Anthropic is investigating a claim that a small group of people gained unauthorized access to its Claude Mythos model, a cyber-security tool that the AI firm says is too powerful to release to the public, according to a report from the BBC.

Concerns Over Security of Advanced AI Models

“We’re investigating a report claiming unauthorized access to Claude Mythos Preview through one of our third-party vendor environments,” the company said in a statement. There is currently no suggestion that malicious actors have managed to get hold of the model, and Anthropic says it does not have evidence its systems are affected.

But the report of access by unauthorized users raises questions about the ability of large AI companies to stop their advanced AI models from getting into the wrong hands. This was “most likely through misuse of access rather than a classic hack,” according to Raluca Saceanu, chief executive of cyber-security company SmartTech.

Use of AI Models for Cyber-Security

Anthropic has released the Mythos model to some tech and financial companies to help them secure their systems, given its reported ability to exploit vulnerabilities. But that relies on those companies making sure their own access is tightly controlled.

One member of the group already had permission to view Anthropic’s AI models through work they had done for a third-party contractor, according to Bloomberg. The outlet also reported that the group has been using the model since gaining access, although not for hacking, because they do not want to be detected.

“When powerful AI tools are accessed or used outside their intended controls, the risk is not just a security incident but the spread of capabilities that could be used for fraud, cyber abuse, or other malicious activity,” Saceanu said.

Broader Implications for AI Security

In a speech to a large cyber-security conference on Wednesday, the head of the UK’s National Cyber Security Centre (NCSC) made a more positive case arguing AI tools can make things safer and more secure. Richard Horne urged the CyberUK delegates not to fear new AI attacks, but to make sure they are doing the basics of cyber-security right.

“As we have seen in the media in recent days, frontier AI is rapidly enabling discovery and exploitation of existing vulnerabilities at scale, illustrating how quickly it will expose where fundamentals of cyber-security are still to be addressed,” he said. Horne’s warnings echo similar messages from recent years, for example the urgency for people to ensure they update the software on their systems and upgrade legacy IT.

At the same event, Security Minister Dan Jarvis implored AI firms to work with the government on the “generational endeavour” to make sure AI is used to protect critical networks from attackers. All of the most powerful and advanced AI models, known as frontier AI, are developed outside the UK, with the top-tier companies based in the US or China. That means the UK relies on companies like Anthropic to give it access to Mythos and has no control over how it is built, trained or released.

OpenAI also has a cyber-security model, GPT 5.4 Cyber, which it says is highly capable. The speeches at CyberUK also pressed home the ongoing threat of nation-state and hacktivist attacks, particularly from Russia and China. The NCSC warns that cyber is now “the home front” of defence in the UK, with recent events such as the Iran attacks showing that cyber plays an increasingly important role in all modern conflicts.

Additional reporting by Imran Rahman-Jones.

Anthropic has confirmed it is investigating a report that unauthorized users have gained access to its Mythos model, which it has warned poses risks to cybersecurity, according to an additional source. The US startup made the statement after Bloomberg reported on Wednesday that a small group of people had accessed the model, which has not been released to the public because of its ability to enable cyber-attacks.

“We’re investigating a report claiming unauthorized access to Claude Mythos Preview through one of our third-party vendor environments,” said Anthropic. Bloomberg said a “handful” of users in a private online forum gained access to Mythos on the same day Anthropic said it was being released to a small number of companies including Apple and Goldman Sachs for testing purposes.

It reported that the unnamed users got to Mythos through access that one of them had as a worker at a third-party contractor for Anthropic and by deploying methods used by cybersecurity researchers. The group has not run cybersecurity prompts on the model and is more interested in “playing around” with the technology than causing trouble, according to Bloomberg, which corroborated the claims via screenshots and a live demonstration of the model.

Nonetheless, news of the potential breach will alarm authorities who have raised concerns about Mythos’s potential to wreak havoc, and will raise questions about how potentially damaging technology can be kept out of the wrong hands. Kanishka Narayan, the UK’s AI minister, has said UK businesses “should be worried” about the model’s ability to spot flaws in IT systems, which hackers could then act upon.

The model has been vetted by the world’s leading safety authority for the technology, the UK’s AI Security Institute (AISI), which warned last week that Mythos was a “step up” from previous models in terms of the cyber-threat it posed. AISI said Mythos could carry out attacks that required multiple actions and discover weaknesses in IT systems without human intervention; it said these tasks would normally take human professionals days to carry out. Mythos was the first AI model to successfully complete a 32-step simulation of a cyber-attack created by AISI, solving the challenge in three out of its 10 attempts.