The Next Attack Surface Is Interpretation

Over the past few weeks I have been looking at three ideas that are starting to converge. Anthropic’s concept of Mythos, research on Agents of Chaos, and Project Glasswing.

Individually, each is interesting. Together, they point to a much larger shift.

Anthropic describes Mythos as the internal narrative that governs how an AI system understands its role, its boundaries, and how it should behave. It is effectively how the system decides what is true and who it should trust.

At the same time, the research paper Agents of Chaos on autonomous agents shows that this narrative is not applied in a fixed way. It is constructed dynamically through interaction. Authority, intent, and trust are inferred in real time and can be influenced by tone, framing, and persistence.

In simple terms, these systems can be talked into doing the wrong thing.

Not because they are broken. Not because they are hacked. But because they are persuaded.

This is where Project Glasswing becomes important. Anthropic has developed a model capable of identifying and exploiting vulnerabilities at a scale beyond human teams, but has chosen to limit access and deploy it in a controlled environment within a small group of organizations.

This is a form of controlled deployment, and it reflects a familiar pattern. When capability outpaces control, we restrict access.

But it also starts to resemble a modern version of security by obscurity. Effective in the short term, but unlikely to hold once the capability spreads.

If one organization can build this capability, others can as well. And they will not operate within controlled environments. Limiting access may buy time, but it does not address the underlying issue.

The issue is we are building systems whose behavior depends on interpretation, and interpretation is now an attack surface.

This changes the nature of risk.

We are no longer just protecting systems from being accessed. We are dealing with systems that can be influenced. The controls we rely on today still matter, but they operate beneath a layer that is inherently flexible and, in some cases, manipulable.

This is not just a technical problem. It is a governance problem.

Because if a system can be persuaded, then its decisions cannot be assumed to be reliable without understanding how that decision was formed.

And that raises a bigger question. Not whether a system is secure. But whether its understanding of reality can be trusted.

We are not just defending infrastructure anymore. We are defending how systems decide what is true.