European Regulators Sidelined on Anthropic Superhacking Model

Anthropic’s decision to confine Mythos—a model that can out‑perform most humans at spotting and exploiting software flaws—to a select group of U.S. partners has sent ripples through the global AI and cybersecurity landscape. By keeping the technology out of the hands of European regulators, the company effectively sidesteps the EU’s AI Act, which obliges providers to address cyber risks, and the Cyber Resilience Act, which governs digital products sold in the bloc. This move underscores a growing asymmetry: while the United States enjoys direct dialogue with Anthropic, European agencies are left scrambling for fragmented insights, weakening the region’s ability to pre‑empt potential threats.

The United Kingdom stands out as an exception. Its AI Security Institute secured early access, conducted a thorough assessment, and published mitigation steps, demonstrating how proactive national bodies can bridge the oversight gap. The UK’s approach illustrates a pragmatic model—leveraging specialized institutes to evaluate high‑risk AI—while the EU remains constrained by procedural delays and a lack of direct engagement with the developer. If Anthropic eventually commercialises Mythos, the EU’s regulatory framework could kick in, but until then the continent’s super‑regulator reputation is challenged.

Beyond immediate policy concerns, the Mythos episode reignites the debate over global AI safety governance. Experts from academia and civil society argue that private firms should not be the sole arbiters of technology that can destabilise critical infrastructure. The incident adds momentum to calls for binding international norms, such as the G7 Hiroshima Process or a United Nations AI oversight body, to ensure transparent testing, responsible disclosure, and equitable access for regulators worldwide. As AI models become increasingly weaponisable, coordinated oversight will be essential to safeguard both market stability and national security.