Notifications
Clear all
Topic starter
02/06/2026 8:48 pm
TL;DR: Anthropic's Claude Mythos autonomously found more than 10,000 high- and critical-severity vulnerabilities across 1,000 open-source projects, with a 72% exploit success rate, showing how AI accelerates entry but not attacker intent, according to Delinea. The practical shift is that identity control, not vulnerability discovery alone, becomes the limiting factor once compromise is possible.
NHIMG editorial — based on content published by Delinea: In the Mythos era, identity is the last line of defense
Questions worth separating out
Q: How should security teams govern AI agents that hold privileged access?
A: Treat them as high-risk non-human identities.
Q: Why do AI-assisted vulnerability discoveries increase identity risk?
A: Because faster discovery shortens the time between exposure and exploitation, but the breach still succeeds through credentials, privileges, and session misuse.
Q: What breaks when standing privilege exists for non-human identities?
A: A single compromised credential can be reused across systems, extended over time, and combined with lateral movement.
Practitioner guidance
- Implement continuous discovery for all privileged identities Build an inventory that includes human admins, service accounts, API keys, and AI agents.
- Broker and scope agent credentials Issue credentials at connection time, restrict them to task scope, and revoke them when the job completes.
- Move from door checks to runtime authorization Authorize each high-risk action against identity, resource, and live risk context rather than relying on login-time approval alone.
If a session can drift, branch, or escalate after authentication, security teams need policy enforcement that keeps pace with the action itself, not just the login event?
👉 Read Delinea's analysis of AI agents, Mythos, and identity security →
Explore further
02/06/2026 8:50 pm
Identity is becoming the decisive control plane for AI-era compromise. Vulnerability discovery may be accelerating, but the attacker still needs a credential, a session, and a route to impact. That shifts the security center of gravity from finding every flaw to limiting what any compromised or autonomous identity can do. Practitioners should treat identity blast radius as the primary risk variable.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which helps explain why identity-led attack paths persist even when teams think they have coverage.
A question worth separating out:
Q: What should teams do in the first 24 to 72 hours after discovering agent misuse?
A: Contain the session, revoke the agent's credentials, inventory every reachable system, and review all actions taken during the period of misuse. Then determine whether the problem is limited to one identity, or whether the same privilege pattern exists elsewhere in the environment.
👉 Read our full editorial: Mythos-era AI agents raise the stakes for identity security
