The Mythos & Project Glasswing Paradox: Why Identity Blast Radius is the Only Defense Left

Itzik Alvas
Co-founder & CEO

Anthropic’s Project Glasswing has effectively fired the starting gun on a new era of cybersecurity. By using the Claude Mythos Preview model to uncover vulnerabilities that have sat dormant in critical infrastructure for nearly three decades, Anthropic has proven a terrifying point: the era of the “unfound bug” is over.
We are entering a state of endless vulnerabilities. When a frontier model can scan millions of lines of code and chain exploits at machine speed, the traditional “find and patch” cycle doesn’t just slow down, it breaks entirely.

The Patching Impossible: We Can’t Keep Up

The hard truth is that we are physically unable to patch this many vulnerabilities. The sheer volume of flaws that a model like Mythos can surface in a single afternoon would exhaust the time and resources of even the world’s largest DevOps teams.
If discovery is instantaneous, but patching remains manual and slow, the gap between “exposed” and “secure” becomes a permanent canyon. We have to stop pretending that we can “patch our way” out of this. But here is the reality check: a vulnerability only matters if someone or something has the access and permissions to exploit it.

If You Don’t Have Access, the Bug Doesn’t Matter

We need to stop obsessing over the code flaws and start obsessing over the AI and Non-Human Identities (NHI) that can access your environment. Who cares if a system has ten thousand vulnerabilities if no entity has the permission to reach it, interact with it, or move from it?
The real danger in the Mythos era isn’t the bug; it’s the over-privileged AI agents and service accounts that have been granted the keys to your kingdom. If an agent has the “identity” to modify a kernel or access a sensitive database, and that agent is compromised via a Mythos-discovered flaw, the game is over.
We must move to a model of Identity Blast Radius Control:

  • Permissions are the New Firewall: If you can’t patch the vulnerability, you must strictly limit what an identity can actually do.
  • Controlling NHI and AI Access: Most environments are crawling with “dark” NHIs and autonomous agents with broad, static permissions. In the age of Mythos, these are the primary attack vectors.
  • Access is the Bottleneck: By strictly governing which AI and NHIs can access which environments, you render the “endless vulnerabilities” irrelevant. An exploit is a key, but if there’s no door it’s allowed to touch, the key is useless.

Identity is the Only Control Plane Left

Identity is the only layer of the stack that moves at the same speed as AI. If we try to manage the infinite vulnerabilities of the Mythos era using old-school infrastructure rules, we will lose.
By making Identity the Control Plane, you change the game:

  1. Vulnerabilities become “noise”: If an exploit is found but the compromised AI or NHI has no identity-based permission to move laterally or exfiltrate data, the exploit is effectively neutralized.
  2. Strict Permissioning: We must implement “Zero Standing Privilege.” If an agent or NHI doesn’t need access to a specific environment right now, it shouldn’t have the permission to be there.
  3. Containment by Design: By strictly limiting the blast radius of every identity, we create a “cell-based” security architecture where a single unpatched infection cannot spread because it lacks the authorized identity to do so.
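The three points above can be made concrete with a small calculation. The following is an added example, not code from the original article or from any product: it computes an identity's blast radius over a constructed grant list, following role-assumption chains and ignoring expired time-bound grants, and shows how converting a standing grant to a time-bound one shrinks what a compromised identity can reach. All identity, role and resource names are hypothetical.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample data: every identity, role and resource name is hypothetical.
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)

# (subject, action, target, expires_at); expires_at=None means a standing grant.
GRANTS = [
    ("ci-agent", "assume", "deploy-role", None),
    ("deploy-role", "write", "prod-cluster", None),
    ("deploy-role", "read", "customer-db", None),
    ("support-bot", "read", "ticket-db", NOW + timedelta(minutes=30)),
    ("support-bot", "read", "customer-db", NOW - timedelta(hours=2)),  # expired
    ("report-svc", "read", "metrics-store", None),
]

def is_active(grant, now):
    """A grant counts only if it is standing or has not yet expired."""
    expires_at = grant[3]
    return expires_at is None or expires_at > now

def blast_radius(identity, grants, now):
    """Map each resource reachable from `identity` to the allowed actions,
    following chains of 'assume' grants (role assumption) breadth-first."""
    reach, seen, queue = {}, {identity}, deque([identity])
    while queue:
        who = queue.popleft()
        for subject, action, target, _ in (g for g in grants if is_active(g, now)):
            if subject != who:
                continue
            if action == "assume":
                if target not in seen:
                    seen.add(target)
                    queue.append(target)
            else:
                reach.setdefault(target, set()).add(action)
    return reach

def standing_grants(grants):
    """Grants with no expiry: the candidates to convert to time-bound access."""
    return [g for g in grants if g[3] is None]

def make_time_bound(grants, subject, target, ttl, now):
    """Return a copy where subject's standing grant on target expires after ttl."""
    return [(s, a, t, now + ttl) if (s, t, e) == (subject, target, None) else (s, a, t, e)
            for s, a, t, e in grants]

if __name__ == "__main__":
    for name in ("ci-agent", "support-bot", "report-svc"):
        print(name, blast_radius(name, GRANTS, NOW))
```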

The Bottom Line

Project Glasswing isn’t just a demo of AI’s power to find bugs; it’s a warning. In a world of infinite vulnerabilities and impossible patching schedules, the only real cure is a radical restriction of the identity blast radius. We have to stop worrying about the thousands of bugs we can’t possibly patch and start controlling the permissions of the AI and NHIs that have access to our environments. Control the access, and you control the threat.
