On March 27, 2026, Anthropic leaked approximately 3,000 unpublished assets due to a CMS configuration error. Among them was a draft describing the next-generation model codenamed Mythos (internally called Capybara), claiming significant advances in coding, reasoning, and cybersecurity, with cyber capabilities "far ahead of any other AI model."
Following the news, cybersecurity stocks plummeted: CrowdStrike dropped 7.5% in a single day, Palo Alto Networks fell 7%, Zscaler declined 7.7%, and the iShares Cybersecurity ETF dropped about 3%. The capital market voted with real money: if AI can both attack and defend, the value of traditional security products will be eroded.
But this interpretation is only half right.
The Real Issue Behind Market Panic
Ironically, the leak from an AI security company was itself caused by a CMS configuration error—which perfectly illustrates the essence of the problem: when AI capabilities cross a certain threshold, both your agent system's threat model and infrastructure assumptions will fail simultaneously.
More notably, Axios exclusively reported that Anthropic is privately warning senior U.S. government officials that Mythos-level models could make large-scale cyberattacks "much more likely" within 2026. The vendor itself treats cyber capability enhancement as a risk requiring advance warning, not merely a product selling point.
This reveals a deeper issue: The control point for Agent security is shifting from the prompt and rule layer up to the runtime layer.
Why the Control Point Must Move Up
Traditional AI security focuses on prompt injection protection—limiting AI behavior through rules written in prompts. But in the Agent era, this defense is no longer sufficient.
Consider this scenario: An enterprise deploys an internal AI agent with access to code repositories, API calls, and database operations. A new employee during their probation period asks the agent to "organize the project documentation," and the agent incidentally copies the entire enterprise skill library in the process.
This isn't prompt injection, nor is it a jailbreak attack. It's a completely legitimate request that produces catastrophic consequences in the hands of an agent with excessive privileges.
Agents hold credentials, can invoke tools, and can act continuously across systems. Your defense cannot rely solely on writing "don't leak sensitive information" in prompts. The real primary defense line is runtime governance.
Three Pillars of Runtime Governance
1. Principle of Least Privilege
Agents should only receive the minimum set of permissions needed to complete the current task. Not "this agent can access all code repositories," but "this agent can only read the src/auth directory during this task execution."
Permissions should be dynamically allocated, task-level, and revocable. After each task completes, permissions are automatically reclaimed.
2. Dynamic Identity Mechanism
Don't give agents long-lived API tokens. Generate temporary identity credentials at the start of each task, which expire immediately after task completion.
This is similar to AWS's STS (Security Token Service) mechanism: short-term credentials, automatic expiration, traceable. If credentials leak, the impact is limited to a single task.
3. Execution Isolation and Result Verification
Critical operations must be executed in sandboxes, and results must pass independent verification before proceeding. Not "trust the agent did it right," but "verify the agent did it right."
Cisco extended AI Defense to MCP layer runtime protection in February 2026, and CrowdStrike deployed similar safeguards at the execution layer. Security vendors are demonstrating through action where the control point is moving.
From Process Guardrails to Result Verification
There's a second-layer implication that's easily overlooked.
Many teams previously relied on prompt rules and tool whitelists for agent security—these are "process guardrails" attempting to restrict agent behavior during execution. But as model capabilities grow stronger, process guardrails become less effective, because static rules can hardly cover all possible dangerous combinations.
A more robust approach is to shift the system's focus to result verification:
- Any critical action must satisfy verifiable acceptance criteria
- High-risk results must pass independent verification before proceeding
- Execution chains must have audit and replay capabilities
This approach is the same category as traditional security's sandbox and policy gate, except now they need to enter the agent runtime directly, rather than staying on the periphery.
Practical Impact on AI Developers
If your agent system still operates on the assumption that "writing good prompts equals security," it's time to re-examine the architecture.
Checklist:
- Is your permission model flat? Do all agents share the same set of credentials? This is the most dangerous signal.
- Are credentials statically configured? API tokens written in config files? Once leaked, the impact scope is uncontrollable.
- Does your execution chain have audit capabilities? Can you trace what the agent did, why it did it, and what the result was?
- Do critical operations have independent verification? Or do you completely trust the agent's output?
This isn't "optimization"—it's "redesign." Moving from "writing good prompts" to "designing secure runtimes" is a paradigm shift requiring architectural rethinking, not configuration tweaking.
Industry Response
The good news is that the industry is already taking action.
Cisco's AI Defense has extended to the MCP protocol layer, providing runtime-level protection. CrowdStrike has deployed similar safeguards at the execution layer. These traditional security vendors are shifting from "protecting against AI" to "providing secure runtimes for AI."
In OpenAI's open-sourced Symphony project in March, custom linters enforce architectural invariants, with lint error messages serving as repair guidance for agents. Cursor discovered that constraints like "no TODOs, no partial implementations" are far more effective than instructions like "remember to finish implementations."
These practices point in the same direction: Constraints are more effective than instructions. When managing AI, writing constraints has more leverage than writing instructions.
Conclusion
The Mythos leak caused cybersecurity stocks to plummet, but the real signal isn't "AI will replace security products"—it's "the control point for Agent security is migrating."
From prompt layer to runtime layer, from process guardrails to result verification, from static rules to dynamic governance—this is the fundamental transformation of security architecture in the Agent era.
If you're building agent systems, start redesigning your permission model, identity mechanism, and execution isolation now. Not because Mythos is so powerful, but because when model capabilities cross a certain threshold, old security assumptions will fail simultaneously.
References: - Fortune: Anthropic says testing Mythos, powerful new AI model - CNBC: Anthropic cybersecurity stocks AI Mythos - Axios: Claude Mythos Anthropic cyberattack AI agents