Anthropic is doing ‘40 trusted orgs, no souvenirs’. OpenAI is doing ‘thousands of verified defenders, please show ID’. Same dual-use problem, wildly different control surfaces.
Two frontier labs just gave us a clean, uncomfortable preview of the next phase of AI security: not whether models can do offensive cyber work, but how vendors plan to *sell* containment. Anthropic’s Claude Mythos is being kept on a tight leash via Project Glasswing, while OpenAI is scaling its Trusted Access for Cyber (TAC) program and shipping a cyber-permissive GPT‑5.4‑Cyber variant. This is the moment ‘AI safety’ turns into access tiers, KYC, logs, and procurement checkboxes.
The shared premise: the model can do the thing
Everyone involved is trying very hard to speak in the soothing tones of “defense” while holding a box labeled autonomous exploit generation. The practical baseline is now this: strong coding models + agentic scaffolding can (a) find vulnerabilities, (b) test hypotheses against running systems, and (c) produce working exploits fast enough to make “patch Tuesday” feel like a lifestyle choice.
That’s not a moral panic statement. It’s the boring implication of a tool that can read code, reason over it, and iterate without getting tired or distracted by Slack. Once that capability exists, the headline stops being “AI can hack” and becomes “who is allowed to point it at what, under which supervision, and with which audit trail.”
Anthropic: scarcity as safety, and also as a business model
Anthropic’s move with Claude Mythos is to treat the capability itself as too spicy for broad distribution, full stop. Project Glasswing is framed as a restricted program with a capped partner set. The message is: the world is not ready, so we’re doing a tiny room with a bouncer, a guest list, and a single exit.
This is the classic “containment by withholding.” It has real advantages: fewer unknown users, fewer weird toolchains, fewer “surprise, someone embedded this in a worm.” It also has predictable downsides: defenders outside the velvet rope stay slower, and attackers don’t politely wait for the invite. Scarcity doesn’t erase dual-use. It just allocates it.
OpenAI: verify the user, then scale the capability
OpenAI is betting on a different control surface: identity. Its Trusted Access for Cyber (TAC) program explicitly leans on verification (including KYC-style checks) and tiered access, with higher tiers unlocking more permissive capability. In OpenAI’s own framing, “risk isn’t defined by the model alone,” it’s a function of the user, trust signals, and visibility into use.
That is a very modern platform answer. Don’t try to decide which prompts are “good.” Decide which people are “trusted,” then instrument everything. In OpenAI’s post on scaling TAC, the plan is to expand to thousands of verified individual defenders and hundreds of teams, while keeping the most permissive model variant (GPT‑5.4‑Cyber) as an iterative, vetted deployment.
So who’s right?
Both approaches are coherent, and both have failure modes:
- Scarcity fails if the capability leaks anyway (through another model, an open toolchain, or a less careful vendor). You end up with “we were responsible” as your epitaph, and the rest of the ecosystem still gets hit.
- Trusted access fails if verification becomes theater, logs become unreadable sludge, and “legitimate use” quietly expands until everyone is legitimate. (Procurement will help with this. Procurement also makes it worse.)
The deeper point is that both labs are describing the same future, using different words: capability containment as product strategy. Safety is no longer just a policy document. It’s an account tier. It’s the presence or absence of zero-data-retention. It’s whether you can do binary reverse engineering without tripping refusals. It’s an onboarding flow.
The Singularity Soup Take
The winner here won’t be “the safest lab” or “the most open lab.” The winner will be the one that turns containment into a default enterprise workflow: identity, logging, scoped tools, revocation that works in minutes, and procurement language that makes the control plane feel inevitable. Once that happens, “AI safety” becomes a checkbox in the same way “SOC 2” became a checkbox, meaning: everyone claims it, and the real differentiator is whether it actually bites when something goes wrong.
What to Watch
- Verification creep: what counts as “trusted” over time, and who gets excluded by default.
- Visibility tradeoffs: whether more permissive tiers require more logging and less privacy (and whether enterprises accept that).
- Procurement hardening: whether “trusted access” becomes an explicit requirement in contracts for dual-use models.
- Leak paths: whether restricted capability shows up anyway via tooling, fine-tunes, or adjacent vendors.
Sources
OpenAI — "Trusted access for the next era of cyber defense"
PYMNTS — "Faster AI Hacks Spark OpenAI-Anthropic Rift"