Anthropic’s Mythos AI Model Pause Is a Warning Shot...Not a Footnote
Claude Mythos found thousands of zero-day vulnerabilities. Here's why your identity infrastructure is the most exposed layer — and how to fix it now.

Anthropic’s decision to delay the release of its latest AI model, Claude Mythos, after uncovering thousands of vulnerabilities in the software underpinning the internet should not be read as caution for identity security; it should be read as a signal. And a loud one at that.
Among the key findings, Anthropic’s new model found thousands of previously unknown zero-day vulnerabilities across every major operating system (Linux, Windows, macOS) and every major web browser. The model also located old bugs that had survived decades of human review and automated testing. From a 27-year-old bug in OpenBSD to a 16-year-old bug in FFmpeg, the findings are wide and deep. Their extent prompted the launch of the Project Glasswing initiative, designed to test and deploy advanced AI models specifically for "defensive" cybersecurity. Given the impact of the findings, it is likely that identity and access management infrastructure is among the exposed layers, especially unsupported self-managed and homegrown IAM stacks.
For years, security leaders have understood, at least in the abstract, that the global software ecosystem is fragile. Open source dependencies sprawl. Identity systems evolve organically. Patches lag behind disclosures. But what Anthropic has surfaced is something more immediate and more uncomfortable: at scale, modern AI systems don’t just use the internet—they examine and interrogate it. And in doing so, they expose systemic weaknesses more rapidly and more comprehensively than any human team ever could.
This isn’t a fad or an isolated event. It’s just the first wave.
Across the industry, we’re seeing a sharp uptick in both the volume of AI-powered vulnerability discovery and disclosures. Bug bounty programs are receiving submissions that are more sophisticated, more interconnected, and more impactful than ever before. This is not because attackers have suddenly become more creative; it’s because the tools available to find these vulnerabilities have fundamentally changed.
Nowhere is this gap more dangerous than in identity and access management.
IAM security risks are critical because these systems sit at the core of modern infrastructure. They are the control plane for authentication, authorization, and user data. And yet, in many organizations, identity infrastructure security is still treated as either a side project, built in-house over time, or as a loosely managed collection of open source components stitched together to “just work.” That model is no longer viable.
The reality Anthropic has exposed is this: you cannot afford to go it alone in managing Common Vulnerabilities and Exposures (CVEs) for homegrown or self-managed open source IAM. The attack surface of IAM vulnerabilities is simply too large. The discovery rate is simply too fast. And the cost of being wrong is far too high.
Security is no longer just about writing good code. It’s about operating secure systems in an environment where the ground is constantly shifting, and this is where specialization matters. Organizations need partners whose sole focus is staying ahead of this curve. Teams that are not just reacting to disclosed vulnerabilities, but actively monitoring, triaging, and patching them as part of a continuous, industrialized process. Faster patching isn’t a “nice to have” anymore; it’s the difference between exposure and resilience.
Equally important is guidance. Many vulnerabilities don’t exist purely because of flawed code; they emerge from misconfigurations, architectural decisions, and deployment eccentricities. Having access to expert support that can advise on these dimensions is no longer optional. It’s essential.
AI has become a force multiplier for discovery. And that creates a dangerous asymmetry. While vulnerabilities can now be identified at unprecedented speed, remediation inside most organizations still moves at a human pace. Triage meetings. Backlog prioritization. Internal ownership debates. Patch cycles that stretch from days into weeks, into months or longer. The result is a widening gap between what is known and what is fixed.
The takeaway from Anthropic’s delay should not be framed as “AI companies being cautious.” It should be understood as a preview of what happens when powerful systems collide with an imperfect infrastructure layer.
The question for every organization is simple: are you prepared for that collision? If your IAM stack is homegrown or lightly managed open source, the answer is increasingly likely to be no. This is a time-bound problem. The window between vulnerability discovery and exploitation is shrinking. The backlog is growing. And the tools accelerating both sides are only getting better. Waiting is a decision, and it’s one that increases risk every day.
The path forward is clear: start reducing your exposure now. Ensure that your critical identity infrastructure has as much coverage and support devoted to it as possible to combat this wave of vulnerabilities. Adopt solutions that provide not just software, but continuous security, rapid patching, and expert guidance.
Because the next wave of vulnerabilities isn’t coming. It’s already here.
Ory provides commercial identity infrastructure purpose-built to address the challenges outlined above. Whether you're running open source identity components today or maintaining a homegrown IAM stack, Ory's commercial offerings include continuous security patching, CVE management, and expert guidance, so your team isn't left carrying that burden alone.