When AI Becomes the Red Team: What the NSA-Mythos Story Reveals About Your Enterprise Security
A single sentence traveled from an intelligence agency director to a Senate floor speech to a magazine article to global social media – and by the time it arrived, it had transformed from a policy argument into a geopolitical alarm: AI had broken into the NSA.
The story, as it turned out, was both less dramatic and more alarming than the viral version. Less dramatic because Anthropic’s Mythos model was operating inside a replica of NSA systems during an authorized red team exercise, alongside other security tools, with engineers present. More alarming because the capability itself – discovering and chaining vulnerabilities across a complex classified environment in hours instead of weeks – is real, documented, and increasingly available to vetted organizations worldwide.
The distinction matters enormously for how enterprises think about their security posture. The question is not whether Mythos breached the NSA. The question is what it means that AI can find every weakness in a system like the NSA’s faster than any human team – and what your organization needs to do about it right now.
Key Takeaways
1. The “AI hacked the NSA” story was a red team exercise, not a live breach
Anthropic’s Mythos model was used alongside other tools inside a replica NSA environment during an authorized security test – the viral framing was a mischaracterization, but the underlying capability it demonstrated is real and consequential.
2. AI chains vulnerabilities at machine speed
What human red teams require weeks to accomplish, AI-assisted systems completed in hours – discovering and linking multiple attack paths across a complex classified environment replica simultaneously, at a speed that has no precedent in offensive security.
3. Defensive and offensive AI capability are two sides of the same coin
The NSA used Mythos to scan its own environment for weaknesses before adversaries could find them – the same AI capability that threatens enterprise security posture is the one that can defend it, provided it operates under governed, controlled conditions.
4. Ungoverned AI access to sensitive data is the actual security risk
Enterprises that give AI systems unrestricted access to sensitive repositories create exactly the exposure that authorized red teams exploit – zero-trust AI data governance is the architectural response, not a blanket ban on AI.
5. Defense sector compliance frameworks already model the right approach
FedRAMP authorization, CMMC 2.0 certification, and DFARS compliance require controlled, audited access to sensitive data at the request level – the same model every enterprise should apply to AI systems operating on sensitive data.
What Actually Happened – and Why the Clarification Matters
The chain of events began with NSA Director and U.S. Cyber Command head General Joshua Rudd, who told Senator Mark Warner that Mythos “broke through almost all of our classified systems in hours, not weeks.” Senator Warner cited the statement in a Senate Intelligence Committee session to argue for mandatory pre-release testing of frontier AI models – his broader point was that AI companies like Anthropic should be allowed to “go full throttle” on capability development precisely because their rigorous safety practices made controlled testing like this possible.
The Economist’s Shashank Joshi included the quote in a June 2026 briefing on U.S. AI policy. From there, the sentence escaped its context entirely. By the time it reached social media at scale, “authorized red team exercise on a classified environment replica” had become “AI breaches NSA live systems.” Joshi later acknowledged on social media that he should have included more qualifying language, noting the feat was accomplished under specific conditions with other tools. Security analyst Kyle Chase and others with direct knowledge of how red team exercises work were quick to push back publicly on the viral framing.
The more credible reconstruction – confirmed by security professionals and corroborated by Axios reporting on the NSA’s actual use of Mythos – is that the NSA placed the model inside a replica of its own classified environment and tasked it with finding and chaining vulnerabilities. It did so at a speed that far exceeded what human red teams could achieve. Calling that a breach of live NSA systems is the equivalent of writing “building on fire” after a fire drill. The drill reveals what would happen if the fire were real. That revelation is exactly the point.
The Real Takeaway: AI-Powered Vulnerability Discovery Is Not Theoretical
Set aside the headline. What the exercise demonstrates is a genuine shift in the security landscape. The Advanced Persistent Threats that defenders have spent years trying to detect now have access to AI tools that can accelerate every phase of an attack – reconnaissance, vulnerability enumeration, attack path chaining, and lateral movement – far beyond what human analysts can match.
Three capability categories are most relevant to enterprise security teams.
Vulnerability discovery at scale. Human red teamers, even with scanners in hand, still triage and validate findings one system at a time. AI-assisted tools can sweep an environment comprehensively, surfacing configuration errors, unpatched vulnerabilities with published CVEs, and logic flaws across thousands of assets in parallel. The speed advantage is not incremental. It is a category difference.
Attack path reasoning. Finding an individual vulnerability is one thing. Chaining multiple vulnerabilities into a viable attack path that bypasses layered defenses requires sophisticated reasoning across network topology, access permissions, and system interdependencies. AI models trained on security research, exploit databases, and system documentation can reason across these chains in ways that previously required senior red team engineers with years of specialized experience.
Iterative testing in controlled environments. Mythos was not operating against live systems – it was operating against a replica. This mirrors exactly how responsible vulnerability programs work: deploy an environment, test it aggressively, identify the gaps before adversaries do. The same AI capability demonstrated in that NSA exercise is being used today by approximately 150 institutions across more than 15 countries through Anthropic’s Project Glasswing program. Those institutions have collectively identified over 10,000 high or critical severity vulnerabilities in their own environments.
That last figure deserves emphasis. Government agencies, financial institutions, and technology companies are using AI-assisted vulnerability discovery right now to harden their own infrastructure. The red team capability is not on the horizon. It is in active deployment.
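The "attack path reasoning" in the second category above is, at bottom, a search over a graph whose nodes are states an attacker can hold and whose edges are the weaknesses that connect them. The following Python example is added here to make that concrete; it is my illustration, not code from the NSA exercise, Anthropic, Project Glasswing or Kiteworks. It builds the graph for a small constructed environment (every host name and weakness is invented), enumerates all simple paths from a phished workstation to a CUI repository, and then goes one step further than the paragraph: it ranks each weakness by how many paths disappear if that one thing is fixed, which is how a defender turns the same enumeration into a patch order.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed environment for illustration only. Each edge says: an attacker
# holding the state at the tail can reach the state at the head by abusing the
# named weakness. States are "host/privilege"; all names and weaknesses are invented.
EDGES: List[Tuple[str, str, str]] = [
    ("workstation/user",  "workstation/admin", "local privilege escalation via unpatched service"),
    ("workstation/admin", "fileserver/user",   "cached domain credential reused"),
    ("workstation/user",  "fileserver/user",   "share readable by Everyone"),
    ("fileserver/user",   "fileserver/admin",  "writable service binary"),
    ("fileserver/admin",  "backup/admin",      "same local admin password"),
    ("fileserver/user",   "jumphost/user",     "SSH private key stored on share"),
    ("jumphost/user",     "backup/admin",      "backup admin key on jump host"),
    ("backup/admin",      "cui-repo/read",     "backup job holds repository token"),
]

Graph = Dict[str, List[Tuple[str, str]]]


def build_graph(edges: List[Tuple[str, str, str]]) -> Graph:
    """Adjacency list: state -> [(next_state, weakness), ...]."""
    graph: Graph = defaultdict(list)
    for src, dst, weakness in edges:
        graph[src].append((dst, weakness))
    return graph


def all_paths(graph: Graph, start: str, goal: str, max_depth: int = 8):
    """Enumerate simple attack paths from start to goal as lists of (src, dst, weakness)."""
    paths: List[List[Tuple[str, str, str]]] = []

    def dfs(node, path, visited):
        if node == goal:
            paths.append(list(path))
            return
        if len(path) >= max_depth:
            return
        for nxt, weakness in graph.get(node, []):
            if nxt in visited:
                continue  # simple paths only: never revisit a state
            visited.add(nxt)
            path.append((node, nxt, weakness))
            dfs(nxt, path, visited)
            path.pop()
            visited.remove(nxt)

    dfs(start, [], {start})
    return paths


def fix_priority(edges, start: str, goal: str):
    """Rank each weakness by the number of attack paths that disappear if it alone is fixed."""
    baseline = len(all_paths(build_graph(edges), start, goal))
    ranking = []
    for i, (_, _, weakness) in enumerate(edges):
        remaining = edges[:i] + edges[i + 1:]
        left = len(all_paths(build_graph(remaining), start, goal))
        ranking.append((baseline - left, weakness))
    ranking.sort(key=lambda item: item[0], reverse=True)  # stable: ties keep input order
    return baseline, ranking


if __name__ == "__main__":
    base, ranked = fix_priority(EDGES, "workstation/user", "cui-repo/read")
    print(f"{base} attack paths from workstation/user to cui-repo/read")
    for cut, weakness in ranked:
        print(f"  fixing '{weakness}' removes {cut} path(s)")
```

On this constructed graph there are four paths to the repository and every one of them ends by abusing the backup job's token, so fixing that single weakness removes all four; each of the other weaknesses sits on only two. That chokepoint is the kind of result a defender wants from AI-assisted enumeration: not a list of findings, but the shortest list of fixes that breaks the most chains.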
What This Means for Enterprise Data Security
The NSA exercise clarifies something that enterprise security teams have been treating as a future problem: AI risk is an active security consideration that requires immediate architectural response, not a roadmap item.
The core issue is access. AI systems that can discover and chain vulnerabilities need data – configuration data, network topology, code, logs, and documentation. The more access an AI system has to enterprise data repositories, the more dangerous it becomes if misused or compromised. Conversely, a well-governed AI system with constrained, audited access is precisely what organizations need to identify vulnerabilities in their own infrastructure before attackers do. Data classification is the prerequisite control: organizations that cannot identify which repositories contain sensitive data cannot enforce the access boundaries AI governance requires.
This is where zero trust architecture becomes directly and practically relevant. Traditional security models grant AI systems broad access once they authenticate – the assumption is that if a system is authorized to connect, it is authorized to see everything within its scope. The NSA exercise demonstrated exactly why that assumption is dangerous. An AI system with access to a complex environment can traverse it comprehensively in hours.
Zero trust data protection inverts this model. Never assume an AI system's identity or intent from an earlier authentication. Always verify at the request level. Every operation is authenticated, evaluated against policy, and logged before data is returned. The question is not whether an AI system authenticated once at connection time; it is whether every individual data operation the AI performs is authorized, policy-compliant, and auditable with complete attribution: which system, acting for which human, touched which record under which rule.
For enterprises with sensitive data repositories – regulated customer data, intellectual property, healthcare records, or defense information – the architectural principle is clear: AI systems need governed data access, not ungoverned access. The capability that makes AI dangerous as a red team tool is the same capability that makes it valuable for defense. The difference is control.
The Governed AI Data Layer Your Organization Needs
The same principles the NSA applied to its own red team exercise – controlled access, constrained scope, monitored operations – are available to enterprise organizations through governed AI platforms. AI data governance is the practice of ensuring that AI systems access only data they are explicitly authorized to access, that every operation is logged with complete attribution, and that policy enforcement happens at the individual request level rather than at connection time.
The Kiteworks AI Data Gateway provides a secure bridge between AI systems and enterprise data repositories, enabling Retrieval-Augmented Generation workflows and other AI operations with zero-trust data access as the foundation. Every data request from an AI system is authenticated, evaluated against ABAC policies in real time, and logged before any data is returned. An AI system operating through the AI Data Gateway cannot access data it is not explicitly authorized to access. Data minimization controls enforce that AI systems receive only the minimum data necessary for the specific task – rate limiting prevents bulk extraction even if the AI system itself is compromised.
The Kiteworks Secure MCP Server extends this governance to interactive AI assistants like Claude and Microsoft Copilot through the industry-standard Model Context Protocol. AI assistants that manage files, query document repositories, or automate data workflows do so with the same policy enforcement that governs human access – with OAuth 2.0 authentication storing credentials in the operating system keychain, never exposed to the AI model itself.
Neither capability treats AI as a trusted entity once connected. Both treat AI requests the way zero-trust architecture treats every access type: as unauthenticated and unauthorized until proven otherwise. This is not a feature. It is the foundational design principle, and it is exactly what the NSA exercise demonstrates is necessary.
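As an added illustration of the request-level model described above (my example; it is not Kiteworks code and does not describe the AI Data Gateway's internals), the following Python sketch places a policy enforcement point between an AI agent and a document store. Each read is checked against attributes (clearance, project, task), rate-limited on sensitive material so that a compromised agent cannot bulk-extract, projected down to the fields the task needs, and written to an audit record with full attribution before anything is returned. The sensitivity ladder, the per-task field table, the thresholds and the document names are all assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Assumed sensitivity ladder and per-task field allow-list for the example.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "cui": 3}
TASK_FIELDS = {"summarize": {"title", "summary"},
               "full_review": {"title", "summary", "body"}}


@dataclass(frozen=True)
class Principal:
    id: str                  # the AI system's own identity
    on_behalf_of: str        # the human whose authorization it acts under
    clearance: str
    projects: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    id: str
    classification: str
    project: str
    fields: Dict[str, str]


class Gateway:
    """Policy enforcement point in front of a repository: every read is evaluated
    against attributes, rate-checked, minimized and logged, regardless of whether
    the caller authenticated earlier."""

    def __init__(self, clock: Callable[[], float], max_sensitive_reads: int = 2, window_s: int = 60):
        self.clock = clock
        self.max_reads = max_sensitive_reads
        self.window_s = window_s
        self.recent: Dict[str, deque] = defaultdict(deque)  # principal -> timestamps of sensitive reads
        self.audit: List[dict] = []

    def _decide(self, p: Principal, r: Resource, task: str) -> Tuple[str, str]:
        # Attribute checks first; the rate check last, so a denied request consumes no budget.
        if LEVELS[p.clearance] < LEVELS[r.classification]:
            return "deny", "abac:clearance"
        if r.project not in p.projects:
            return "deny", "abac:project"
        if task not in TASK_FIELDS:
            return "deny", "abac:unknown-task"
        if LEVELS[r.classification] >= LEVELS["confidential"]:
            q, now = self.recent[p.id], self.clock()
            while q and now - q[0] > self.window_s:
                q.popleft()                      # drop reads that fell out of the window
            if len(q) >= self.max_reads:
                return "deny", "rate:bulk-extraction"
            q.append(now)
        return "allow", "abac:ok"

    def read(self, p: Principal, r: Resource, task: str) -> Tuple[str, Optional[dict]]:
        decision, path = self._decide(p, r, task)
        payload = None
        if decision == "allow":
            # Data minimization: project the record down to the fields the task needs.
            payload = {k: v for k, v in r.fields.items() if k in TASK_FIELDS[task]}
        # The audit record is written before data is returned, with full attribution.
        self.audit.append({"t": self.clock(), "principal": p.id, "on_behalf_of": p.on_behalf_of,
                           "resource": r.id, "classification": r.classification, "task": task,
                           "decision": decision, "policy_path": path,
                           "fields_returned": sorted(payload) if payload else []})
        return decision, payload


def run_demo():
    """Six requests from one agent; returns (decisions, payloads, audit log)."""
    now = [0.0]                                          # controllable clock for the demo
    gw = Gateway(clock=lambda: now[0], max_sensitive_reads=2, window_s=60)
    agent = Principal("svc-rag-agent", "alice", "confidential", frozenset({"alpha"}))
    design = Resource("doc-alpha-1", "confidential", "alpha",
                      {"title": "Alpha design", "summary": "Two-page summary", "body": "Full text"})
    other = Resource("doc-beta-1", "confidential", "beta", {"title": "Beta plan", "summary": "s", "body": "b"})
    cui_doc = Resource("doc-alpha-cui", "cui", "alpha", {"title": "Alpha CUI", "summary": "s", "body": "b"})
    results = [
        gw.read(agent, design, "summarize"),     # allow: title and summary only
        gw.read(agent, design, "full_review"),   # allow: second sensitive read in the window
        gw.read(agent, design, "summarize"),     # deny: rate limit, looks like bulk extraction
        gw.read(agent, other, "summarize"),      # deny: wrong project
        gw.read(agent, cui_doc, "summarize"),    # deny: clearance below CUI
    ]
    now[0] = 61.0                                        # window elapses
    results.append(gw.read(agent, design, "summarize"))  # allow again
    return [d for d, _ in results], [p for _, p in results], gw.audit


if __name__ == "__main__":
    for entry in run_demo()[2]:
        print(entry)
```

Two design points carry the security argument. The audit entry is appended whether or not data flows, so a later investigation can see the denials as well as the reads; and the checks are ordered so that a request refused on attributes never consumes rate budget, which keeps the limit from being noisy while still capping how much sensitive material one principal can pull per window. The clock is injected only so the window can be advanced deterministically in the demo.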
What Defense Sector Compliance Already Requires
The defense sector’s compliance frameworks exist to protect sensitive data against exactly the kind of rapid, comprehensive compromise the NSA exercise simulated. CMMC 2.0 compliance (Level 2 maps to the NIST SP 800-171 requirements) requires defense contractors to demonstrate controlled access to CUI – Controlled Unclassified Information – with complete audit trails and documented policy enforcement across all channels through which that data moves. FedRAMP authorization requires federal cloud services to implement the NIST SP 800-53 control baseline, including audit logging and continuous monitoring, and to keep those controls in place for as long as the authorization stands.
Both frameworks predate the current wave of AI capability. But their requirements map directly onto the problem the Mythos exercise revealed. If an AI system with access to a CUI repository can discover and chain vulnerabilities in hours, then every defense contractor without zero-trust AI data governance has a compliance gap and a security gap simultaneously – the kind that a motivated adversary could exploit before a human analyst notices anomalous activity.
DFARS 252.204-7012 requires contractors to report cyber incidents affecting covered defense information or covered contractor information systems to DoD within 72 hours of discovery. ITAR restricts access to controlled technical data by foreign persons, which constrains where that data may be stored and who, including which AI services and the infrastructure they run on, may process it. Both create specific obligations around AI data access that most organizations have not yet mapped to their AI governance policies. The Kiteworks 2026 Forecast Report identifies AI governance gaps as one of the defining security challenges organizations will need to address in the near term, and the NSA story gives that challenge a concrete, visible form.
The enterprises that recognize this first – that AI governance is not an AI problem but a data security problem, and that the frameworks designed for the most sensitive data environments already provide the right model – will be better positioned both competitively and from a security standpoint.
Assume AI Will Be Used Against You – and Build Accordingly
The NSA exercise is a forcing function for a conversation that enterprise security teams have been deferring. The incident response calculus has changed. Assume breach has been a foundational zero-trust principle for years – assume attackers are already inside and design controls accordingly. The Mythos exercise adds a corollary: assume AI-assisted attack.
An attacker with access to a capable AI model and an initial foothold in your environment can enumerate your attack surface, discover chained vulnerabilities, and identify paths to your most sensitive data far faster than your security team can respond through manual analysis. Detection systems designed to catch human-speed lateral movement may not respond quickly enough to AI-speed reconnaissance and exploitation.
The practical response is architectural, not reactive. Implement zero trust data exchange across all channels through which sensitive data moves. Ensure every AI system operating on enterprise data has its access evaluated at the request level, not just at connection time. Maintain complete, real-time audit logs that feed directly into your SIEM – not throttled, not delayed, not requiring a premium license upgrade to access during an active investigation.
The NSA understood something important: you cannot protect what you cannot see, and you cannot see what you cannot log. The same principle applies to AI access in your enterprise. If an AI system operating in your environment queries hundreds of sensitive documents in the span of an hour, you need to know what it accessed, what it returned, under whose authorization, and through which policy path. Without that visibility, your incident response capabilities are effectively blind to the fastest category of attack now in active use.
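The visibility requirement above only pays off if something is watching the log. The following Python example is added here as my illustration (not from the page's vendor or any real deployment): it streams gateway-style audit lines and raises two alerts that target AI-speed behaviour rather than any single bad request: a principal touching an unusually broad set of distinct sensitive documents within an hour, and a burst of denials that looks like probing. The log lines are constructed inline, and the thresholds are assumptions to be tuned against a measured human baseline.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
SENSITIVE = {"confidential", "cui"}


def make_sample_log() -> str:
    """Constructed audit lines, one JSON record per data operation, in the shape a
    request-level gateway would emit. Not taken from any real system."""
    base = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
    records = []

    def add(offset_s, principal, user, resource, classification, decision):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        records.append({"ts": ts, "principal": principal, "on_behalf_of": user,
                        "resource": resource, "classification": classification,
                        "decision": decision})

    for i in range(60):                 # an agent sweeps 60 distinct documents in 30 minutes
        add(30 * i, "svc-rag-agent", "alice", f"doc-{i:04d}", "confidential", "allow")
    for i in range(5):                  # a human reads five documents across an hour
        add(600 * i + 15, "bob", "bob", f"doc-{100 + i:04d}", "confidential", "allow")
    for i in range(12):                 # an assistant is denied twelve times in two minutes
        add(1200 + 10 * i, "svc-copilot", "carol", f"doc-{200 + i:04d}", "cui", "deny")
    records.sort(key=lambda r: r["ts"])  # SIEM-style chronological order
    return "\n".join(json.dumps(r) for r in records)


def detect(lines: Iterable[str], window_s: int = 3600, breadth_threshold: int = 25,
           deny_window_s: int = 300, deny_threshold: int = 10) -> List[dict]:
    """Stream audit lines and alert when a principal touches too many distinct sensitive
    documents inside the window, or is denied too often in a short burst."""
    reads: Dict[str, deque] = defaultdict(deque)   # principal -> (ts, resource)
    denies: Dict[str, deque] = defaultdict(deque)  # principal -> ts
    fired = set()                                  # one alert per (rule, principal) in this run
    alerts: List[dict] = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], TS_FMT).replace(tzinfo=timezone.utc).timestamp()
        who = rec["principal"]
        if rec["decision"] == "deny":
            q = denies[who]
            q.append(ts)
            while q and ts - q[0] > deny_window_s:
                q.popleft()
            if len(q) >= deny_threshold and ("deny-burst", who) not in fired:
                fired.add(("deny-burst", who))
                alerts.append({"rule": "deny-burst", "principal": who,
                               "on_behalf_of": rec["on_behalf_of"], "count": len(q), "at": rec["ts"]})
            continue
        if rec["classification"] not in SENSITIVE:
            continue
        q = reads[who]
        q.append((ts, rec["resource"]))
        while q and ts - q[0][0] > window_s:
            q.popleft()
        distinct = {res for _, res in q}          # breadth, not volume: re-reads do not count
        if len(distinct) >= breadth_threshold and ("sensitive-breadth", who) not in fired:
            fired.add(("sensitive-breadth", who))
            alerts.append({"rule": "sensitive-breadth", "principal": who,
                           "on_behalf_of": rec["on_behalf_of"],
                           "distinct_docs": len(distinct), "at": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(make_sample_log().splitlines()):
        print(alert)
```

Breadth is the signal that separates an AI sweep from a busy human: counting distinct documents rather than raw requests means a person re-opening the same file does not trip the rule, while an agent walking a repository does, here on its twenty-fifth document twelve minutes into the sweep. The denial burst catches the case where enforcement is working but something is probing the boundary, which is worth an analyst's attention before the agent finds a path that is allowed. Each alert carries the human the agent acted for, so response starts with attribution rather than a hunt for it.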
The enterprises that build governed AI infrastructure today – before a security event forces the issue – are the ones that will be able to use AI as a genuine defensive capability rather than managing it as an unquantified liability. A Private Data Network architecture that enforces these controls across every content communication channel – secure email, secure MFT, secure file sharing, and AI integrations – ensures no channel operates outside the governance perimeter.
To learn more about governing AI access to your sensitive data with zero-trust architecture, schedule a custom demo today.
Frequently Asked Questions
Did Mythos actually break into the NSA’s systems?
No. The widely circulated statement was a mischaracterization of an authorized red team exercise. NSA Director General Joshua Rudd told Senator Mark Warner that Mythos “broke through almost all of our classified systems in hours, not weeks” – but the journalist who published the quote later clarified that the exercise was conducted on a replica of NSA systems, not live operational infrastructure, and that Mythos was used alongside other security tools. The distinction is material: a red team exercise on a controlled environment replica is a standard defensive security practice, not a hostile breach. The capability demonstrated – finding and chaining vulnerabilities at AI speed – is real and significant. Enterprises should direct their attention to what the exercise reveals about AI-assisted vulnerability discovery, not the accuracy of the viral framing. AI data governance and zero trust generative AI frameworks exist to address the actual risk the exercise surfaced. Organizations looking to assess their own exposure should begin with a risk assessment of every AI system that has access to sensitive data repositories.
What is Project Glasswing?
Project Glasswing is Anthropic’s controlled access program for Mythos – its most capable AI model. Because the model’s offensive security capabilities are considered too dangerous for general release, Anthropic distributes it only to vetted defense and security organizations under strict conditions. As of June 2026, the program had expanded to approximately 150 institutions across more than 15 countries. Those organizations have collectively identified over 10,000 high or critical severity vulnerabilities in their own environments using Mythos. For enterprise security teams, Project Glasswing is instructive as a governance model: controlled access, authorized use cases, constrained scope, monitored operations, and explicit accountability for every query. This is the architecture that enterprises should apply to their own AI deployments. The Kiteworks AI Data Gateway implements this zero-trust model for enterprise RAG workflows and AI data access, ensuring AI systems operate only within explicitly authorized boundaries with a complete audit trail for every operation. The same security risk management discipline that governs Project Glasswing access decisions should govern every AI system that touches sensitive enterprise data.
What does the NSA exercise mean for enterprise threat models?
The NSA exercise suggests that AI-assisted attack capability now belongs in enterprise threat models as a present-day risk, not a future scenario. Security teams should model for adversaries who can enumerate attack surfaces and chain vulnerabilities faster than human analysts can respond to alerts. This means defensive architecture needs to match offensive speed. Detection systems need real-time SIEM feeds with zero throttling – delayed logs are not useful for containing an AI-speed intrusion. Zero trust architecture limits blast radius if an attacker gains initial foothold, since AI-assisted lateral movement is only as damaging as the access it can reach. Policy enforcement at the request level rather than connection authentication is the critical control point – every data operation from every system, including every AI system, needs to be evaluated and logged in real time. Organizations should also review their supply chain risk management posture, as AI-assisted attacks targeting third-party vendor integrations represent a particularly high-risk vector.
Which compliance frameworks govern AI access to sensitive data?
The same frameworks that govern human access to sensitive data govern AI access – and regulators are signaling this increasingly clearly. For defense contractors, CMMC 2.0 compliance requires controlled access to CUI with complete audit trails – obligations that extend directly to AI systems querying covered data. FedRAMP requires continuous security controls and real-time monitoring for federal cloud services. HIPAA compliance requires technical safeguards for PHI access regardless of whether the accessor is human or AI-automated. GDPR requires a documented lawful basis for data processing, which includes AI retrieval. The practical implication is that organizations cannot treat AI data access as outside the compliance perimeter. Every AI system that queries a sensitive data repository should generate the same audit trail and policy enforcement documentation that a human accessor would require – and the Kiteworks platform produces this documentation automatically for every AI operation across every channel. Organizations managing data governance obligations across multiple regulatory frameworks will find that Compliant AI infrastructure provides a unified enforcement layer that satisfies multiple frameworks simultaneously.
What should security teams do first?
Three actions deliver the most practical security impact in the near term. First, conduct an AI data access audit: identify every AI system in your environment that can query sensitive data repositories, and assess whether those queries are governed by zero-trust policy enforcement at the request level or by simple connection authentication. Connection authentication alone is insufficient. Second, verify your audit logs are complete and real-time. If an AI-assisted attacker traverses your environment in hours, logs that are delayed, throttled, or incomplete will not support incident response at the speed the attack demands. Zero trust data protection requires real-time visibility – there is no effective investigation without it. Third, build the same governance model that Project Glasswing uses: controlled access, explicit authorization, constrained scope, and monitored operations for every AI system that touches sensitive data. The CISO Dashboard gives security leadership the unified, real-time visibility across all AI data access events needed to detect anomalous activity at the speed AI-assisted threats demand. Kiteworks secure data exchange provides the infrastructure to implement all three immediately, with one policy engine and one consolidated audit log across every channel and every AI integration.
Additional Resources
- Blog Post: Zero-Trust Strategies for Affordable AI Privacy Protection
- Blog Post: How 77% of Organizations Are Failing at AI Data Security
- eBook: AI Governance Gap: Why 91% of Small Companies Are Playing Russian Roulette with Data Security in 2025
- Blog Post: There’s No “--dangerously-skip-permissions” for Your Data
- Blog Post: Regulators Are Done Asking Whether You Have an AI Policy. They Want Proof It Works.