In April, the artificial-intelligence firm Anthropic announced it had developed an AI model too dangerous to be released to the public. The company, headquartered in San Francisco, California, said its Claude Mythos model was so advanced that it had exposed vulnerabilities in every major operating system and web browser in use today. “The fallout — for economies, public safety, and national security — could be devastating,” the company warned in a blog post about Project Glasswing, its name for the restricted release of the model to approximately 50 carefully screened organizations.
This decision signals a shift toward confidential, cutting-edge AI research that could become a growing trend, experts suggest. What Anthropic has done to rein in Mythos’s release is likely to be emulated by other AI laboratories, says Helen Toner, interim executive director at the Center for Security and Emerging Technology at Georgetown University in Washington DC. “I expect this to be the first in a series rather than an isolated case,” says Toner, who previously served on the board of Anthropic’s rival OpenAI, also based in San Francisco.
AI can design viruses, toxins and other bioweapons. How worried should we be?
“I expect other providers to take a similar approach,” agrees Vasilios Mavroudis, an AI-safety researcher at the Alan Turing Institute in London. Indeed, just a week after Mythos was unveiled, OpenAI followed suit with a limited release of GPT-5.4-Cyber, a cybersecurity-specific model, available only to approved researchers and organizations.
If this kind of restricted-access AI catches on, it will mark a pivotal moment in the ongoing debate over the benefits of ‘closed’ and ‘open’ AI software — with potential ripple effects for science. For years, researchers have argued that transparency around AI models advances both AI research and science overall, since researchers can study and build upon the underlying algorithms.
Now there is a real possibility that creators of cutting-edge AI models might not release them broadly at all. And if governments determine that powerful AI is a ‘dual-use’ technology — meaning it could be weaponized by the military and also applied in civilian society — then additional controls, similar to those used for defense-related technologies, could also take effect. This could restrict who has access to the most capable software, Toner notes.
Why restrict access?
Companies have previously tried limiting model releases. In February 2019, OpenAI released a watered-down version of its GPT-2 model, citing concerns about potential misuse, before granting full access that November. But by today’s standards, that model had very limited power — it could only complete basic sentences.
It’s difficult for researchers without access to Mythos to assess whether all of Anthropic’s concerns are well-founded. But Ciaran Martin, a management researcher at the University of Oxford, UK, and former chief executive of the UK National Cyber Security Centre in London, says Mythos appears to represent a “significant advancement” and “a rapid leap in AI capabilities.”
How to vibe code in science: early adopters share their tips
AI labs already implement ‘guard rails’ in their models to prevent abuse, typically through refusals to engage with or respond to queries that appear dangerous. However, those safeguards are often as straightforward as a set of hidden instructions telling the AI system how to respond. They can be bypassed (or ‘jailbroken’) if users choose to do so.
The risk in giving universal access to Mythos is that it could benefit attackers first, Mavroudis explains. “Defenders can use these tools to uncover security flaws in systems or software projects. Attackers can do the same,” he says. That is why Anthropic is giving defenders a head start. Some unauthorized access to Mythos has reportedly already occurred, however.
The company has said its “eventual goal” is to allow users “to safely deploy Mythos-class models at scale,” but did not respond to Nature‘s inquiry about whether this meant public access. OpenAI has also been vague, stating that it was “starting” with a limited release of GPT-5.4-Cyber and a quickly released follow-up model, GPT-5.5-Cyber; it has since launched a cybersecurity-focused product, called Daybreak, built on these tools. For now, the ‘Cyber’ models remain available only to authorized users.
When asked whether its models might eventually become publicly available, an OpenAI spokesperson pointed to language in a blog post announcing GPT-5.5-Cyber. It states that “expanding access … responsibly requires stronger confidence in who is using the model, what systems they are targeting, and whether the work is authorized,” but “we expect access to broaden over time.”
Where cyber goes, science follows?
Companies that restrict access to AI models aren’t solely concerned about cybersecurity risks. For example, firms launching models specialized for biology research have expressed worries about potential misuse related to developing bioweapons.
In April, OpenAI released GPT-Rosalind, designed for life scientists, which it announced would be available through a ‘trusted-access’ framework so that only approved users could use it. The company will also track how the model is being employed, YunYun Wang, OpenAI’s life-sciences product leader, told Nature. And last year, Google launched an ‘AI co-scientist’ system, which is likewise available only to researchers who apply for access.
If such restrictions continue, they could mean that only well-connected researchers gain access to the most powerful AI tools. Researchers already worry that rising costs for existing public AI systems are beginning to deepen inequality in the field, with some groups unable to afford premium subscriptions.
