TL;DR: Government use of Anthropic’s Mythos for code repository scanning suggests preemptive AI-assisted vulnerability discovery is moving from experiment to operational norm, with anonymous sources reporting a large number of issues uncovered across federal code according to Swarmnetics. The shift matters because vulnerability discovery, validation, and remediation are converging into a faster control loop that security teams cannot manage with manual triage alone.
NHIMG editorial — based on content published by Swarmnetics: CISA Uses Anthropic’s Mythos to Scan Federal Code for Security Vulnerabilities
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: What breaks when AI scanners find secrets but no one owns the credentials?
A: Discovery without ownership leaves organisations with a list of exposed secrets but no reliable way to revoke, rotate, or trace them.
Q: Why do repository scans quickly become an NHI governance issue?
A: Because code repositories often contain the credentials and trust relationships that non-human identities depend on.
Q: How do security teams know whether vulnerability assessment is actually working?
A: Teams should look for short triage cycles, high-confidence findings, and a clear link between scan results and remediation action.
Practitioner guidance
- Connect repository findings to secret revocation Route any discovered token, API key, or certificate from scanning into the same incident queue as code fixes, and require proof of revocation before closure.
- Map scan results to NHI ownership Maintain an inventory that ties every CI/CD credential, service account, and deployment token to a human owner, a system owner, and a retirement date.
- Shorten the credential remediation window Set a target to rotate or revoke exposed secrets before the next scheduled deployment cycle, then test that target with a live exercise.
What's in the full analysis
Swarmnetics' full article covers the operational detail this post intentionally leaves for the source:
- Anonymous-source reporting on how CISA is using Mythos in federal code repository scanning
- The specific security vulnerability patterns the model is uncovering across codebases
- Context on the policy reversal around Anthropic tools and the federal response to AI-assisted scanning
- Why public Fable access and preview tooling matter for wider defensive adoption
👉 Read Swarmnetics' analysis of CISA's use of Mythos for vulnerability scanning →
AI vulnerability scanning is becoming a baseline security practice?
Explore further
AI vulnerability scanning is becoming an identity governance problem, not just a security engineering task. The article describes repository scanning for weaknesses, but in practice the most consequential findings are often secrets, service accounts, and trust relationships. That means code review, IAM, PAM, and NHI governance are converging around the same evidence stream. Practitioners should treat AI-assisted scanning as a control input for identity governance, not as a standalone AppSec function.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when AI-assisted scanning exposes a shared service account?
A: Accountability should sit with the repository owner, the service owner, and the security function that governs the credential lifecycle. Shared credentials fail when responsibility is unclear, so organisations need a pre-agreed owner for rotation, replacement, and decommissioning. Governance should make it impossible for exposed secrets to sit in a shared no-man’s-land.
👉 Read our full editorial: AI vulnerability scanning is becoming a baseline security practice