TL;DR: Anthropic’s Project Glasswing showed that its Claude Mythos Preview model could chain multiple vulnerabilities into working exploit paths, scoring 83.1% on CyberGym and finding thousands of high-severity flaws, according to JupiterOne’s analysis of the announcement. The real shift is that security teams must now govern asset context and exploit chains, not just CVSS severity.
At a glance
What this is: Project Glasswing shows that AI can chain vulnerabilities into exploit paths fast enough to outpace patch-first vulnerability management.
Why it matters: Security and identity teams now need asset visibility, permission context, and blast-radius mapping to govern both AI-assisted attackers and AI-created attack surfaces.
By the numbers:
- 83.1%, berGym's vulnerability reproduction benchmark, Mythos scored 83.1%, compared to 66.6% for Claude Opus 4.6, Anthropic's previous best model.
- Project Glasswing is a $100 million cybersecurity initiative that uses an unreleased AI model called Claude Mythos Preview to find and fix critical software vulnerabilities before attackers can exploit them.
- Roughly 50 organizations in total have access to the program.
- Anthropic launched the initiative on April 7, 2026, backed by twelve major technology and finance companies.
👉 Read JupiterOne's analysis of Project Glasswing and vulnerability chaining
Context
Project Glasswing is a cybersecurity initiative built around an unreleased AI model that can chain vulnerabilities and exploit software faster than most human teams can respond. The practical issue is not only faster discovery of flaws, but a shift in how exploitation works: isolated weaknesses become attack paths when they are linked together across assets, permissions, and configurations.
That changes vulnerability management for AI agent attack surface and machine identity governance at the same time. Security teams can no longer treat CVSS as a complete prioritisation model when an attacker can use AI to assemble medium-severity flaws into a full compromise chain, especially where service accounts and other non-human identities extend reach across the environment.
Key questions
Q: What breaks when vulnerability management is based only on CVSS scores?
A: CVSS-only prioritisation breaks when several lower-scoring flaws can be combined into a complete exploit path. In that model, the real risk is not one critical CVE but the sequence of reachable weaknesses across connected assets. Teams need to rank exposure by exploit path and blast radius, not by a flat severity list alone.
Q: Why do AI-assisted attackers change vulnerability prioritisation?
A: AI-assisted attackers can test many combinations much faster than human teams can patch, which makes vulnerability chaining practical at scale. That means the question is no longer whether a flaw is individually severe. It is whether the flaw sits on a path that reaches production systems, privileged identities, or sensitive data.
Q: How do security teams know if contextual vulnerability management is working?
A: It is working when teams can answer three questions quickly: what can reach this asset, what identities does it trust, and what can an attacker reach from it if it is compromised. If those answers are still manual, slow, or incomplete, then the programme is still operating as a severity queue rather than a risk model.
Q: What should teams do when AI agents become part of the attack surface?
A: Treat AI agents as non-human identities with explicit ownership, permissions, and data paths. Then review whether any agent can access systems or secrets that would turn a compromise into broader exposure. If the answer is unclear, the agent is already part of your attack surface and needs governance immediately.
Technical breakdown
Why vulnerability chains matter more than single CVEs
A single vulnerability rarely tells the whole story. Chained exploitation combines several flaws, each potentially low or medium severity alone, into one path that yields privilege escalation, lateral movement, or data exposure. That is why AI-assisted discovery changes the defender’s problem: the adversary does not need the worst bug, only the easiest sequence that crosses your trust boundaries. Context becomes the control surface, because exploitability depends on adjacency, permissions, and reachable assets, not just scanner output.
Practical implication: prioritise combinations of vulnerabilities on connected systems, not isolated severity scores.
Contextual vulnerability management in graph-based environments
Graph-based security models map how assets, identities, permissions, and vulnerabilities relate to each other. That relationship layer is what exposes whether a vulnerable host can reach production data, whether a service account has unnecessary privileges, or whether a compromise can propagate across environments. Without that context, vulnerability management becomes a flat backlog. With it, teams can rank exposure by actual exploit path and blast radius rather than by the numerical score attached to each CVE.
Practical implication: model exploit paths from asset to asset before deciding what to patch first.
AI attack surface management for non-human identities
Every deployed AI agent becomes a non-human identity with its own credentials, API connections, and access relationships. That matters because a compromised or misused agent looks operationally normal while still acting with legitimate permissions. The security problem is therefore not only external attackers using AI, but also the new attack surface created by sanctioned agents, workflow automators, and shadow AI. NHI governance has to account for the identity, the permissions, and the data paths together.
Practical implication: inventory AI agents as first-class identities and tie each one to its permissions and data access.
NHI Mgmt Group analysis
Patch-only vulnerability management is no longer a sufficient operating model. The old model assumes risk can be reduced by ranking individual flaws and clearing the critical queue first. That assumption fails when AI can chain several non-critical issues into a single exploit path faster than human triage cycles can react. The implication is that vulnerability governance has to shift from item-level severity to path-level exposure.
Identity context now determines whether a vulnerability is exploitable at all. A flaw on an isolated test host is not the same as the same flaw on a production system with broad service-account reach. This is where NHI governance and vulnerability management converge: permissions, connectivity, and workload identity define whether a weakness stays local or becomes enterprise-wide. Practitioners need to treat access scope as part of exposure, not as a separate IAM problem.
AI-assisted exploitation makes the attack surface dynamic, not static. The article’s core warning is that adversaries will increasingly use machine speed to test combinations humans would never enumerate manually. That raises the value of graph-based asset intelligence, because only relationship context can show which chains matter in your environment. Practitioners should assume exploitability is now a function of connected state, not just patch status.
Identity blast radius: vulnerability chains become identity problems when service accounts and AI agents extend reach across multiple systems. The named concept matters because the real risk is not the CVE itself, but the distance a compromised component can travel through trusted identities. When a vulnerable asset can call production APIs, access shared storage, or inherit permissions from over-scoped accounts, the blast radius expands beyond the original host. Security teams should measure vulnerability impact in identity reach, not just in host count.
AI agent attack surface management and NHI governance are now the same conversation. The article shows both the offensive use of AI to discover chains and the defensive need to catalogue AI agents as assets with permissions. That duality matters because teams that separate vulnerability management from identity governance will miss the interaction effect. Practitioners should unify asset, vulnerability, and identity oversight under one operational model.
From our research:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- That visibility gap is why OWASP NHI Top 10 remains a useful forward lens for agentic access control and runtime governance.
What this signals
Identity blast radius is becoming the organising concept for AI-assisted defence. As AI tools get better at chaining weaknesses, programme maturity will be judged less by how many vulnerabilities are tracked and more by how quickly teams can see the permissions and connections that make a chain viable.
With 98% of companies planning to deploy more AI agents within 12 months, the governance burden will rise even where the security stack stays unchanged. Teams should expect inventory pressure, ownership disputes, and more demands for runtime control over non-human identities that can reach production systems.
52 NHI Breaches Analysis remains relevant because the same pattern repeats across incidents: exposed credentials, excessive reach, and poor visibility create the conditions that both human attackers and AI-assisted tooling exploit.
For practitioners
- Map exploit paths across connected assets Build queries that start with internet-facing weaknesses and trace reachable systems, data stores, and privileged identities. Prioritise flaws that create a multi-step chain into production rather than those that only look severe in isolation.
- Treat service accounts as exposure amplifiers Review whether over-permissioned service accounts allow a vulnerable host to move laterally or reach sensitive data. Where an identity can extend compromise beyond the original asset, reduce its scope before the next patch cycle.
- Inventory AI agents as first-class assets Document every sanctioned and shadow AI agent, then tie each one to credentials, API connections, and reachable systems. That inventory should sit alongside other non-human identities so changes in access are visible during control reviews.
- Prioritise by blast radius, not CVSS alone Use contextual scoring that weighs asset criticality, identity reach, and adjacency to production data. A medium-severity issue on a deeply connected system can deserve faster action than a critical issue on an isolated host.
Key takeaways
- Project Glasswing shows that AI can convert separate flaws into working compromise chains faster than conventional patch workflows can absorb.
- The practical risk is not one critical CVE, but the combination of vulnerabilities, permissions, and relationships that expands blast radius.
- Security teams need asset graphs, identity context, and AI agent inventory if they want vulnerability management to reflect real exploitability.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centres on exposure created by unmanaged AI agent identities and permissions. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0004 , Privilege Escalation | The article focuses on chained exploitation, privilege gain, and movement through connected systems. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions are central to whether a vulnerable asset becomes broadly exploitable. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege governs the service accounts and identities that turn flaws into enterprise reach. |
| NIST AI RMF | MANAGE | AI-enabled attack discovery and AI agent governance both require ongoing risk management. |
Map vulnerability chains to ATT&CK tactics and prioritise controls that break credential access and lateral movement.
Key terms
- Vulnerability chaining: Vulnerability chaining is the practice of combining several weaknesses into one exploit path that achieves a more serious outcome than any single flaw would suggest. In modern environments, the chain often depends on identity reach, connectivity, and over-permissioned accounts as much as on the bugs themselves.
- Identity blast radius: Identity blast radius is the set of systems, data, and services that become reachable when an identity is compromised or misused. For AI agents and service accounts, it is the practical measure of how far a single access decision can propagate through an environment.
- Contextual vulnerability management: Contextual vulnerability management prioritises flaws using asset relationships, identity permissions, and data exposure instead of severity scores alone. It is a risk model for real environments, because exploitability depends on what the vulnerable system can reach and what can reach it.
- AI attack surface management: AI attack surface management is the discipline of discovering, inventorying, and governing the identities, credentials, data paths, and integrations introduced by AI systems. It treats sanctioned AI agents and shadow AI as assets whose access must be visible, reviewed, and constrained.
What's in the full article
JupiterOne's full article covers the operational detail this post intentionally leaves for the source:
- How the graph model maps vulnerabilities, identities, permissions, and asset relationships in practice
- Example J1QL queries for finding exploitable chains across production systems and service accounts
- What JupiterOne's AI Control Author and CCM workflows look like in a working environment
- How the MCP Server is positioned for secure AI-powered security workflows
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building identity security capability across users, workloads, and AI agents, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org