Summary
- The Chertoff Group recently launched a podcast series called Mission Critical Conversations, bringing together experts to discuss today’s most pressing security issues.
- In this episode, David London leads senior advisors Michael Johnson, Sammy Migues and Dan Sutherland through the security implications of Anthropic’s Mythos, which can autonomously chain vulnerabilities and generate exploits in real time and push the offense-defense race to machine speed.
- The panel lays out practical actions for security leaders, including codifying governance, building real-time asset visibility and defining clear boundaries between AI decisions, agentic actions and human ownership.
The security landscape is undergoing a fundamental recalibration with the release of Anthropic’s Mythos Preview and other Mythos-class models. As we learned during its limited release, Mythos can identify and weaponize complex software vulnerabilities at unprecedented speed. Combined with the rapid acceleration of AI-assisted coding, security leadership and practitioners are facing an “offense-defense” arms race that is moving at machine speed.
To help security leaders navigate this transition, The Chertoff Group recently hosted a discussion led by David London, principal of cybersecurity, and featuring expert insights from senior advisors: Michael Johnson, former CISO of Meta Financial Technologies and Capital One; Sammy Migues, creator of the Building Security in Maturity Model (BSIMM); and Dan Sutherland, former Chief Counsel for CISA and former Meta attorney.
The Reality of the “Mythos” Threat
The apprehension surrounding Mythos is not merely marketing hype. As Johnson explains, Mythos represents a significant leap in capability. By ingesting vast amounts of publicly available source code and pairing it with the ability to dynamically ingest proprietary datasets, Mythos can design, build and execute a sophisticated cyber attack.
Unlike traditional LLMs that simply interpret information, this model can autonomously chain vulnerabilities to generate exploits in real-time. For security teams, this means that flaws that previously evaded detection for decades can now be identified and exploited in moments.
As Migues notes, this is a big deal today and will be for a while. It’s like having a massive team of hackers that have seen every line of code and every exploit ever created and can apply them in a single-minded way. Migues also noted that PCI and GDPR were also big deals but eventually the community adapted.
Governance, Risk and Compliance (GRC) at Machine Speed
A common reaction to rapid technological change is to deprioritize governance to maintain speed. Our experts argue the opposite: GRC is now more critical than ever.
Sutherland, who has managed legal frameworks for rapid innovation environments like Meta, suggests that GRC teams must evolve from slow, 50-page memo writers into agile partners.
Create Decision Templates: Don’t reinvent the wheel. Identify what your key decision-makers need to see and standardize the process.
Assemble the Right Team Early: Get cross-functional decision-makers including legal, engineering and security into the room before a crisis, not after.
Codify Governance: As Migues puts it, “we have gotten better at Infrastructure as Code and Security as Code, but Governance as Code still eludes many organizations.” This is the forcing function that will move us toward automated, scalable policy enforcement.
Asset Visibility: The Foundation of Defense
You cannot defend what you do not know exists. In an environment where asset enumeration can be automated by malicious actors, traditional, point-in-time CMDBs are no longer sufficient.
Johnson emphasizes that organizations must transition to “Mythos-ready” programs that address the latency and inaccuracies with legacy asset management approaches.
Address the refresh rate: Implement real-time asset insights and drift management through runtime sources of truth. When a new vulnerability emerges, your team should be able to instantly determine if it applies to your environment.
Strategic Resilience: Focus on burning down technical debt. Aging systems and end-of-life software are the primary attack surfaces that these models will exploit.
Managing the Flood of AI-Assisted Code
With GitHub projecting a 16-fold increase in code commits by 2026, software security programs are facing an unprecedented deluge. How do you maintain quality when agents can generate 5,000 lines of code in a single pull request?
The answer lies in clear delineations of agency. Migues suggests that organizations must carefully distinguish between:
AI Decisions: What are you comfortable allowing an agent to decide or respond to?
Agentic Actions: What can an AI do with those decisions?
Human Ownership: What risk responsibility must remain with a human in order to maintain accountability?
Ultimately, human oversight must shift from reviewing every line of code to setting the guardrails. You define the policy; the agents execute the work within those boundaries.
Practical Steps for Leaders Today
If you are leading a security program, GRC or engineering function, where should you start? Our panel concluded by recommending three practical actions in the near-term:
Secure the Business, Enable the Business: As Migues advises, document how your organization works. How is a security gate in the CI/CD pipeline implemented? Who does release engineering? You cannot automate or delegate what you have not first understood and defined.
Start a Transparency Report: Sutherland recommends creating a clear, “plain English” internal document. Define how your organization is using AI, your data sources and your infrastructure. This serves two purposes: it aligns your board and leadership today, and it provides a defensible audit trail for regulators tomorrow.
Refactor for Resilience: Johnson notes the hidden “superpower” of these tools. Use AI agents not just to find vulnerabilities, but to refactor legacy code and eliminate technical debt. The businesses that move from “managing” tech debt to “automating its removal” will be the ones that thrive.
The Bottom Line
This is a transitional period where regulatory frameworks are lagging technological reality. Rather than waiting for external mandates, build a defensible program now by integrating security into the development lifecycle at pace. By focusing on asset visibility, codified governance and precise human-agent collaboration, the challenges of the age of Mythos can be turned into an opportunity for securing and enabling the business.
Watch the episode here.
You can also read David London‘s Mythos blog from April 2026.
