In April, the artificial-intelligence firm Anthropic announced it had made an AI model too dangerous to be released to the public. The company, based in San Francisco, California, said its Claude Mythos model was so powerful that it had found vulnerabilities in every major operating system and web browser currently in use. “The fallout — for economies, public safety, and national security — could be severe,” the company stated in a blogpost about Project Glasswing, its name for the limited release of the model to a group of 50 or so trusted organizations.
The decision marks a turn to secretive, cutting-edge AI research that could become a trend, experts say. What Anthropic has done to throttle Mythos’s release is likely to be adopted by other AI laboratories, reckons Helen Toner, interim executive director at the Center for Security and Emerging Technology at Georgetown University in Washington DC. “I would expect this to more be the first in a series rather than a one-off,” says Toner, who previously sat on the board of Anthropic’s competitor OpenAI, which is also based in San Francisco.
“I expect other providers to adopt a similar strategy,” agrees Vasilios Mavroudis, an AI-safety researcher at the Alan Turing Institute in London. Indeed, OpenAI followed up just a week after Mythos was announced with a limited release of a cybersecurity-specific model, GPT-5.4-Cyber, to vetted researchers and organizations alone.
If this kind of restricted-access AI does take off, it will mark a turning point in the long-standing debate on the merits of ‘closed’ and ‘open’ AI software — with potential knock-on implications for science. For years, researchers have argued that transparency around AI models benefits both AI research and science in general, because researchers can study and build on the algorithms.
Now there’s a prospect that the makers of cutting-edge AI models might not release them widely at all. And if governments decide that powerful AI is a ‘dual-use’ technology — that is, one that could be weaponized by the military as well as used in civilian society — then extra controls, of the kind used for defence-relevant technologies, might also kick in. This could limit who gets to use the most powerful software, says Toner.
Why restrict access?
Firms have tried restricting models before. In February 2019, OpenAI released a cut-down version of its GPT-2 model, citing fears it could be misused, before allowing full access that November. But, viewed by today’s standards, that model had very little capability — it could complete rudimentary sentences.
It’s difficult for researchers who lack access to Mythos to know whether all of Anthropic’s fears are well-founded. But Ciaran Martin, a management researcher at the University of Oxford, UK, who is the former chief executive of the UK National Cyber Security Centre in London, says that Mythos seems to be a “big deal” and “a rapid acceleration of AI capabilities”.
AI labs already implement ‘guard rails’ in their models to prevent misuse, usually in the form of refusals to engage with or answer queries that seem dangerous. However, those are often as simple as a set of hidden instructions given to an AI system on how to respond. They can be unwound (or ‘jailbroken’) if users so choose.
The risk in giving everyone equal access to Mythos is that it could help attackers first, says Mavroudis. “Defenders can use these to find security issues in systems or software projects. Attackers can do the same,” he says. That is why Anthropic is giving defenders a head start. Some unauthorized access to Mythos has reportedly occurred already, however.
The firm has said that its “eventual goal” is to enable users “to safely deploy Mythos-class models at scale”, but didn’t respond to Nature’s query about whether this meant the public would have access. OpenAI has also been unclear, saying that it was “starting” with a limited release of GPT-5.4-Cyber, and a quickly released follow-up model, GPT-5.5-Cyber; it has since launched a cybersecurity-focused product, called Daybreak, which is built on these tools. However, for now, the ‘Cyber’ models are available only to authorized users.
When asked whether its models might become publicly available, an OpenAI spokesperson pointed to language in a blogpost announcing GPT-5.5-Cyber. It states that “expanding access […] responsibly requires stronger confidence in who is using the model, what systems they are targeting, and whether the work is authorized”, but “we expect access to broaden over time”.
Where cyber goes, science follows?
Firms that restrict access to AI models aren’t only concerned about cybersecurity risks. For example, companies launching models specialized for biology research have said that they’re worried about potential misuse related to creating bioweapons.
In April, OpenAI released GPT-Rosalind, aimed at life scientists, which it said it would launch through a ‘trusted-access’ structure so that only approved users could explore it. The company will also monitor how the model is being used, YunYun Wang, OpenAI’s life-sciences product leader, told Nature. And last year, Google launched an ‘AI co-scientist’ system which, again, is available only to researchers who apply for access.
If such restrictions persist, they could mean that only well-connected researchers have access to the most-powerful AI tools. Researchers already worry that price hikes to existing public AI systems are starting to entrench inequality in the field, with some groups not able to afford premium subscriptions.



