Anthropic says its Mythos preview can identify and exploit serious software vulnerabilities at machine speed. It has reportedly found thousands of high-severity vulnerabilities across major operating systems and web browsers. Anthropic has partnered with US technology suppliers and cyber security service providers to identify and remediate these vulnerabilities under the newly announced Project Glasswing. Whether or not Mythos itself is broadly released, Australian organisations should treat this as a warning that the time between a weakness existing and causing a material problem may be shrinking sharply. That does not create a new Australian legal regime. It raises the practical standard expected under existing duties around governance, disclosure, privacy, resilience, contracting, transactions and insurance.

Why this matters now

For boards, the takeaway is simple: serious exploit development is becoming faster, cheaper and less dependent on rare individual talent. It is not simply that cyber risk is increasing; it is that decision-making and risk management timeframes may collapse while organisations are not structured to respond in a timely manner. A vulnerability that might previously have sat unexploited for days or weeks may now turn into a live legal, operational and disclosure issue much faster and at greater volume.

That changes the practical governance and risk management realities for Australian organisations. The immediate risks relate to the resources and activity systems needed to remediate the new vulnerabilities the Glasswing cohort will soon start disclosing. In the short- to mid-term, boards will need to assess cyber risk governance and risk management capabilities more generally to demonstrate reasonable and appropriate uplift to match the modified risk environment.

In this insight, ‘Mythos-class’ is shorthand for models with the capability profile publicly described for Anthropic’s Claude Mythos Preview and the near-term successors other labs are likely to build. Anthropic itself uses the phrase ‘Mythos-class models’ when describing the broader deployment challenge ahead.

Read our insight on Why Mythos-class AI models change the cyber security risk calculus for more background.


What boards and executives should do differently

Good governance does not require perfection. The question is whether the organisation's governance is active, informed and fast enough for a changed threat environment.

Boards should ask management to revisit the assumptions built into cyber risk management and reporting. Traditional metrics such as annual maturity scores or broad patch-compliance rates may no longer tell the whole story. More useful measures may include patch latency for critical assets, proprietary code vulnerability scanning progress, time to detect, time to contain, time to recover, unresolved legacy exposures, open-source dependencies, and the organisation's ability to make emergency changes safely, particularly in Operational Technology (OT) environments.

Boards should also assess whether current risk management approaches that determine resourcing based on human-scale exploit timelines remain adequate. They should consider whether the IT and information security teams are adequately staffed to deal with the volume of vulnerability remediation across the IT estate that will likely emerge from Project Glasswing participants, and how to work with crown-jewel asset suppliers that are outside the Glasswing cohort. Boards should also consider whether the teams that support cyber security governance activities (legal, security, procurement) are set up and aligned to respond to the risk at the required speed.

Boards should also revisit decision rights. If an incident unfolds in hours, who can take systems offline, halt a product release, instruct external counsel, notify insurers, approve an ASX announcement or escalate to regulators before the next scheduled board meeting? These decisions should not be improvised in the middle of a crisis. There is also the remote chance that a critical system vulnerability cannot be managed to within risk tolerance, requiring voluntary curtailment or shutdown even absent an active threat. How should such a scenario be treated, and should annual report disclosures be revisited where cyber risk is material to the business? 

Questions boards should ask management now

  1. What are our crown-jewel systems, data sets, business processes and third-party services, and what would be the legal, operational, financial or safety impact if one were exploited at Mythos speed?
  2. Are any of our crown jewels not supported by members of the Project Glasswing cohort, and does this give rise to additional risk?
  3. When a critical vulnerability is announced, how quickly can we identify every affected asset, and what are our actual median times to patch, isolate or otherwise mitigate it? How would a dramatically increased volume of reported critical vulnerabilities affect resourcing and prioritisation?
  4. Where do legacy, unsupported, bespoke or OT environments make patching slow, risky or impossible, and what compensating controls and recovery options are in place?
  5. How exposed are we through key suppliers, software dependencies and open-source components, and do our contracts and operating practices give us timely visibility and coordinated remediation?
  6. What AI-assisted defensive tools are we using for code review, triage, hunting and patch support, what access do they have to code, logs or data, and what governance controls apply?
  7. If the exploit window shrank from weeks to hours, which decisions would need to be made immediately, who is authorised to make them, and have we rehearsed privilege, disclosure, customer and regulator communications, insurer notice and business continuity?


Mythos-class models do not create a new directors' duty. They do, however, sharpen expectations under existing duties of care, diligence and proper oversight. After a serious cyber event, the question is not whether the company had perfect security. It is more likely to be whether the board and senior management had a defensible governance framework, received the right information, challenged management appropriately, funded priority controls and acted with appropriate speed once the risk profile changed.

That makes board papers, minutes and escalation frameworks more important. Organisations should be able to show that cyber risk is being treated as an enterprise risk, not a technical sidebar, and that management has revisited risk appetite, resilience and response settings considering Mythos-class AI-enabled threat acceleration.

Understanding the impact of Mythos-class model risk on both IT and OT environments is critical for boards. Ever-increasing connectivity of OT across sectors, including infrastructure, energy, manufacturing and heavy industry, has dramatically expanded the attack surface for many companies. Many of these systems contain legacy components that are critical to operations and safety but have remained unpatched for years. Mythos-class model vulnerability scanning is likely to surface multiple previously unknown vulnerabilities within an environment that is difficult and complex to patch rapidly. Alternative risk management techniques will need to be considered, and for companies with OT risk exposure it is imperative to assess whether the company has the specialist capability required to apply them. Boards should also review these risks in light of Work Health and Safety obligations.

Financial Services

For Australian Prudential Regulation Authority (APRA)-regulated entities, the practical impact is obvious. CPS 234 and CPS 230 (and CPS 220) already require governance, information security capability, operational resilience and prompt incident escalation. These standards require entities to assess the Mythos-class model risk and respond accordingly.

Critical Infrastructure

For critical infrastructure entities, the Security of Critical Infrastructure critical infrastructure risk management program (CIRMP) obligations make managing material risks in cyber security, supply chain and response readiness a board issue. This framework requires responsible entities to assess whether Mythos-class model risk constitutes a material risk under that standard and to apply appropriate risk mitigation steps as required. For those that do not, we may see a Government response leveraging existing (and potentially soon to be expanded) directions powers to cause entities to act.

Australian Privacy Principle (APP) 11.1 requires APP entities handling personal information to take reasonable steps to protect and secure that information. Recent changes to the law mean that “reasonable steps” include technical AND organisational measures. Combined with APP 1, this requires APP entities to have a functioning cyber security governance and risk management framework that is reasonable and commensurate with the risk. Where that risk changes, it is a likely expectation that an organisation will assess the changed risk environment and determine whether its controls remain reasonable. The questions above, and follow-on activities, are arguably required in light of Mythos-class models.

Mythos-class models also change how organisations should think about software supply chain exposure, outsourced service models and AI tooling.

IT teams should assess whether outsourced system providers are part of the Project Glasswing cohort and plan accordingly for the coming wave of vulnerability disclosures. In addition, identifying critical IT and OT assets that are not part of Project Glasswing and working with suppliers to understand their response plans will be key. Working out how to protect those crown-jewel assets without the preferential support available to Project Glasswing participants will be a key differentiator between the companies that manage the risk well and those that don’t.

Legal teams should review whether key contracts deal adequately with security obligations, notification timing, cooperation, evidence preservation, audit rights, remediation support and patching expectations. That review should extend to cloud, managed services, outsourced development, critical software vendors and, where relevant, AI tools that may need access to source code, logs, configurations or other sensitive material.

Procurement processes may also need attention. In a faster-moving threat environment, the business may want to onboard defensive tooling quickly. The legal challenge is to enable speed without dropping baseline controls around confidentiality, data use, testing boundaries, liability and service levels. Looking forward, Procurement and Legal teams may want to review supplier diligence questionnaires to account for Mythos-class model risk in supplier tools and assets.

This is not just a governance and incident response issue. It is now a transaction issue.

In mergers and acquisitions, investment, financing and major commercial deals, cyber diligence should go beyond asking whether the target has suffered a prior breach. Buyers, investors and counterparties should test patch latency, vulnerability management discipline, containment architecture, incident history, unresolved audit findings, open-source exposure, software provenance, use of coding agents and the maturity of board and management oversight.

Deal documents may also need a harder look. Disclosure schedules, warranties, indemnities, material adverse change analysis, conditions precedent and post-completion integration planning may all need to reflect a world in which cyber deterioration can become operationally and financially material more quickly. Cyber warranty and indemnity insurance is also likely to become harder to obtain, or more costly.

If the risk of a cyber incident has materially increased, then the cost of cyber insurance may follow, along with baseline requirements to obtain and maintain insurance. Engaging with brokers early to understand how the market is responding to Mythos-class models, and the risk management approaches underwriters are expecting, will help set organisational priorities.

Insurance coverage should be reviewed. Boards and legal teams should check not only cyber cover, but also directors and officers, professional indemnity, crime, tech errors and omissions and, where relevant, warranty and indemnity insurance.

Bottom line

Mythos-class models do not mean every enterprise will be compromised tomorrow. They do mean that the economics and velocity of cyber offence have changed. A capability once limited by rare human expertise is moving toward automation, repetition and scale. For boards, that changes the question from “Are we generally cyber mature?” to “Are our governance systems fast enough, visible enough and resilient enough for a world in which vulnerability discovery and exploit development are being industrialised by frontier AI?” The prudent course is to reassess now, before broader capability diffusion forces that reassessment under incident conditions.

How Gilbert + Tobin can help

Gilbert + Tobin is advising clients on the governance and legal implications of AI-accelerated cyber risk, including board and governance uplift, incident response and regulator engagement, ASX and disclosure advice, APRA, privacy and critical infrastructure reporting, transaction diligence and drafting, and insurance review and claims strategy. If your organisation would benefit from a targeted review of its governance framework, incident response settings, disclosure protocols, transaction approach or insurance program in light of Mythos-class model risk, please get in touch with Gilbert + Tobin.