In early May, the Administration convened the chief executives of Anthropic, OpenAI, Google, Microsoft, and SpaceX to discuss the policy response to Anthropic’s Mythos Preview model — a system that autonomously discovered thousands of high- and critical-severity software vulnerabilities, including previously unknown zero-days in production code dating back decades. The administration’s proposed response: a mandatory pre-release vetting regime modeled on the Food and Drug Administration’s pre-market approval process.
The instinct is understandable. Mythos represents a visible capability threshold crossing — the kind that demands a response. On the Firefox 147 benchmark, Mythos developed working exploits 181 times compared to just two for the previous generation model. That is not an incremental development. It is a threshold crossing, and threshold crossings demand a response. The problem is not the instinct. It is the targeting. The proposed vetting regime is aimed at the wrong chokepoint — and for the critical infrastructure operators I spent four years working to protect at CISA, that mismatch has direct operational consequences.