What you need to know
- Anthropic has developed Mythos, a powerful new AI model with exceptional cyber security capabilities. Due to the significant risks it would pose in the hands of threat actors, Anthropic has restricted access to selected security vendors and organisations, withholding it from public release.
- According to Anthropic, Mythos is "capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser." This means Mythos can find and potentially exploit, at speed and scale, previously unknown vulnerabilities in software.
- It is only a matter of time until this kind of capability is in the hands of criminal and state-based threat actors.
- Regulators in the US and Canada are already discussing how the financial services sector is responding, calling in leading banks to explain how they intend to maintain resilience in the sector. It is only a matter of time before regulators in other jurisdictions also send "please explain" requests.
What you need to do
- Be ready for regulator questions. This is not (just) an IT issue, and regulators will want to know organisations are on top of things. Boards, legal and risk teams each play a key role in not only responding to the rapidly evolving threat environment, but demonstrating robust governance over that response. Read more about the key questions and actions for boards, legal and risk teams below.
- Patch, Patch, Patch! The time between a vulnerability being identified and threat actors being able to exploit it has been consistently shrinking for years. We are rapidly reaching a state where that defensive time gap will be negligible. However, it simply will not be feasible for organisations to patch every system every day. Decisions about vulnerability management need to be risk-based, and supported by robust governance to mitigate downstream regulatory and litigation risk, limit hindsight bias, and demonstrate a defensible framework.
- Reduce your attack surface: Consolidate your system assets, particularly those exposed to external networks. Risk teams and boards will need to ensure complete and accurate architecture mapping is in place, understand what obsolete systems exist that can be retired, and have a full inventory of high-value data with a risk-based control taxonomy in place. Reducing your attack surface will need sustained action.
- Don't forget about your supply chain: In our hyper-connected world, the systems you rely on from third and fourth parties (and the data they carry on your behalf) need to be managed and governed essentially as your own. Contractual defences will not be enough to protect reputation and address regulatory expectations in the case of a major attack or breach.
- Evaluate your procurement function: Are you security focused when selecting vendors for your supply chain, and is there appropriate ongoing due diligence (not set and forget)?
- Assume compromise – and be ready: While Anthropic has restricted Mythos to defensive use by selected partners, most experts agree that we are at a time when the offensive capabilities of threat actors outstrip defensive capabilities. Leaders should anticipate further high-impact disruption, which requires an ongoing commitment to next-level readiness, response and recovery.
“Anthropic’s Mythos is no reason to panic but demands urgent action from the Board down. It is reasonably foreseeable that advanced AI in the hands of threat actors will heighten cyber risk.
This is not just a technical issue – boards must demonstrate reasonable steps to address this known risk, with clear visibility and oversight of decision-making, priorities, and resourcing.”
Top 5 actions for boards, legal and risk teams
- Review your vulnerability risk assessment program and ensure it is fit-for-purpose given this material change in landscape
- Improve Board reporting to focus on key metrics where risk tolerance remains, with a vigilant focus on compensating controls and closing known gaps: boards must clearly understand the cyber posture of their organisation
- Urgently re-assess third and fourth party risks – chances are they are less ready than you
- Assume compromise - formally assess "whole of organisation" maturity to respond to a high impact cyber incident, and uplift capability and plans aligned to your risk appetite.
- Connect legal, risk, compliance, and security teams to ensure effective coordination, alignment and consistent application of risk appetite and reporting.
Is the cyber sky really falling?
Claude Mythos is a new general-purpose language model developed by Anthropic that demonstrates exceptionally strong capabilities in cybersecurity tasks. The model can autonomously identify zero-day vulnerabilities (previously unknown security flaws) in critical software systems including major operating systems, web browsers, and cryptographic libraries, and then develop sophisticated exploits to leverage these vulnerabilities. During testing, Mythos Preview found exploitable bugs that had evaded detection for decades.
These cyber capabilities emerged as a consequence of general improvements in code, reasoning, and autonomy.
Due to the significant cybersecurity implications, Anthropic is not making Mythos Preview generally available. Instead, they have launched "Project Glasswing" to work with critical industry partners and open-source developers to secure important systems before similar capabilities become broadly accessible.
The release has caused widespread alarm amongst cyber experts, who predict that this kind of advanced AI will be a game changer in offensive technology once it gets into the hands of threat actors. Wall Street has responded with a sharp decline in cyber security stocks, anticipating more disruption across the security sector.
But what does this all mean?
- More vulnerabilities identified: Software vulnerabilities that previously went undetected are now being found with astonishing speed. Even if just a few of these vulnerabilities were to be exploited, critical services that we all rely upon day to day (for example, payments, electricity, telecommunications, water, travel, food supply) could be significantly disrupted, with impacts felt across the entire economy.
- Faster exploitation: Some of these vulnerabilities can also be exploited with astonishing speed, including chaining multiple vulnerabilities together to create more sophisticated compromises. Presumably the advanced exploitation capability can also be used for currently known vulnerabilities.
- Challenges for defensive cyber: The ability to contain attacks (without advanced AI defensive models) will increasingly come under more and more pressure as agentic AI automates complexity and speed.
- Layered defence to diverse threats: Zero-day vulnerabilities are only one form of cyber compromise (stolen credentials and phishing/malware attacks remain the most common). Layered controls, alerts, detection, and containment systems help mitigate all forms of compromise.
- A tool for the good guys – but for how long? The cyber capabilities of advanced AI like Mythos are not yet (as far as we know) in the hands of threat actors. But that is a matter of when, not if. The pressure is clearly on the entire security control environment to be working at its best.
- More pressure to demonstrate excellence: Critical infrastructure owners and operators in particular need to ensure that their cyber security program (importantly patching, technical stack and hygiene) is best of breed and there is constant focus on threat management.
What regulators might want to know – and what actions you need to take
Regulators in the US and Canada urgently met with leading banks to discuss their response.
It is only a matter of time before regulators around the world follow suit and start asking organisations to demonstrate how they are responding to the prospects of a potentially drastic shift in the threat landscape.
It is important to take action now, and not wait until you get the knock on the door – either from a regulator, or from a threat actor.
Here are our top questions and actions to get you ready:
- Is your vulnerability management where it needs to be? Vulnerability management (the process of identifying, prioritising, and applying software updates for known vulnerabilities) has long been a staple of Board reporting – but is too often just a set of indistinguishable traffic lights and metrics, disconnected from the risk profile and threat environment. Risk teams will need to assess what their current state of vulnerability management means for the strategic security posture of the organisation. Management teams need to turn this into sensible metrics that enable the Board to ask questions (and get reliable answers) about vulnerability management and exposure.
- ... and are you across the detail? Boards will need to demonstrate appropriate attention and governance over these details. For example, do you have the right level of resources and budget in place? Is patching prioritised based on protecting parts of the system that are higher risk and/or highly connected? Is your organisation ensuring that known vulnerabilities are patched as soon as a patch is available? For software that cannot be patched, are there compensating controls in place, and are they adequate? Do you need to re-examine the speed and prioritisation of technology uplift and remediation programs?
- Is your attack surface bigger than it needs to be? We see, time and time again, that the root cause of cyber attacks is the initial compromise of a digital asset that an organisation did not know they had, thought was obsolete, or had not secured because "no-one used it". The bigger your asset base, the bigger your attack surface and the more of it there is to secure. However, decommissioning and consolidating assets is easier said than done.
- ... and are you across the detail? Boards need to ask what assets the organisation has, and whether this knowledge is complete. Is the correct prioritisation of consolidation in place and being implemented at the appropriate speed? While consolidation happens, are interim compensating controls sufficient? This is where technology transformation governance meets cyber security best practice.
- How secure is your supply chain? There is limited use in getting your own house in order when the vendor of your critical software or hardware has not; or when your fourth party in the supply chain has your data stolen because their security was inadequate. A persistent question we get from boards is how much should they ‘know’ and be aware of when it comes to supply chain security. At a bare minimum, organisations will need to re-assess critical vendors for how they handle vulnerability management, network segmentation, autonomous detection and containment, who has what access to your systems and data, where they are located and whether business continuity arrangements are effective. It is always open to the Board to direct that risks such as supply chain risks are the subject of third party assurance or audit, with the findings going directly to the Board. Regulators are rightly obsessive about supply chain risks, and supply chain cyber risk assessments are not something to skimp on.
- ...and is your procurement policy security focused? Procurement, and in particular how vendors are selected for critical supply chains, is a sleeper issue for many organisations. Cost should not be the key driver. Organisations must consider a range of other risks such as jurisdiction and access (both to data and to the systems themselves). Organisations carry risk for their data and access to their systems irrespective of who manages them, so ensuring that your whole end-to-end process is sound is simply good business.
- The likelihood of compromise just increased. Are we really ready? Assessing "whole of organisation" maturity to respond to and recover from a high-impact cyber attack is the least well governed and assessed aspect of any cyber security program. It requires an organisation to have not only a clear assessment of their technical capability to detect, contain, and respond to high-impact incidents, but also a clear understanding of the maturity of data governance and business continuity programs, stakeholder engagement and communication, government liaison, and actions to minimise customer risk of harm. Organisations should ask: have we conducted a recent simulation involving stakeholders from the Board down to technical teams at the coalface? Does our legal team and Board have their own dedicated playbooks? Do we know how our supply chain will respond? Do we have a good understanding of where our data is (both inside our organisation or with third parties)? Can we assess the confidence we have in our organisational response to a worst-case scenario on a measurable maturity scale?
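The questions above ask whether patching is prioritised by where an asset sits (exposed, highly connected, holding high-value data) rather than by severity score alone, and whether unpatchable systems have compensating controls. The following is an added illustration of that logic in working code; it is not from the original article or from any tool it mentions. The weighting scheme, the action thresholds, and the asset inventory and findings are all constructed assumptions chosen to show the mechanics, and the finding references are placeholders rather than real vulnerability identifiers.

```python
"""Risk-based patch prioritisation over a constructed asset inventory.

Illustration only: the weights, thresholds and sample data are assumptions,
not a published scoring standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_exposed: bool      # reachable from outside the perimeter
    peers: int                  # number of internal systems it talks to
    data_tier: str              # "high", "medium" or "low" value data
    patchable: bool = True      # False for end-of-life or vendor-locked systems
    compensating: tuple = ()    # controls already in place, e.g. ("segmented",)


@dataclass(frozen=True)
class Finding:
    asset: str
    ref: str                    # placeholder reference, not a real CVE
    cvss: float
    known_exploited: bool       # appears on an exploited-in-the-wild list
    patch_available: bool


DATA_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}


def risk_score(asset: Asset, finding: Finding) -> float:
    """Combine severity with exposure, connectivity and data value."""
    exposure = 2.0 if asset.internet_exposed else 1.0
    # Highly connected hosts are pivots; the bonus saturates at 10 peers.
    connectivity = 1.0 + min(asset.peers, 10) / 10.0
    exploited = 1.5 if finding.known_exploited else 1.0
    # Each compensating control reduces, but never removes, the exposure.
    mitigation = 0.7 ** len(asset.compensating)
    return round(finding.cvss * exposure * connectivity
                 * DATA_WEIGHT[asset.data_tier] * exploited * mitigation, 2)


def decide(asset: Asset, finding: Finding, score: float) -> str:
    """Map a score to an action; unpatchable assets are handled first."""
    if not (asset.patchable and finding.patch_available):
        if asset.compensating:
            return "compensate"
        return "gap: unpatchable and no compensating control"
    if score >= 30.0:
        return "patch now"
    if score >= 12.0:
        return "patch this cycle"
    return "accept and monitor"


def prioritise(assets, findings):
    """Return findings ordered by contextual risk with a recommended action."""
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        a = by_name[f.asset]
        s = risk_score(a, f)
        rows.append({"asset": a.name, "ref": f.ref, "score": s,
                     "action": decide(a, f, s)})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample inventory and findings (assumptions for illustration).
SAMPLE_ASSETS = [
    Asset("vpn-gateway", internet_exposed=True, peers=40, data_tier="high"),
    Asset("hr-portal", internet_exposed=True, peers=3, data_tier="medium",
          compensating=("waf",)),
    Asset("legacy-scada-hmi", internet_exposed=False, peers=2,
          data_tier="high", patchable=False),
    Asset("print-server", internet_exposed=False, peers=1, data_tier="low"),
]

SAMPLE_FINDINGS = [
    Finding("vpn-gateway", "FINDING-A", 9.8, known_exploited=True, patch_available=True),
    Finding("hr-portal", "FINDING-B", 7.5, known_exploited=False, patch_available=True),
    Finding("legacy-scada-hmi", "FINDING-C", 8.8, known_exploited=True, patch_available=False),
    Finding("print-server", "FINDING-D", 5.3, known_exploited=False, patch_available=True),
]


if __name__ == "__main__":
    for row in prioritise(SAMPLE_ASSETS, SAMPLE_FINDINGS):
        print(f"{row['score']:7.2f}  {row['asset']:<18} {row['ref']:<10} {row['action']}")
```

Two features matter for the Board questions in the list above: the exposed, highly connected gateway outranks a higher-severity finding on an isolated host, and the unpatchable control system surfaces as an explicit gap rather than quietly sitting in a "cannot patch" bucket. A real programme would replace the constructed weights with its own risk appetite and feed the output into the metrics the Board sees.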
These are issues that courts and regulators are likely to consider as relevant to whether an organisation has taken appropriate steps to ensure that the right governance and operational controls were in place to protect the organisation, its data, systems and ultimately customers. The risk highlighted by Claude Mythos heightens the importance of getting this right.
Advanced AI like Mythos changes the “reasonable steps” expected of you
Being the target of a cyber attack is not an offence. Regulators do not expect organisations to be immune from cyber attack, but they expect organisations to be well informed of the risk and to take reasonable steps to respond to a dynamic risk environment – to invest in the thorough and comprehensive planning that enables cyber readiness, response, and recovery.
The “reasonable steps” expected under various regulatory regimes are not static checklists of technical cyber security measures. Instead, legal and regulatory cyber obligations are dynamic, requiring organisations to have the governance frameworks in place to respond not only to changes in the law, but changes in the threat environment and risk profile.
Good security posture can’t be achieved with a “set and forget” approach but must be supported by a robust governance framework to test, revisit, and revise measures on a continual basis, prioritising the risks that matter most.
More advanced AI models rebalance what is reasonable for an organisation – in the hands of defenders they can reduce the risk of undiscovered vulnerabilities, but in the wrong hands they can enable threat actors to not only identify vulnerabilities but exploit them rapidly and at scale.
The steps previously considered reasonable will need to be revisited to make sure they keep pace with rapidly evolving capabilities.
Keeping the Board informed of heightened risk
Heightened cyber risk is a well-recognised form of non-financial risk for any organisation.
Directors must understand the non-financial risks their organisations face, effectively engage in the substance of these risks, and govern them with the same rigour as financial risks.
This responsibility flows down through the organisation – executives play an essential role in bringing areas of heightened or additional risk to the Board.
An example of the need for integrated governance around non-financial risk is the recent Australian decision of ASIC v Bekier [2026] FCA 196, which emphasised that directors cannot passively receive reports from management but should apply an inquiring mind and actively press management with difficult questions on emerging risks.
Executives play an important role in bringing the heightened risks highlighted by Claude Mythos to their boards, and directors need to actively engage on how their organisation monitors and responds to the evolving threat environment on an informed basis.
Now is the time to act
There is no doubt that Anthropic’s Mythos is a significant step-change in the cyber threat landscape. Should just one of the many vulnerabilities it has already identified be exploited, we could see considerable and widespread disruption.
It is a wake-up call for all organisations managing cyber security risk, particularly providers of critical infrastructure and vendors, to get your cyber house in order now.
Regulators do not expect perfection, but they will expect a governance and risk management strategy that reflects reasonable steps through controls and measures that are fit for purpose. Cyber risk is not new, and so we do not anticipate a grace period.
For boards and management, this cannot merely be regarded as an IT issue. The consequences, from boards down, could be significant if you do not take reasonable steps to ensure that you have appropriate oversight of robust patching programs and management of supply chains, and ensure that your organisation has sufficient focus on resilience so that it is well prepared to respond to and recover from a high-impact cyber incident.
Other Authors: Andrew Hilton, Expertise Counsel and Philip Hardy, Partner, Ashurst Risk Advisory.