Frontier AI's cyber weapons force Trump to abandon deregulation
Claude Mythos and GPT-5.5 discovered thousands of zero-days autonomously, overriding ideological opposition to safety rules. The administration is now mandating pre-deployment government testing of all frontier models.
On May 5, 2026, the Trump administration reversed its core AI policy in a single day. The Cyber AI Safety Institute signed expanded agreements with Google DeepMind, Microsoft, and xAI to conduct mandatory pre-deployment evaluation of all frontier models before public release. This was not a gradual pivot. This was a forced hand. The trigger was simple and undeniable: frontier AI models had crossed a capability threshold where they autonomously discover and exploit zero-day vulnerabilities faster than human defenders can patch them.
Claude Mythos discovered 271 vulnerabilities in Firefox 150 alone, including a 27-year-old bug in OpenBSD and a 16-year-old flaw in FFmpeg that automated security tools had scanned millions of times without finding. The previous version, Claude Opus 4.6, had found 22 vulnerabilities in the same codebase. The jump from 22 to 271 is not incremental improvement. It is a category shift. GPT-5.5 completed a 32-step simulated corporate cyberattack in 2 of 10 test runs, matching Mythos Preview's performance on UK AI Security Institute benchmarks. The frontier cyber-offense capability is doubling every four months.
This matters because the Trump administration had spent its entire first year dismantling AI safety infrastructure. On Day 1, it eliminated Biden's 2023 AI executive order, rescinding safety evaluation requirements and reporting on models with military applications. CAISI, the rebranded AI Safety Institute, was expected to pivot from safety to acceleration. The Pentagon declared Anthropic a supply-chain risk in March 2026 after the company refused to allow unrestricted military use. OpenAI signed the Pentagon contract within hours. The policy direction was clear: deregulate, accelerate, let the market decide. Then the models started finding zero-days at scale, and policy met reality.
The vulnerability discovery capability emerged as a downstream consequence of general improvements in code reasoning and autonomy, not as a purpose-built exploit engine. Anthropic did not set out to create a zero-day finder. Mythos inherited the ability to reason about code as part of its general reasoning improvements. This is the core problem: there is no architectural solution to decouple coding ability from vulnerability exploitation. Every future frontier model will inherit this risk. The capability cannot be surgically removed without crippling the model's core reasoning.
Why this matters for infrastructure: vulnerability discovery at frontier-model scale breaks the historical assumption that defenders have time to patch after disclosure. A single frontier model can now discover thousands of vulnerabilities faster than enterprises can remediate them. Firefox needed to patch 271 vulnerabilities identified by Mythos. That is not a patch cycle. That is a flood. Traditional security assumes an asymmetry in the defender's favor: the attacker finds one vulnerability, the defender patches it, the attacker moves on. Frontier AI inverts that asymmetry. One model can find thousands. The patch cycle cannot scale.
Anthropic's response was to restrict access. Claude Mythos is limited to 12 partner organizations under Project Glasswing. OpenAI's GPT-5.5-Cyber is limited to vetted defenders through the Trusted Access for Cyber program. This creates a two-tier AI ecosystem where offensive cyber capabilities are government-mediated. Approved developers get access to restricted models. Unapproved developers do not. The field is fragmenting. This is not a free-market outcome. This is a national security partition.
The government's new role is to evaluate these models before release and to maintain access to unrestricted versions for testing. CAISI now handles unrestricted versions of frontier models from multiple agencies. This creates a new attack surface: evaluators from multiple government organizations now handle versions of frontier models with safeguards removed. The more agencies that touch these models, the more potential vectors for compromise. The security perimeter expands, and the attack surface grows.
What makes this reversal significant is that it was not driven by a change in administration philosophy. The Trump administration did not suddenly embrace safety-first AI policy. It was driven by a technical fact that could not be argued away. When a model discovers a 27-year-old vulnerability that automated tools had missed millions of times, there is no ideological position that survives that reality. The administration faced a choice: allow unrestricted frontier models to proliferate and watch critical infrastructure become vulnerable to AI-discovered exploits, or implement pre-deployment evaluation. It chose evaluation.
The second-order effects are already visible. Enterprises must shift from reactive patching to continuous AI-assisted vulnerability management. The old model of Patch Tuesday no longer works. The new model is continuous discovery and continuous remediation. This requires new tools, new processes, and new hiring. The security industry is about to grow substantially. Vulnerability management becomes a permanent, automated process rather than a periodic event.
The market has already voted on who benefits. Anthropic's revenue eclipsed OpenAI's in Q1 2026, reaching $44 billion ARR versus OpenAI's $24 billion, despite the Pentagon blacklist. The market is rewarding safety-first positioning. Companies that can demonstrate responsible AI development are winning contracts and customer trust. OpenAI signed the Pentagon contract, but Anthropic is winning enterprise revenue. This suggests that customers value safety more than military access.
The policy precedent is now set. Dual-use AI models require government pre-clearance before release. This establishes a framework for mandatory national security review of frontier capabilities. Future administrations cannot easily reverse this without explicitly choosing to allow unrestricted frontier models to proliferate. The bar for deregulation just got much higher. Any administration that wants to remove pre-deployment evaluation must be willing to accept the political and security consequences of frontier models discovering zero-days at scale. That is a difficult position to defend.
The real constraint on frontier AI is no longer ideology or regulation. It is capability itself. When models become powerful enough to pose a genuine national security threat, policy follows. This is not a victory for safety advocates who argued for precaution. It is a vindication of the technical argument that frontier models would eventually develop capabilities that force policy response. The question now is whether the pre-deployment evaluation framework is actually sufficient to manage the risk, or whether it is simply a checkpoint that slows down release by weeks.
Watch for three signals. First, how many vulnerabilities the restricted models discover in the next evaluation cycle. If the numbers stay in the hundreds, the current framework might hold. If they jump to tens of thousands, the evaluation process will become a bottleneck that either delays releases indefinitely or becomes a rubber stamp. Second, whether other nations implement similar pre-deployment evaluation or allow unrestricted frontier models. If China or Russia allows unrestricted models, the security advantage of US evaluation becomes moot. Third, whether the two-tier ecosystem holds or unapproved developers begin releasing frontier models without government evaluation. If the restriction is only on approved developers, the policy creates a perverse incentive for developers to go rogue.