The headlines last week screamed about Mythos, Anthropic’s new AI model, finding security vulnerabilities faster than humans can patch them. Regulators scrambled. Bankers convened emergency meetings. The subtext was familiar: a machine has escaped the lab and we’re all doomed.
Except that’s not quite what happened.
A small startup called Aisle replicated Mythos’s bug-finding capabilities using cheap, open-source models within days. The sky, it turned out, was not falling in any novel way. What is falling, and has been for years, is our collective willingness to honestly reckon with how broken digital infrastructure already is.
The real story isn’t AI. It’s neglect.
The encryption protocol underpinning every secure message you send has over 3,000 known vulnerabilities. Billions of people depend on software maintained by lone volunteers, sometimes tricked into installing backdoors by patient, sophisticated attackers. France has hemorrhaged the social security numbers, medical records, and bank details of tens of millions of citizens, not because of superintelligent AI, but because of under-resourced systems and misaligned incentives.
As one industry insider put it bluntly: engineers aren’t shipping insecure code because they’re malicious. They’re shipping it because the incentives reward speed and user growth, not durability. Tech culture optimised for the product launch, not the unglamorous work of hardening what’s already built.
AI doesn’t change this dynamic. It simply removes the excuse of “it would take too long to find these bugs.” Now it won’t. Which means the vulnerabilities we’ve been quietly ignoring will be surfaced, by defenders, yes, but also by criminals, teenagers, and hostile states running the same cheap models on a lunch break.
Centralization makes it catastrophically worse.
Here’s the part that should alarm you most: while our security culture lags dangerously behind, governments are doubling down on centralized digital identity schemes. The UK is pressing ahead with plans despite abundant evidence that large, centralized stores of personal data are irresistible targets. When, not if, they are breached, they don’t just expose one organization. They expose you, comprehensively, permanently.
The honest question to sit with is this: do you genuinely expect to reach the end of your life without your personal data (your medical history, financial records, biometrics) leaking somewhere? If not, the follow-up question matters even more: what are you doing about it now?
What you can actually do.
The roof is leaking. AI just made the rain heavier. You don’t have to wait for governments or corporations to fix it.
- Audit your exposure. Use services like HaveIBeenPwned to check which of your credentials are already compromised.
- Minimize your footprint. Don’t hand over data you’re not legally required to. Read privacy policies on anything centralizing your health or financial data.
- Pressure your representatives. The UK digital ID scheme is still being designed. How it stores, federates, and limits data access is still contestable, but only if citizens engage.
- Demand better from tech. Support open-source security auditing projects. Fund or advocate for the solo maintainers keeping critical infrastructure alive.
The Mythos panic will pass. The vulnerability it exposed, which lies in our complacency rather than our code, will remain until we decide fixing the roof is worth the effort.


