A month after Anthropic's Claude Mythos sent shockwaves through the cybersecurity establishment with its ability to autonomously discover and chain software vulnerabilities, the geopolitics of who gets access to these models has become as consequential as the technology itself.
OpenAI moved decisively on Monday by announcing it would grant the European Union direct access to GPT-5.5-Cyber, a variant of its latest model with loosened guardrails for defensive cybersecurity tasks.
The offer extends to European businesses, governments, national cyber authorities and EU institutions, including the EU AI Office, and sits within a broader initiative the company is calling the OpenAI EU Cyber Action Plan.
The timing and framing are pointed. Commission spokesperson Thomas Regnier confirmed at a press briefing that Brussels has had "four or five" meetings with Anthropic about Mythos access, but that those discussions are "not yet at the same stage" as talks with OpenAI.
In diplomatic language, that means Anthropic has been slower to share, and the Commission has noticed.
When Anthropic released Mythos in April, it adopted a tightly controlled distribution model called Project Glasswing, limiting access to roughly 40 organisations, most of them large US companies and government agencies, including Apple, Amazon, JPMorgan Chase, Palo Alto Networks and several federal departments.
The rationale was that a model capable of finding previously unknown vulnerabilities in critical software was too dangerous to distribute broadly, and that access should be restricted to organisations with the resources and governance structures to use it responsibly.
OpenAI has taken the opposite view. Its Trusted Access for Cyber programme is designed to scale to thousands of individual defenders and hundreds of teams, with a verification process that requires phishing-resistant authentication but is otherwise designed to be accessible.
GPT-5.5-Cyber is explicitly positioned as less restrictive than the standard model: it reduces refusals for legitimate security workflows, including vulnerability identification, malware analysis, reverse engineering and patch validation, while maintaining blocks on credential theft, malware deployment and exploitation of third-party systems.
The EU has spent the past three years building the most comprehensive AI governance framework in the world through the AI Act, the Digital Markets Act and associated enforcement mechanisms.
Brussels has consistently argued that it should not be dependent on the goodwill of American technology companies for access to critical capabilities, and the spectacle of Anthropic's chief executive briefing the White House and Treasury about Mythos while European institutions waited in line reinforced that concern.
OpenAI's George Osborne, the former UK Chancellor of the Exchequer who now leads the company's country-level operations, framed the offer in language designed to resonate in Brussels: "AI labs like ours shouldn't be the sole arbiters of cyber safety, as resilience depends on trusted partners working together."
The statement is a diplomatic masterstroke. It implicitly positions Anthropic as the company that is the sole arbiter, keeping its most capable cyber model behind a velvet rope while OpenAI democratises access. Whether that characterisation is fair, Anthropic would argue its caution is precisely the responsible approach, is less important than how it lands in European capitals that are already sensitive to American gatekeeping of critical technology.
For Anthropic, the risk is reputational and regulatory. If the Commission concludes that OpenAI is the more cooperative partner on cybersecurity, that perception will colour every future interaction, from DMA enforcement to AI Act compliance negotiations to procurement decisions across the bloc's institutions.
The Commission confirmed it will continue discussions with both companies this week, but the sequencing tells its own story: OpenAI has already delivered access while Anthropic is still talking.
Related reading
- Anthropic's Claude Mythos faces questions over value despite strong cybersecurity scores
- OpenAI warns macOS users to update apps after supply chain security breach
- Microsoft warns AI agents risk becoming "double agents" as it unveils security controls at RSAC
The underlying technology is less different than the distribution strategies suggest. OpenAI has acknowledged that GPT-5.5-Cyber is not intended to be a significant capability upgrade over standard GPT-5.5; it is primarily a permissions change, lowering the refusal threshold for security-related tasks.
Mythos, by most assessments, remains the more capable model for autonomous vulnerability discovery. But in the emerging geopolitics of AI cybersecurity, the question of who can use the model is proving at least as important as what the model can do.
The recap
- OpenAI to give EU access to GPT-5.5-Cyber model
- Model rolled out in preview to vetted teams
- European Commission plans further discussions with companies this week
