Anthropic’s Mythos: Can the EU AI Act Regulate Cyber-Offensive AI Models?

Over a month ago, the US-based company Anthropic launched its AI model, Mythos, to a limited circle of select large businesses. The announcement caused significant international repercussions, so much so that Ireland’s National Cyber Security Centre (NCSC) issued a statement on a specific product release for the first time in its history. This is because Mythos possesses advanced capabilities that make it suitable for offensive cybersecurity operations, raising the question: can the newly adopted EU AI Act even handle such global threats?

The Mythos Phenomenon: A New Era in Cybersecurity Risks

Mythos is not a tool intentionally developed as a cyberweapon. Anthropic claims its capabilities are merely a “downstream consequence of general improvements in code, reasoning and autonomy.” However, this explanation does little to change the fact that the model is capable of vulnerability discovery and exploitation. Speaking at the recent ZeroDayCon event in Dublin, Joseph Stephens, the NCSC’s director of resilience, highlighted the primary concern:

“The major concern here right now is the stress that [Mythos] may place on organisations who are now going to have to patch all of their digital products and services.”

This pressure forces an acceleration of patch management cycles, as an AI with such capabilities can dramatically shorten the time between the publication of a vulnerability and its mass exploitation. The situation is further complicated by the fact that Anthropic’s European headquarters is based in Ireland, creating direct European involvement.

The EU AI Act’s Trial by Fire: Regulation vs. Reality

Earlier this month, the European Union adopted new provisional rules on the AI Act, a landmark piece of legislation for regulating artificial intelligence. According to Joseph Stephens, “The AI Act allows us to ensure that products that come onto our marketplace are done in a secure and a safe way.” The Act applies to businesses that sell into the EU, or where the AI output is used in the EU. In theory, this would provide a basis for regulating models like Mythos.

However, its practical applicability is far from clear. According to Dr. TJ McIntyre, an associate professor at the Sutherland School of Law at University College Dublin:

“It’s not clear that the AI Act would apply if Mythos is geo-restricted for use outside the EU.”

Although the law was designed to address “‘offensive cyber capabilities…’ as a type of systemic risk,” a significant legal grey area remains. If a US company makes a model available only to clients outside the EU, but its output (such as exploit code) still finds its way into the Union, it pushes the boundaries of the regulation.

The AIQ Perspective: Implications for Corporate Audits and Compliance

From an AIQ standpoint, the Mythos case is a critical test for both the EU AI Act and GDPR. In a corporate context, this means that compliance and security strategies must be urgently re-evaluated.

  • OWASP LLM Top 10 Context: Mythos directly impacts several points of the OWASP LLM Top 10. Particularly relevant is LLM10: Unsafe Code Generation, which in this case means not just generating vulnerable code, but actively creating exploits. It also increases the risk of LLM06: Sensitive Information Disclosure, as the model can be used to develop more effective attacks to obtain sensitive data.
  • Red Teaming and Audits: Corporate red teaming services and security audits must prepare for AI-assisted, automated attacks. The effectiveness of existing manual or semi-automated vulnerability scanning methods may diminish against such fast and adaptive tools. LLM security audits must now extend beyond a company’s own models to include the threat posed by external, offensive AI models.
  • EU AI Act and GDPR Compliance: It is not enough for companies to ensure the compliance of their own AI systems. They must assess the risks posed by external AI tools used in their supply chain or even in their market. Attacks generated by models like Mythos can cause data breaches, which fall under the scope of GDPR, regardless of the origin of the attacking tool.

A Global Challenge, A European Response: The Power and Limits of Coordination

The challenge posed by Mythos is not limited to Europe. The US, UK, Canada, and Japan have also invited Anthropic to discussions, highlighting the global nature of the problem. Joseph Stephens emphasized the importance of a coordinated approach: “We’re working through the European system because there’s more strength in having a coordinated approach.”

At the same time, he acknowledged the limitations of national-level regulation:

“We have to recognise what the Irish state can and cannot do. We can’t stop a company like Anthropic based in the US from releasing or not releasing a model.”

This duality shows that while Europe is leading the way in regulation with the AI Act, true effectiveness requires international cooperation and flexible enforcement that adapts to technological realities. As Stephens put it, Europe “can’t regulate our way out of it.” Mythos is a clear signal that the pace of technological advancement is constantly testing legal frameworks, and a proactive, risk-based security approach is essential in the modern corporate environment.

Attila Rácz-Akácosi

Independent AI Security Specialist

Two decades of analytical and systems-oriented experience. I have been working with artificial intelligence since 2017. In recent years, I have specialized in AI/LLM security and AI Red Teaming. Systems-level thinking instead of endless vulnerability checklists.