In April 2026, the Canadian Centre for Cyber Security published its ITSAP.10.050 guidance on Frontier AI. For the first time, an official Canadian advisory named a specific AI model as an example of the new threat: Claude Mythos by Anthropic, called out for its capabilities in autonomous vulnerability discovery, zero-day exploit generation, and multi-step attack orchestration.
Federal advisories rarely single out a vendor, let alone a specific model. When one does, the security community would be wise to treat it less as guidance and more as a forecast.
Across critical infrastructure, security teams are racing to patch, harden, and segment in response. That work is necessary but incomplete, because the conversation about Mythos has been almost entirely about prevention and fixing vulnerabilities, when the harder question is what happens after the intrusion succeeds.
It’s Not If, It’s When
For two decades, the cybersecurity industry has sold one core promise: keep them out. Block the phishing email. Patch the CVE. Catch the malicious binary. The implicit assumption was that prevention was a line you could hold.
Mythos breaks that assumption. With AI that automates reconnaissance, exploitation, and lateral movement, the gap between vulnerability disclosure and exploitation is collapsing from weeks to hours. Phishing emails will be indistinguishable from legitimate communication. Voice impersonation will be routine. Pretexts will be context-aware and produced at industrial scale.
You will be compromised. The only question left is how much damage they can do once they are in.
Your Perimeter Doesn’t Matter, Your Blast Radius Does
The ITSAP.10.050 guidance suggests that critical infrastructure organizations should be able to operate disconnected from external networks for extended periods. Defensively, the logic is sound. Operationally, it creates a level of friction that most modern businesses cannot sustain.
So if you cannot fully prevent the intrusion, and you cannot fully isolate from the network, what is left?
The blast radius. The amount of damage a single compromised account, machine, or service can do once an attacker has it. This is the variable you actually control. And it is the variable that determines whether an incident is a contained event or a front-page breach.
Reducing your blast radius is what the rest of the ITSAP.10.050 guidance is actually about: the “crown jewels” approach, segmentation, micro-segmentation, Zero Trust. They all point to the same operational truth: people should only have access to what they need to have access to. Nothing more.
The Canada Life Breach Wasn’t Unique
In April 2026, Canada Life confirmed a cyber incident involving unauthorized access to applications through an employee account. The incident was contained, but personal information of clients was exposed and credit monitoring was offered to those affected.
One employee account. That was the entry point. A legitimate account, almost certainly compromised through a technique that has been around for years.
The critical question is not “how did they get in?” It is “why did this account have access to that much?”
That is the blast radius question. And it is a question every critical infrastructure organization should be asking, urgently, of every account in their environment.
Your Employees Are the Control
Here is the part that makes most security leaders uncomfortable: your employees are both the weakest link and the strongest control. The same person who will eventually click a Mythos-crafted phishing email is also the only person who actually knows whether the SharePoint site they own should still be shared with twelve external guests, or whether the OneDrive folder they created in 2022 still needs the entire finance team in it.
Your IT team cannot answer those questions. They do not have the business context. They can see that an account has access to ten thousand files. They cannot tell you which of those access grants are still legitimate.
Only the data owner can. While IT teams may run periodic cleanup campaigns, access reviews are often manual, inconsistent, and disconnected from the people who understand the data best.
That gap, between the access that exists and the access that is still justified, is your blast radius. It grows every week. It is invisible until something goes wrong. And it is the single largest determinant of how an incident plays out when (not if) it happens.
Mythos Is the Forecast, Not the Storm
Mythos is a preview. Successor models will be more capable, more available, and more weaponized. The window between this advisory and the first wave of incidents that cite Mythos-class capabilities by name will not be long.
Critical infrastructure operators will not disconnect from the internet for three months. They will not prevent every initial compromise. What they can do, starting today, is shrink their blast radius. The federal guidance is pointing in this direction. The recent breaches are illustrating it. The technology to do it at scale, inside the productivity environment your employees already work in, exists.
One Thing You Can Do Now
The business case to fix this problem takes longer to build than the fix itself. The real question is no longer whether your organization can afford to act, but what each month of inaction is adding to the remediation bill (and to the personal exposure of the person who will sign the next attestation).
If you do only one thing this quarter, do this: pick a single SharePoint site, run an access review on it, and bring the resulting numbers to the board. That is real exposure on a real site, measured in less time than the next steering committee will take to schedule. Then ask the board the only question that matters: how many other sites look like this one?
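What that single-site review produces in practice is a handful of numbers and a list of questions only the data owner can answer. The script below is an added example, not code from the article or from any SharePoint or Microsoft Graph tooling: it runs over a constructed permission export (the GRANTS list, with assumed field names, not a real SharePoint schema) and flags the grants an access review would put in front of the site owner: guests, grants unused for 90 days or never used, anonymous "anyone" sharing links, and access inherited through broad groups. The threshold and group names are assumptions to be tuned per organization.

```python
"""Single-site access review over a constructed permission export.

Added example (not the article's or any vendor's code). The export shape,
field names and thresholds below are assumptions: one row per principal
holding access to the site, how it was granted, and when it was last used.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2026, 4, 30)            # constructed "today" for the review
STALE_AFTER = timedelta(days=90)           # assumed: unused this long => removal candidate
BROAD_GROUPS = {"Everyone except external users", "All Company"}  # assumed names

# Constructed export for one SharePoint site. "via" is how access was granted:
# "direct", "group:<name>", "link:anyone" (anonymous link) or "link:organization".
GRANTS = [
    {"principal": "alice@corp.example", "kind": "member", "via": "direct",
     "granted": date(2024, 2, 1), "last_access": date(2026, 4, 28)},
    {"principal": "bob@corp.example", "kind": "member", "via": "group:Finance Team",
     "granted": date(2022, 6, 15), "last_access": date(2025, 11, 3)},
    {"principal": "carol@corp.example", "kind": "member", "via": "group:Finance Team",
     "granted": date(2022, 6, 15), "last_access": date(2026, 4, 2)},
    {"principal": "dave@corp.example", "kind": "member",
     "via": "group:Everyone except external users",
     "granted": date(2021, 1, 10), "last_access": None},
    {"principal": "vendor1@partner.example", "kind": "guest", "via": "direct",
     "granted": date(2023, 9, 1), "last_access": None},
    {"principal": "vendor2@partner.example", "kind": "guest", "via": "link:anyone",
     "granted": date(2025, 12, 5), "last_access": date(2026, 1, 12)},
    {"principal": "auditor@firm.example", "kind": "guest", "via": "direct",
     "granted": date(2026, 3, 20), "last_access": date(2026, 4, 29)},
]


def review(grants, today=REVIEW_DATE, stale_after=STALE_AFTER):
    """Return (summary, findings): the numbers for the board and the per-grant reasons."""
    cutoff = today - stale_after
    findings = []
    for g in grants:
        reasons = []
        # Never used, or not used within the window: the grant exists but is not justified by use.
        if g["last_access"] is None or g["last_access"] < cutoff:
            reasons.append("stale")
        # Anonymous links are access without an identity to revoke.
        if g["via"] == "link:anyone":
            reasons.append("anonymous-link")
        # Broad groups give access to people nobody chose individually.
        if g["via"].startswith("group:") and g["via"][len("group:"):] in BROAD_GROUPS:
            reasons.append("broad-group")
        if reasons:
            findings.append({"principal": g["principal"], "kind": g["kind"],
                             "via": g["via"], "reasons": reasons})

    summary = {
        "grants": len(grants),
        "guests": sum(1 for g in grants if g["kind"] == "guest"),
        "stale": sum(1 for f in findings if "stale" in f["reasons"]),
        "stale_guests": sum(1 for f in findings
                            if "stale" in f["reasons"] and f["kind"] == "guest"),
        "anonymous_links": sum(1 for f in findings if "anonymous-link" in f["reasons"]),
        "broad_groups": sum(1 for f in findings if "broad-group" in f["reasons"]),
        "removal_candidates": len(findings),
        # Blast radius of one compromised account on this site if every candidate is revoked.
        "grants_after_cleanup": len(grants) - len(findings),
    }
    return summary, findings


def owner_questions(findings):
    """The questions IT cannot answer and the data owner can, one per flagged grant."""
    return [f"Does {f['principal']} ({f['kind']}, {f['via']}) still need access? "
            f"Flagged: {', '.join(f['reasons'])}." for f in findings]


if __name__ == "__main__":
    summary, findings = review(GRANTS)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for q in owner_questions(findings):
        print(q)
```

On the constructed site, seven grants shrink to three once the owner confirms the flagged ones can go; the same loop run across every site in the tenant is the number the article says nobody in the building knows.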
The honest answer, for most operators we talk to, is that nobody in the building actually knows. That number is the work. Until it gets quantified, every other security investment is sized to the wrong problem.
Your exposure isn’t paced to your budget cycle. The one thing you can do is start shrinking your blast radius now, at scale, before the next breach decides the timing for you.