By Amit Kapoor and Sheen Zutshi
As artificial intelligence evolves, so do the anxieties around it. The discourse on AI ethics, slops and data centres, and AI’s implications on the labour market, warfare and national security are intensifying. Our dystopian sci-fi plots aren’t fictional anymore. Following years of AI advancements, the dynamics have finally changed in 2026, potentially shifting AI from an abstract concept to a force affecting the fundamental infrastructure of institutions. The challenge is to withstand the cybersecurity risks enabled by AI.
The discourse around AI safety can no longer be deemed mythological. Claude Mythos, Anthropic’s frontier model, not even built with security in mind, revealed that it surpassed the capabilities of any prior model and could discover vulnerabilities on its own. Recognising the risks this release could pose, Anthropic instead launched Project Glasswing, uniting major tech companies such as AWS, Apple, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks to protect critical software. Additionally, 40 more organisations involved in vital software infrastructure can access and use the model to scan and secure systems.
According to the project’s brief, “Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser”. This is accompanied by a brief explanation that they believed AI models have surpassed most skilled humans in coding proficiency for identifying and exploiting vulnerabilities. As AI capabilities continue to proliferate, the potential implications for economies, public safety, and national security could be severe. But what do we know about its implications so far?
The UK’s AI security institute, which has tracked AI cyber capabilities since 2023, found that in one of its capture-the-flag tests, AI models must find and exploit weaknesses to retrieve “hidden flags”. The Mythos preview outperformed all other AI models, succeeding on 73 per cent of expert-level tasks that no AI model had completed before April 2025. Their evaluation found Mythos could complete a 32-simulated corporate network attack, showing it can target weakly defended systems. However, the tests lacked active defenders and security tools, so real-world performance in well-defended environments remains unproven. There are further developments in this story. Mozilla said it identified 271 vulnerabilities in Firefox, while startup Cali said its preview version helped develop an exploit chain for M5 Mac chips.
As some may have cautioned, the Mythos preview is a marketing tactic, and Anthropic is dramatising the capabilities of the model it controls and positioning itself at the centre of AI safety and cybersecurity. The scepticism is welcome, but that doesn’t make their warnings meaningless. As AI systems advance, the institutions resilience will be tested more. Mythos’s preview of real capabilities may be revealed over time, but one thing is clear: no AI concern has become as entrenched as its cybersecurity aspect. AI’s ability to identify weaknesses in digital infrastructure, including banking, telecom, and public portals, has societal implications.
Before the AI era, a country’s ability to build and advance digital infrastructure implied success, but now it also carries implications for vulnerability. Think of the Irish elk, the extinct deer-like animal remembered for its enormous antlers, which were considered a symbol of evolutionary success, but became harder for them to carry as conditions around them changed. Digital payment systems, banking networks, cloud platforms, and public databases are the antlers of digital infrastructure, which are considered important for coordination, market sophistication, and for controlling the economies’ ecosystems. AI changes their conditions. What Mythos Preview claims, if true, is that AI can probe networks, reason over code to attack, and accelerate vulnerability discovery, whether on the most defended networks or the ones usually left unguarded, in a way that the same antlers become the attack surface. This is the AI cyber moment we should all be worried about. The Mythos moment has shown signs that civilisation’s digital intelligence is advancing more quickly than its ability to safeguard the very intelligence it relies on.
The world is responding differently to the Mythos moment. Europe is deploying the AI Act, which requires systemic risk models to undergo adversarial testing, mandates cybersecurity safeguards, and requires incident reporting to the AI Office, with enforcement starting in August 2026. China’s response focuses on controlling the AI ecosystem through amendments to the cybersecurity law and by imposing compute and embedding controls on frontier models. The US is moving faster by operationalising AI regulation. The US Department of Commerce’s CAISI has signed agreements with Google DeepMind, Microsoft, and xAI to vet their AI models before public release.
India has also responded through CERT-In, which issued an advisory warning about frontier AI models’ capabilities to support multi-stage cyberattacks. Finance Minister Nirmala Sitharaman has also signalled risks to India’s banking sector, prompting the RBI, SEBI, and critical infrastructure agencies to begin coordinating cyber defence mobilisation from late April. It is also speculated that India has reportedly requested access to Mythos for its domestic enterprises. For a country that has turned Digital public infrastructure into a success story inspiring others in the Global South, India’s mythos response is far from adequate. It is a reality check that, while we are world-class at deploying digital systems at scale and are the second-largest consumer of frontier AI models, we have yet to develop frontier model capabilities or a robust AI cyber response for our public infrastructure. India does not yet have a binding AI act, as the EU does, nor is it at the stage of building sovereign AI capabilities, as China or the United States. So, this response is adequate within that framework, but is it enough to safeguard its systems?
The next phase of AI will not reward frontier model developers; it is more about countries that can secure the systems in which these models operate globally. If India wants a sovereign AI ecosystem, then it must act faster and must not overlook this opportunity. With its robust STEM workforce, DPI, and cost-efficient talent, India’s key strategic advantage lies in developing its cybersecurity workforce, which will remain antifragile to mythos, and in treating cybersecurity as the foundation of AI-era sovereignty.
(Amit Kapoor is chair & Sheen Zutshi , Research Manager at Institute for Competitiveness. X: @kautiliya).
