OpenAI announced on May 11, 2026 that it would grant the European Union access to its cybersecurity model GPT-5.5-Cyber, while Anthropic continues withholding its Mythos model from the bloc. The divergent approaches highlight growing tensions between AI companies and EU regulators as enforcement powers take effect in August 2026.
OpenAI Provides GPT-5.5-Cyber Access to EU Partners
OpenAI has decided to grant access to GPT-5.5-Cyber to EU partners, including businesses, governments, and EU institutions. The model is designed to be more permissive for authorized security work:
- Vulnerability identification
- Malware analysis
- Reverse engineering
- Patch validation
Anthropic Negotiations Remain at Early Stage
While Anthropic released its Mythos model a month ago, the European Commission has not yet secured access. European Commission spokesperson Thomas Regnier stated the Commission had held "four or five" meetings with Anthropic, but discussions were "not yet at the same stage as the solution we have on the table from OpenAI."
Anthropic introduced Claude Mythos Preview as a model designed to detect and fix software vulnerabilities, claiming it is "far ahead" of other models in cybersecurity. The company restricts access to select approved organizations including banks, government agencies, and utility companies, and created Project Glasswing with tech giants Amazon, Apple, Google, Microsoft, and JPMorgan Chase to secure critical software.
EU Prepared to Compel Access Under AI Act Enforcement Powers
Regnier issued a warning about regulatory enforcement: "Once the enforcement powers of the AI Office start in August 2026, we will ensure to receive, if needed, (Mythos) access." This indicates the EU is prepared to compel access to Anthropic's model once regulatory powers take effect under the EU AI Act.
The EU AI Act entered into force on August 1, 2024, with the majority of rules, including high-risk system obligations, applying from August 2, 2026. Penalties for non-compliance can reach 7% of global annual turnover.
Mythos Performance Falls Short of Marketing Claims
Recent testing revealed limitations in Mythos capabilities. The model found only one genuine vulnerability in curl after analysis, with three false positives and one standard bug among five flagged issues—falling short of its marketed security capabilities.
Broader Context of AI Company Regulation
The Department of Defense announced agreements with eight major technology companies to use their AI tools in classified networks but did not include Anthropic, which the Trump administration had blacklisted over the company's insistence on AI safety guardrails. However, the White House reopened discussions with Anthropic after the company made announcements about technology breakthroughs.
Key Takeaways
- OpenAI granted EU access to its GPT-5.5-Cyber model on May 11, 2026, for authorized security work including vulnerability identification and malware analysis
- Anthropic has held four to five meetings with the European Commission but discussions remain at an early stage compared to OpenAI
- The EU will gain enforcement powers under the AI Act in August 2026, with penalties reaching 7% of global annual turnover for non-compliance
- Recent testing showed Mythos found only one genuine vulnerability in curl, with three false positives, falling short of marketed capabilities
- The Trump administration initially blacklisted Anthropic over AI safety guardrails but later reopened discussions after technology breakthrough announcements