Summary
- Anthropic dispatched internal security researcher Nicholas Carlini — the “professional skeptic” whose vulnerability-finding demonstration helped justify the government’s intervention — to Washington to explain safeguards to the same officials who banned foreign use of the company’s Mythos and Fable models, positioning the most credible internal critic as its negotiating asset.
- The government’s intervention, triggered by Amazon CEO Andy Jassy’s report to Treasury Secretary Bessent and routed through Commerce Secretary Lutnick with a 90-minute ultimatum, occurred without a publicly disclosed technical basis and in a relational context already strained by Pentagon disputes, chip-export disagreements, and nonprofit-funding controversies.
- Carlini’s forecast that competing models will match Mythos’s vulnerability-finding capacity within months renders the Anthropic-specific intervention a structurally temporary measure whose leverage erodes as capabilities diffuse across the industry.
- Neither Anthropic’s internal safety assessment nor the government’s private security consultations included independent technical scrutiny, leaving the foreign-use ban’s proportionality unassessable by the public or the broader security-research community.
Nicholas Carlini, the Anthropic researcher whom Dan Guido — chief executive of cybersecurity firm Trail of Bits — characterized as the industry’s “professional skeptic” of AI cybersecurity claims, has been dispatched to Washington to explain the company’s safeguards to the very officials who days earlier banned foreign use of its AI models. The episode places the researcher whose March warnings about vulnerability-finding capabilities helped build the case for government intervention in the position of arguing that Anthropic’s response to those same warnings is adequate — a paradox that illuminates the structural dynamics of AI governance between a company valued at nearly $1 trillion and an administration that has accumulated months of friction with it across multiple policy fronts.
What Carlini demonstrated
Carlini’s demonstration of Mythos’s capabilities marked a departure from his established role as a critic of inflated AI security claims. After accessing the model, Carlini used it to find and exploit critical bugs in Linux and the web-publishing software Ghost — vulnerabilities he had never previously identified. According to his presentation, Mythos searched through Linux’s code several thousand times and found 479 bugs. “A competent security researcher could go their whole life without finding a Linux kernel vulnerability,” Carlini stated. Over a two-week period, the model uncovered approximately 500 bugs across multiple codebases including Ghost.
“The balance that existed between attackers and defenders over the past two decades seems like it’s probably coming to an end,” Carlini told a crowd of cybersecurity experts at a March presentation. “It’s pretty clear to me that these current models are better vulnerability researchers than I am.” His March memo characterized Mythos as “the first model that can find and exploit vulnerabilities at scale.”
These assessments carry particular weight because they originate from the party least inclined by professional disposition to overstate. Two days after his presentation, Carlini wrote to his colleagues: “I don’t think we should release Mythos yet.”
The Ghost vulnerability illustrates how discovery propagates independently of the tool that performed the discovery. Ghost’s developers patched the vulnerability — community sources including CybelAngel, CybersecurityNews, and TheCyberExpress converge on February 19, 2026 as the patch date, slightly later than the February 16 date the source article reports, which appears to conflate a DLL compilation timestamp with the patch release. Not all users applied the update. Cybersecurity firm Xlab reported, with confirmation from SecurityWeek, The Hacker News, and CybelAngel, that more than 700 sites were hacked within a month. Those sites were not attacked by Mythos users but by actors exploiting a known, already-patched vulnerability — a distinction that matters for assessing whether restricting access to vulnerability-finding tools addresses the demonstrated harm vector.
The causal link between Mythos and the specific Ghost CMS vulnerability (CVE-2026-26980) rests solely on the Wall Street Journal’s reporting; no independent source connects Mythos to this CVE. The 479 Linux bug figure similarly has no independent verification of the exact number, and community sources on forums including r/Anthropic and Hacker News have expressed skepticism about the exploitability and significance of the findings, distinguishing between finding bugs and developing working exploits.
The 90-minute ultimatum
The government’s intervention did not originate from Carlini’s warnings. It was triggered by an Amazon report finding that Fable — Anthropic’s safety-modified product variant — “could be coaxed into finding bugs.” Amazon CEO Andy Jassy called officials including Treasury Secretary Scott Bessent to share the findings, and administration officials grew more alarmed after conversations with government security experts.
After the calls, officials including National Cyber Director Sean Cairncross gave Anthropic CEO Dario Amodei and other company leaders what a source close to Anthropic described as an ultimatum: work with the government and take down the models that day or face a ban on foreign users. The company was reportedly given 90 minutes and was not provided details about the specific security risk. President Trump authorized Commerce Secretary Howard Lutnick to handle the situation and approved shutting off all foreign use of the models. Lutnick sent Amodei a letter notifying him the rules had been implemented shortly after 5 p.m. ET.
When Lutnick and Amodei spoke that evening, Amodei said, “This means we can’t have the model out,” according to people familiar with the call. “That’s the point,” Lutnick responded. Anthropic shut off all access to comply.
The article does not clarify the specific security risk that justified shutting off all access — including for domestic users — rather than imposing the foreign-user restriction alone. The 90-minute ultimatum and the reported absence of detail about the specific risk indicate a process in which the government’s margin of trust for Anthropic’s self-governance had already been drawn thin.
Two separate causal threads run through the episode without being clearly distinguished in the public record. The ban was triggered by Amazon’s report on Fable, not by Carlini’s findings about Mythos. Whether the Amazon report concerns the same class of vulnerability discovery demonstrated in Carlini’s March presentation or a distinct capability remains unclear, making it difficult to assess whether the shutdown addresses the demonstrated Mythos risks, a separate concern, or both.
The intervention was routed through Commerce Secretary Lutnick rather than a technical or cybersecurity-specific agency. Lutnick’s direct involvement — the letter, the evening call, the reported presidential authorization — signals the government treated the episode in trade-control and national-security terms rather than cybersecurity-coordination terms. National Cyber Director Cairncross delivered the ultimatum, but operational authority sat with Commerce, consistent with a regulatory posture rather than a technical-coordination posture.
Anthropic released Mythos 5 and Fable 5 despite Carlini’s March internal warning against doing so. The government’s response followed days later. Administration officials have reportedly said a resolution should include an acknowledgment from Anthropic that its rollout and communication could have been improved — framing the disclosure failure as the actionable deficiency rather than the model’s capabilities per se, a distinction that shapes what “resolution” means and what conditions must be met before access is restored.
A relationship already strained
The Mythos episode arrived in a relationship already strained across multiple axes. Defense Secretary Pete Hegseth and Amodei clashed earlier this year over Anthropic’s efforts to control military use of its products, with the Pentagon pushing back and triggering multiple lawsuits. The two sides have also differed over AI policy, chip exports to China, and Anthropic’s ties to nonprofits that are big donors to liberal causes.
This context conditions the plausibility of both the negotiating-posture interpretation and the genuine-security-concern interpretation of the ban. The article’s reporting supports both without resolving which predominated. The strongest defense Anthropic can claim — that it complied with the ultimatum and dispatched its most credible technical voice — is documented. But compliance after a 90-minute deadline differs from voluntary restraint before release, and the company proceeded with publishing despite having received its own researcher’s explicit recommendation against it.
Amazon’s dual role
Amazon occupies a structurally significant position in the episode that the article’s narrative does not fully examine. The company is simultaneously Anthropic’s cloud infrastructure provider and the entity whose CEO called Treasury Secretary Bessent and other officials to share findings that triggered the government’s alarm. The information pathway that produced the administration’s response ran through a corporate relationship that is both cooperative and competitive. Amazon functions as a gatekeeper node controlling the flow of information between Anthropic and the government, whose direct communication Michael Horowitz — a senior fellow for technology and innovation at the Council on Foreign Relations and a former Defense Department official — characterized as marked by “an inability to communicate effectively with each other.” Horowitz said “more technical exchanges should be helpful.”
Anthropic’s response — dispatching Carlini to Washington — represents a tactical deployment of its most credible internal voice. His credibility as the professional skeptic who tested the model directly gives his testimony particular weight in a way that a company safety officer’s would not. Anthropic can position the researcher whose assessment helped justify the government’s intervention as having subsequently assessed the model and prompted safety measures. The strength of this argument hinges on whether those measures are substantive.
Anthropic released Mythos 5 and Fable 5 with what the article describes as “a version with safety measures,” but the article does not specify whether those measures curtail exploit-generation capabilities or merely gate access. If exploit-generation persists and only access is restricted, the characterization of a “defanged” version is misleading; if exploit-generation was removed, no third party has independently verified that removal. The article does not report whether Carlini himself believes the released version mitigates the risks he identified in his March demonstration.
Carlini’s position is therefore paradoxical: the researcher whose warning helped justify the government’s intervention is now the expert sent to argue that the company’s response to those warnings is adequate. His direct-testing authority lets Anthropic argue the most credible skeptic assessed the model, but his presence simultaneously undercuts the administration’s justification if his own technical assessment does not align with the decision to restrict access. The article does not resolve which outcome obtained.
The technical basis no one has seen
The independent security-research community — the constituency best positioned to evaluate a defanged model’s residual capabilities — is absent from the episode’s account entirely. Both Anthropic and the government are operating on private assessments: Carlini’s internal work and Amazon’s report to Treasury. No public technical scrutiny has been applied to either the model’s demonstrated capabilities or the safety measures that supposedly constrain them.
This is not merely a reporting gap but a structural condition that keeps the ban’s proportionality unassessable. Neither the Amazon-triggered alarm nor Carlini’s documented findings has provided a public technical basis for the government’s decisions. The transparency deficit Horowitz identified — the need for “more technical exchanges” — affects assessment of every element of the episode: the severity of the demonstrated capabilities, the adequacy of the safety measures, the proportionality of the response, and the criteria for any future resolution. The need Horowitz identified points toward a transparency deficit that conditions what both parties can credibly claim.
Capability diffusion outpaces company-specific controls
Carlini believes “it is only a matter of months before other models catch up with Mythos.” If that forecast holds, the government’s Anthropic-specific intervention may prove a temporary holding action whose leverage erodes as competitors emerge with comparable capabilities that fall outside the scope of any bilateral arrangement with a single firm.
The Ghost episode illustrates how vulnerability-finding capability propagates independently of access controls. Once a vulnerability-finding technique exists, the vulnerability persists in unpatched systems regardless of who controls the tool that found it. The 700-plus compromised Ghost sites demonstrate this: the damage occurred through exploitation of a known vulnerability by actors who did not need access to Mythos, not through ongoing use of the model that originally found the bug. Restricting access to the finding tool does not remediate the vulnerabilities already found, and the structural incentives for patching lag are a separate problem from the question of who may access a model.
If other models achieve comparable vulnerability-finding capacity within the forecast horizon, the policy question shifts from access control to vulnerability remediation infrastructure and defensive AI deployment. Unilateral gatekeeping over a single company’s models cannot contain a capability that is diffusing across the industry. This structural reality makes cooperative frameworks not a policy preference but a recognition that company-specific interventions have a diminishing shelf life.
Three trajectories are structurally available from this position. A cooperative framework — sufficient technical exchanges producing pre-release security review protocols and government evaluation criteria — is contingent on repairable relational damage, which the documented history of Pentagon clashes, lawsuits, and political friction renders uncertain. Gatekeeping obsolescence — capability diffusion rendering company-specific interventions structurally ineffective within the forecast horizon — would shift policy toward remediation and defensive AI, requiring the government to build rather than restrict. Regulatory escalation — the accumulated friction across multiple axes compounding into a broader posture — is consistent with the documented 90-minute ultimatum, the routing of authority through Commerce rather than a cybersecurity agency, and the reported presidential authorization.
The documented pattern of escalating friction supplies conditions under which a shift from partner-management to systemic-risk-constraint is structurally available. The government’s demonstrated willingness to impose unilateral, time-pressured constraints indicates the institutional machinery for that shift already exists. Capability diffusion acts as a countervailing force: company-specific gatekeeping may prove structurally limited, creating pressure toward either cooperative frameworks or broader regulation rather than single-company interventions. The outcome depends on whether the relational damage from this episode is repairable — a question the dispatch of Carlini to Washington is designed to answer but which the episode’s own dynamics have made more difficult to resolve.
Analytical techniques used in this piece
This analysis applies the methods below. Each links to a short, plain-English explainer you can read and reuse.
- Red-Team Advocate
- Argues the adversary’s case in full to expose what a plan underrates.
- Relationship Mapping
- Extracts the network of ties among people, institutions, and entities.
- Wicked Futures
- Explores a long-horizon, deeply entangled future with no clean resolution.