Every major AI breakthrough arrives with the same question: does this change the rules? According to a TechRadar analysis, Anthropic's Claude Mythos Preview – and the company's assertion that it can outperform humans in certain hacking and cyber defense tasks – has predictably reignited debate among regulators, financial institutions and enterprise cybersecurity leaders about systemic risk to digital infrastructure.
At the same time, Anthropic has positioned Mythos as a defender-first capability, highlighting its role in identifying and helping remediate vulnerabilities before adversaries can exploit them. This dual-use reality underscores a broader truth: the same technologies that strengthen defense can also expand risk, noted the CEO & Co-Founder of Keeper Security in the analysis.
This moment is significant, but not unprecedented. Claude Mythos represents the latest step in a wider trend where AI systems are becoming more autonomous, more deeply embedded in enterprise environments and more capable of executing complex tasks at scale. As organizations integrate these models into workflows, they expand both their operational potential and their attack surface.
AI Does Not Change Cybersecurity Fundamentals
Despite the rapid pace of AI innovation, the fundamentals of cybersecurity remain unchanged. Attackers still rely on the same core techniques: exploiting identities, compromising credentials and abusing access. While AI introduces some novel attack surfaces, it primarily accelerates and amplifies the vulnerabilities organizations already struggle to remediate. Organizations are already facing increasingly sophisticated attacks, including those enhanced by AI-driven automation.
The underlying weaknesses, however, remain consistent. Weak credential hygiene, excessive privileges and inadequate access controls continue to be the primary entry points for breaches. AI raises the speed limit on every attack, it does not rewrite the playbook.
AI as an Identity Multiplier
Where models like Mythos do shift the landscape is in how identity is defined and managed. Every AI system, agent or automated workflow introduces a new non-human identity (NHI). These identities often require privileged access to systems, data and IT infrastructure to function effectively. As a result, organizations are rapidly expanding the number of identities that can interact with sensitive environments.
This creates three immediate structural changes:
- Sprawling NHI inventories create ungoverned privileged access at scale
- Increased system and data access expands the blast radius of compromise
- Greater reliance on automation reduces human oversight at critical decision points
From a security perspective, each AI-driven process is effectively a privileged user. If left ungoverned, these identities are high-value targets for attackers. Credential-based attacks remain the most effective path to compromise. That has not changed as environments grow more complex and distributed – it has become more consequential. In AI-driven environments, identity is no longer just a control layer; it is the control plane through which access, risk and trust are managed.
Implications for Trade Professionals
For international trade organizations, the proliferation of NHIs is particularly pressing. Customs portals, supply chain management systems, and trade finance platforms increasingly rely on automated workflows and AI-powered analytics. Each integration introduces new privileged identities that must be governed. A compromised NHI in a customs brokerage system, for example, could disrupt cargo clearance or expose sensitive trade data.
The same dual-use dynamic seen with Claude Mythos applies to AI tools used in trade: they can strengthen fraud detection and compliance checks, but if their identities are left unmanaged, they become attack vectors. Security leaders in trade firms must therefore extend identity governance to cover all non-human actors in their digital ecosystems.
Recommended Controls
The answer to AI-driven risk is not a new strategy. It is disciplined, scaled execution of the strategy organizations already know they need. Organizations should prioritize the following controls:
- Principle of Least Privilege (PoLP): Ensure users and systems only have access to what is necessary, reducing the blast radius of any compromise
- Credential and secrets management: Secure, store and rotate credentials and machine secrets regularly
Additionally, organizations must inventory all NHIs, monitor their access patterns, and enforce segregation of duties. The pace of AI adoption in trade – from automated import classification to predictive logistics – demands that identity security programs keep pace. Without robust controls, the efficiencies gained through AI will be offset by heightened breach risk.
What to watch: How regulatory bodies and industry standards evolve to mandate identity security for AI systems in critical trade infrastructure, and whether organizations adopt unified identity platforms that cover both human and non-human identities.
Sources:
