Silverfort Stopped Anthropic's Mythos in Two Hours

Anthropic's Mythos wasn't stopped by a new firewall, a faster SOC, or another round of vulnerability scanning. During a real-world enterprise exercise, the autonomous AI system moved from initial access to domain admin in roughly two hours by exploiting posture gaps, excessive permissions, and poorly governed service accounts. According to the documented case study, Silverfort's runtime identity controls ultimately disrupted the attack chain and prevented further lateral movement. The incident offers one of the first publicly documented examples of an organization testing defenses against a Mythos-class AI attacker and provides an early look at how machine-speed attacks may reshape enterprise identity security.

Updated on June 12, 2026

The Setup

The AI security conversation has been full of theoretical threat models for two years. CISOs have sat through presentations about what frontier AI models could do to enterprise environments. Then a large North American technology company actually ran one — Anthropic's Mythos — against its production environment, with no safety net and no artificial constraints.

Mythos was designed for advanced cybersecurity research and autonomous penetration testing. It doesn't invent new attack techniques. What it does is execute existing techniques — credential enumeration, lateral movement, privilege escalation — continuously, adaptively, and without the pauses and errors a human operator introduces. The security industry has spent a decade building detection and response programs around the assumption that there's meaningful time between an attacker's actions and a defender's response. That assumption is now empirically broken.

The issue is less that the model is clever than that enterprise environments are full of posture debt — over-permissioned service accounts, undefined authentication paths, trust relationships that nobody has revisited in years — and frontier AI can find and exploit that debt faster than any team can investigate and remediate. The test didn't expose a new vulnerability class. It exposed how quickly an AI-driven operator can weaponize the vulnerabilities that were already there.

This matters right now because Project Glasswing has made Mythos available to a small group of trusted organizations for exactly this kind of structured testing. The enterprises running these exercises are getting a preview of what an AI-powered adversary looks like in a real production environment. The organizations that haven't run one are operating on assumptions that may no longer hold.

What Actually Happened

A large technology company with over 40,000 employees decided to run a real-world test. They turned Anthropic’s Mythos model loose inside their production environment as an autonomous red teamer. The goal was simple but important: see how an AI-powered attacker would actually behave if it got inside their network.

What happened next was striking. Within roughly two hours, Mythos went from an initial foothold all the way to full domain administrator access. It escalated privileges multiple times, moved laterally through the environment, and eventually pulled password hashes from production systems. It didn’t need to invent any new exploits. It simply found and chained together weaknesses that were already there — things like over-permissioned service accounts, gaps in their security posture, and a lack of strong controls at the moment of access.

As one of the security leaders involved in the test put it:

“The lesson for us was that AI dramatically compresses the time between initial compromise and real impact. You don’t have time to wait for everything to land downstream.”

After seeing how fast the attack moved, the company brought in Silverfort to implement runtime identity controls. When they ran the test again with those controls active, the difference was significant. Mythos was effectively blocked from spreading. In fact, the security team eventually had to turn the controls off just so they could continue testing.

One of the leaders summed it up directly:

“Silverfort is phenomenal. It blocked Mythos’ attempts to spread in the network. At some point we had to disable Silverfort’s defenses to allow further testing.”

That second comment carries real weight. It’s one thing for a vendor to say their solution works. It’s another when the customer admits they had to disable it just to let the attack continue.

How the Attack Moved

Mythos doesn’t operate like a human attacker. A person usually goes after specific high-value accounts because they know what’s worth targeting. Mythos, on the other hand, looks at the entire environment as one big connected web of trust. It tests every possible path — every service account, every permission, every trust relationship — all at once. It doesn’t get tired, it doesn’t second-guess itself, and it doesn’t need to ask for help. It just keeps moving and adapting based on what it finds.

This speed completely breaks how most security teams are set up to defend. Attack paths that used to take hours or even days can now unfold in minutes. By the time someone sees an alert, the AI may already have reached domain admin.

Traditional identity tools struggled for different reasons.

Identity Governance and Administration (IGA) systems are built around policies and scheduled reviews. They’re designed for normal human changes like people joining or leaving the company. But Mythos moved faster than most access review cycles. Static policies simply can’t keep up with an attacker that’s constantly discovering new paths across a complex environment.

Traditional Privileged Access Management (PAM) also fell short. It focuses on protecting a known list of privileged accounts through vaulting and session controls. Mythos didn’t limit itself to those accounts. It used whatever it could find — including over-permissioned service accounts that were never properly locked down. In this case, it was a regular service account that helped it make the final move to domain admin.

Detection and response tools ran into the same timing problem. They’re designed to spot unusual behavior after it starts. When an AI is moving quickly using legitimate credentials and normal authentication methods, it often looks like a busy administrator doing their job. By the time an analyst reviews the alert and starts investigating, the damage may already be done.

As one of the security leaders put it:

“We needed controls we could apply quickly and inline at the identity layer, without creating friction across the business.”

Governance Implications

The Mythos exercise showed how weaknesses that had quietly built up over time across the environment enabled a fast-moving attack. The path to domain compromise already existed. Mythos simply followed it at a speed most organizations aren’t used to seeing.

Looking at the exercise through GAIG’s four control layers helps show where those weaknesses were and how the attack was able to advance so far.

Governance Layer

A key issue surfaced around a service account that carried significantly more risk than the organization realized. Ownership documentation was incomplete, the full scope of its permissions wasn’t clearly understood, and there was no formal classification of the potential impact if it were misused.

These situations develop gradually in large enterprises. Teams change, systems evolve, responsibilities shift, and accounts often remain active long after their original creators have moved on. Over time, visibility into these identities slowly fades.

When Mythos used this account, it highlighted the difference between what the organization believed it knew about its identity environment and the actual reality.

Security Layer

The attack chain took advantage of existing permissions and trust relationships throughout the environment. Accounts had access to systems they no longer needed. Old authentication paths remained open even though their original purpose had disappeared. Service accounts held privileges that went well beyond what their roles required.

While each permission may have seemed reasonable when originally granted, together they created a viable route across multiple systems and privilege boundaries. The exercise made clear that many security programs focus primarily on well-known privileged accounts and high-value assets, while quieter, less-scrutinized paths often receive far less attention.

Monitoring Layer

The organization had logging and monitoring in place. Authentication events were captured, security tools generated alerts, and analysts had access to relevant data. However, the speed of the attack created real challenges. Because Mythos operated through legitimate credentials and normal authentication channels, its activity blended in with regular business operations. By the time the alerts stood out as clearly suspicious, the attack had already made significant progress.

This highlights a growing reality for security teams: having visibility is essential, but it must be paired with response processes that can match the pace of modern threats.

Compliance Layer

Once the attack reached domain-level access and began extracting password hashes, it entered an area that would have carried serious regulatory consequences in a real incident. Frameworks in regulated industries place heavy emphasis on understanding how access to sensitive systems was obtained, how credentials were exposed, and whether the organization can fully reconstruct the sequence of events. Producing that level of detailed explanation after the fact is often much more difficult than identifying the final point of compromise. It requires piecing together governance decisions, permission assignments, and trust relationships that enabled the attack path.

The Mythos exercise demonstrated how an attack can cross multiple control layers before reaching its target. The runtime identity controls introduced in the second phase effectively disrupted the attack in real time. At the same time, the underlying governance issues that allowed the path to exist in the first place still required attention.

This distinction matters deeply for organizations in regulated sectors. As autonomous systems gain the ability to explore and exploit identity environments at high speed, traditional risk management approaches will need to evolve. Stronger detection is important, but long-term success will also depend on much deeper governance — particularly around identities, permissions, ownership, and trust relationships across the enterprise.

What's Still Missing

The case study and supporting materials are well-produced and the results are credible. But they're vendor documents, and vendor documents are written to make the vendor's product look necessary. A few important questions go unanswered.

  • Which specific posture weaknesses did Mythos exploit? The documents say "posture gaps and over-permissioned identities" but don't name the specific misconfigurations, the specific service accounts, or the specific trust relationships. For a real-world failure analysis, that specificity matters. Knowing what broke tells you what to look for in your own environment. General patterns are less useful than specific failure signatures.

  • Did alerts fire and get ignored, or did nothing fire at all? The documents say detection was too slow. Those are two different governance problems. If alerts fired and no one acted, the issue is accountability and response SLA — a monitoring program design failure. If nothing fired, the issue is detection coverage. The distinction changes what you build next.

  • Is this Silverfort-specific or is the principle general? The case study is written by Silverfort. It's reasonable to believe that runtime identity enforcement at the authentication layer — the core capability demonstrated — would produce similar disruption to machine-speed attacks regardless of vendor. The principle is sound. Whether Silverfort's specific implementation is the only way to achieve it is a different question buyers should ask during evaluation.

  • AI agent governance is absent from the defensive response. This is the most significant gap. Mythos operated as an autonomous agent. The controls that stopped it were identity controls on service accounts and authentication flows — not controls on the AI agent itself. That distinction matters because the industry stopped this attack. But the governance infrastructure for AI agents acting as attackers — agent-level identity, agent-level access controls, agent-level audit trails — doesn't exist in most enterprise programs. The Mythos exercise proves runtime identity controls can break the attack chain. It doesn't prove we have the governance architecture to handle AI-on-AI adversarial scenarios at scale.

  • No cost or consequence data. The case study describes a controlled test, not a real breach. The "what it would have cost" analysis — financial exposure, regulatory consequence, data exfiltration scope — is absent because the test was stopped. That's appropriate. But readers evaluating organizational risk need to do that analysis themselves, because the Mythos exercise only shows what was possible.

Sources

    1. Silverfort. Fighting AI-powered attacks: How Silverfort stopped Mythos. Case study, 2026. silverfort.com

    2. Silverfort. Why Runtime Identity Security is the only way to stop AI-powered attacks. Product brief, 2026. silverfort.com

    3. Silverfort. How to stop AI-powered attacks: A readiness guide for Identity and Security teams. eBook, June 2026. silverfort.com

    4. GetAIGovernance.net. Your Agents Are Running. Nobody Owns What They Do. May 7, 2026. getaigovernance.net/blog/your-agents-are-running-and-nobody-owns-what-they-do

    5. GetAIGovernance.net. SlashID Launches AI Identity Governance to Close the OAuth and MCP Security Gap in Agentic AI. May 5, 2026. getaigovernance.net/blog/slashid-launches-ai-identity-governance…

    6. Silverfort. Silverfort Expands its Non-Human Identity (NHI) Security Offering to the Cloud. Press release, April 28, 2025. silverfort.com

    7. Anthropic. Project Glasswing — program overview. anthropic.com/glasswing

Our Take

AI Governance Take

The Mythos exercise made one thing painfully clear: governance debt in your identity environment is no longer just theoretical risk. When frontier AI gets involved, that debt becomes a fast, operational attack path.

Most organizations are still treating identity governance as a housekeeping issue. Mythos showed it’s actually one of the highest-leverage attack surfaces they have. Here’s what the evidence strongly suggests organizations should do next.

First, start with service accounts. Everything else is downstream. Mythos found and exploited an over-permissioned, poorly understood service account faster than any human red team would have. If you don’t have a complete inventory, clear ownership, strict least-privilege baselines, and proper fencing around your service accounts, that is currently your shortest path to domain compromise. Fix this before investing in advanced runtime tools or briefing the board on AI risk. This is foundational governance work.

Second, reposition detection as a supporting control, not the main line of defense. The exercise showed that detect-correlate-triage workflows are simply too slow when facing machine-speed attacks. Detection remains valuable for visibility and investigation, but if your primary strategy depends on analysts catching and responding to alerts before damage is done, the math no longer works. Runtime enforcement at the point of authentication needs to become a core part of your security architecture.

Third, run the test before a real adversary does. The organizations that participated in the Mythos exercises gained something incredibly valuable: empirical, environment-specific evidence of how AI-powered attackers behave inside their network. Generic threat intel can’t show you which of your service accounts leads to domain admin. A targeted AI red team exercise can. Treat the results as a prioritized remediation list, not a compliance checkbox.

The message is straightforward. AI isn’t just making attacks faster — it’s exposing weaknesses that were already there. The organizations that succeed will be the ones willing to do the hard governance work now, before an actual incident forces them to.
