Collateral Damage: Claude Mythos and the Privacy Risks of AI

Since the emergence of generative AI, public debate has largely focused on misinformation, copyright and productivity. Far less attention has been paid to what increasingly capable AI systems may mean for privacy and data protection.

Enter: Anthropic’s Claude Mythos and its consumer-facing version, Fable model.

While the model has primarily been discussed through the lens of cybersecurity and public safety, the underlying issue is also about personal data, surveillance and the concentration of technical power.

The Mythos/Fable situation therefore raises an important question:

Who decides what happens to protect our privacy and security when AI systems become capable of discovering pathways into the infrastructure that stores and protects personal data?

Overview

Claude Mythos entered public discussion after Anthropic announced in early 2026 that it would not release the model broadly to the public.

According to the company in early 2026, Mythos demonstrated advanced capability in identifying software vulnerabilities and, more importantly, not only able to provide working proofs that the vulnerabilities were exploitable, but chaining together vulnerabilities to achieve it.

Anthropic instead restricted access to selected cybersecurity organisations and government-linked partners through a limited programme.

The company framed the decision as a responsible safety measure.

But, on June 9th, they released Fable 5 - a version considered to be safe to the public. Only three days later, the US government ordered them to prevent foreign nationals using the tool. Anthropic responded by removing access to Fable 5 and Mythos 5 for everyone.

The Privacy Implications

Privacy in the modern era depends on the assumption that digital systems, and the personal data they process, can be secured.

Personal communications, health records, financial data, location histories, intimate images and sensitive organisational information are all protected through layers of software and hardware security. When vulnerabilities are discovered in those systems, privacy protections often fail alongside them.

The concern surrounding Mythos is therefore not merely that AI can help discover software flaws. It is that AI may dramatically accelerate the ability to identify and exploit weaknesses in systems responsible for safeguarding personal data.

Historically, vulnerability discovery has required specialised expertise, significant resources and considerable time. Anthropic’s own claims suggest Mythos significantly lowers those barriers.

The significance of this capability is not simply that it may increase the number of people capable of finding vulnerabilities. It is also that generative AI systems are effectively indefatigable. Unlike human researchers, they can be tasked with analysing large and complex codebases continuously, dramatically increasing the scale and speed of vulnerability discovery.

This is particularly relevant as governments around the world continue to centralise large volumes of citizen data within digital identity systems, public service databases and other national-scale information infrastructures. At the same time Governments are centralising entire populations’ data behind increasingly mandatory publicly-accessible apps and websites, the barriers to malicious actors finding vulnerabilities in these services are being drastically lowered by the models.

It also means:

• more opportunities for mass and population-scale data breaches
• greater risk of surveillance and unauthorised access
• increased exposure of sensitive communications
• vulnerabilities for journalists, activists and marginalised communities.

The Human Consequence

Discussions about cybersecurity often abstract harm into technical language about systems, networks and infrastructure. But, framing the issue of Mythos around privacy centres people as the ones potentially harmed.

Data breaches expose intimate personal information. Compromised communications systems place journalists and activists at risk. Vulnerabilities in healthcare or public service systems can affect safety, dignity and access to essential services.

The Governance Problem

The Mythos system also exposes a broader governance challenge for privacy regulation.

Under GDPR, organisations processing personal data must implement appropriate technical and organisational measures to ensure security, conduct risk assessments and design systems that minimise the impact of successful attacks.

The challenge raised by systems such as Mythos is whether these measures remain sufficient when AI dramatically accelerates the speed of vulnerability discovery.

Existing practices may not yet be ready to address the sheer complexity and dynamic nature of these new systems. Feedback loops, continual adaptation and autonomous action across domains all present significant challenges.

One way of understanding the problem is that AI changes the speed of the moving target. Security has always involved a race between defenders and attackers. Frontier AI systems like Mythos may significantly increase the pace of that race.

It is worth noting, too, that open weight models have never been that far behind closed frontier models like this, and in this instance can probably already replicate the results.

Anthropic’s move to limit Mythos and Fable, as well as the US Government’s decision to restrict access is only a temporary measure with a limited effect. In essence, the proverbial cat is out of the bag when it comes to AI systems.