Join War on the Rocks and gain access to content trusted by policymakers, military leaders, and strategic thinkers worldwide.
Earlier this spring, Claude’s developers found the cyber potential of Anthropic’s model, Mythos 5, hazardous enough to pump the brakes on model release, creating the Project Glasswing collaboration to give cyber defenders the upper hand through controlled access to the model. Despite these efforts, the U.S. government stepped in on June 12, 2026, and forced Anthropic to take down Mythos and its safeguarded form, Fable 5 — an action the company disputed, calling the trigger a narrow, nonuniversal jailbreak. A lack of standard processes, complex legal terrain, and information-sharing obstacles resulted in a “pickup game” where, absent a shared factual basis, government and industry invented the rules of the road in the moment, rather than through structured, routine public-private collaboration. Following agreement with the government, on June 30th, Anthropic restored access to Mythos and Fable. In the aftermath of these events, especially the seemingly punitive and arbitrary way in which the government has administered control, public-private trust in frontier AI is running low. But the answer lies in more bridges — not higher walls — between the government and the nation’s frontier AI companies.
Mythos’ cyber capabilities have galvanized the national security community around the growing potential for high-consequence AI misuse, including by well-resourced state actors, prompting new directives, structures, and tasking for addressing cyber threats. But Mythos is the latest challenge, not the last. With other high-risk threshold-busters on the way, cyber threats won’t take center stage for long, and cyber-tailored solutions will not address the highly sensitive AI-misuse threats on the horizon. Frontier models will continue to surpass capability thresholds, creating opportunities for misuse and increasing pressure to keep these capabilities out of the wrong hands while defenders play catch-up. Moreover, a threat-informed understanding of how malign actors seek to acquire and use AI-enabled high-risk capabilities will remain locked behind highly classified walls. Building much-needed public-private sector trust will be difficult, but without it, the structures, relationships, and protocols for sharing essential information to face the next challenge will not exist.
As of 2025, frontier models were already “outperforming 94% of expert virologists” according to one of the most extensive benchmark studies to date. While this benchmark measures knowledge, not weaponization, it does set a trajectory for the continued rapid expansion of frontier model capabilities in the biological sciences. The day when frontier models can exceed their defined critical capability thresholds by providing substantial uplift to the “chemical, biological, radiological and nuclear development capabilities of moderately resourced state programs,” or enabling development of “a highly dangerous novel threat vector” will soon be within striking distance. Unfortunately, this distance is closing faster than our institutions can adapt.
As frontier models approach these thresholds through advanced capabilities such as protein design and advanced genomics, observers increasingly share the concern that a “Bio Mythos’ Moment” could soon become a reality. And yet, this moment will not look like the last. In the cyber domain, the path from capability to potential misuse is clear. Cyber attacks are common and fairly predictable, and the organizational structures for sharing information (at least at the unclassified level) are more developed. Demonstrable use cases for biological risks are (thankfully) rare, and pre-established mechanisms for government-industry information sharing do not exist. Dual-use complexities and dependencies on highly sensitive threat information further complicate this terrain.
As companies approach these critical risk thresholds in the biological arena, we should expect to sit uncomfortably in a complex window of ambiguity, where anxieties run high and shared context is low. The question is: Can we build the team and playbook now, or only after the next crisis arrives?
The policy community recognizes these gaps, especially in the aftermath of Anthropic’s Mythos review and release process. Various proposals converge on the need for stronger, more structured government-industry channels for AI threat and risk information. The Institute for AI Policy and Strategy’s national security playbook for frontier AI proposes designating a “federal fusion point for AI risk information.” The Center for Security and Emerging Technology also makes the case for sharing national-security intelligence with frontier developers, and the Center for a New American Security’s Prepared not Paralyzed report recommends expanding AI information-sharing with the AI industry. Finally, the June 5 National Security Presidential Memorandum goes further, recognizing that the national security enterprise should adopt advanced AI faster, while securing AI systems and defending against AI-enabled threats. It is time to move beyond general principles, however, and build the structures necessary to meet the challenge at hand.
The private sector’s dominance in frontier AI development creates a critical gap in our understanding of the evolving threat landscape, particularly around complex, highly technical, and often highly classified risks such as chemical, biological, radiological, and nuclear threats. Without shared data and joint threat analysis, the United States cannot adequately identify, evaluate, and warn of new and emerging AI-enabled national security risks, nor evaluate dual-use information hazards or conduct classified, threat-informed evaluations of frontier models. The moment calls for an AI Threat Fusion Center — charged with this intelligence coordination and public-private information fusion mission, established in partnership with frontier AI companies, and built on a foundation of mutual benefit, strong civil liberty protections, and sound governance. Such a standing body could provide the bidirectional, classified channel that is missing today.
While the president’s national security memorandum does not specifically direct this kind of classified threat- and risk-sharing entity, its private-sector partnership provisions aimed at securing AI systems and resources against foreign threats suggest an opportunity to engage proactively. An AI Threat Fusion Center would be fully consistent and could be included as part of the interagency 120-day tasking to build partnerships for sharing threat intelligence, joint red-teaming, personnel vetting, and data-center security. The White House guidance, however, is cyber-focused and still treats the needed public-private partnerships as a series of ad hoc arrangements. The interagency response should also call for a standing chemical-biological-radiological-nuclear-prioritized entity, with infrastructure and cleared personnel, ready for what is coming.
An AI Threat Fusion Center should focus on closing concrete national information security gaps, while supporting and complementing — not duplicating — the broader AI industry-government efforts already underway. Fortunately, this effort does not start with a blank slate, but can leverage and learn from other entities charged with integration, information sharing, and coordination functions. Structures such as the Center for AI Standards and Innovation and the Frontier Model Forum, along with informal industry-government collaborations, can bridge gaps and alert authorities to AI risks through voluntary information sharing and expanded unclassified model evaluations. While this entity’s national security mission would be distinct, close coordination with other information-sharing bodies like the Information Sharing and Analysis Centers, which focus on AI cybersecurity incidents and vulnerabilities rather than classified national security threats, remains essential.
Companies need government threat intelligence to ground theoretical risks in the real-world data needed to design effective mitigations. National security and intelligence agencies require rapid, consistent, and appropriately sanitized reporting of suspicious and malign actor behavior to detect and fuse threat patterns and to respond rapidly to misuse in high-stakes contexts like nuclear and biological risks. Existing structures cannot provide the legal authorities, classified communication and computational systems, nor the ability to maintain cross-cleared personnel at sufficiently high levels of access to share and analyze intelligence and threat data.
Meeting this challenge requires new structures, organizations, systems, and protocols to build common risk frameworks and actionable threat assessments, integrate public and classified information securely, and facilitate crisis preparedness and response. Through this AI Threat Fusion Center, government and industry can fuse threat intelligence to calibrate safety measures, inform classifier design, and evaluate dangerous capabilities, while giving government and frontier companies better insight into how malign activity manifests inside the models. An AI Threat Fusion Center would fill a specific gap: structured sharing of classified, threat-sensitive information on AI-related security risks that requires the communication, computational systems, facilities, and authorities of the intelligence community.
Such an entity, however, also requires reciprocity, trust, and transparent governance to ensure mutual benefit and genuine multidirectional information flows. Clear firewalls should prevent the use of shared threat data for punitive regulatory or law enforcement action, while safe harbor protections can reduce liability risks for companies engaging in good faith. Company-provided information should be limited to threat-relevant information such as suspicious actor patterns, high-risk prompts and outputs, model capability findings, information-hazard questions, and evidence of foreign targeting or misuse — not identifiable user logs or proprietary information. Similarly, while intelligence analysis and reporting are essential, the AI Threat Fusion Center should remain isolated from any foreign intelligence collection responsibilities or domestic law enforcement. The National Counterterrorism Center offers a model for how such a center can provide codified oversight and appropriate legal authorities to protect information involving U.S. persons, while providing the classified infrastructure, cleared personnel, and convening power needed to bring technical intelligence agencies like the National Security Agency together with the analytic expertise of the Central Intelligence Agency. Finally, a shared governance structure including both company and government stakeholders could ensure information and benefits travel in both directions.
Ideas matter, but success and the mutual benefits to keep all stakeholders engaged hinge on the mechanics. An AI Threat Fusion Center providing genuine bidirectional information sharing and coordination on AI-enabled national security risks requires the following: authorities, personnel, resources, and classified infrastructure — pursued with urgency and flexibility.
Tasks and Responsibilities
This center would conduct day-to-day sharing of company-sensitive and classified threat data and manage secure distribution and handling across participants. It would develop threat-informed risk assessments, with analytic capacity to contextualize and fuse technical findings with sensitive intelligence, prioritizing high-risk sectors such as chemical, biological, radiological, and nuclear risks that are not already addressed in other coordination mechanisms. Working with government partners, the AI Threat Fusion Center would also conduct classified evaluations of frontier models and provide structured, consistent channels for AI companies to report indications of malign or high-risk behavior to national-security stakeholders. Finally, the center would assess information hazards regarding the release of dual-use data, as well as coordinate and transmit detection and warning data for crisis scenarios.
Physical Infrastructure and Security
An AI Threat Fusion Center requires cross-cleared personnel and secure communications, storage, and meeting facilities. As clearing private-sector staff will remain slow, and the cleared population will stay small and limited to U.S. citizens, a realistic model would include a core of cleared experts, supplemented by one-time read-ons and compartmentation in the most sensitive areas. Wide diffusion of sensitive information throughout the frontier AI companies, especially where non-U.S. citizens are present, is not realistic or appropriate. “Tear line” procedures — providing products at lower levels of classification for sharing purposes — and time-driven downgrading will be essential. Security assessments must include vetting models and classifiers for their susceptibility to misuse or manipulation by adversarial or malign actors. Finally, this entity would provide classified computing capacity, secure facilities, and the machinery for clearing and managing cross-cleared personnel.
Resources and Personnel
Cost- and personnel-sharing can bridge the gap between government and industry compensation and leverage the resources AI companies already spend on safety. Rotational and temporary-duty models such as the U.S. Digital Service, the National Guard and Reserve, or liaison assignments offer templates. The Institute for AI Policy and Strategy playbook’s “National AI Reserve Corps” concept of pre-vetted experts activated as Special Government Employees and non-reimbursable secondments offers another option. Incentives such as liability relief and export-control safe harbors could draw companies to engage and contribute in-kind. An exchange of “seats” through Joint Duty Assignments or intergovernmental details with other key national security partners, such as the Department of Defense, could ensure close coordination and efficient communication.
Authorities and Legal Requirements
In addition to essential civil liberty protections, any information-sharing architecture must be designed with anti-trust and export control constraints in view and must provide the mechanisms to address them. For example, nonproliferation and export control laws prohibit governments and industry partners from sharing information that could facilitate the proliferation of sensitive weapons-related information. The compliance risk compounds this, as transmitting controlled findings can expose a lab to civil penalties and criminal liability, making non-disclosure, rather than information sharing, the safer course. Anti-trust concerns also arise when frontier players appear to pool information for mutual benefit. A formal entity with a clear mandate and governance structure for AI and national security information sharing can reduce these friction points by clarifying who is eligible to receive sensitive dual-use information and how it should be reported, controlled, and shared. The 2014 joint Federal Trade Commission and Department of Justice policy statement also offers the precedent that well-designed information sharing can mitigate anti-trust issues, and co-mingling anonymized data inside the entity rather than among companies can further reduce the risk. Complex export control restrictions, many of which are ill-suited for the complexities of today’s AI industry, may require legislative relief, but the existence of the entity could help set the conditions to create the necessary safe harbor arrangements like those provided in the Cybersecurity Information Sharing Act of 2015. Finally, nondisclosure agreements, information security, and antitrust instruments must also be in place before the entity operates.
Bilateral and Multilateral Engagement Structures
AI’s national security risks will not stop at borders, and neither should our ability to coordinate and cooperate on information-sharing with allies, partners, and key international organizations. An AI Threat Fusion Center can support and leverage existing networks, including the relationship between the Center for AI Standards and Innovation and the U.K. AI Security Institute, as well as the International Network of AI Safety Institutes initiated at the AI Seoul Summit 2024. A fully joint entity would be too complex and slow to negotiate. However, a networked approach is likely to be more feasible and could later accommodate additional partners, including through the “Five Eyes” intelligence-sharing community comprised of Australia, Canada, New Zealand, the United Kingdom, and the United States — assuming the partners can manage the many export control challenges successfully. Finally, profound knowledge gaps remain between the United States and the United Kingdom and most other states, gaps that predate AI and will widen given limited foreign access to the frontier models.

The rate of AI advancement and the associated global diffusion of high-risk dual-use technologies will not slow to the pace of normal bureaucratic processes. There is no time for lengthy reviews or interagency slow rolling. Rather, the timelines at hand require improvisation and adaptability to avoid repeated pick-up games. The next 120 days offer a critical opportunity for progress. What do we do next?
Build the Partnership
Quickly convene high-level government and industry stakeholders to outline the governance process and build support and mutual interest. Within government, engage collaboratively to bring the intelligence community, the Center for AI Standards and Innovation, and the frontier companies into the process to ensure shared success.
Prioritize Filling Gaps, Not Overall Centralization
An AI Threat Fusion Center fills key gaps in sensitive and classified information-sharing, but it does not need to be a one-size-fits-all solution — it cannot do everything all at once. Given the relative consensus that AI biological risks are on the horizon, start there. Use the National Security Presidential Memorandum process to assign clear expectations for timelines to achieve operational readiness. The initial stand-up plan should include deliberate timelines and processes to quickly expand topics and participants in response to evolving conditions.
Plan for the Future
Design the flexibility needed to respond to the unforeseen risks that will inevitably appear and the mechanisms to expand and engage new companies, government components, and international partners as the needs arise from the outset. Identifying the primary residence for the center, formalizing the ground rules, establishing a minimum classified backbone, and accelerating the process for clearing essential personnel are day-one tasks.
Test and Iterate
As part of the stakeholder development process, develop a series of tabletop exercises to engage government and frontier lab representatives in a dialogue and explore these information-sharing challenges in both day-to-day operations and potential crisis simulations. Scenario “stress testing” is necessary to test and shape potential solutions and determine how best to manage the seams and gaps that can emerge from any organizational fix. An incremental, spiral approach to building this capacity fits the administration’s innovation-first frame in the 2025 AI Action Plan. Organizational change not tested for real risk reduction wastes time and money.
Be Practical, if Not Perfect
Practical solutions, even if stop-gap or intermediate measures, are more important than perfect ones. Ideal solutions, especially those that require complex negotiations, new authorities, and large government resource investments, risk being late to need. And the need is for action today.
Fundamental information gaps create blind spots and inhibit efforts to deter, detect, and mitigate national security threats. A more permanent solution is essential to prevent each new revelation or foreign actor intrusion sparking a new round of organizational improvisation. An enduring enclave for AI national security information sharing will allow government and industry to share resources, risk, and responsibility. While cyber threats are the problem of the day, national security information sharing across the threat spectrum — including AI-enabled chemical, biological, radiological, and nuclear threats — is essential in addressing tomorrow’s threats before they fully materialize. Moreover, the inability to maintain sensitive information in a structured and secure manner not only inhibits day-to-day risk characterization and prioritization. It also prevents the routine habits of communication essential in a crisis. Effective crisis response shouldn’t be improvised. It requires pre-established legal frameworks, cross-cleared personnel, secure facilities and communications, and validated access agreements that are built in advance, not on the fly. Anthropic’s Mythos is a wake-up call that may finally tip the scales towards action and provide the sense of urgency needed to take on this difficult organizational and structural challenge. It shouldn’t take a bio Mythos moment, or worse, to launch the bureaucratic innovation we need.
Rebecca Hersman is a senior research scholar at GovAI focusing on national security risks, including chemical, biological, and nuclear weapons. She previously served as director of the Defense Threat Reduction Agency, director of the Project on Nuclear Issues at the Center for Strategic and International Studies, and deputy assistant secretary of defense for countering weapons of mass destruction.
Image: Midjourney