Anthropic’s Mythos/Fable model ban showed Washington acting on a lab signal it could measure while flying blind on the one it can’t.
On June 12, the Commerce Department ordered Anthropic to cut off foreign-national access to its two most capable models, Fable 5 and Mythos 5. The reason, according to reporting, was a jailbreak that could unlock the model’s highly capable offensive cyber capabilities, though that account remains contested. In response, the company disabled the models for every customer on earth in order to comply and noted, after complying, that comparable capabilities exist in rival models, and those models were not affected by this order. Over the next eighteen days the government reversed itself in stages, first restoring Mythos to a set of approved partners, then lifting the controls entirely, a walk-back as unstandardized as the original ban. By July 1, Fable was back online worldwide. Whether any step along the way was justified is difficult to know, because none of it could be checked against a systematic public record of what AI actually does in real cyber intrusions. Building that record is the focus of this article. The fix is small, four questions added to a reporting rule the government is already finalizing, and the benefit is direct: the first standing federal record of AI’s role in real attacks, so the next decision like June’s can rest on evidence instead of guesswork.
The reason it is not verifiable today is that the federal government is limited in what it can and cannot effectively measure. Today, the federal government and model providers can measure and record what Mythos does in a test. For example, Anthropic said back in April 2026 that its Mythos model found thousands of high-severity zero-day vulnerabilities on its own, a claim not fully consistent with some independent testing performed subsequently. Any model that can discover serious flaws at scale like Anthropic claims would be a real proliferation risk in the face of a jailbreak that can be leveraged by capable non-state cyber actors or nation states. What Washington cannot measure in a reliable way today is what role AI plays in the kill chain of any real attack, and whether that laboratory capability is being weaponized in the wild, by whom, at what rate, to what effect.
Given this state of affairs, when the Trump administration felt it had a reason to act, it reached for the one lever backed by the evidence it could see and swung it as hard as the lever goes: a global kill switch on a commercial product, on a contested signal, with no standard for when a capability crosses into danger or against whom the response should fall. In national security, the government rarely has the luxury of waiting out uncertainty; when a threat cannot be verified or bounded, the protective option usually wins, and on those terms the ban may have been a defensible one-time call. But forced caution is not a substitute for a consistent policy, and the decision may be indicative of other considerations given the recent legal history between Anthropic and the Trump Administration. Acting on the meter that you can read (capability during testing) while blind on the one that’s missing (use in the wild) is not a stable way to govern a fast-moving technology.
This failure is not a one-off. Much of the architecture Washington built in the last year overlooked the same missing measurement. A February 2026 NIST standards initiative, a March 2026 national cyber strategy, a June 2026 executive order, and a House draft bill all proceed from the premise that AI has changed the way malign actors conduct attacks, all without a reliable data-driven way to tell how much of any real intrusion AI made newly possible versus just made faster and cheaper. Those are different aspects of the AI cyber threat demanding different responses, and the gulf between them is a well-established complaint: in February 2026, the International AI Safety Report conceded that incident data “rarely allow for confident attribution,” and analysts have warned the government has no systematic way to tell a genuinely AI-enabled attack apart from a conventional one.
The ambiguity is real in either direction and that is why just assuming or guessing won’t do. A randomized trial by RAND for the UK’s AI Security Institute in a May 2026 report found “generally statistically insignificant” gains when people used frontier models to run end-to-end attacks. Yet the capability side just moved: in April 2026 that institute reported that a model for the first time completed its 32-step simulated corporate intrusion on its own, and within weeks GPT-5.5 had solved that range in three of 10 attempts while Mythos solved it in six. The vendor numbers that drive headlines don’t resolve it either. The FBI’s first-ever AI breakout in its Internet Crime Report was $893 million of 2025 losses, but that is an AI-related tally counted only where victims recognized AI and a mix of fraud and intrusion, an incomplete indicator rather than a measurement of AI cyberattacks. Lab benchmarks, telemetry data, law-enforcement complaint data, and victim incident reports are four separate evidence streams that the federal government often treats as a single one. And the gap between an inflated vendor claim and a confirmed independent test leads to the same lesson: the measurement has to come from somewhere other than the parties with an incentive to skew it. Frontier model cyber capability is increasing; the real-world impact of it is largely unproven; and the distance will not be closed with better rhetoric.
None of the year’s marquee actions at the federal level are likely to close it either. The June executive order benchmarks frontier model cyber capability creates a voluntary pre-release access framework, and coordinates vulnerability discovery and patching. It does not mandate or suggest a count of AI’s operational role in any reported intrusion. The NIST standards effort asks how to secure AI agents, not how to count what they have done adversarially. When the gap is acknowledged, the reflex is to propose a new institution or government agency, like a dedicated AI Security Review Board or something similar, as some have urged. That may be a necessity in the future that is worth building but is likely to be a slow, deliberative, and political process, and a faster lever is open right now.
CISA is still finalizing the reporting rule required by CIRCIA, the law that will compel critical-infrastructure operators to report serious cyber incidents. That rule is overdue; its statutory deadline passed in 2025, and it remains unpublished. CISA spent this spring gathering additional stakeholder input on what the reports should contain before finalizing it. The rule is not yet written in stone, and the questions below belong in it before it is.
For any reported intrusion, answer the following questions:
- Did AI find the vulnerability?
- Did AI write the exploit?
- Did AI stand in for skilled human labor?
- Did AI in this attack operate without human direction?
Given the high likelihood of uncertainty in these answers, it is important to let “unknown” be a permitted answer, and to subsequently treat those “unknowns” as the baseline measure of how blind the country is, a rate that reflects both genuine attribution gaps and the early nature of the reporting. Within CIRCIA’s 72-hour window, a stressed response team often will not be able to say whether an exploit was written by a human or AI-generated (or to what degree), which is the point of permitting ‘unknown’ rather than forcing a guess. A record full of early unknowns still has value, because the unknown rate is itself the baseline, and watching it fall is how the country would measure its own improving sight. Each answer should also have an assigned confidence level like: confirmed, probable, possible, or unknown, so the form collects graded evidence and the nuance that exists rather than just bare assertions.
While not a panacea that addresses the issue in its entirety, the idea behind the fixed rubric is that it would bring forward the distinctions the headlines tend to blur. For demonstrative purposes, we can run the rubric on cases already in the public record (even if they don’t relate directly to critical infrastructure). The November 2025 espionage campaign that ran on Anthropic’s model would score a clear “yes, confirmed” on the third question, the model performed the bulk of the tactical work, and a “partial yes, probable” on the fourth, since humans still chose the targets. The Sysdig case from May 2026, where a human actor conducted the initial compromise but an AI agent ran the whole post-compromise chain by itself, scores “yes, confirmed” on the fourth question. The February 2024 $25.6 million Arup deepfake scores “no, confirmed” across all four. It was fraud, not an intrusion, and though it’s often cited alongside cyber-attacks, the rubric would exclude it from the intrusion count. Other existing taxonomies classify AI harms, like those cataloged in CSET’s harm taxonomy or the public AI Incident Database, but none of those appear to give CISA a CIRCIA-ready rubric for scoring AI’s operational role inside a network intrusion, and that is the specific gap four fields would begin to fill. CIRCIA won’t cover the whole threat surface, and the early returns are likely to be heavily marked “unknown,” and skewed toward victims with mature forensics, but it’s a useful starting point and would create a standardized federal record of where AI actually shows up in real intrusions. It has the added benefit of not requiring the creation of an entirely new federal agency.
It would also put a future Mythos-style decision on firmer footing with a real-world data-driven denominator rather than an assumption. With a running record of where AI capability is actually exploited in the wild, the government weighing a model like Mythos would have one input it now totally lacks. It would not act as a substitute for red-team results, model evaluations, and intelligence, but as a real-world ground truth that today has no source at all. Instead of “this model can find zero-days, a narrow jailbreak exists, so disable it,” this additional information would add a “this class of capability appears in this many real intrusions, against these targets, at this rate” to the conversation. The capability meter has already given its first reading; the incident meter remains yet to be built and read. Where benchmarks show machines clearing the real bottlenecks of an intrusion, graduated review of those models is warranted, and against catastrophic, irreversible risks, that capability evidence can justify precaution before any use in the wild is seen. But precaution still needs to be calibrated, and the same incident record that signals when to escalate is the one that could have told the government whether their Mythos/Fable action was proportionate, evidence it still does not collect. The Trump administration has spent the year deciding how to govern AI in cyberspace, but it has not yet decided to count its adversarial use. These four questions would be a start, in CIRCIA or whatever reporting vehicle comes after it.




