The National Security Agency cannot stop using a blacklisted AI model — because the model found a bug that evaded human detection for 27 years.
The vulnerability, a memory handling error in OpenBSD's TCP networking code that sat undetected since 1998, is the reason the NSA is still running Anthropic's Mythos Preview, according to two sources who confirmed the agency's continued use to Axios. The Pentagon designated Anthropic a supply chain risk on February 27, 2026, after the company refused to restrict the model from use in autonomous weapons or mass surveillance of Americans, a designation that bars federal contractors from using Anthropic technology in defense work. A federal appeals court declined to block that restriction while Anthropic's legal challenge proceeds, Reuters confirmed.
Mythos Preview, Anthropic's most powerful model to date, also found a 17-year-old remote code execution hole in FreeBSD's network file system and a 16-year-old bug in FFmpeg's H.264 codec during its testing — all missed by human researchers over decades of collective scrutiny. In Anthropic's own benchmark tests, Mythos fully compromised all ten test systems — what security researchers call full system takeover — compared to near-zero success for the prior Opus 4.6 model. Anthropic has not disclosed what specific NSA systems the model is running on or what it found inside those systems.
The NSA is not alone. Treasury and State have separately requested Mythos briefings, Reuters reported. The Commerce Department Center for AI Standards and Innovation is actively assessing the model, RedState reported. The pattern — multiple agencies treating the Pentagon's designation as a negotiating position rather than a final answer — suggests the governance structure the blacklist was supposed to create is under real pressure, according to legal analysts at Just Security.
The blacklist has a specific legal basis. The designation traces to a February 27, 2026 directive from President Trump directing federal agencies to cease using Anthropic technology, followed by Defense Secretary Pete Hegseth formally designating the company a supply chain risk, Mayer Brown explains in a legal analysis. Federal contractors are barred from using Anthropic products in defense work. The NSA's use case falls outside that contractor restriction — the agency operates under different legal authorities — but the optics of running a blacklisted model while the appeals court weighs the designation's legality have not gone unnoticed inside the Pentagon, according to people familiar with the matter.
Anthropic has disclosed the vulnerabilities through standard responsible disclosure channels and offered detailed write-ups to affected projects. Most received patches. Fewer than 1 percent of the vulnerabilities Anthropic discovered across its broader testing have been patched, according to the company's blog. Anthropic will restrict access to prevent harm, but the capability itself is now in the world. The question is who gets to decide who uses it — and on what terms.
