Cyber Lack of Security and AI Governance
Zvi's AI Roundups · Zvi Mowshowitz · 2026-05-13
Zvi Mowshowitz surveys the regulatory and geopolitical fallout from Claude Mythos's demonstrated step-change in autonomous cybersecurity capabilities, covering the Trump administration's internal Commerce-versus-intelligence turf war over AI oversight and the inadequacy of treating Mythos as a purely cyber-specific event.
Extraction
Topics: ai-governance, ai-cybersecurity, frontier-ai-capabilities, ai-regulation, mythos
Claims
- Claude Mythos Preview is the first AI model to solve both UK AISI end-to-end cyber ranges, including one no prior model had cleared, representing a genuine step-change in autonomous offensive cybersecurity capability.
- The Trump administration is embroiled in an internal turf war between Commerce and intelligence agencies over who controls mandatory AI evaluation and governance infrastructure.
- A de facto voluntary pre-deployment evaluation regime is effectively in place through CAISI even without formal mandates, as all major labs have agreed to testing.
- Mythos-level AI means attackers can probe newly deployed code faster than defenders can patch it, requiring a fundamental rethinking of security timelines and disclosure windows.
- The political response to Mythos is dangerously narrow, treating it as a cybersecurity-specific moment rather than a preview of broader AI capability jumps across all domains.
Key quotes
There should be zero skepticism that there has been an overall step change in cyber capabilities.
If any new code can be attacked by AI on the spot, your subsequent patching will be slower than the attackers. You'll need to test every deployment and patch for vulnerabilities, at the same level as it will be probed afterwards, prior to deployment.
The failure to generalize the 'Mythos moment' also continues. Everyone is forced to recognize the cyber threat, but they do so as if the thing looking them in the face is some sort of unique circumstance.