Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Mythos AI access expansion and what it means for EU security teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Anthropic is expanding Project Glasswing access for Mythos AI to at least 150 organizations across 15 countries, including ENISA and new participants in Europe and South Korea, as testing moves toward broader use in vulnerability discovery and patching workflows. The real shift is that AI-assisted vulnerability finding is becoming a governance problem for patch speed, certification scope, and offensive safety rather than just a model capability.

NHIMG editorial — based on content published by Swarmnetics: Potential Game-Changer in EU as Mythos AI Access Opens Up

By the numbers:

Questions worth separating out

Q: How should security teams respond when AI discovers vulnerabilities faster than humans can patch them?

A: They should shift from point-in-time vulnerability handling to continuous exposure reduction.

Q: Why do service accounts and secrets matter in ransomware defence?

A: Service accounts and secrets matter because they can turn a one-time intrusion into repeatable authenticated access.

Q: What should teams measure to know whether exposure management is working?

A: Track time to containment, secret revocation latency, and the percentage of high-risk systems covered by explicit ownership.

Practitioner guidance

  • Tighten exposure-to-remediation workflows Map externally reachable assets, secrets, and service accounts into a single remediation queue so AI-discovered issues do not stall between teams.
  • Audit privileged secrets and tokens first Review service accounts, API keys, certificates, and long-lived tokens that could turn a discovered flaw into direct access.
  • Build AI-era validation into control evidence Capture repeatable proof that patching, revocation, and access restrictions work under adversarial testing.

What's in the full analysis

Swarmnetics' full analysis covers the operational detail this post intentionally leaves for the source:

  • The article's discussion of how Project Glasswing access is being expanded across regions and organisations, including the EU and South Korea.
  • The uncertainty around Mythos AI release timing and why that matters for planning patch, validation, and regulatory cycles.
  • The questions raised about funding, token allocation, and how ENISA may apply the results to certification pipelines.
  • The broader implications for how offensive AI testing may reshape vulnerability discovery and defensive automation priorities.

👉 Read Swarmnetics' analysis of Mythos AI access expansion and EU security implications →

Mythos AI access expansion and what it means for EU security teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

AI-assisted vulnerability discovery is becoming a governance problem, not just a testing problem. Once model-driven analysis can surface weaknesses faster than human teams can triage them, security programmes must treat discovery speed as a control pressure. That changes the economics of patching, exposure reduction, and compensating controls across the stack. Practitioners should assume the window between weakness creation and weakness exploitation is shrinking.

A few things that frame the scale:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys, according to DeepSeek breach.

A question worth separating out:

Q: Why does AI-driven vulnerability discovery change NHI governance?

A: Because discovery can now outpace remediation, the security problem shifts from counting flaws to constraining what identities can do. If service accounts and AI agents have broad access, new vulnerabilities become easier to exploit. Governance must therefore focus on privilege scope, credential lifetime, and action-level authorisation.

👉 Read our full editorial: Mythos AI access expansion raises the bar for vulnerability testing



   
ReplyQuote
Share: