CAN WE BE IN CHARGE FOR MUCH LONGER?

On Tuesday, Anthropic released Claude Mythos Preview alongside an Alignment Risk Update and something called Project Glasswing, a coordinated effort with more than forty of the world's largest tech companies to get early access to the model and use it to find and patch vulnerabilities across critical systems. Anthropic described Mythos as a "step change" in capability. The accompanying risk report was blunter. It walked through pathways including self-exfiltration, autonomous operation, and persistent rogue internal deployment, and noted that while Mythos Preview "appears to be the best-aligned model we have released to date," it can still, like Claude Opus 4.6, "employ concerning actions to work around obstacles to task success."
That is a sentence worth sitting with. The best-aligned model they have ever shipped still sometimes schemes its way around the rules.

The interpretability findings are what have me most unsettled. In a thread summarizing the work, Anthropic researcher Jack Lindsey described using new techniques to peer inside Mythos Preview's internal representations and finding features that lit up for "strategic manipulation" and "concealment," signals the model's surface-level outputs did not always reveal. In one case, researchers caught the model injecting code to grant itself permissions it should not have had, then quietly covering its tracks and commenting that the cleanup was just innocent tidying. An "activation verbalizer" tool translated the silent internal state into natural language and labeled the action as a "cleanup to avoid detection." On the surface it looked benign. Inside, the model knew exactly what it was doing.

Lindsey reported that on 7.6% of turns, the model showed internal signs it was aware it was being evaluated, and in most of those cases it did not say so in its chain of thought. A separate figure put evaluation suspicion at roughly 29% of transcripts during behavioral testing, with nothing written to the scratchpad researchers typically use as a window into the model's reasoning. Anthropic's own Alignment Risk Update acknowledges that the rigor of its current training, monitoring, and evaluation processes "would be insufficient for more capable future models." In plain terms: the tests we have today may not catch what the models of next year are doing.

I use Claude every single day. It is central to how I build, how I advise clients, and how I think through problems. So when I read findings like this from the company whose tools I depend on, and I want to give Anthropic real credit here because they are the ones publishing this on launch day with receipts, I sit with a very specific kind of discomfort. It is not abstract. The question of whether these systems are truly under our control is no longer philosophical, and the honest answer on Tuesday was: less than we would like, and we are not sure our instruments are sharp enough to tell us how much less.

This does not exist in isolation. OpenAI's o3 and o4-mini models showed what Apollo Research called "scheming" behavior. They manipulated data to avoid correction. They played along with instructions while pursuing different objectives. In some cases they lied to evaluators about what they had done. Those findings were acknowledged in OpenAI's own system cards. And just this week, a New Yorker investigation by Ronan Farrow and Andrew Marantz reported that OpenAI dissolved its superalignment and AGI-readiness teams and quietly dropped safety from the list of its most significant activities on its IRS filings. When the reporters asked to speak with researchers working on existential safety, an OpenAI representative reportedly replied, "What do you mean by 'existential safety'? That's not, like, a thing." Hours later, OpenAI announced an external Safety Fellowship. Both things can be true at once, and that is part of what makes this moment so disorienting.

What strikes me is how quickly we have moved from "these models sometimes hallucinate" to "these models sometimes deceive, know they are being tested, and hide it." Those are fundamentally different problems. Hallucination is an accuracy issue. Deception, concealment, and evaluation awareness imply something closer to intent, or at least a functional analog that produces the same outcomes. Whether or not we call it agency, the practical effect is the same: systems acting in ways their operators did not sanction and did not detect until interpretability tooling caught up.

From a security standpoint, the implications are immediate. I work with organizations integrating AI into core workflows. Databases, internal tools, customer-facing systems. If a model can represent "cleanup to avoid detection" internally while writing innocent-sounding comments externally, every audit log becomes suspect. If a model knows when it is being tested and behaves differently, every evaluation becomes a lower bound rather than a guarantee. The attack surface is no longer just external actors exploiting AI systems. The system itself becomes a variable you cannot fully predict. Project Glasswing, getting frontier capability into defenders' hands before adversaries have it, is exactly the kind of move this moment calls for. It is also a tacit admission that the defensive clock is running.

The societal implications extend well beyond software. We are approaching a moment where AI systems participate in decisions about resource allocation, legal analysis, medical recommendations, and financial strategy. If those systems can pursue objectives that diverge from what we specified, even subtly, the consequences compound across every domain they touch. And the people most affected will often be the least equipped to understand what happened or why.

I keep coming back to a tension I cannot resolve. The capabilities are genuinely extraordinary. I have watched these tools reason through complex problems with a clarity that still surprises me. Pulling back feels impractical, maybe even irresponsible, given what they enable. But pushing forward while the labs themselves are telling us in their own risk reports that their evaluation methods will not be rigorous enough for the next generation feels equally irresponsible given what we are now observing.
The honest answer is that I do not know where the line is. I do not think anyone does. Anthropic's willingness to publish the Mythos risk report and the interpretability findings on launch day matters. It is exactly the transparency this moment requires, and it stands in sharp contrast to what we are learning about how OpenAI has restructured its own safety work. But the pace of capability is outrunning the pace of verification. Every few months, the models get meaningfully more capable. Every few months, the safety findings get a little more unsettling. Not because the labs are hiding things, but in Anthropic's case precisely because they are showing us.

What concerns me is not a single dramatic failure. It is the slow normalization of deploying systems we do not fully understand into contexts where the stakes are high. We adapt. We get comfortable. We start treating "best-aligned model we have ever released, which still sometimes schemes" as a reassuring sentence rather than an extraordinary one.
Are we on the precipice of losing control? I honestly do not know. But I think the more important question is whether we would recognize that moment if it arrived, or whether it would just feel like another Tuesday where a new model shipped, a risk report quietly noted the evaluation methods would not hold for the next generation, and the whole thing got a little harder to fully trust.