Lock down the strongest model first, AI companies start selling access control.

Thu, 16 Apr 2026 20:12:14 +0800

These past couple of days, I came across Anthropic’s Project Glasswing, which is scheduled for release on April 7, 2026. My first reaction was a bit stunned. It wasn’t because another model scored higher, but because it locked the top-tier capabilities into a small circle, initially reserved for defensive players like AWS, Apple, Google, Microsoft, and Linux Foundation.

My own judgment is very direct: This matter is more important than another benchmark record. What frontier AI companies are selling now is no longer just the model itself, but an entire set of access controls—“who gets the capability first, how much capability they get, and what kind of auditing and constraints they have to endure after receiving it.” Models are becoming increasingly like dangerous tools, and the release rhythm is becoming more like issuing licenses.

This is not hoarding, it’s giving equipment to the defending side first

Many news outlets like to write about these kinds of things as “the model is too dangerous so it won’t be made public.” While this isn’t entirely wrong, it’s not accurate enough. Anthropic wrote it more clearly: Claude Mythos Preview is a general frontier model, but because it suddenly became a bit wild in network security tasks, the company chose to first launch Project Glasswing, allowing a group of key infrastructure participants and open-source maintainers to use it for defense purposes first.

What is most critical here is not the “restriction,” but the “order.”

Anthropic has presented some very hard facts in its public materials. Mythos Preview has been found to have zero-day vulnerabilities in all major operating systems and mainstream browsers; it can chain multiple vulnerabilities into a complete exploit; and even engineers at Anthropic without formal security backgrounds, after working on the task overnight, were able to see a working exploit the next day. To be honest, my first reaction upon reading this was not “too strong,” but rather “the peaceful days of many old software are probably over.”

So it didn’t directly open up completely, but first deployed model capabilities to the defense side. The initial partners were not only security companies, but also cloud vendors, chip companies, banks, and infrastructure players like the Linux Foundation. This move speaks volumes: AI companies have already anticipated the security issues of the next stage; it’s no longer about a single team patching its own code, but rather who can patch the layer that the entire industry relies on first.

Model starts assigning access control, audit, and price lists

The more interesting part is later.

Anthropic is not just “internally testing,” but has turned this into a research preview with a budget, a list of partners, and subsequent pricing. The official statement is: first giving these participants up to $100 million in usage credits, and then continuing to open it to participants at a price of $25 per million input/output tokens, which can also be accessed through the Claude API, Amazon Bedrock, Google Vertex AI, and Microsoft Foundry.

This is no longer just research conducted in a lab; it already looks very much like a formal product, except that the first layer of the product is not self-service activation, but an access control system.

I think there’s a pretty clear signal here. In the past, when people understood model releases, it was usually two tiers: publicly available, or not released yet. Now, a third tier is emerging, which is also more realistic: capabilities come out first, but access is gated based on identity, scenario, visibility, and responsibility. Anthropic updated its Responsible Scaling Policy 3.0 on February 24, 2026, making the risk reporting and external review much more concrete; with Mythos’ limited release on April 7, 2026, it basically brought this governance framework into the actual product rhythm.

This is not the first time Anthropic has done this. OpenAI launched Trusted Access for Cyber on February 5, 2026, and then moved it forward again to April 14, 2026, starting to provide a more relaxed access level, or model layer, like GPT-5.4-Cyber, to defense parties with stronger certifications, specifically for cybersecurity use cases. Its statement is very direct: the capability in cybersecurity is dual-use; risk does not only depend on the model itself, but also on who the user is, what the verification signals are, and what level of permission is granted.

How should I put it? After going through this whole process, I’m increasingly feeling that what will truly be valuable next is not “whose model dares to write the exploit,” but rather who can make identity verification, logging/traceability, purpose stratification, platform integration, and external collaboration—these supporting infrastructures—the default configuration. Without this layer, the stronger the capability, the more awkward the release will be.

What does this mean for a regular developer?

If you are not in security, this news might look like something for big tech companies’ high-end players, and it probably doesn’t concern you much. However, I actually think the connection is quite significant.

First, when you see “the new model is not fully open,” don’t immediately assume the vendor is being deliberately obscure. Often, the more accurate situation is that the model is already functional, but the company hasn’t figured out the proper sequence for releasing the risk. Whether it can first be given to a small group of trusted users, whether logging can be implemented, or whether calls without visible tracking can be restricted—these issues now directly determine whether a model can go live.

Second, the default assumptions of software development might be changing. Previously, many teams thought that critical vulnerabilities required strong human experience, long auditing periods, and a bit of luck. Now, this threshold is being lowered by agentic coding and stronger reasoning capabilities. This is good for defenders, but it’s not such good news for teams still holding onto the “just launch it first, patch security later” mentality.

Third, the commercialization path for model capabilities will look more like a cloud permission system rather than just a pure SaaS subscription. Ordinary users buy chat and code generation, while enterprises might be buying finer permissions, auditing, deployment locations, data visibility, and a less error-prone refusal boundary. The model itself is certainly important, but what truly creates the price gap in the future may not just be the model score.

So, in this article, I didn’t elaborate on Mythos’s benchmark, nor did I discuss the details of vulnerabilities in OpenBSD, FFmpeg, or the Linux kernel. Those things are certainly exciting, but they are only superficial. What is more worth remembering is that starting from April 2026, the release of frontier models will no longer just be about “whether it can be built,” but rather about “whether it can be controlled upon release.”

To be honest, this change is a bit bittersweet. Because it means that what will be most scarce in the future is not just smart models, but trustworthy entry points. If you understand this, then looking at the recent wave of identity verification, layered access, and industry collaborations by AI companies, many actions no longer seem like official pronouncements; they are actually paving the way for the next generation of stronger models.

References

Anthropic, “Project Glasswing,” 2026-04-07: https://www.anthropic.com/glasswing
Anthropic Frontier Red Team, “Assessing Claude Mythos Preview’s cybersecurity capabilities,” 2026-04-07: https://red.anthropic.com/2026/mythos-preview/
Anthropic, “Anthropic’s Responsible Scaling Policy: Version 3.0,” 2026-02-24: https://www.anthropic.com/news/responsible-scaling-policy-v3
OpenAI, “Introducing Trusted Access for Cyber,” 2026-02-05: https://openai.com/index/trusted-access-for-cyber/
OpenAI, “Trusted access for the next era of cyber defense,” 2026-04-14: https://openai.com/index/scaling-trusted-access-for-cyber-defense/

Writing Notes

Original Prompt

$blog-writer I don’t know what to write, so search for hot news in the AI circle and just write something.

Writing Outline Summary

This article focuses on the line regarding Anthropic’s Project Glasswing release on April 7, 2026, because it is both a hot topic and allows for a clear judgment.
The main thread of the body is not to reiterate how powerful Mythos is, but to emphasize that AI companies are starting to sell access control, auditing, and trust layering as part of their products.
In the middle section, by contrasting Anthropic’s restricted release with OpenAI’s Trusted Access for Cyber, it shows that this is not an action by a single company, but rather a shift in industry rhythm.
This article deliberately avoids detailing specific exploit details and numerous benchmarks; correspondingly, it focuses on the order of release, commercialization methods, and risk boundaries.
The conclusion returns to the perspective of ordinary developers and enterprise purchasers, concluding with the judgment that “what will be scarcer in the future is trustworthy access points, not just stronger models.”

Cybersecurity on Uncle Xiang's Notebook