In the first week of May 2026, the Trump administration began moving toward AI oversight rules that its own officials had spent months dismissing. The trigger was not a change in ideology. It was a demonstration by Anthropic's Claude Mythos model that a single AI system could autonomously identify thousands of exploitable software vulnerabilities across the infrastructure that modern economies depend on, and produce working attack code in more than 80 percent of attempts.
A Reversal With a Specific Cause
From its earliest months, the Trump White House positioned itself against the AI safety frameworks associated with the Biden administration's 2023 executive order on AI. Senior tech policy advisors argued that mandatory evaluations and licensing requirements would slow American AI development without meaningfully reducing risk. That argument held steady until Anthropic published the Claude Mythos Preview in early April 2026, and federal security officials began to understand what the model could do at scale.
Mythos's ability to produce working software exploits, finding bugs across every major operating system, browser, and cloud platform autonomously, changed the terms of the debate. The concern was not that Anthropic would misuse the model. It was that the capability, once available more broadly, could be replicated by actors with no interest in coordinated disclosure. The White House's own cybersecurity advisors reportedly cited Mythos's 83 percent first-attempt exploit success rate as the number that moved internal discussions.
The Policy Shift by the Numbers
- Trigger modelAnthropic Claude Mythos Preview (April 2026)
- Exploit success rate83% on first attempt
- Zero-days identified1,000+
- New CAISI agreements3 (Google DeepMind, Microsoft, xAI)
- Draft EO pre-deployment window90 days before public release
- Critical infrastructure noticePre-release access proposed for banks and key providers
CAISI and the New Agreements
The policy shift materialized through the Center for AI Standards and Innovation, a unit of NIST that had previously focused on voluntary standards. In early May, CAISI announced agreements with Google DeepMind, Microsoft, and Elon Musk's xAI that will give the U.S. government the ability to evaluate AI models before they are publicly available. The agreements cover both pre-deployment evaluation and targeted research into frontier AI capabilities.
"We will conduct pre-deployment evaluations and targeted research to better assess frontier AI capabilities and advance the state of AI security." Center for AI Standards and Innovation, agreement announcement, May 2026
Anthropic was not listed in the initial CAISI announcement, but the company had already run its own coordinated disclosure process through Project Glasswing, the closed coalition it assembled to patch Mythos's findings before any broader release. The administration's emerging framework effectively formalizes what Anthropic did voluntarily. The irony is pointed: a company the White House has separately tried to label a supply chain risk in federal procurement disputes is also the one whose model capabilities appear to have driven the administration toward tighter AI regulation. The ongoing appellate case over that supply-chain designation is legally unrelated to the CAISI agreements, but both processes reflect the same underlying fact about a lab building at Mythos's capability level.
The Executive Order on the Horizon
The White House is expected to sign an executive order on AI and cybersecurity that would establish a voluntary framework requiring AI developers to submit frontier models to the government 90 days before public release. Critical infrastructure providers, including major banks, would receive pre-public access during that window.
The proposed order is narrower than the Biden administration's approach, which tried to address AI risk across a broad range of potential harms. This version draws the compliance burden tightly around cybersecurity and national security capability thresholds, the specific categories that Mythos made concrete. That narrowing may make it easier to advance without broad industry opposition, because it targets the handful of labs building models that can autonomously produce functional exploits rather than the entire AI industry.
For companies like Anthropic, the framework is less a new constraint than a federal codification of what they are already doing. Anthropic's own Responsible Scaling Policy commits it to capability evaluations before deployment. The EU AI Act takes a similar approach on the European side. A U.S. executive order aligned with that logic would give the voluntary framework enforceable weight, at least for models deployed on U.S. infrastructure.
Where This Leaves the Industry
The speed of the White House's reversal is worth noting. It took fewer than 60 days from Anthropic's April Mythos Preview to the emergence of formal CAISI agreements and a draft executive order. That pace suggests the policy community absorbed the significance of Mythos's capabilities faster than it absorbed most previous AI capability milestones, and it validates the argument Anthropic made when it chose not to release Mythos publicly: that autonomous exploit development at this scale is a qualitatively different kind of capability, not simply a faster version of what security researchers have always done.
The longer-term question is whether the CAISI agreements and the pending executive order will hold across a full administration or survive a change in political leadership. AI governance frameworks have a poor track record of stability across administrations. What is different this time is that the capabilities that drove the policy reversal are not going away. Any successor administration will face the same problem Mythos made visible, and the same pressure to respond.
