Tom Hundley
Anthropic built a model that, by its own account, can out-find all but the most skilled human vulnerability hunters โ and then decided not to release it. Claude Mythos Preview, the frontier model at the center of Project Glasswing, has been deployed only to vetted partners for defensive security work. As of today, June 9, 2026, its successor, Claude Mythos 5, ships the same way: restricted, gated, and now described by Anthropic as a capability deployed "through Project Glasswing, in collaboration with the US government."
That last clause is the whole governance story in miniature. When a capability is too dangerous to put in everyone's hands but too valuable to keep from defenders, the question stops being what can the model do and becomes who decides who gets to use it. This is a governance problem, not a capability problem โ and Anthropic has been unusually candid that it does not yet have a settled answer.
This piece is an outside analysis of that design. Elegant Software Solutions is not a Glasswing participant; we read Anthropic's own published pages and reason about the access-control architecture they describe. Where Anthropic states something as a current fact, we treat it as one. Where Anthropic floats an idea as an aspiration, we are careful to keep it labeled that way โ because the single easiest mistake to make here is to describe a governance structure as real when it is, by Anthropic's own words, hypothetical.
The most important thing a reader can do is hold three ideas apart, because they sit at very different stages of maturity.
First, the independent third-party body. On the Glasswing page, Anthropic writes that "in the medium term, an independent, third-party body โ one that can bring together private- and public-sector organizations โ might be the ideal home for continued work on these large-scale cybersecurity projects." Read that sentence carefully. Medium term. Might be. Ideal home. This is an aspiration, not an institution. No such body exists today. No charter, no membership, no mandate, no name. It is a direction Anthropic gestures toward, explicitly hedged, and we will treat it as exactly that throughout โ a possibility under discussion, not a standing governance authority that anyone reports to.
Second, the Cyber Verification Program. This is more concrete but still forward-looking. Anthropic says security professionals "whose legitimate work is affected by these safeguards will be able to apply to an upcoming Cyber Verification Program," and in the June 2 expansion that it intends to "scale up our Cyber Verification Program, which would grant Mythos-class capabilities to many more organizations for specific cyberdefense tasks." The operative words are upcoming and would. This is a stated mechanism โ a named program with a described purpose โ but one Anthropic is building, not one you can join today.
Third, the trusted access program announced today. With Mythos 5, Anthropic says it plans to "steadily expand access" through "a trusted access program that allows cybersecurity organizations to apply in a more systematic manner," conducted "in consultation with the US government." There is a parallel track for biology, enrolling "a small number of researchers from a variety of life science organizations." This is the most concrete expression yet of the same idea โ but note again the tense: plans to, apply, a program taking shape rather than one fully open.
These three are best understood as one lineage at three stages of resolution: an aspirational home for governance someday (the third-party body), a named mechanism to widen the defender pool (the Cyber Verification Program), and a just-announced, US-government-coordinated instance of that mechanism (the Mythos 5 trusted access program). The escalator runs from hope to plan to shipping. We connect them deliberately; we do not claim they are one and the same named entity, nor that any of them is more operational than Anthropic says.
Strip away the aspiration and here is the reality on June 9, 2026. Access to Mythos-class capability runs through explicit, hand-managed channels. The original twelve launch partners get access for defensive work. More than forty additional organizations that build or maintain critical software infrastructure were brought in, and the June expansion added roughly 150 more across critical-infrastructure sectors. Open-source maintainers can apply through a separate "Claude for Open Source" path. Everyone who already had Mythos Preview access โ Anthropic names its Glasswing cybersecurity partners as the example โ can upgrade to Mythos 5.
The gating rule Anthropic states is blunt: organizations "will need to meet our security requirements before they gain access." That is the entire published eligibility criterion. There is no defender taxonomy, no scored intake, no public rubric. Access is granted by Anthropic, against Anthropic's requirements, now in consultation with the US government for the cybersecurity track. Which means that today, the governance of a cyber-superhuman model is not a third-party body and not even a formal program โ it is a company exercising discretion, with a government in the room.
That is not a criticism so much as an observation that explains everything downstream. Anthropic is, right now, its own gatekeeper. It vets, it sets the bar, it grants the keys. The reason it floats an external body for the medium term is precisely that being the sole gatekeeper of a capability this consequential is an uncomfortable seat to occupy indefinitely. "In consultation with the US government" adds a co-gatekeeper, which broadens the legitimacy but also raises its own questions about whose definition of "defender" ultimately governs.
Every gated-access scheme for dual-use capability collapses into a single question, and Anthropic's is no exception. Who is a defender? A vulnerability researcher and an attacker run the same tools, read the same code, and chase the same bugs. The only thing that distinguishes them is intent โ and intent is the one property you cannot read off a credential.
Here the most striking fact is what Anthropic does not say. Across its published pages, there is no definition of "defender." The closest thing to a boundary is the phrase "meet our security requirements," plus descriptions of partners as organizations that maintain critical infrastructure or codebases "relied upon by lots of other organizations." That is an organizational proxy, not an intent test. It tells you the kind of entity that qualifies; it tells you nothing about how you verify that the people inside that entity will use the capability as promised.
We raise the undefined boundary as an open question, not as a mechanism we attribute to Anthropic โ Anthropic has simply not published one. But the gap is real, and it forks into three distinct failure modes that any serious access-control design has to confront.
Verifying intent at scale. Vetting twelve partners is a series of conversations. Vetting hundreds of organizations โ and the "many more" the Cyber Verification Program envisions โ is a process, and processes are gameable. An organization can present an impeccable defensive posture and still house, or later hire, someone whose intent diverges. Intent is not a static attribute you certify once; it is a moving target across every individual who touches the credential. The larger the program grows, the weaker any one-time check becomes, and "meet our security requirements" does not obviously scale into a guarantee about behavior.
The vetted program as a soft spot. A trusted-access tier concentrates cyber-superhuman capability into a finite, enumerable set of credentials and organizations. That concentration is itself a target. An attacker no longer needs to build a Mythos-class model; they need to compromise an account, an employee, or a supply chain at one approved partner. The vetting that is supposed to be the safeguard becomes the prize โ the keys to the capability are now sitting behind a known, bounded set of doors, and the whole security of the scheme reduces to the security of its weakest member. Insider risk and single-point-of-compromise risk are not edge cases here; they are the structural cost of gating by allowlist.
Entrenching incumbents. A high security bar is, by construction, easier for large, well-resourced organizations to clear. The same requirements that keep bad actors out also keep small defenders, independent researchers, and under-funded teams out โ the very people who often find and fix the bugs that big vendors miss. Anthropic is visibly aware of this tension: the Cyber Verification Program is explicitly the pressure-valve, the channel for "security professionals whose legitimate work is affected by these safeguards" to apply for an exception. The program exists because the safeguards would otherwise refuse legitimate defenders. That is the live tension at the heart of the design โ every tightening of the gate to keep attackers out also raises the wall for the smaller defenders the system is meant to serve, and the verification program is the mechanism trying to hold both goals at once.
Seen against those three failure modes, the appeal of an independent third-party body is obvious. A single company deciding who counts as a defender carries an inherent conflict: it is regulating access to a product it built, monetizes, and benefits from controlling. An external body that "can bring together private- and public-sector organizations" would, in principle, distribute that judgment, add legitimacy, and outlast any one company's commercial incentives. It is a reasonable institutional answer to the gatekeeper problem.
But โ and this is the line we will not let blur โ it does not exist. Anthropic raised it as something that "might be the ideal home" in the "medium term." There is no such organization today, no published criteria for who would sit on it, no enforcement power, no accountability structure. Floating the idea is not the same as standing one up, and a reader should leave this article certain that the body is an aspiration Anthropic named, not a regulator that governs anything right now.
What does exist, today, is narrower and more concrete: an upgraded restricted model, a hand-managed partner roster, a stated intent to widen access through a verification program, and a newly announced trusted access program run in consultation with the US government. That is the real governance picture โ discretionary, evolving, and still owned primarily by the company that built the model. The grand institutional design remains a sentence on a web page. The actual machinery is a vetting queue.
The honest read for any reader, customer, or policymaker is this: Glasswing's governance is being built in public, one access tier at a time, and the hardest part โ a durable, legitimate answer to who decides who is a defender โ is the part Anthropic has most explicitly deferred. The Cyber Verification Program and today's trusted access program are the first concrete steps toward answering it. The independent body is the destination Anthropic has only pointed at. Watching whether that pointer ever becomes a real institution โ and who ends up holding the keys in the meantime โ is the governance story worth tracking.
Does the independent third-party governance body exist today?
No. It is an aspiration, not an institution. Anthropic writes that "in the medium term" such a body "might be the ideal home" for this work โ tentative, forward-looking language. As of June 9, 2026, no such body has been chartered, named, or given any authority. Anyone describing it as a current governance structure is reading more into the phrase than Anthropic put there.
What is the Cyber Verification Program?
It is a program Anthropic says is "upcoming" and that it intends to "scale up," meant to "grant Mythos-class capabilities to many more organizations for specific cyberdefense tasks." Its stated purpose is partly to unblock "security professionals whose legitimate work is affected by these safeguards" โ legitimate defenders who would otherwise be refused. It is a described mechanism that is still being built, not an open program you can join today.
How is the Cyber Verification Program related to the trusted access program announced with Mythos 5?
They appear to be one lineage at different stages. The Cyber Verification Program is the named mechanism; the June 9 trusted access program โ letting "cybersecurity organizations to apply in a more systematic manner," in consultation with the US government โ is the most concrete expression of that idea so far. We connect them as related steps toward the same goal, but Anthropic has not stated they are definitively the same named entity, so we do not assert that they are.
Who decides who counts as a "defender"?
Today, Anthropic does โ now in consultation with the US government for the cybersecurity track. Notably, Anthropic publishes no definition of "defender." The only stated gate is that organizations "will need to meet our security requirements before they gain access," plus descriptions of partners as critical-infrastructure operators or widely-relied-upon code maintainers. That is an organizational proxy, not a test of intent, and the undefined boundary is the central unsolved question of the whole design.
Why is a vetted-partner program risky if it is supposed to be a safeguard?
Because gating by allowlist concentrates a cyber-superhuman capability into a finite, known set of credentials and organizations. That makes the approved partners a target: an attacker can aim to compromise an account, an employee, or a supply chain at one vetted partner rather than build the capability themselves. The vetting becomes the prize, and the scheme is only as secure as its weakest approved member โ which is why insider risk and single points of compromise are structural concerns, not edge cases.
Is it true that Project Glasswing now involves the US government?
Yes, and Anthropic states it plainly. The Mythos 5 announcement describes the model as deployed "through Project Glasswing, in collaboration with the US government," and the trusted access expansion is to be run "in consultation with the US government." The June expansion likewise cites "close collaboration with... the US government." We surface this as a neutral, published fact about the governance arrangement, without reading any further claims into it.
Discover more content:
