ENISA negotiates Mythos AI access amid US export controls

The Model and the Access Program

Mythos is an AI model designed to find and exploit software vulnerabilities, making it valuable for defensive cybersecurity work but also potentially useful for offensive purposes. Anthropic gates access through a controlled initiative called Project Glasswing, which is designed specifically for cybersecurity vulnerability research.

The EU has been pursuing this access for months. ENISA and Anthropic had engaged in at least four to five discussions since April 2026 prior to the June 18 meeting. Commission spokesperson Thomas Regnier confirmed that there had been "several productive meetings" with Anthropic leading up to the June 18 session.

Yet progress has stalled. As of early June 2026, ENISA had not yet secured active access to Mythos, with negotiations over terms and safeguards still ongoing.

Timing and Export Controls Complicate the Picture

The timing creates a genuine dilemma. New US export controls were imposed in mid-June 2026 that limit foreign access to some of Anthropic's most advanced AI models, including Mythos. The EU has been working for months to gain access to a model that the US government has now decided should be harder for foreign entities to access.

This collision between EU regulatory ambitions and US export policy illustrates a broader tension. Cybersecurity agencies need tools to identify vulnerabilities before attackers do. But those same tools can be weaponized. Mythos has both defensive and offensive applications in cybersecurity. The US restrictions reflect concern about proliferation; the EU's push reflects its own security imperatives. Both are rational. Neither is easily reconciled.