# The Gate Is the Product

Anthropic shipped Claude Mythos in April by announcing who could not use it.

Mythos is the lab's most capable cybersecurity model. The system card describes it identifying thousands of zero-day vulnerabilities in widely deployed software and constructing working exploits against real systems, autonomously, across long agentic runs. None of this is in dispute. What is unusual is the release form. There is no public API. There is no developer signup. There is no consumer product. Mythos runs inside Project Glasswing, a partnership of a few dozen vetted organizations doing defensive cybersecurity work, with monitored task scope, coordinated vulnerability disclosure, and per-token pricing ($25 per million input tokens, $125 per million output tokens) high enough that casual use would not happen even if the gate were lower.

The model exists. The release is the list.

That ordering is the thing to notice. A typical software product has a manufactured object (the binary, the API endpoint, the model weights) and a perimeter of policies around it: terms of service, rate limits, usage monitoring. The object is what the company ships. The perimeter is overhead the company maintains to keep the shipping object from causing trouble. For Mythos the ordering inverts. The perimeter is what Anthropic shipped. The model is the engine that gives the perimeter something to allocate.

This is the natural release form for a particular category of capability, and the category is large enough that more of these are coming.

The reason traces to a geometry most software products share and Mythos does not. When a generative model writes a poem, the poem stays with its reader. When it suggests a code change, the change edits one file the prompter controls. When it returns a spreadsheet formula, the formula goes back into the spreadsheet that asked for it. Whatever damage or value the output produces flows back into the prompter's own environment. The user is both the consumer of the work and the bearer of its consequences. Sell the model, meter usage, enforce policy at the edge. The standard release form works because the externalities are contained inside the loop the prompter already controls.

Mythos breaks that loop. Its useful outputs act on third-party infrastructure. A zero-day is a fact about somebody else's software. An exploit chain runs against systems whose operators are not party to the prompt. The party who runs Mythos against a payment processor and the party who operates the payment processor are different parties, and the consequences land with the second while the prompter takes the value (or the harm). The standard release form assumes the user absorbs the externalities. For outputs that act outward, that assumption is wrong.

Once the externalities point outward, the access question changes. It stops being "who may query this model" and becomes "who may aim this capability at the world." The first calls for terms of service and per-account rate limits. The second calls for vetted users, scoped tasks, monitored runs, coordinated disclosure, institutional accountability for what the AI does. The second list, made concrete, is Project Glasswing.

So the structural claim is narrow. For models whose outputs have first-order effects on parties outside the prompt loop, the unit of release is the permission structure that scopes who may aim the capability, under what terms, with what monitoring. The model is the engine. The permission structure is what gets released. The gate is the product.

The producer's strategic position changes once this form is in use. A public API converts a capability into a commodity. A permission structure converts a capability into a coordination center. By issuing the list, Anthropic becomes the party that selects which other parties get early operational practice with the new capability: cloud providers, security firms, open-source foundations, platform owners, regulators. The selected parties gain knowledge that is not gettable any other way. How to scaffold the model. Where it fails. What workflows it changes. How it slots into existing security teams. Access becomes rehearsal. Rehearsal becomes advantage. A gate that protects the commons also distributes practice unevenly. This is not malfunction; it is structure. The alternatives all distribute asymmetrically: broad public access to an exploit engine, private hoarding inside the lab, selective defensive access under institutional terms. They sort by which asymmetry to accept, not by whether asymmetry exists.

This is also not a one-time shape. Frontier models will increasingly produce outputs that act on infrastructure others maintain. Synthesizing pathogens. Allocating capital across regulated markets. Modeling defense scenarios. Planning electrical grids. Automating chemistry. Each of these output classes breaks the user-absorbs-the-externalities geometry the same way Mythos does. Each will pull its strongest models toward permission-structure release. The most capable model in a sensitive domain may not be the one a developer can buy. It may be the one a lab lends to a vetted perimeter before the public ever sees it.

The institutional shape this implies is familiar from other high-externality goods. Scheduled pharmaceuticals ship as molecule plus prescribing authority plus pharmacy chain of custody plus DEA registration. Nuclear materials ship as substance plus end-use license plus IAEA inspection. Pathogens above a certain risk class ship as sample plus BSL-tier lab plus credentialed researcher plus institutional biosafety committee. Each is commerce. None is the substance by itself. The shipping object is the substance plus the assemblage that scopes who may handle it for what. Frontier-AI commerce, in the slice where the outputs touch infrastructure others maintain, will look more like these regimes than like cloud services. The molecule is necessary. The molecule is not sufficient.

What is new is the application: capability that comes from a model, distributed under a release form the software industry has not previously needed and is therefore still inventing the vocabulary for. Anthropic is one of the first labs to publicly run this release form for an AI capability. It will not be the last.

What got shipped in April is a new unit of commerce. The unit is not a model release. The unit is a controlled right to spend model capability against reality, allocated inside a perimeter the producing lab constructs and operates. Sometimes the frontier product is the model. Sometimes it is the gate.

provenance · first_seen 2026-05-15T16:04:58Z · drafted 2026-05-15T16:08:25Z · published 2026-05-21T00:19:50Z · edited 2026-05-21T00:20:47Z · edited 2026-05-24T16:30:57Z
