The UK National Health Service just became the first major government body to take direct defensive action because of one AI model. Today the NHS ordered its technology leaders to wall off hundreds of open-source GitHub repositories by a May deadline. The reason cited in the directive is the rapid advancement of AI cybersecurity tools that can scan public code at machine speed and identify exploitable vulnerabilities in seconds. Anthropic's Mythos was specifically named. Hours earlier, intelligence agencies from the Five Eyes alliance, the United States, United Kingdom, Canada, Australia, and New Zealand, issued joint guidance warning that the rapid rollout of agentic AI systems is creating serious resilience risks. Two separate government actions on the same day pointing at the same underlying concern. The most powerful cybersecurity AI ever built is now too dangerous to allow free access to public code. The era when public GitHub was assumed to be safe by default just ended.

The NHS directive. Technology leaders inside the NHS were given a May deadline to temporarily wall off hundreds of open-source GitHub repositories. The walls are not abstract. They mean that code which has been publicly accessible for years is being moved behind authentication, geo-restrictions, or pulled from public access entirely. The reason cited in the directive is the rapid advancement of AI tools that can scan public code at machine speed and identify exploitable vulnerabilities in seconds. Mythos was specifically named in the reasoning.

Why the NHS is the canary. The NHS runs some of the most critical software infrastructure in the United Kingdom. Patient records, hospital systems, prescription tracking, diagnostic software, scheduling. Much of it is built on top of open source libraries that are themselves hosted on public GitHub. If a frontier AI can scan those libraries and find vulnerabilities faster than human security researchers can patch them, the NHS becomes vulnerable through code it does not even maintain directly. The wall off is a defensive move. Pull the open source code behind a wall so attackers cannot use AI to scan it.

The Five Eyes warning. Hours before the NHS directive surfaced, intelligence agencies from the United States, United Kingdom, Canada, Australia, and New Zealand jointly issued guidance on agentic AI risks. The warning was direct. Agentic AI systems are being deployed faster than security frameworks can adapt. Organizations need to slow down. They need to prioritize resilience over productivity. They need to assume that the AI tools their adversaries are using are at least as capable as the ones they are using themselves.

The numbers behind the panic. Mandiant's M-Trends 2026 report found that 28.3% of CVEs are now exploited within 24 hours of disclosure. Time to exploit went from over 700 days in 2020 to 44 days in 2025. In some cases, exploits are arriving before patches. AI is the reason. Frontier models running on benchmarks like SWE-bench have hit performance levels that translate directly to faster vulnerability discovery in the real world. Defenders cannot patch as fast as attackers can probe.

Because Mythos is not just better than previous AI cybersecurity tools. It is in a different category.

Mythos was launched by Anthropic on April 7 as part of Project Glasswing. It scores 93.9% on SWE-bench. It runs autonomously inside containerized environments, reads source code, forms hypotheses about where vulnerabilities exist, executes proof of concept exploits, and outputs full bug reports. All without human guidance. In early testing it found thousands of high severity vulnerabilities across major operating systems and browsers that human researchers had missed.

Anthropic gated Mythos to 40 partner organizations specifically because they understood what would happen if the model got into the wrong hands before defenders could prepare. Amazon, Apple, Google, Microsoft, Nvidia, JPMorgan Chase, the Linux Foundation, and CrowdStrike are using it to find and fix vulnerabilities at a pace human teams cannot match.

The problem the UK is grappling with is the next phase. Even with Mythos gated to defenders, the underlying capability is now known to exist. Other frontier labs are building toward similar capabilities. White House AI czar David Sacks said publicly last week that GPT-5.5-Cyber already matches Mythos and that all frontier models will reach this level within six months. Once that happens, scanning public code at scale becomes a baseline capability for any sophisticated attacker. The UK is acting now to restrict access to public code before that capability becomes widespread.

Today's NHS directive and the Five Eyes warning are part of a pattern that has been accelerating for weeks.

The Pentagon excluded Anthropic from its classified network deals last week, citing supply chain risk. The White House quietly drafted workaround guidance to let civilian agencies access Mythos. Fortune 500 cybersecurity firms are paying for Mythos access at premium rates. Security researchers across the industry are finding vulnerabilities in their own products faster than they can patch them. And now governments are starting to take defensive measures that affect the basic infrastructure of how software has been built and shared for decades.

The era when public code repositories were a free flowing global commons is ending. The next era will involve more authentication, more geo-restrictions, more enterprise-only access tiers, and more careful curation of what gets published openly. Open source itself is not dying. But the assumption that everything on GitHub is safe to leave public is being rewritten in real time.

For developers this means the world they have built careers in is changing. Code review is going to involve more AI assistance. Security auditing is going to involve more AI assistance. Public contributions are going to require more scrutiny. The old workflow of pushing code to public GitHub and letting the community find issues is going to be supplemented by AI scans that need to happen before the push, not after.

For governments this is the start of a long policy conversation. The UK acted first. Other major government cybersecurity authorities are watching. The Five Eyes alliance issued joint guidance specifically because no single country can solve this problem alone. The next eighteen months will likely produce a wave of national policies on AI access to critical code infrastructure.

The UK National Health Service ordered hundreds of open-source GitHub repositories walled off today, citing Anthropic's Mythos and the rise of frontier AI cybersecurity tools. The Five Eyes intelligence alliance issued joint guidance warning that agentic AI systems are creating resilience risks faster than defenses can adapt. Time to exploit went from 700 days in 2020 to 44 days in 2025. 28.3% of CVEs are now exploited within 24 hours of disclosure. The most powerful AI cybersecurity model in the world is gated to 40 organizations and governments are still acting defensively because they know other frontier models will catch up within months. Open source built modern software. AI just changed what open means. The first government to act is the UK. The next will not be the last.

Article regarding UK NHS being scared of Mythos 👉 Here

Stay building. 🤖