Anthropic has put its most advanced AI model on the table for the European Union, but getting a seat at that table is proving to be a slow, grinding negotiation. The company’s Mythos model, capable of autonomously discovering zero-day vulnerabilities across every major operating system and web browser, remains accessible to only about 40 vetted US companies and select government entities. The EU wants in. Anthropic hasn’t said no. But progress, according to Spain’s economy minister, has been “limited.”

What Mythos actually does

Anthropic announced the Claude Mythos Preview on April 7, 2026. In internal testing, the model discovered thousands of zero-day vulnerabilities, the kind of software flaws that vendors don’t know about and therefore can’t patch, across all major operating systems and web browsers.

Mythos doesn’t just flag vulnerabilities. It autonomously generates working exploits, meaning it can demonstrate exactly how an attacker would use each flaw. On industry benchmarks like Cybench, the model surpasses every prior AI system at conducting complex, multi-step cyber-attack simulations.

That dual capability, defense and offense in a single package, is precisely why Anthropic chose to restrict access. The company launched Project Glasswing to manage distribution, limiting the model to roughly 40 vetted US companies and chosen government entities.

The EU negotiation

European officials have been trying to secure access to Mythos for their own cybersecurity apparatus. As of May 22, 2026, Spain’s economy minister characterized the progress in EU-Anthropic negotiations as “limited.”

The European Commission planned to send officials to San Francisco in late May 2026 to press for more details on the model and explore terms for access. Meanwhile, OpenAI provided the EU access to its own cyber-focused model, GPT-5.5-Cyber. The UK’s AI Safety Institute has been evaluating Mythos separately, suggesting that Britain’s post-Brexit positioning may be giving it a faster track to access than the broader EU bloc.

What this means for investors

Crypto exchanges, custodians, and DeFi protocols are among the most targeted digital infrastructure in the world. The roughly 40 US companies in the Project Glasswing cohort are essentially receiving a head start in AI-augmented cybersecurity. European competitors without equivalent access face a structural disadvantage that could persist for months or longer, depending on how negotiations unfold.

The EU has historically been more aggressive than the US in regulating AI through frameworks like the AI Act, with enforcement set for August 2026. The irony of Europe now needing to negotiate for access to American AI capabilities, while simultaneously trying to regulate how those capabilities are deployed, creates a genuine policy tension.

The OpenAI-EU arrangement with GPT-5.5-Cyber also signals that competition for institutional AI partnerships is intensifying. Investors should watch whether Anthropic’s restrictive approach ultimately strengthens its brand as the “responsible” AI company, or whether it simply cedes market share to rivals willing to distribute more broadly.