CISA Locked Out of Anthropic's Mythos AI as DoD Maintains Access
CISA is excluded from using Anthropic’s Mythos AI, even as the DoD continues its access.
Why it matters: Federal contractors and in-house counsel must monitor evolving rules as supply chain risk designations and agency-specific AI restrictions impose new legal, compliance, and reporting obligations.
- CISA currently lacks access to Mythos; DoD and intelligence agencies retain use rights.
- The DoD named Anthropic a supply chain risk on April 8, 2026, after disagreements over model controls.
- Mythos has identified thousands of undisclosed software vulnerabilities since its deployment in early 2026.
- The White House is developing a version of Mythos AI with stricter compliance safeguards for broader agency adoption.
The Cybersecurity and Infrastructure Security Agency (CISA) remains excluded from Anthropic’s Mythos AI, a decision that leaves the agency out of a critical tool credited with discovering thousands of previously unknown ("zero-day") software vulnerabilities since early 2026. In contrast, the Department of Defense (DoD) and U.S. intelligence agencies still use the AI system.
Mythos is engineered to autonomously scan and detect software flaws in systems from technology leaders like Microsoft, Apple, and Cisco. "We’re working closely with model providers... to ensure the appropriate guardrails and safeguards are in place before potentially releasing a modified version of the model to agencies," said Gregory Barbaccia, Federal CIO, confirming ongoing White House efforts to make a compliant version of Mythos available to more agencies, including CISA, in the future (Bloomberg).
On April 8, 2026, the DoD formally designated Anthropic as a supply chain risk after a dispute over demands for stricter monitoring controls within Mythos. This move triggers further scrutiny for federal contractors under rules requiring identification and management of supply chain risks tied to advanced technology, especially AI.
Legal professionals supporting federal procurement and compliance should note that CISA and Anthropic have not issued public statements detailing the specific criteria or risks leading to the access restrictions, nor the planned technical safeguards for the forthcoming version. These gaps require careful review of evolving agency guidance and supply chain assessment frameworks.
By the numbers:
- April 8, 2026 — Date DoD listed Anthropic as a supply chain risk.
- Thousands — Number of vulnerabilities Mythos has identified since early 2026.
Yes, but: Neither CISA nor Anthropic have disclosed detailed justifications for the ongoing exclusion or forthcoming compliance features, leaving gaps for legal analysis.
What's next: The White House plans to release a Mythos version with enhanced compliance controls for broader agency use, pending review.