Online Exclusive

What Mythos-Class Capabilities Mean for the Boardroom 

By Ryan McManus and Neal A. Pollard

05/27/2026

Key Points
  • The arrival of frontier AI models, such as Mythos, has compressed the cybersecurity timeline from months to minutes, rendering traditional periodic patching and annual testing obsolete.
  • Boards should recognize that the technology presents a strategic defensive opportunity and embed AI-assisted vulnerability discovery directly into the software development lifecycle.
  • Directors face increased liability and insurance pressures, necessitating documented oversight and specific inquiries into management’s readiness for AI-accelerated exploitation.

This AI-generated summary, based on content on this page, was reviewed by NACD editors for accuracy.

The emergence of Mythos-class AI models has shifted the tempo of cybersecurity, requiring companies to embrace always-on, AI-driven defensive strategies.

For decades, cyber risk ran on a predictable human cadence: Software providers released patches and updates on “patch Tuesday,” and management conducted quarterly tabletop exercises and annual penetration tests. That ended on Apr. 7, 2026. Patch Tuesday is now “patch half-past-the-hour.”

Anthropic’s Mythos, a frontier artificial intelligence model, found more than 2,000 previously unknown, critical vulnerabilities across every major operating system and web browser in just seven weeks. This includes flaws that went undetected for decades.

While Anthropic declined to release the model publicly, it formed Project Glasswing, a collaborative cybersecurity initiative that provides cloud providers, semiconductor manufacturers, financial institutions, telecommunications operators, enterprise technology giants, and critical, open-source software foundations with early access to Anthropic’s unreleased AI model. This allows these firms to proactively discover and patch software vulnerabilities by directing Mythos’s capabilities toward defense.

Google, OpenAI, and other AI companies have similarly powerful models, and more are on the horizon. Boards should understand what will change for their companies as a result of this technology and ask questions that surface whether management has absorbed its implications. The assumptions behind an entire risk discipline have shifted in a single quarter, and the directors who recognize that early will protect their companies the best.

The Misunderstanding to Clear Up

Directors should first understand what Mythos-class models are—and what they are not.

Mythos is not a hacking tool; it is a vulnerability discovery system, an instrument that reads code and identifies flaws missed by even expert human reviewers. 

Vulnerability discovery is no longer limited by human researchers, and periodic patch cycles are no longer sufficient. Over time, the ability of these new models to find and suggest fixes for vulnerabilities promises companies a structural advantage: fewer latent flaws, faster remediation, and a shrinking attack surface. 

The main governance challenge for directors will be navigating the transition to widespread, guarded use of Mythos-class capabilities. As organizations adapt, adversaries may gain similar tools. Boards must position their companies to benefit from long-term defensive gains while managing short-term risks. 

Security Built In, Not Bolted On

If the board only hears about Mythos as a threat, it is hearing half the story. The other half is where the strategic opportunity lives.

The trajectory of every major security tool in the history of computing has followed the same pattern: Capabilities that initially favor attackers eventually move into the defender's stack and into the development process itself. Then, they become a structural advantage for either side, depending on which integrates them earliest.

Mythos-class capabilities will follow the same path, albeit faster. Directors should expect AI-driven vulnerability discovery to be embedded in the software development lifecycle of every serious technology company as rapidly as possible. It should act as an always-on capability, applied when software code is being written, that examines every risk consideration. 

The implications of that shift are significant and largely positive. Software code deployed in the future will be meaningfully more secure than code that ships today. Vulnerability classes that have plagued companies for decades, such as memory-unsafe language exploits (e.g., buffer overflow) and injection risks, will be substantially reduced at the source rather than accumulated as technical debt. The asymmetric advantage that has historically favored attackers, who only need to find one flaw while defenders need to find all of them, will narrow. 

 

This is the future that the cybersecurity industry has been promising for decades. Technology has finally caught up to the ambition, and the economics of pre-deployment vulnerability discovery are dramatically better than the economics of post-deployment incident response. Companies that achieve the former first will ship more secure software, carry less remediation backlog, face lower insurance premiums, expose their boards to less liability, and free their security teams to work on problems that genuinely require human judgment.

For directors, the strategic question is whether their company will arrive in this new world as a leader or a laggard. The board should ask management for a road map that treats AI-assisted secure development as a core capability in how the company builds and adopts software.

What Boards Should Address Now

In addition to standard cybersecurity treatment in audit, risk, or technology committees, Mythos-class capabilities merit discussion by the full board. This is due to the cross-functional implications for insurance, disclosure, capital allocation, and executive accountability. The optimal framing is to evaluate existing cybersecurity practices against a faster-paced threat environment and address any gaps; the wrong framing is emergency reinvention in the face of a cyber threat.

The board should also discuss the company's external posture. Does it participate in industry efforts comparable to Project Glasswing? Does it have visibility into which of its technology providers are being scanned by Mythos-class capabilities? Is the company prepared to respond publicly if Mythos-class attacks occur?

Below are the core questions boards should ask management to assess the organization’s readiness to withstand AI-accelerated vulnerability discovery:

  1. What is the company’s exposure to legacy code, and how is the company systematically reevaluating it?
  2. How quickly are critical vulnerabilities patched compared to the new AI-driven cyber-threat tempo?
  3. How is the business managing the increased risk volume from Mythos-class discoveries?
  4. Do the company and its vendors participate in industry coalitions, such as Project Glasswing?
  5. How are the software supply chain and third-party risk being reevaluated in light of accelerated vulnerability discovery?
  6. What is the plan to embed AI-assisted vulnerability discovery into the business’s software development lifecycle?
  7. Where are there gaps in existing cybersecurity insurance coverage for AI-accelerated threats?
  8. What is the firm’s directors and officers (D&O) liability exposure and disclosure plan for Mythos-class vulnerabilities that affect the organization?
  9. Is there a communication plan in place for AI-driven incidents, including for both regulators and customers?
  10. What capabilities, talent, and budget are needed to address these new cybersecurity priorities?

Boards should expect thoughtful, specific answers to these 10 questions, not vague reassurance. 

Implications for Insurance and Risk Management

Cybersecurity insurance will likely be impacted by Mythos-class capabilities as insurers seek additional protection. The more pressing concern here is not premiums but the coverage scope. Management should expect underwriters to require evidence of accelerated security patch tempo, AI-assisted defensive tooling, and documented vulnerability management maturity as conditions of coverage.

Companies that run on quarterly patch cycles and annual penetration tests should expect coverage exclusions, sublimits, or nonrenewals as the underwriting cycle reflects the new reality. Management should analyze the organization’s existing policies to identify what they actually cover in AI-accelerated scenarios and surface gaps before renewal, rather than after a claim.

D&O insurance is affected, too. In future breaches, boards will be judged on whether they required management to use available AI capabilities, adapt patch timelines, and update disclosures to reflect the new threat landscape. Boards that document these discussions and demand specific answers from management strengthen their Caremark defense; those that don’t face increased liability.

Furthermore, enterprise risk management will require a review of the new operational risks posed by AI-driven vulnerability discovery. Risk metrics will need to account for different impacts, varying time-to-exploit dynamics, and different remediation economics. Risk managers must reconsider investment priorities across preventative, detective, and responsive controls.

Operational risk and business continuity planning demand reconsideration of what constitutes a credible worst-case scenario. The historical worst case—a sophisticated, targeted attack by a well-resourced adversary—is now joined by a new worst case: A vulnerability in widely deployed software that the company depends on is discovered and exploited at scale before any vendor in the supply chain has patched it. The company's business continuity plan should be explicitly tested against that scenario. 

Regulatory institutions are already beginning to consider additional oversight for Mythos-class capabilities, on top of existing cybersecurity regulations, such as the US Securities and Exchange Commission cybersecurity disclosure rules and the European Union’s Digital Operational Resilience Act. 

From Mitigation to Value Creation

Mythos-class capabilities are neither the dawn of the apocalypse nor simple vendor announcements. They are more evidence that AI’s exponential capabilities continue to evolve. As a result, the previous generation’s assumptions about technology, engineering, vulnerability management, cybersecurity insurance, board-level cyber-risk oversight, and the entire risk management architecture of the modern enterprise should be reexamined deliberately and quickly.

Software development is undergoing a historic revolution, with increased development speed, the democratization of capability, and now AI-assisted vulnerability discovery built into the development process. Development speeds and associated business benefits will accelerate, and attack surfaces and remediation backlogs will shrink.

The companies that adopt these new software development and defensive capabilities first—and the boards that work with management to drive them there—will compound an advantage that touches every part of the enterprise. The question is not whether your company will arrive there; it is whether it will arrive there with its balance sheet and reputation intact.

The views expressed in this article are the authors’ own and do not represent the perspective of NACD.

Control Risks Group is an NACD partner, providing directors with critical and timely information and perspectives. Control Risks Group is a financial supporter of the NACD.

Ryan McManus

 

Ryan McManus, NACD.DC®, is the founder of techtonic.io and serves on the boards of Nortech Systems, Vanasse Hangen Brustlin, the NACD New York chapter, and the NACD technology and governance advisory board. He also serves on various technology start-up advisory boards.

Neal Pollard

 

Neal A. Pollard is a partner at Control Risks Group, where he leads the Digital Risk advisory for the Western Hemisphere. Previously, he was global chief information security officer for UBS Group and a partner at two of the “big four” public accounting firms.
