What happens when software can start proving its own security?

The latest preview from Anthropic’s Claude Mythos feels like one of those moments that’s easy to underestimate at first and then hard to ignore once it sinks in.

At machine speed, it is identifying thousands of vulnerabilities that survived decades of human scrutiny and millions of automated tests.

Like any technology, in the right hands it is a major step up toward more secure systems. But what technology gives, it can also take away: in the wrong hands, it is a security nightmare.

For a long time, cybersecurity has been built around a pretty simple, mostly unspoken assumption: software will have flaws. It always has, and it probably always will. So instead of trying to make software perfect, we built layers around it: tools to detect issues, systems to prevent attacks and teams to respond when something inevitably slips through. It’s a rational, cost-based approach in a world where testing is expensive and slow.

That approach has shaped an entire industry.

But what happens if that assumption starts to crack? What if the costs and time to detect and patch vulnerabilities drop to near zero? Not just for the software vendor, but for malicious actors as well?

Rethinking where security actually lives

What Anthropic is hinting at with Claude Mythos is a shift in where security actually lives in the lifecycle.

Most security today is still, in some way, downstream. Even when we call ourselves proactive, running scans in CI/CD pipelines, doing regular pen tests and so on, we’re still reacting to code that already exists. We’re analyzing, probing and trying to catch what might go wrong.

AI starts to blur that line.

If a model can comb through massive codebases, spot subtle patterns humans miss and connect dots across entirely different systems, it’s no longer just a reviewer. It starts to look more like a collaborator, one that can catch problems as they’re being created, not just after the fact.

And if that capability keeps improving, the center of gravity for security shifts.

“Shift left,” but for real this time

“Shift left” has been a buzzword for years. The idea is solid: find and fix issues earlier when they’re cheaper and less risky.

In reality, though, it’s often meant adding more checkpoints, more scans and more alerts. All earlier in the pipeline, of course, but still fundamentally the same model: write code first, evaluate it second.

But what’s emerging now feels different.

You can start to imagine a development environment where:

  • Code is being evaluated in real time as it’s written
  • Vulnerabilities are flagged (and even fixed) on the spot
  • Entire categories of insecure patterns don’t make it into production

At that point, you’re changing the nature of the problem. Security becomes about preventing vulnerabilities from existing in the first place, not finding them afterward.

That’s a big leap.
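The third bullet above, blocking entire categories of insecure code rather than reporting individual findings, is enforceable at the merge gate today even without a model in the loop. What follows is an added example, not code from the original article or from Anthropic: a small Go gate built on the standard library’s go/ast that parses a source file and refuses it outright when it imports a banned primitive or disables TLS certificate verification. The rule list, the rule names and the sample file are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// Finding is one blocked pattern: the policy rule it violated and the line.
type Finding struct {
	Rule string
	Line int
}

// bannedImports maps an import path to the category it represents. The
// policy itself is hypothetical; a real one would be tuned per codebase.
var bannedImports = map[string]string{
	"crypto/md5":  "weak-hash",
	"crypto/sha1": "weak-hash",
	"crypto/des":  "weak-cipher",
	"math/rand":   "non-crypto-rng",
}

// Gate parses one Go source file and returns every blocked pattern. An empty
// result means the file may proceed; anything else fails the commit or merge.
func Gate(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding

	// Category 1: imports of primitives we do not want anywhere in the tree.
	for _, imp := range file.Imports {
		path, err := strconv.Unquote(imp.Path.Value)
		if err != nil {
			continue
		}
		if rule, ok := bannedImports[path]; ok {
			findings = append(findings, Finding{rule, fset.Position(imp.Pos()).Line})
		}
	}

	// Category 2: a TLS config literal that turns off certificate verification.
	ast.Inspect(file, func(n ast.Node) bool {
		kv, ok := n.(*ast.KeyValueExpr)
		if !ok {
			return true
		}
		key, ok := kv.Key.(*ast.Ident)
		if !ok || key.Name != "InsecureSkipVerify" {
			return true
		}
		if val, ok := kv.Value.(*ast.Ident); ok && val.Name == "true" {
			findings = append(findings, Finding{"tls-no-verify", fset.Position(kv.Pos()).Line})
		}
		return true
	})
	return findings, nil
}

// sample is a constructed source file that trips all three rules.
const sample = `package payments

import (
	"crypto/md5"
	"crypto/tls"
	"math/rand"
)

func token() []byte { return md5.New().Sum([]byte{byte(rand.Int())}) }

func client() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }
`

func main() {
	findings, err := Gate("sample.go", sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d: blocked by rule %s\n", f.Line, f.Rule)
	}
	if len(findings) > 0 {
		fmt.Println("gate: FAIL (change cannot be merged)")
	}
}
```

The gate returns findings, not advice, and a non-empty result fails the commit; that is the difference between an alert that accumulates in a dashboard and a category that cannot reach production. An AI reviewer would replace the hard-coded rules with something that generalizes to patterns nobody wrote a rule for, but the enforcement point, before merge rather than after deploy, is the same.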

Moving from trust as a guess to trust as proof

Right now, most of the time, we “trust” software based on signals: the vendor’s reputation, compliance certifications, the fact that it passed a security audit.

All of those things matter, but they’re still proxies. They tell us that someone did the right things, not that the software itself is definitively secure.

As AI starts to play a bigger role in both building and validating software, there’s an opportunity to raise the bar. Instead of asking, “Do we trust this vendor?” we can start asking, “Can this software prove its integrity?”

Picture a world where:

  • Every component has been continuously analyzed
  • The results of that analysis are documented and signed
  • Anyone downstream can verify those claims independently

We already do this in other areas of life. Food has certifications. Electronics have safety standards. Those labels mean something because there’s a system behind them that enforces and verifies them.

Software hasn’t really had that, at least not in a consistent, universally trusted way.

But that gap is starting to close.

Why software trust suddenly matters a lot more

AI eliminating more vulnerabilities upstream is only part of the story. The other part is proving it, and proving it before the vulnerability is exploited, at machine speed. Software trust shifts toward continuous, real-time, fully automated patching. Humans will initially be needed to validate both the vulnerabilities and the patches, but the writing is already on the wall: this is heading toward AI versus AI at a pace no human team can match.

That’s where things like supply chain integrity, software bills of materials (SBOMs) and verifiable attestations start to look like core infrastructure that has to run continuously rather than at audit time.

It’s one thing to say, “We build secure software.” But it’s another to show, in a verifiable, continuous and real-time way, exactly how that software was built, what’s inside it and what checks it passed along the way.

That transparency becomes especially important as software supply chains get more complex and as AI plays a bigger role in generating and modifying code.

At machine speed, trust has to be built in, automated and cryptographically verifiable. This is where intelligent trust comes into focus, connecting identities, certificates and validation signals into a system that can continuously verify and adapt as software and risk evolve.
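What “documented, signed and independently verifiable” looks like in practice, for the “Picture a world where” list above and for the point that a vendor should show how software was built, what is inside it and what checks it passed: the following is an added example, not code from the original article, from Anthropic or from any attestation project. It uses Ed25519 from the Go standard library. The statement shape is a hypothetical one loosely modelled on in-toto-style statements, not an official schema, and the key id, builder name, component list and artifact bytes are all constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is the attested claim: what was built, what is inside it and which
// checks ran clean. Hypothetical field set, not an official schema.
type Statement struct {
	ArtifactSHA256 string   `json:"artifact_sha256"`
	Builder        string   `json:"builder"`
	Components     []string `json:"components"`    // SBOM-style name@version entries
	ChecksPassed   []string `json:"checks_passed"` // analyses that reported no findings
}

// Envelope carries the exact bytes that were signed, so a verifier checks the
// signature over those bytes and never over a re-serialised statement.
type Envelope struct {
	KeyID     string
	Payload   []byte
	Signature []byte
}

// Attest binds the statement to the artifact's digest and signs it (producer side).
func Attest(priv ed25519.PrivateKey, keyID string, artifact []byte, st Statement) (Envelope, error) {
	sum := sha256.Sum256(artifact)
	st.ArtifactSHA256 = hex.EncodeToString(sum[:])
	payload, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KeyID: keyID, Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is what a downstream consumer runs before deploying: the key must be
// one it trusts, the signature must hold, the artifact in hand must be the one
// attested, and every check the consumer's own policy requires must be present.
func Verify(trusted map[string]ed25519.PublicKey, env Envelope, artifact []byte, required []string) (Statement, error) {
	pub, ok := trusted[env.KeyID]
	if !ok {
		return Statement{}, errors.New("attestation signed by an untrusted key")
	}
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return Statement{}, errors.New("signature does not match payload")
	}
	var st Statement
	if err := json.Unmarshal(env.Payload, &st); err != nil {
		return Statement{}, err
	}
	sum := sha256.Sum256(artifact)
	if st.ArtifactSHA256 != hex.EncodeToString(sum[:]) {
		return Statement{}, errors.New("artifact digest does not match attestation")
	}
	have := map[string]bool{}
	for _, c := range st.ChecksPassed {
		have[c] = true
	}
	for _, want := range required {
		if !have[want] {
			return Statement{}, fmt.Errorf("required check %q is not attested", want)
		}
	}
	return st, nil
}

// Outcome holds one genuine verification and four tampering cases (nil = accepted).
type Outcome struct {
	Genuine, TamperedArtifact, TamperedPayload, UnknownKey, MissingCheck error
}

// Demo runs producer and consumer in one process on constructed inputs.
func Demo() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	trusted := map[string]ed25519.PublicKey{"ci-signer-01": pub} // hypothetical key id
	artifact := []byte("constructed sample release binary")
	st := Statement{
		Builder:      "ci.example.internal", // hypothetical builder
		Components:   []string{"libfoo@1.2.3", "zlib@1.3.1"},
		ChecksPassed: []string{"sast", "dependency-audit"},
	}
	env, err := Attest(priv, "ci-signer-01", artifact, st)
	if err != nil {
		return Outcome{}, err
	}
	var o Outcome
	_, o.Genuine = Verify(trusted, env, artifact, []string{"sast"})
	_, o.TamperedArtifact = Verify(trusted, env, append([]byte("patched "), artifact...), []string{"sast"})
	forged := env // claim a check that never ran; the signature no longer matches
	forged.Payload = bytes.Replace(env.Payload, []byte("sast"), []byte("fuzz"), 1)
	_, o.TamperedPayload = Verify(trusted, forged, artifact, []string{"fuzz"})
	stranger := env // same bytes presented under a key the consumer never enrolled
	stranger.KeyID = "someone-else"
	_, o.UnknownKey = Verify(trusted, stranger, artifact, []string{"sast"})
	_, o.MissingCheck = Verify(trusted, env, artifact, []string{"sast", "fuzz"})
	return o, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Three design choices carry the “proof, not proxy” point. The signature covers the exact payload bytes, so nobody can edit the checks list after the fact. The statement embeds the artifact digest, so the claim is about this binary, not about the vendor in general. And the consumer decides which checks it requires and which signing keys it trusts; the producer only states what it did, and the verifier, not the producer, is the one that says yes or no.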

The uncomfortable part: This cuts both ways

There’s also a reality here that’s hard to ignore.

The same kind of AI that can find and fix vulnerabilities can also find and exploit them.

So, while the defensive ceiling is getting higher, so is the offensive one.

That creates a kind of compression effect. The time between “a vulnerability exists” and “someone is exploiting it” gets shorter. Potentially a lot shorter.

In that environment, reacting quickly isn’t enough. You have to get ahead of the problem entirely, either by eliminating the vulnerability before release or by having strong guarantees about what’s running in your environment.

Which brings us back to trust.

Where this is all heading

We’re still early, and it’s worth being cautious about overhyping any single model or breakthrough. Software isn’t going to become magically perfect overnight.

But the direction is hard to miss.

We’re moving toward a world where:

1. More vulnerabilities are caught (or prevented) earlier than ever

2. AI is deeply embedded in both building and breaking systems

3. Trust becomes something you can verify, not just assume

4. Trust is continuous, real-time and automated

For decades, cybersecurity has been about managing imperfection.

Now, for the first time, there’s a real chance to reduce that imperfection and to prove that reduction in a meaningful way.

The bigger picture

As this shift plays out, one thing becomes clear: trust itself becomes infrastructure.

Organizations will need ways to:

1. Prove the integrity of their software supply chains

2. Attest to how software was built and validated

3. Allow customers, partners, regulators and others to independently verify those claims

4. Run continuous, real-time vulnerability tests and propagate validated patches, fully automated

This is the essence of intelligent trust: a unified, adaptive approach that brings together identity, cryptography and automation to continuously establish and maintain trust at scale.

Because in a world where AI can both strengthen and undermine security at scale, trust is what everything else depends on. Trust that can be proven.

That’s the direction this moment is pointing to, and, overused as the phrase is, it fits the definition of a true paradigm shift.

This article is published as part of the Foundry Expert Contributor Network.