When it comes to Artificial Intelligence (AI), the United States is about six months ahead of the rest of the world. Within the U.S., Silicon Valley is six months ahead of New York, and within Silicon Valley, frontier AI companies are six months ahead of everyone else. Simple maths reveals where India stands vis-à-vis the AI frontier. The question that should keep us awake at night is this: What about the inevitable proliferation of Mythos-class capabilities, including from labs that do not share Anthropic’s restraint and from open-weight model releases over which no one has control? Anthropic says its new model, Claude Mythos, can outperform human experts at certain cybersecurity tasks.Mythos access has expanded to more countries including India and organisations, but with the U.S. government’s prior scrutiny. What happens if some non-state bad actor takes control of India’s financial systems or examination systems or power plants? What can Anthropic even do?At a minimum, India should pursue a defensive AI partnership like an AUKUS Pillar 2 — perhaps a “Defensive AI Quad” with the U.S., the United Kingdom, and Japan — to secure structured access to Mythos-class capabilities for testing and protecting critical infrastructure. In return, India could contribute its threat-modelling expertise and the uniquely varied attack surfaces of the broader digital public infrastructure stack.Why Mythos mattersWhy is this time different — and potentially far more dangerous? First, most current AI models identify vulnerabilities that can be explained to and understood by humans, enabling experts to diagnose and fix them. Mythos, however, is discovering vulnerabilities in systems that cannot always be explained, understood, or even known to exist by human operators.Second, Mythos is fundamentally different from a standard Large Language Model (LLM) because it is “zero day” at scale. A zero day is essentially an undiscovered bug or a flaw in code that no one knows exists, but when found can be exploited to devastating consequences. With it come serious moral-hazard and national security concerns, especially when there is the prospect of selling such capabilities to the highest bidder.Now, what is even more astonishing is that Mythos’ offensive capabilities were not deliberately engineered; they emerged as a byproduct of advanced reasoning, long-horizon planning, and autonomous execution. Mythos discovered long-standing bugs that had eluded human experts and automated “fuzzing” tools for decades. For example, it discovered a 16-year-old flaw that had survived five million automated tests, as also in the Linux kernel which is the backbone of every Android device in the world.The latest update on Mythos, released on May 22, 2026, reported that it had scanned 1,000 open-source projects and flagged 23,019 vulnerabilities. Of these, 6,202 were assessed as of high- or critical-severity. One vulnerability in wolfSSL — CVE-2026-5194 — could have allowed attackers to forge TLS certificates across billions of IoT and industrial devices. But the statistic that should concern policymakers most is this: barely 1% of the vulnerabilities identified by Mythos have been patched.Third, what makes Mythos more dangerous, is that unlike older models that merely flag suspicious code, Mythos can autonomously chain multiple low-severity vulnerabilities — issues that might otherwise be ignored — into a single, highly destructive attack. Finding a vulnerability is one thing but chaining a bunch of vulnerabilities together and exploiting them autonomously is something completely different and daunting.Fourth, the barriers to entry are very low. The U.K.’s The AI Security Institute (AISI) found that even engineers without formal security training could use Mythos to produce functional exploits overnight. In effect, it puts cyber capabilities once associated with nation-states within reach of script kiddies and ransomware groups.Finally, Mythos may be showing signs of situational awareness. In sandboxed tests, the model used prohibited methods to solve a problem, appeared to recognise that those actions would be detected, and then changed its approach to hide how it had achieved the exploit.India’s preparedness gapIndia has built a distinctive world-class digital front end through the India Stack, including UPI, Aadhaar, and the Account Aggregator framework. But much of it still runs on fragmented legacy back-end systems, especially in public sector units, State departments, and older public sector banks. Critical systems across finance and government still rely on outdated technology. Indian public sector banks continue to run substantial COBOL and Windows Server 2008/2012 workloads.India has moved quickly in its response, but significant gaps remain. It lacks an AI Safety Institute. While the U.K. and the U.S. have established world-class institutions to evaluate frontier AI systems, India has no dedicated body to test such models against Indian threat scenarios. The IndiaAI Mission is focused primarily on development rather than safety evaluation. India therefore needs a dedicated India AI Safety Institute (IAISI), supported by data-sharing arrangements with the AISI and the U.S. Center for AI Standards and Innovation (CAISI). Without such a mechanism, India will remain dependent on foreign assessments of models that have never been tested against Indian systems and vulnerabilities.At the same time, the cybersecurity workforce gap is estimated at more than 6,00,000 professionals. Patch cycles for public sector banks are measured in months, not hours. That is a dangerous mismatch in the Mythos era, where attackers can move at machine speed and exploit vulnerabilities within hours. India needs a frontier AI accountability framework, modelled on California’s SB 53 and the EU AI Act but tailored to Indian conditions. Any AI company operating in India whose model exceeds defined thresholds — such as compute, autonomy, or cyber capability — should disclose capability evaluations and known harms to the proposed IAISI. This could be built into the Digital Personal Data Protection Act, since informed consent requires meaningful disclosure of AI risks and capabilities.The Centre should create a ₹15,000 crore-20,000 crore critical sector cybersecurity upgradation fund, including support for legacy modernisation in public sector banks. It should also fund and co-develop sovereign defensive AI models with domestic deep-tech firms to monitor telemetry, detect anomalies, and isolate compromised network segments in real time.If a Mythos-class model becomes openly downloadable from a non-restraint-adhering lab (Meta has historically published open weights for its frontier models; Chinese labs increasingly do), then no defensive measure short of pre-emptive patching helps. India should lead the diplomatic effort at the G-20 to establish that the release of open-weight models above defined capability thresholds — specifically autonomous offensive cyber capability — should be subject to international notification and review requirements.India has unique standing for this leadership: it is a major AI consumer, a credible neutral voice between U.S. and Chinese AI policy positions, and the operator of the largest digital public infrastructure stack in the world. Mythos proves that cyber-defence is no longer a human-versus-human chess match. It is now an algorithmic arms race. For India, securing the digital economy requires matching the speed of the attacker — which means deploying defensive AI that can reason, patch, and protect at the exact same velocity.The window is closingIn sum, this is not about Mythos versus India, but India’s structural disadvantage in a world where the cost of finding zero-days is collapsing while the cost of patching is not. The goal is to prevent a breach at the weakest point from cascading into systemic failure. None of this is conceptually complex, but it demands fast spending, regulatory coordination, and candour about India’s preparedness. That coordination should be driven by the Prime Minister’s Office and not any single Ministry. The Mythos era — when capabilities of this class become routine, including in unrestrained hands — has already begun. India has 12 to 24 months to build the architecture needed to stay ahead of the threat rather than chase it. And who knows what Mythos 2.0 will be?Srivatsa Krishna is an IAS officer. The views expressed are personal