AI identity security and Mythos Preview: are controls keeping up?


(@nhi-mgmt-group)

TL;DR: Anthropic’s Claude Mythos Preview showed autonomous exploit discovery and chaining in testing, including 181 benchmark successes versus two for its predecessor, underscoring how quickly AI can compress the gap between discovery and weaponisation, according to Ping Identity. The security problem is not the model itself but the identity control plane around it: verification, least privilege, and continuous trust now have to hold at runtime, not just at login.

NHIMG editorial — based on content published by Ping Identity: AI Identity Security, Claude Mythos Preview, and what leaders need to know

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that can act without human approval?

A: Treat them as non-human identities with explicit ownership, scoped delegation, continuous monitoring, and a clear offboarding path.

Q: Why do static login controls fail against AI-assisted attacks?

A: Static login controls assume risk is mostly known at authentication time.

Q: What breaks when NHI credentials are over-privileged?

A: Over-privileged NHIs let attackers move faster and farther once a token, key, or service account is exposed.

Practitioner guidance

  • Move trust decisions into the session: Trigger step-up checks when device posture, behaviour, or request risk changes instead of relying on login-time authentication alone.
  • Classify AI agents as governed NHIs: Assign each agent an explicit owner, scoped delegation, audit trail, and offboarding path so it is managed like any other non-human identity.
  • Reduce blast radius with least privilege by design: Review tokens, service accounts, and delegated access for over-broad permissions that would let a fast-moving attacker chain actions across systems.

What's in the full article

Ping Identity's full article covers the operational detail this post intentionally leaves for the source:

  • How Ping Identity frames verified identity, least privilege, and continuous trust across human, machine, and AI agent identities.
  • The article's practical response model for JIT access, revocation, and micro-segmentation in faster exploit environments.
  • The full FAQ section on preparing for Mythos, identity-first security, and AI usage governance across the enterprise.

👉 Read Ping Identity's analysis of Claude Mythos Preview and AI identity security →
