Anthropic’s latest AI model, Claude Mythos, carries what the company called ‘unprecedented cybersecurity risks’, so severe that Anthropic chose not to release it publicly. It first shared Mythos with a select group of major organisations (Amazon, Apple, Nvidia and recently ENISA), under an initiative called Project Glasswing, then released Fable 5, a guardrailed version, to the public… only for the US government to order both pulled offline worldwide three days later, citing a claimed jailbreak.
The UK’s AI Security Institute found Mythos Preview completes expert-level cybersecurity tasks over 70 % of the time. The story matters less over whether Anthropic made the right call and more for whether that restraint can become the norm – and whether the EU has any power to make it so.
Any restraint on commercialising a product only holds if no one else builds the same thing. The 2026 Stanford AI Index puts that compression into sharp focus: the top closed model now leads the top open model by just 3.3 % on the Arena Leaderboard. On Stanford University’s Cybench, AI agents’ success rates on cybersecurity tasks jumped from 5 % to 96 % (Mythos excluded) in about two years.
Proprietary restraint only holds until Open Source (OS) catches up – weights then become deployable without guardrails. Those models come overwhelmingly from US and Chinese labs and the platforms they flow through, GitHub and Hugging Face, are US-anchored infrastructure that European companies, public agencies and researchers already depend on.
In short, Europe consumes this ecosystem but has very little impact on it – and such an imbalance has never mattered more than it does today.
Running out of time
Chinese OS complicates this further. DeepSeek’s last 15 months showed that Chinese labs can produce frontier-adjacent OS models at a fraction of US compute costs – and that those models ship with weaker safety guardrails. Palo Alto Networks found DeepSeek R1 highly susceptible to jailbreaking and an earlier version was reportedly broken to provide instructions for synthesising methamphetamine.
As Chinese OS models close the capability gap, they’re doing so with a safety architecture that appears – at a minimum – less robust and more impervious to Western regulatory enforcement.
The AI Act’s role
The EU’s AI Act did anticipate part of all this. OS GPAI models get partial exemptions unless classified as a systemic risk, in which case the full set of obligations applies regardless of licensing. The framework is sensible, but enforcement depends on something the Act cannot guarantee – namely that the developer is subject to European regulatory jurisdiction.
DeepSeek, Qwen and whatever follows are not subject to European Enforcement investigations across 13 jurisdictions after DeepSeek’s January 2025 launch showed just how difficult extraterritorial enforcement is. Italy banned the app within 72 hours; the weights remained freely downloadable, including through Hugging Face – a platform operating with no regulatory mandate that’s now become de facto infrastructure for global model distribution.
The debate has fixated on a binary: should dangerous models be banned? But banning OS models from the EU market means enforcing a license restriction on a file that propagates freely across mirrors, torrents and repositories in multiple jurisdictions.
Europe has spent four years building the most comprehensive AI regulatory framework in the world… and still it has no answer to this.
Three scenarios
The pessimistic reading: capability convergence proceeds faster than regulators can classify and enforce – a Mythos-equivalent OS model appears within 18 months, and Europe finds itself stuck with a regulatory framework designed for a slower world.
Here, the resulting exposure wouldn’t risk a coordinated state-level attack but rather a dramatic lowering of Europe’s expertise threshold for withstanding serious cyberattacks. PwC noted that the time between a new model’s release and its weaponisation shrank dramatically across 2025.
The neutral reading: as capabilities converge, so do safety practices. OS developers, due to reputational and market-access pressure, gradually adopt (more or less) responsible release norms. Europe’s role would be to shape those norms through trade leverage and the gravitational pull of the world’s largest regulatory market.
The optimistic reading requires assumptions but not implausible ones. Anthropic’s decision to withhold Mythos, combined with Glasswing’s defensive stance, actually models a new kind of responsible disclosure norm for frontier AI, i.e. dangerous capabilities shared with defenders before they reach attackers.
If this spreads, if proprietary labs develop genuine pre-competitive cooperation on safety thresholds, and if European regulatory pressure helps crystallise those norms into something durable, then the six-month capability lag between proprietary and open models becomes a feature: a window for defenders to prepare before the capability is universally accessible.
The catch, though, is who counts as a defender. Glasswing’s early access went to Amazon, Apple and Nvidia – the players already large enough to be in the room. The window only helps if it reaches beyond those who could already afford it.
What Europe cannot afford is to treat the Mythos announcement as just a US story. The six-month window between a frontier capability and its OS equivalent is still open but closing it won’t come from writing a new law – the legal text mostly already covers this.
The AI Act’s systemic risk provisions already reach providers outside the EU, as a non-EU developer placing a model on the European market must appoint an authorised representative, and the OS exemption is already voided once a model crosses the high impact capability threshold.
The problem isn’t that the rules stop at Europe’s border; it’s that a downloadable file doesn’t. Enforcement against DeepSeek showed how little an authorised representative requirement means when the weights propagate through file copies with no representative controls.
The task is to build machinery to make existing provisions bite: an AI Office that can evaluate offensive cyber capabilities in-house and isn’t reliant on developer self-attestation. When ENISA wanted to access Mythos, it spent weeks petitioning a private American lab for a seat at Project Glasswing. If the EU must ask permission to view the threat aimed at its own infrastructure, then it’s not shaping the ecosystem but queuing for it (and the Fable 5 shutdown showed that even the queue can be closed down by the US overnight, with absolutely no European say at all).
The other piece of the puzzle is to treat distribution platforms in Europe – GitHub, Hugging Face etc. – as the chokepoint the file actually passes through and assigning them obligations accordingly.
In short, regulating the conduit is the one lever Europe hasn’t yet pulled. And it now really needs to consider doing so.
