
Mythos and the New Regulatory Challenges of AI-Driven Cybersecurity


The emergence of advanced AI models capable of autonomously discovering vulnerabilities is reshaping the regulatory landscape of cybersecurity, privacy and operational resilience. Mythos, Anthropic’s advanced cybersecurity-oriented model, illustrates how AI is rapidly evolving from a productivity tool into a strategic infrastructure with profound implications under the GDPR, the EU AI Act, NIS2 and DORA.

I. Introduction

The recent presentation of Claude Mythos by Anthropic represents one of the first visible examples of a new generation of artificial intelligence models specifically designed for autonomous vulnerability discovery and advanced cybersecurity analysis. According to publicly available information, Mythos is capable of identifying critical vulnerabilities and complex exploitation chains across widely deployed systems, including flaws that had remained undetected for years.

The truly disruptive element is not merely the improvement of cybersecurity analytics, but the possibility of automating processes historically reserved for highly specialized tools and human experts. Anthropic has also restricted access to certain Mythos capabilities through Project Glasswing, a limited collaboration framework involving selected organizations. This decision reflects the extent to which advanced AI capabilities are increasingly perceived not only as technological tools, but also as strategic assets with significant implications for digital security, operational resilience and technological governance.

The legal and regulatory implications of this scenario are considerable. Privacy, AI governance, operational resilience and digital sovereignty progressively converge into a single structural challenge: how to govern technologies capable of exponentially amplifying capabilities over critical infrastructures and complex digital ecosystems.

 

II. Privacy and Data Protection: GDPR Challenges

The emergence of systems capable of autonomously identifying vulnerabilities at scale directly affects the practical interpretation of obligations under the General Data Protection Regulation (GDPR).

Article 32 GDPR, concerning security of processing, has always been one of the most operationally complex provisions of the Regulation. The GDPR deliberately adopted a technologically neutral and risk-based approach, providing only high-level parameters while effectively delegating to organizations the responsibility for determining what “appropriate” technical and organizational measures should look like.

That flexible regulatory model now faces significant pressure. AI models capable of identifying complex vulnerabilities within minutes fundamentally alter the expected standard of technical diligence. The notion of “appropriate measures” can no longer be interpreted as static. Instead, it increasingly depends on constantly evolving offensive and defensive technological capabilities.

This evolution also affects Article 25 GDPR and the principle of privacy by design and by default. In practice, many organizations were already struggling to maintain effective and up-to-date privacy-by-design frameworks, particularly in highly dynamic technological environments. DPIAs have often operated as relatively static exercises constrained by limited resources, fragmented governance and difficulties integrating legal, technological and cybersecurity functions.

Technologies such as Mythos fundamentally change this balance. If offensive capabilities evolve continuously through automated learning, risk assessments and privacy-by-design mechanisms can no longer rely exclusively on periodic or document-based reviews. The transition from static to dynamic and continuously updated compliance models will significantly increase operational costs, technical requirements and governance complexity.

Paradoxically, this development will likely accelerate the use of AI itself to support compliance functions, risk monitoring and automated supervision of security and privacy controls.

 

III. Mythos and the EU AI Act

Models such as Mythos illustrate some of the most significant regulatory tensions under the EU AI Act. While the Act was primarily designed around a risk-based framework focused on specific AI use cases, the evolution of advanced foundation models increasingly shifts the debate toward the structural capabilities of the models themselves.

The ability to automate vulnerability discovery places these systems within a clear dual-use logic. The same capabilities that may strengthen cybersecurity audits, red teaming or preventive vulnerability detection may also accelerate offensive operations and automated exploitation capabilities.

Advanced foundation models also raise systemic risk concerns. Unlike narrow AI systems designed for limited purposes, foundation models can be integrated, adapted and deployed across multiple sectors and infrastructures, amplifying both their benefits and their risks. In the context of cybersecurity-oriented models, systemic risk does not derive solely from a specific unlawful use, but from the structural capability of the model to industrialize offensive processes, dramatically reduce technical barriers and concentrate strategic cybersecurity capabilities.

Against this background, Anthropic’s decision to restrict access to certain Mythos functionalities through Project Glasswing becomes particularly relevant. The company appears to implicitly recognize that certain technological capabilities require exceptional governance and supervision mechanisms. In parallel, the AI Act and the associated guidance increasingly move toward enhanced obligations regarding governance, technical documentation, traceability and continuous risk assessment for general-purpose AI models and models with systemic risk.

 

IV. NIS2, DORA and Operational Resilience

From the perspective of NIS2 and DORA, advanced automation of vulnerability discovery requires a fundamental redesign of traditional operational resilience models.

For years, vulnerability management programs were built around relatively predictable cycles of identification, validation, remediation and patching. Models capable of dramatically reducing the time between discovery and potential exploitation fundamentally alter that temporal logic.

NIS2 and ENISA’s technical guidance already promoted more demanding approaches based on continuous monitoring, supply chain security, incident management and permanent risk assessment. However, technologies such as Mythos accelerate the transition toward fully dynamic security models.

Organizations will need to redesign vulnerability management processes, monitoring capabilities and incident response mechanisms in order to operate in environments where automated offensive capabilities continuously evolve. Within the financial sector, DORA further reinforces concerns regarding dependency on critical technology providers and concentration risks associated with advanced AI and cybersecurity capabilities.

 

V. Conclusion

Mythos represents a paradigm shift in the relationship between artificial intelligence, privacy and cybersecurity.

AI is no longer merely a tool for efficiency and automation, but increasingly a strategic infrastructure capable of transforming security, operational resilience and technological governance models. In this new environment, the GDPR, the EU AI Act, NIS2 and DORA progressively converge toward a shared regulatory logic based on continuous management of systemic technological risk.

Security can no longer rely on static controls or periodic reviews, but instead requires dynamic models of supervision, monitoring and constant adaptation. In this context, cybercompliance systems and AI-driven monitoring solutions will likely evolve from complementary tools into necessary governance mechanisms for managing increasingly complex and continuously evolving regulatory and technological environments.

 

Article provided by INPLP members: Esmeralda Saracíbar and Nikola Kovacic (ECIX, Spain)

 

 
