The line between a safety decision and a distribution strategy is getting hard to find.

Anthropic shipped Claude Mythos Preview in early April. It can find zero-days, write exploits, chain vulnerabilities together, and do it autonomously. The company said the model was too dangerous to release to the general public and gave access to Microsoft, Nvidia, Cisco, and about 50 other tech firms under something called Project Glasswing — over $100 million in usage credits.

OpenAI responded weeks later with GPT-Rosalind, a life sciences model, and GPT-5.4-Cyber. Both restricted. Both announced with press releases that read like safety notices.

The TIME article that surfaced on r/artificial this week called it "AI's New Normal." The phrase is accurate but the framing is too soft. This is not just a pattern of caution. It is a strategic shift in how the most capable AI systems reach the market. The implications are bigger than the safety debate that headlines the story.

What the models actually do

The capabilities are real. Katie Moussouris, CEO of Luta Security, told NBC News she is not being a "Chicken Little" about Mythos. "We are going to see some huge ramifications," she said.

Anthropic's system card for Mythos Preview describes a model that can autonomously find and exploit software vulnerabilities across most major operating systems and browsers. Some bugs had sat undiscovered for decades. Logan Graham, who leads offensive cyber research at Anthropic, described a model that can write exploit code, chain multiple vulnerabilities, and penetrate complex software without human guidance.

GPT-2 in 2019 was about the fear of generating deceptive text at scale. Mythos is about a system that can break into the infrastructure you rely on.

Bruce Schneier's take on the launch was blunt. He called it a "PR play" and noted the security firm Aisle replicated some findings with older, cheaper, public models. The distinction, he argued, is between finding a vulnerability and turning it into an attack. For now, the defender has a short-term edge. That edge will not last.

What "restricted" means in practice

Anthropic's restrictions are being tested in real time. Bloomberg reported on April 22 that unauthorized users gained access to Mythos through a third-party vendor environment. The group shared information about unreleased models through a Discord channel and had been using Mythos regularly once inside.

Anthropic confirmed it was investigating. The breach does not prove anything about internal security. It does prove something about the idea that a model stays safely restricted while deployed to a network of external contractors and corporate partners. The blast radius expands with every vendor added to the list.

OpenAI follows a similar model. GPT-Rosalind goes to organizations with "strong internal controls." Neither company has published a timeline for broader release.

Who gets to decide who counts

The access question matters. Steph Batalis, research fellow at the Center for Security and Emerging Technology, raised equity concerns: if American banks and defense contractors get early access to models that can spot vulnerabilities, and researchers in other countries do not, the safety frame looks like a competitive advantage frame.

This is where the pattern gets uncomfortable. The lab that withholds its most capable model gets to define who is a legitimate user. There is no independent mechanism for reviewing those decisions. No appeals process for researchers who are shut out.

Connor Leahy of ControlAI put it directly: "We don't allow companies to decide how much toxic pollutant they're allowed to put in my child's drinking water; this is the government's decision." The metaphor is overdone, but the point underneath is the right one. Voluntary restriction without oversight means the companies decide the boundaries. They also decide when the restriction ends. They get to frame both as safety decisions.

The PR works, and that is part of the problem

Schneier was right about the playbook. Reporters repeated Anthropic's talking points. The White House described a "productive and constructive" meeting after Mythos launched. The NSA reportedly started using the model. Treasury Secretary Bessent convened senior bankers to discuss deploying Mythos for vulnerability detection. Goldman Sachs, Citigroup, Bank of America, and Morgan Stanley are all reportedly testing it.

A cynical read says AI labs figured out that calling a model "too dangerous to release" generates positive press and government contracts while keeping the model out of competitor hands and off evaluation benchmarks. That version flattens things too much. But the incentives are now aligned in ways worth noticing.

What is not settled

Heidy Khlaaf, chief AI scientist at the AI Now Institute, warned against buying Anthropic's claims wholesale without data on false positive rates and human review methodology. That caution applies. We have Anthropic's system card, positive assessments from several cybersecurity firms, and a stack of press coverage. We do not have independent verification of every vulnerability Mythos claims to have found.

The Rosalind announcement left gaps too. HN commenters noticed OpenAI compared the model to their default GPT-5.4, not the Pro tier, and left Anthropic models out of the comparison. Selective benchmark framing. Useful for marketing. Limited for judging capability gaps.

The bigger uncertainty is direction. If frontier labs decide their best models stay restricted, the public AI ecosystem is shaped entirely by whatever they choose to release. That is not a safety policy. It is a market structure decision wearing safety language.

Why this pattern matters now

GPT-2 started this conversation in 2019. What changed is the frequency, the capability level, and the incentives. Three restricted models in one month from two major labs is not an anomaly. It is the beginning of a norm.

The safety arguments carry weight. Mythos probably should be deployed carefully. But "carefully" and "exclusively for banks and defense contractors with government briefings" are distinct things. When access decisions and safety decisions ship bundled into the same announcement, it is worth asking which one actually drives the policy.

The r/artificial thread was light on discussion but the TIME piece spread widely. On HN, the Rosalind announcement pulled 102 points and a steady undercurrent of skepticism about benchmark selection. The pattern is visible. Noticing it is a start.

Sources