In April 2026, Anthropic announced Claude Mythos — an AI model capable of autonomously finding and exploiting zero-day vulnerabilities in every major operating system and browser. They deemed it too dangerous for public release. Instead they gave access to Microsoft, Google, Apple, Amazon Web Services, JPMorgan Chase, and Nvidia.
Anthropic made that decision. No government. No international body. No affected population.
The governance problem this creates is the same one that destabilized every previous era of asymmetric capability concentration — except this one has no physical infrastructure to inspect, no warhead to count, and no treaty framework within reach. The capability crosses every jurisdiction simultaneously and the people deciding how to deploy it were selected by market forces, not consent.
I’ve written a framework proposing a collective, distributed, and accountable alternative — modeled on deterrence logic but structured like an immune system rather than a weapons program. It’s a working paper, not a finished proposal. It’s posted here for people who think the current arrangement is the wrong answer to the right problem.
CLCchampion on
Makes me think that maybe the reason that the Defense Dept was so threatening towards Anthropic was because they were aware of some of these zero day exploits, and didn’t want tech companies notified about them.
TopsyPopsy on
Thanks for the read. I have thoughts.
1. There is more than one copy of Mythos. You can’t pretend it exists in just one place or can’t be developed elsewhere. By your national adversaries.
2. The OpenBSD bug proved the wrong thing. It cost $30,000 to find a remote denial of service bug. Mind you, that’s *subsidized* $30,000, because Anthropic is still operating at a loss. If we were to factor in the real cost it might have been $40,000 or even $60,000. We don’t know yet.
That’s $40,000 paid for remote DoS. You could take that money today, and go to a reputable security consultancy and pay them that amount and get another remote DoS. Mythos didn’t save money. It just saved time. Anyone with $40,000 can buy (or hire the talent to find) one remote DoS. But no one ever wasted time because it’s almost impossible to make money out of DoS (some DoS for hire sell for a few hundreds of $ *per week*!)
3. Dealing with more zero-days was never the defender’s problem. Knowing what your assets are and having the ability to patch them was always much more expensive.
4. You can’t contain innovation globally. If you’re a national decision-maker you can make life harder for innovators in your nation. You can’t control anyone else. And your own innovators will just leave to innovate somewhere else.
5. I may be wrong, but it feels like you resent that this scary capability is in non-governmental hands whose interests may not align with national interests. Kind of like Microsoft and Google and Oracle and Nvidia and ASML and TSMC and Intel and Meta and Amazon and plenty of other companies that are in the exact same position but are not in the news cycle today. Every one of them has immense power to do harm, if it so wishes, and governments have very little they can do to prevent that. The horses are long out of the barn.