a “restricted-AI era?”
Mythos is not a chatbot. According to its maker it found exploitable vulnerabilities in every major operating system and web browser in current use — a capability the company argued was too consequential to hand to everyone at once. It is not alone. In April, a model aimed at the life sciences and another tuned for cyber operations were also withheld from general release, reserved for “qualified” customers through trusted-access schemes. The pattern is now clear enough that policy researchers have a name for the worry: frontier labs are starting to treat their most capable systems as too powerful to be public.
The case for the locked door
The argument for restriction is not stupid, and it deserves to be stated at its strongest. Some capabilities are offence-dominant: a tool that finds software flaws helps an attacker more cheaply than it helps the thousands of defenders who must patch them. Release such a system openly and you arm everyone simultaneously; release it to defenders first and you buy time to harden the systems the rest of us depend on. There is precedent — OpenAI famously held back a text model in 2019 on misuse grounds — and there is a respectable principle underneath it: capability and access are different dials, and it is reasonable to turn one up while keeping the other down.
“Safety” and “moat” can describe the same locked door. That is precisely what makes the era hard to govern.
The case against — or at least, the case for unease
And yet. Every premise in that argument hides a question of power. Who is “qualified”? A club of fifty, weighted toward large American technology firms, is not a neutral safety mechanism; it is an allocation of advantage. Researchers outside the United States — and the smaller companies, universities and governments that cannot get a seat — inherit the risk of these capabilities without the access to defend against them. “Trusted” is doing enormous, unexamined work in that sentence.
Then there is the awkward commercial geometry. These announcements arrive as the labs themselves approach enormous valuations and possible public offerings, and “we built something too dangerous to sell” is, among other things, the finest brand campaign money cannot buy. Safety and scarcity can be the same gesture. The unsettling part is not that the labs are necessarily acting in bad faith — it is that, from the outside, virtuous caution and competitive moat-building are indistinguishable. Several cybersecurity experts have also declined to take the most alarming capability claims at face value, which raises the opposite problem: the public is asked to accept both the danger and the remedy on the word of the party that benefits from being believed.
The long view
For three decades the prevailing instinct of computing was to publish: open papers, open source, open weights, the conviction that distributing capability widely made the whole system safer and fairer. The restricted-AI era, if that is what this is, inverts the default. The most powerful tools become structurally unavailable, their distribution governed not by markets or regulators but by the private discretion of the firms that build them. That may even be the prudent path. But prudence exercised in private, by interested parties, without a public mechanism to audit the claim or widen the door, is not safety — it is governance by press release. The question worth holding, long after this particular model is forgotten, is the one Mythos merely made concrete: when a handful of companies can decide which capabilities humanity is mature enough to possess, who, exactly, decides that they are mature enough to decide?
