EU in talks with Anthropic over risks of AI model Mythos

What Happened

The European Union entered into talks with Anthropic over the risks posed by its Mythos AI model — an advanced AI system capable of identifying and exploiting zero-day vulnerabilities in software at unprecedented scale.
EU concerns centred on Mythos's potential for misuse as an offensive cybersecurity tool, given its ability to autonomously find security vulnerabilities across major operating systems and web browsers.
Anthropic's announcement of Mythos drew mixed reactions globally — a combination of alarm from security experts and scepticism from those who noted Anthropic's commercial incentives to hype the model's capabilities.
The EU's engagement follows its landmark AI Act framework, which specifically classifies highly capable AI systems with potential for widespread harm as subjects of regulatory oversight.

Static Topic Bridges

The EU AI Act: The World's First Comprehensive AI Law

The EU Artificial Intelligence Act (AI Act) was formally adopted in 2024 and represents the world's first comprehensive legal framework for regulating AI systems. It applies a risk-based approach, with stricter requirements for higher-risk applications.

The AI Act classifies AI systems into four risk tiers: Unacceptable risk (banned), High-risk (strictly regulated), Limited risk (transparency obligations), and Minimal risk (light-touch regulation).
Banned outright: Social scoring by governments, real-time biometric surveillance in public spaces (with narrow exceptions), manipulation of vulnerable persons.
High-risk: AI in critical infrastructure, biometric identification, employment decisions, education, law enforcement, justice.
General Purpose AI (GPAI) models (foundation models like Mythos) face specific transparency and safety obligations under the Act.
GPAI models with "systemic risk" (estimated compute threshold: over 10^25 FLOPs for training) face additional requirements: adversarial testing, cybersecurity measures, reporting obligations.
The EU AI Act entered into force on August 1, 2024; different provisions apply at different timelines (unacceptable risk bans: 6 months; high-risk: 36 months).

Connection to this news: Mythos, as a highly capable General Purpose AI model with demonstrated cybersecurity offensive capabilities, falls directly within the EU AI Act's framework for systemic-risk GPAI — hence the EU's formal engagement with Anthropic.

AI Safety and the Dual-Use Problem

Advanced AI systems present a profound dual-use challenge: the same capabilities that make them useful for defensive cybersecurity (finding and patching vulnerabilities) make them dangerous as offensive tools. This is a core problem that no governance framework has fully resolved.

Zero-day vulnerabilities: Software flaws unknown to vendors; exploiting them before they can be patched is extremely valuable to both state-sponsored hackers and criminal groups.
Offensive vs. defensive AI: AI can be used defensively (automated patching, anomaly detection, threat intelligence) or offensively (automated exploit development, phishing, deepfakes, disinformation).
"Responsible disclosure" norms in cybersecurity: Researchers who find vulnerabilities notify vendors and give them time to patch before public disclosure — AI that finds thousands of vulnerabilities creates a new problem for this norm.
AI Safety Institutes: The US, UK, and EU have established AI Safety Institutes to assess frontier AI risks. India announced its own AI Safety Institute at GPAI Summit in 2024.
The alignment problem: Ensuring powerful AI systems pursue intended goals rather than dangerous side-effects remains an unsolved technical and governance challenge.

Connection to this news: The EU's engagement with Anthropic over Mythos demonstrates the EU AI Act's governance framework being put into practice — specifically its provisions for engaging with developers of systemically risky AI before deployment.

India's AI Governance Approach

Unlike the EU's prescriptive regulatory approach, India has adopted a more permissive, innovation-first stance to AI governance — though with increasing attention to safety frameworks as AI capabilities advance.

India's IndiaAI Mission (2024): INR 10,372 crore initiative to build AI infrastructure (computing, datasets, startup ecosystem) and develop "safe and trusted AI."
NITI Aayog published India's National Strategy for Artificial Intelligence (2018) and responsible AI guidelines (2021).
India's approach: "Regulation-light" — focus on guidelines, self-regulation, and sectoral oversight rather than comprehensive legislation like the EU AI Act.
India chairs the GPAI (Global Partnership on AI) — an international forum for AI governance that includes India, US, EU, Canada, Japan, and others.
India's concern: Overly prescriptive regulation could stifle innovation and disadvantage India's AI startup ecosystem relative to China and the US.

Connection to this news: The EU-Anthropic Mythos talks illustrate what proactive AI governance looks like in practice — a contrast to India's current approach, raising the question of whether India needs more structured AI safety oversight.

Key Facts & Data

The EU AI Act was formally adopted on March 13, 2024 and entered into force on August 1, 2024.
GPAI models with training compute exceeding 10^25 FLOPs are classified as "systemic risk" under the EU AI Act.
India's IndiaAI Mission was approved by the Cabinet in March 2024 with a budget of INR 10,372 crore (~USD 1.25 billion).
India chairs GPAI (Global Partnership on AI); the GPAI Summit was held in New Delhi in December 2023.
The US AI Safety Institute was established within NIST (National Institute of Standards and Technology) following the Biden AI Executive Order of October 2023.
Anthropic is a US-based AI safety company; its parent products are the Claude family of models.
Zero-day vulnerabilities can sell for USD 1–5 million on dark web markets depending on the target software and exploitability.