When AI Can Hack Anything, Identity Becomes Everything
2026-4-9 Author: securityboulevard.com

TL;DR:

  • Anthropic’s own disclosures about its next frontier model confirm that AI is making impersonation cheap, scalable, and automated.
  • The biggest risk isn’t AI exploiting code — it’s AI exploiting identity. 81% of intrusions are already malware-free.
  • Most enterprise security stacks verify accounts, not the humans behind them. That gap is the real attack surface.
  • Agentic AI makes it worse: when an AI agent acts, organizations need to know which verified human authorized it — not just which account launched it.
  • Detection won’t close this gap. Verified identity at the source will.

At the end of March, Fortune reported that Anthropic has been developing and testing a new frontier AI model — reportedly called Claude Mythos or “Capybara” — that the company itself describes as posing unprecedented cybersecurity risks. According to leaked draft materials, Anthropic believes the model is “currently far ahead of any other AI model in cyber capabilities” and that it signals an incoming wave of AI systems that can discover and exploit software vulnerabilities faster than defenders can patch them.

This isn’t an isolated development. Earlier this year, OpenAI classified its GPT-5.3-Codex as “high capability” for cybersecurity tasks — the first model to earn that designation under its own preparedness framework. Anthropic has separately disclosed that Chinese state-sponsored groups have already attempted to weaponize Claude in coordinated campaigns targeting dozens of organizations.

A clear pattern is emerging: the most capable AI systems ever built are also the most capable offensive security tools ever built. And the companies building them are saying so publicly.

For security leaders, the temptation is to focus on the software vulnerability angle — patching faster, scanning more code, hardening infrastructure. That matters. But there is a second implication in this news that is getting far less attention, and it may be more consequential for most enterprises.

The Real Attack Surface Is Human, Not Technical

CrowdStrike’s 2025 Threat Hunting Report found that 81% of hands-on-keyboard intrusions are now malware-free. They don’t exploit software vulnerabilities. They exploit identity. An attacker with a convincing voice clone calls the helpdesk. A deepfake video filter defeats a visual check during onboarding. A compromised credential is used to escalate privileges with no verification that the person behind the session is who they claim to be.

AI models that can find and exploit code vulnerabilities are a serious concern. But for most organizations, the more immediate threat is AI that makes impersonation cheap, scalable, and indistinguishable from the real thing. Gartner reported that 62% of organizations experienced a deepfake attack involving social engineering in 2025. That was before models with dramatically improved cybersecurity capabilities entered the market.

When the next generation of frontier models reaches general availability — models that their own creators flag as posing elevated risk — the identity attack surface doesn’t just grow. It changes in kind. The social engineering playbook that used to require manual effort and human skill becomes automated, personalized, and executable at scale.

Authentication Is Not the Same as Identity

Most enterprise security stacks are built to answer the question: which account is acting? MFA confirms a device. SSO confirms a session. Zero Trust policies evaluate context. These are authentication controls. They verify credentials.

None of them answer a different question: which human being is acting?

That distinction becomes critical when the threat is no longer a brute-force password attack or a phishing link, but a convincing human impersonator — or an AI agent acting autonomously on behalf of a person who may not have authorized the action at all. In those scenarios, knowing which account is authenticated tells you nothing about whether the right person is behind it.

This gap is not theoretical. The MGM Resorts breach started with a social engineering call to the helpdesk. The attacker impersonated an employee, convinced a support agent to reset credentials, and moved laterally through the environment. Every authentication control downstream of that reset worked correctly. The failure was upstream: no one verified the human.

The Agentic AI Wrinkle

There’s a third dimension to this that most security teams haven’t fully reckoned with yet.

Frontier AI models aren’t just being used by attackers. They’re being deployed by enterprises as autonomous agents — initiating actions, accessing sensitive systems, and making decisions at speeds that make human oversight difficult. When an AI agent triggers a high-risk action, who authorized it? The honest answer for most organizations is: whoever authenticated to the system that launched the agent. That’s a credential, not a person.

As AI capabilities accelerate — and the Mythos disclosure suggests that acceleration is dramatic — the gap between “which account acted” and “which verified human authorized it” becomes the defining governance question for enterprises deploying agentic AI.

What Defenders Should Be Asking

The Anthropic disclosure is a useful forcing function. It puts in concrete terms what many security leaders have suspected: AI-driven offensive capabilities are advancing faster than AI-driven defenses can keep up. Organizations that rely on detecting threats after the fact are structurally behind.

For identity security specifically, three questions deserve immediate attention:

Can your helpdesk verify a caller’s identity, or just their credentials? If the answer involves security questions, manager callbacks, or knowledge-based authentication, the control is already defeated by commercially available AI tools. The answer needs to be biometric identity verification that confirms the human, not the claim.

Does your identity stack verify the person, or just the account? IdPs verify which account is acting. That’s necessary. It’s not sufficient. The question is whether you have a verification layer that confirms the actual human behind the account — especially during high-risk moments like account recovery, privilege escalation, and device changes.

When an AI agent acts on behalf of your organization, can you produce an auditable record of which verified human authorized it? If the answer is no, you have an accountability gap that grows with every agentic AI deployment. Boards, auditors, and regulators will ask this question. Having an answer before they ask is the difference between preparedness and remediation.

The Arms Race Framing Is Incomplete

The headlines about Mythos will focus on the arms race — smarter AI for attackers, smarter AI for defenders, an endless cycle of escalation. That framing isn’t wrong, but it is incomplete. It focuses on code and infrastructure while ignoring the most exploited attack vector: people.

Detection-based defenses are inherently reactive. They analyze threats after the fact and try to keep up with attackers who are iterating faster. For identity, the shift that matters is from detection to prevention — architectures that verify the human at the source rather than trying to detect impersonation after it has entered the pipeline.

The models are getting more capable. The attackers are getting more capable. And the question that matters most for defenders hasn’t changed: Is this person who they claim to be?

The organizations that can answer that question definitively — not probabilistically, not through inference, but through verified identity — are the ones that are ready for what comes next.

*** This is a Security Bloggers Network syndicated blog from Identity Verification & Data Breach News - Nametag authored by getnametag.com. Read the original post at: https://getnametag.com/newsroom/ai-can-hack-anything-identity-is-everything


Article source: https://securityboulevard.com/2026/04/when-ai-can-hack-anything-identity-becomes-everything/