
AI's New Front Line: Your Next Cybersecurity Shield (and Sword)
Anthropic announced the most powerful AI model ever built last week—then immediately told the world it couldn’t have it. The company is launching a restricted cybersecurity program instead, creating a new class of gatekeepers for dangerous AI capabilities.
PLUS: Meta is building an AI clone of Mark Zuckerberg to attend meetings, because the real one is apparently too busy coding.
The thing you need to understand about this moment is that we’ve crossed a threshold the industry has been nervously predicting for a decade. It’s no longer about what AI can do in theory, but what companies feel compelled to withhold in practice. According to detailed reporting from Level Up Coding and others, Anthropic’s new model, Claude Mythos Preview, didn’t just inch ahead on benchmarks. It achieved a 93.9% score on the SWE-bench software engineering test, up from Opus 4.6’s 80.8%. It scored 97.6% on a math olympiad. More critically, when Anthropic ran it against widely deployed software in the weeks before the announcement, it identified thousands of previously unknown, critical vulnerabilities.
The company’s conclusion was stark: the model was too dangerous for a general release. So it created Project Glasswing—a walled garden where vetted partners get controlled access to find and patch flaws before malicious actors can. Across town, OpenAI is running a parallel play with its own Trusted Access pilot for GPT-5.3-Codex, handing out $10 million in API credits to security researchers. The era of open-weight frontier models is over. The era of the security clearance has begun.
It feels like watching the birth of a new priesthood.
Following: The Cybersecurity Arms Race
The immediate catalyst is economic and geopolitical. In March, the U.S. Department of Defense severed ties with Anthropic, labeling it a “supply-chain risk to national security.” Weeks earlier, OpenAI secured a Pentagon contract under an “all lawful purposes” framework. People familiar with the matter suggest the DoD’s move was less about technical assessment and more about picking a winner. Anthropic is contesting the designation as unlawful. Not anymore.
So the business model revelation here is dual-use: sell restricted access for defense to governments, and sell the promise of pre-emptive defense to corporations. The goal, as one source put it, is to “harden baseline safeguards” in critical software before the bad guys get equally powerful tools. But the thing you need to understand is that this creates an immediate market for the capabilities they’re trying to contain. If you’re a Fortune 500 CISO, your board is now asking what your Glasswing strategy is. The subscription for existential risk mitigation is now live.
The Autonomy Problem
While the giants grapple with gatekeeping, the rest of the stack is sprinting toward agentic autonomy. This week, Z.ai open-sourced its GLM-5.1 model under an MIT license, optimized for tasks that run up to eight hours without human intervention. Google released Gemma 4, pushing “agentic AI” to local Android devices. And Anthropic itself is rolling out a research preview where Claude can autonomously use your computer—moving cursors, typing, and opening files like a human.
The narrative from these companies is one of convenience and empowerment. The unspoken tension is with their own security announcements. If a model is too dangerous to release because it can autonomously find software vulnerabilities, what does it mean when a slightly less capable model is granted autonomy to control a user’s terminal and network access? The security boundaries are becoming philosophical. I find myself asking engineers: is the difference between a dangerous capability and a product feature just a system prompt?
People familiar with internal debates at these companies say the tension is acute. The product teams are incentivized to ship autonomous agents that “just work.” The trust and safety teams are writing increasingly Byzantine policy documents trying to carve out what those agents cannot do. The gap between those two realities is where the real risk lives.
The Doppelgänger Gambit
Which brings us to Meta. According to a report in the Financial Times, Mark Zuckerberg is spending five to ten hours a week helping train an AI clone of himself. The avatar, trained on his image, voice, and mannerisms, could eventually interact with employees so they “feel more connected to the founder.” If the experiment works, creators might get to build their own AI avatars, too.
This is the logical endpoint of the splinternet—a platform where your online interactions are increasingly with AI doppelgängers of real people. The business model revelation is classic Meta: first, use the founder’s clone to solve internal scalability (meetings). Next, offer it as a product to creators to boost engagement (comments, DMs). Finally, monetize the entire parasocial AI layer through ads. The privacy pivot of 2019? Not anymore.
The cynical brilliance is that it inverts the Anthropic problem. Instead of restricting a powerful model because it’s dangerous, Meta is productizing a personal model by arguing it’s safe—because it’s just an extension of a person’s brand. The regulatory irony is thick. We’re building frameworks to lock down AI that finds software bugs, while actively encouraging AI that impersonates human relationships.
The Efficiency Mirage
Amidst the drama of withheld models and CEO clones, a quieter trend threatens the economic foundation of all this: efficiency. Research like the Memory Intelligence Agent (MIA) framework claims to enable 7-billion-parameter models to outperform giants like GPT-5.4 on complex research tasks through architectural cleverness, not scale.
If true, it challenges the entire “bigger is better” capital escalation that OpenAI and Anthropic are built on. Why spend billions on training runs if a small, smart agent can do the same job? The industry’s response so far has been to double down on scale as a moat—hence the “high capability” designation for their cybersecurity models. But the bet on efficiency is a bet against their own business logic. Z.ai’s open-source, long-horizon model is a shot across the bow.
So where does this all end? I’ve been asking sources that question all week. The answer seems to be balkanization. We’re heading toward a world with three tiers of AI: restricted, sovereign models for critical security work; commercial, agentic models for productivity and entertainment; and efficient, open-source models for everything else. The gates around the first tier will be defended with government contracts and national security arguments. The fight will be over who gets the keys.
For now, the message from the frontier is clear. The value is no longer just in the information or the capability, but in the permission to use it. And that permission is now for sale.