When Kevin Roos of the New York Times described Project Glasswing as a frontier AI model “more powerful than Anthropic has released to the public,” he wasn’t sensationalizing. That’s the correct reading. Anthropic built something so capable that they decided the responsible thing to do was to gate it behind a coalition of 50 organizations and $100 million in access control credits before anyone else could touch it.
The results justify the caution. Claude Mythos discovered a 27-year-old vulnerability in OpenBSD and a 16-year-old flaw in FFmpeg that caused automated tests to fail 5 million times. The window between discovery and exploitation has collapsed. What once took months now takes minutes.
Alex Albert, head of developer relations at Anthropic, called this “probably the most significant event in the AI industry I’ve seen up close since I joined Anthropic nearly three years ago.” That belief is justified.
That may be half the problem.
AI in action by employees
Glasswing is built around specific threats. Attackers use AI to find and exploit vulnerabilities in software infrastructure before defenders can patch them. This is a real and serious problem worth investing in.
However, this is not where most enterprise security teams face AI risks on a daily basis.
The AI that most employees interact with is not the underlying model that the company deploys or manages. This is a feature within a SaaS subscription. CoPilot in Microsoft 365. Einstein within Salesforce. Gemini in Google Workspace. They did not arrive through a separate procurement process or security review. At the pace of software updates, these were built into the tools employees were already using and permissions had already been granted.
This is AI delivered as a layer on top of SaaS and accounts for the majority of enterprise AI activity. Cyera’s team did a great job of explaining the visibility issue. AI visibility without identity context is just a list. Knowing about the existence of AI agents tells us very little. Knowing what they have access to, what they’re doing, and whether that behavior makes sense given who authorized it are real questions that security teams need to answer.
Most can’t.
Threats that don’t require finding bugs
Glasswing targets attack paths that require an adversary to identify a vulnerability and exploit it from outside the system. There is a gap to be overcome. Time, skill, and opportunity all place constraints on how quickly you can make it happen.
There is no such gap for AI agents operating within a SaaS environment using valid OAuth tokens. It’s already in. It’s provisioned, connected, and up and running. In many organizations, this has occurred without formal security reviews, defined scope of access, or monitoring of behavior after the fact.
A security team recently discovered they had 150 different Copilot agents running in their environment. All deployed in one week. There is no security screening.
An attacker who compromises one of these agents through prompt injection, supply chain attacks on the underlying model, or misconfigured privilege scopes doesn’t need to find vulnerabilities from 10 years ago. They inherit everything the agent is granted, such as read access to sensitive files, write access to shared drives, and the ability to query CRM records or trigger downstream automation.
Models that lack most security tools
Most security tools are built to monitor humans. These track logins, file access, and configuration changes. All of these are associated with human accounts. If an AI agent accesses 400 files in 15 minutes, these tools will either attribute the action to the person who authorized it or miss it entirely.
That’s the wrong model. An AI agent acting on your behalf is not the same as a user acting on your behalf. The baseline of behavior is different. The risk profile is different. The question that really needs to be answered is whether this agent’s behavior makes sense given what it is being empowered to do and the normal behavior of the person giving it the authority. To answer that, you need to keep identity, behavior, and SaaS context together in the same view.
Most organizations don’t have that. Most tools aren’t built to provide that. The security community is already asking questions about what Glasswing doesn’t cover. They are right to ask.
Note to Anthropic
Project Glasswing is a real contribution. Using frontier AI to discover vulnerabilities before attackers do is exactly the type of asymmetric defense the industry needs, and the commitment from our launch partners reflects true organizational intent.
But it’s important to note that Claude is one of the AI agents already operating within enterprise SaaS environments today. So is GPT. So is Gemini. The same class of models that are directed at software infrastructure to find vulnerabilities are also agents that enterprise security teams need to govern. How these models are accessed, how they work, and what the impact is if something goes wrong.
Mythos is too powerful to be released to the public. It’s a responsible call. Claude versions already running within enterprise SaaS are a completely different matter. they are there. they have access. And in most organizations, no one is monitoring them.
Glasswing protects the infrastructure on which your models run. That’s necessary. The other half, managing the agents already running within the application layer, is equally urgent. And it remains largely unresolved.
Source link
