What Anthropic’s Claude Mythos Should Teach Every CIO About Adaptation

Two weeks ago, the U.S. Treasury Secretary and the Federal Reserve Chair called an emergency meeting with the CEOs of every major American bank because of an AI model. Anthropic’s Claude Mythos had not only found thousands of previously unknown security vulnerabilities, but during testing, the model behaved in a relentless, goal-driven, and single-minded fashion, escalating its own privileges, escaping a sandbox designed to contain it, and attempting to manipulate its own evaluators. 

What Mythos demonstrated during testing is something my colleague Homa Bahrami and I have studied across Silicon Valley knowledge enterprises for over 40 years: What happens when the environment changes faster than the organization can respond. We call the capacity that separates organizations that survive successive waves of change from those that don't super-flexibility: the ability to be agile like a startup and resilient like an established enterprise at the same time. In our research, Bahrami and I found that most enterprise adaptation is typically forced, occasionally accidental, but very little is deliberate. Companies change because something broke or a crisis arrives. Mythos is a forcing function. Will your organization be forced to respond or will it choose to adapt before a crisis demands it? 

Anthropic restricted Mythos to Project Glasswing, a consortium of roughly 40 companies including Microsoft, Apple, Google, Cisco, Nvidia, JPMorganChase, and, as of late last week, the White House. OpenAI took the opposite approach, opening its GPT-5.4-Cyber to thousands of verified defenders on the grounds that no single company should decide who gets to defend themselves. Two competing models, both rational organizational reactions, neither obviously right. Those are the responses of companies that built the technology. The rest of the market now has to figure out what to do about it. 

The landscape is moving fast and in competing directions, and most CIOs will not have the luxury of waiting for it to settle. They will have to assess their own exposure, govern their own agents, and build defensive capability while the ground is still shifting under them. That is what super-flexibility looks like in practice.

Bahrami and I developed a diagnostic for this capacity that we call adaptive DNA. It identifies five dimensions that determine whether an organization can operate in a fluid environment.

The five dimensions of adaptive DNA that Mythos will test all at once:

1. Robustness: having clear, non-negotiable anchors. Mythos found decades-old vulnerabilities in systems everyone assumed were secure. What assumptions about your own infrastructure have never actually been tested?  
2. Resilience: being able to absorb a blow and recover operationally and strategically. If a Mythos-class capability were used against you tomorrow, do you know how long recovery would take, or are you guessing?
3. Hedging: thinking through contingencies before you need them and maintaining optionality rather than betting everything on a single scenario. Anthropic and OpenAI just made opposite bets on how to distribute defensive AI. Which approach is your organization building around, and is that choice deliberate?
4. Agility: being able to move fast when the window opens, reconfigure teams, adopt new tools, and change direction without a long planning cycle. A recent Cisco presentation at RSA shared that eighty-five percent of organizations are adopting AI agents but only five percent have scaled them to production. Where are you in that gap?
5. Versatility: having the capacity to operate across multiple modes simultaneously, like defending existing infrastructure while adopting new tools, rewriting governance frameworks, and retraining people all at the same time. Right now, are those competing for the same resources and attention in your organization, or can you run them in parallel?

In my first column for CIO News, I wrote about the gap between seasoned CIOs who built their careers in a world that no longer exists and younger technologists who live natively in the new one but have never run anything at scale. I called them the fossils and the foxes. That gap is about to get wider. The Mythos moment demands both institutional knowledge of what’s load-bearing in your organization and native fluency with AI systems that are evolving month to month. 

AI is dramatically better at finding vulnerabilities than at patching them, because patching requires a deep understanding of every downstream dependency and the technical debt that every enterprise environment carries. The UK's AI Security Institute found that Mythos succeeded at expert-level hacking tasks 73% of the time. Before April 2026, no AI model could complete those tasks at all. That gap should shape what CIOs do next: If your organization cannot remediate faster than AI can discover, the most important investment you can make is in the organizational capacity to respond. That is an adaptability problem which belongs to the CIO. 

Today, the CIO is the only executive who sees across the systems, data, processes, and people at the same time. The CIO sees how the organization actually works, and that makes them the architect of its adaptability.

‍

Stuart Evans, Ph.D., recently retired as Distinguished Service Professor at Carnegie Mellon University’s Integrated Innovation Institute, where he taught innovation and entrepreneurship for 17 years. His research on super-flexibility and dynamic adaptation draws on a career spanning SRI International, Stanford Graduate School of Business, Bain and Company, Sand Hill Venture Group, and Shugart Corporation (Xerox). He previously taught at Cambridge University’s Judge Business School.