Two days after an unauthorized Discord group accessed Anthropic's Mythos cybersecurity model through a third-party contractor portal, OpenAI shipped GPT-5.5 alongside Trusted Access for Cyber, an identity-gated program that publishes its eligibility criteria. Mythos itself was accidentally surfaced one month earlier through a default-public CMS leak, so this is the second governance failure in its short public lifecycle. Within the same week, the first competitive market for frontier-cyber AI access took shape, and the two governance regimes that now define it are not interoperable. One is documented; the other is not.
GPT-5.5 hit 81.8% on CyberGym, a benchmark of 1,507 real historical vulnerabilities across 188 software projects (during development, AI agents on the benchmark discovered 35 zero-days with an average undetected lifetime of 969 days). The UK AI Safety Institute reported in OpenAI's system card that the model solved a 32-step corporate-network attack simulation, estimated to take an expert 20 hours, end-to-end in one of ten attempts. OpenAI classified the model "High" capability under its Preparedness Framework, but below the "Critical" threshold that would prevent general availability. Cybersecurity firm Irregular found a 2.7x cost reduction on complex offensive scenarios compared to GPT-5.4, even though API pricing doubled to $5/$30 per million tokens.
For the first time, two frontier labs have shipped competing access-control regimes for offensively-capable models in the same week, and CISOs at critical-infrastructure operators have to negotiate identity verification with both.
What TAC Publishes
OpenAI's Trusted Access for Cyber program is a published policy document, not an unwritten selection committee.
The eligibility criteria name the categories of organizations qualified to receive identity-gated cyber access, including operators of critical infrastructure such as power grid, water systems, and taxpayer data. The published framework establishes a verification pathway: organizations register, undergo identity verification, and gain access to a fine-tuned cyber-permissive variant of GPT-5.4 (announced April 20, three days before the GPT-5.5 launch). The document specifies what unlocks: deeper offensive-tool capability, fewer refusal triggers on legitimate red-team workflows, and audit logging.
The architecture is auditable in the way that governance research treats auditable; a third party can read the rubric, evaluate whether it matches stated principles, and assess whether the verification pathway is actually doing what it claims. Reasonable people can disagree with how OpenAI drew the eligibility lines, but they have something concrete to disagree with.
What Glasswing Has Not Published
Anthropic's Project Glasswing, which I covered on April 23, restricts Mythos access to approximately 50 organizations selected by an internal committee. The selection criteria are not public, the appeal process does not exist, and the organizations on the list are not disclosed.
The contrast became operational on April 21, when the Mythos breach occurred through a third-party contractor portal. According to TechCrunch's reporting, the unauthorized Discord group identified the model's location partly by guessing Anthropic's URL conventions, and insider involvement included an employee at a third-party contractor working with Anthropic. This is the second AI-lab-via-contractor incident in three weeks; Mercor's 4TB exfiltration on April 2 established the pattern, and Mythos confirmed it. The breach is not a moral failing of Anthropic's screening committee, but it is a test of whether the closed governance model produces better operational security than a published one. The first datapoint is that it did not.
Within four days of each other, two frontier labs ran the same governance experiment with different transparency levels. This is the same week-apart divergence pattern that played out on agent-config patching the prior week, where both labs declined to ship fixes in nearly identical postures within five days. OpenAI showed that a frontier lab can publish a rubric for offensive AI access; Anthropic's position that publication would compromise security is now a choice, not a constraint.
Why Auditable Governance Wins Procurement
The strongest counterargument to TAC's published rubric runs as follows: a public eligibility criterion is also a public attack surface. Adversaries who read the rubric can structure shell entities or contractor relationships to satisfy the verification requirements, and the fact that the document exists means the criteria can be gamed.
The counterargument is partially correct, but it does not change the procurement reality. CISOs at critical-infrastructure operators are not choosing between TAC and a perfect access-control regime; they are choosing between TAC and Glasswing, and they have to integrate both into their threat models because neither lab will hold off offensive-capable AI development for the other. The CISO question becomes operational: which governance regime can my legal, compliance, and risk teams actually evaluate? An auditable rubric, even an imperfect one, is procurement-tractable in a way that an internal committee is not.
There is also no transfer between the two programs. A CISO at a power utility who wants cyber AI capability from both labs has to apply for verified-defender status twice: once through OpenAI's documented TAC process, once through Anthropic's opaque Glasswing committee. Getting approved at one lab does nothing for you at the other, and there is no shared standard for what "verified defender" means across the two private companies running the verification. This is the same procurement architecture that produced the vendor-concentration problem in Dutch healthcare: a private company is making cybersecurity access policy for the enterprise market, and the regulator has no rubric to evaluate it against.
What the Preparedness Framework Is Actually Doing
OpenAI's Preparedness Framework classifies GPT-5.5 as High capability but below Critical, which is the threshold that would block general availability. The Critical threshold is defined as the ability to identify and develop functional zero-day exploits across many hardened real-world critical systems without human intervention.
GPT-5.5 did not independently produce a functional full-chain exploit, so it qualifies as High rather than Critical. But the model solved a 32-step expert-grade corporate-network attack in one of ten attempts, and the per-success cost on complex scenarios fell 2.7x. The framework's binary structure (High versus Critical) treats this as a single capability gate, but the operational threat-model implication is that defenders are paying twice as much for a tool whose attack-dollar-equivalent just got cheaper. This matches the dynamic I described from RSAC 2026: defenders are competing on time and budget against an adversary economy whose unit cost keeps falling, and the labs' governance frameworks are calibrated to ship capability on the High side of the line.
The "below Critical" classification is not wrong, but it is doing more procurement work than its definition supports. This is the same probability-without-blast-radius problem I flagged in Anthropic's ASL-3 reasoning: the framework's binary thresholds are calibrated to ship capability at the High side of the line, regardless of where the empirical risk curve is sitting. Every release that ships at High pushes the empirical capability frontier higher without ever crossing the threshold, because Critical is defined by what has not shipped yet.
What Defenders Should Do Now
For security leaders evaluating frontier AI access this week:
- Read TAC's eligibility criteria and Glasswing's published surface (such as it is). Document where your organization sits in each program's intake. The two regimes are different enough that "we are vetted at one" is not portable to the other.
- Treat the High-but-below-Critical capability gate as the procurement floor, not the threat-model ceiling. The 32-step attack capability is in the model your developers can call from the API today, regardless of how OpenAI scoped its framework.
- Audit which third-party contractors and integration partners have access to your verified-defender credentials at either lab. The Mythos breach was not a sophisticated penetration; it was a contractor portal. The governance regime is only as strong as your supply chain's weakest verified partner.
- Make the published rubric the procurement standard. If your vendor will not publish how it gates access to dual-use AI capability, treat that as a contract-eligibility issue, not a public-policy one. The lab that documented its rubric this week proved it was possible.
The two labs have now run the same governance experiment with different transparency levels. Within four days, one of them shipped a published policy that procurement teams can evaluate and the other had its private screening regime tested by an unauthorized Discord group. The market is going to converge on the regime that holds up under both procurement scrutiny and adversary contact, and it is not the one whose rubric is unwritten.
