Mythos Red-Team Finding and the NSA Access Loss: What the Full Picture Now Looks Like

AI Industry Watch

Greetings from the very tip of the Mitten! We had to take a small break from ongoing activities because of some very interesting news.

This is the third post in our ongoing coverage of the Anthropic Fable 5 / Mythos 5 suspension. While we were out last week, the story broke wide open. What began as a disputed export control action now has a much clearer — and more significant — origin story: an authorized NSA red-team exercise on June 11 in which Anthropic's Mythos model reportedly penetrated nearly every classified system it was pointed at, completing in hours what human operators would have taken weeks to accomplish. The New York Times confirmed on June 23 that parts of the NSA have now lost operational access to the model as a direct result of the government's export control action. This is the update.

For context on how we got here, see our June 13 initial post and our June 15 follow-up.

The Red-Team Finding That Started Everything

The missing piece of this story — why the export control directive arrived so suddenly and with such sweeping scope — appears to be a single authorized internal security exercise conducted on June 11, 2026, the day before the Commerce Department letter arrived at Anthropic's offices.

According to reporting from The Economist, citing a Senate Intelligence Committee hearing, Senator Mark Warner — vice chair of the committee — stated that General Joshua Rudd, who leads both the NSA and US Cyber Command, briefed him directly on what Mythos did during that exercise. Warner's characterization: Mythos "broke into almost all of our classified systems, not in weeks, but in hours."

To be precise about what that means: this was not an attack. It was an authorized red-team evaluation — a controlled exercise in which the NSA permitted Mythos to probe its own classified infrastructure to understand the model's offensive capabilities before wider government deployment. Red-team exercises of this kind are standard practice in intelligence and defense security programs. What was not standard was the result.

The NSA and Department of Defense have not formally corroborated Senator Warner's account. Anthropic disputes the characterization, describing the flagged behavior as asking the model to analyze a codebase and fix identified issues — surfacing a small number of previously known, minor vulnerabilities rather than constituting a genuine autonomous offensive intrusion. The company has said rival models including GPT-5.5 exhibit similar behavior without comparable restrictions.

Both characterizations can be read as accurate depending on the framing: the capability Anthropic describes as routine defensive code analysis is, from the NSA's perspective, exactly the capability that makes the model dangerous in the wrong hands. That tension is the core of the dispute.

What Project Glasswing Was

Mythos was never publicly released. Prior to the suspension, access was limited to approximately 200 selected partners under an initiative called Project Glasswing — a vetted partner program that included Amazon, Apple, Google, Microsoft, Nvidia, JPMorgan, and the Linux Foundation, among others. The NSA was operating Mythos on classified networks for cybersecurity tasks, with Anthropic engineers embedded on-site to support deployment and operational integration.

The scale of government reliance on the model matters for understanding why the export control action created operational disruption. This was not a pilot or a proof-of-concept. It was an active operational deployment with engineering support. The June 23 reporting from the New York Times, Defense One, and Nextgov/FCW confirmed that NSA analysts were notified on Friday, June 20, that they would lose access. The agency may retain access to earlier model versions under prior arrangements, but access to Mythos 5 specifically — the version whose capabilities prompted the red-team exercise — is gone.

Setting the Record Straight: What Did Not Happen

The Senator Warner quote spread virally across social media over the weekend of June 21-22, generating widespread claims that "the NSA was hacked by AI" or that "Anthropic's model breached classified government systems." The original Economist author, Shashank Joshi, publicly pushed back on that framing, clarifying that the narrative was false in a specific and important way: the exercise was authorized, controlled, and conducted by the NSA itself using Mythos as a defensive tool to probe its own systems. There was no hostile intrusion. There was no external attacker. The NSA ran a penetration test using an AI model it had access to and found the results alarming enough to brief the Senate Intelligence Committee.

The distinction matters for accurate understanding of the threat landscape. The finding is not that AI models are attacking government infrastructure. The finding is that AI models are now capable enough that if they were used to attack government infrastructure — or any sufficiently complex networked environment — the speed and breadth of access they could achieve would be qualitatively different from what human operators or earlier-generation tools could accomplish.

The Five Eyes Fallout

One dimension of the story that received less attention in initial coverage but has significant implications for international healthcare organizations: the export control action caught allied governments completely off guard. Australia, the United Kingdom, Canada, and New Zealand — the US's Five Eyes intelligence partners — had their access to Mythos revoked without advance notice. This included the UK's AI Security Institute, one of the world's leading bodies for testing and evaluating frontier AI models.

On Monday, June 23, the Five Eyes alliance issued a joint warning that frontier AI models could sharply change the cyber threat landscape within months, not years — accelerating both offensive attack timelines and defensive response capabilities. The timing of that warning, arriving the same day as the NSA access confirmation, is notable. The alliance's collective assessment appears to be that the Mythos red-team finding is a data point about the broader trajectory of frontier AI capability, not an isolated incident.

For healthcare organizations operating internationally or with cross-border data governance obligations — particularly those with UK, Canadian, or Australian operations — the Five Eyes warning is a more directly relevant signal than the bilateral US-Anthropic dispute. Allied intelligence agencies are now on record saying the threat landscape is changing faster than previously assessed.

What This Means for Healthcare

The Threat Timeline Compression Is the Headline Finding

The practical implication of the NSA red-team result — setting aside the political dispute entirely — is what it says about AI-accelerated attack timelines. A capability that previously required weeks of skilled human effort can now be compressed to hours by a sufficiently capable AI model. That compression applies to both offensive and defensive security work. For healthcare security teams, the relevance is direct: vulnerability identification, lateral movement through networked systems, and access to sensitive data stores can all be accomplished faster with AI assistance than your current detection and response timelines may assume. Your incident response playbooks, your mean-time-to-detect targets, and your segmentation assumptions were all calibrated against a pre-AI threat baseline. That baseline is shifting.

Vendor AI Security Assessments Now Have a New Benchmark

Healthcare organizations conducting AI vendor security assessments have typically evaluated models on data handling, privacy controls, and output safety. The Mythos red-team finding adds a new dimension: what are the offensive capabilities of the model itself, and what controls exist to prevent those capabilities from being accessed by unauthorized parties? For healthcare IT environments with complex, interconnected networked systems — EHR integrations, clinical device networks, administrative platforms — the question of what a sufficiently capable AI model could do if pointed at your infrastructure is no longer theoretical. It is a red-team scenario you should be running.

The Glasswing Access Pattern Is a Third-Party Risk Model

The Project Glasswing architecture — a vetted partner program providing access to a model with capabilities not available to the general public, with vendor engineers embedded on-site — is a pattern that will become more common as frontier AI deployment matures. Healthcare organizations should understand what it means when a vendor deploys AI at this level of integration: the AI system is not a tool the organization controls. It is a capability the vendor is providing access to, under terms the vendor can modify or revoke, with engineers on-site who have privileged access to the deployment environment. The governance, data handling, and access control questions that apply to any third-party technology deployment apply here with amplified stakes.

The 90-Minute Notice Window Remains the Planning Constraint

Our June 15 post identified the 90-minute notice Anthropic received as the key planning data point for healthcare organizations. The NSA's operational disruption confirms that even government agencies with embedded vendor engineers and active operational dependencies were not immune to that timeline. If a US intelligence agency could not preserve operational continuity with more notice or more leverage than a commercial customer, healthcare organizations should not assume they would fare better. The tabletop exercise question remains: what does your response look like if a model your organization depends on goes offline in 90 minutes?

The Bigger Picture

The story that has emerged over the past two weeks is more significant than a bilateral dispute between a technology company and an administration. It is the first documented public account of a frontier AI model demonstrating offensive cyber capabilities that materially exceeded the expectations of one of the world's most sophisticated signals intelligence agencies — during an authorized test, with the model being used defensively.

That finding will shape AI policy, procurement decisions, and security program design for years regardless of how the Anthropic-administration dispute resolves. The Five Eyes joint warning suggests allied governments have reached similar conclusions. The administration's stated position — that any future model crossing Mythos's capability threshold will require government review before release — reflects an assessment that this class of capability is now a national security variable that cannot be managed after the fact.

For healthcare security leaders, the implication is not that AI models are a threat to be avoided. It is that frontier AI capability has crossed a threshold where it belongs in your threat model — both as a tool available to attackers and as a capability your defensive program needs to understand, govern, and eventually deploy. The organizations that build that understanding now, before the threat landscape moves further, will be better positioned than those waiting for the regulatory and policy frameworks to fully catch up.

We will continue tracking this story as the Anthropic-White House negotiations develop and as the Five Eyes warning generates further policy response.


AI Industry Watch posts track developments in the AI landscape relevant to healthcare security practitioners. This is the third post in our Fable/Mythos coverage series. bregg.com takes no position on the underlying dispute between Anthropic and the administration. All capability claims referenced here are based on reported Senate testimony and have not been independently verified or formally confirmed by the NSA or DoD.

