India Gets Access to Anthropic’s Mythos AI, But Why Are IT Firms Left Out?

Key Takeaways

• India’s cyber, telecom, banking, and finance firms have gained access to Anthropic’s Mythos AI model under Project Glasswing. IT companies have been excluded from the rollout for now.
   
• Earlier, no Indian organisation was part of Project Glasswing. The government was still negotiating with the US and Anthropic for controlled access as recently as late April 2026.

India Joins the Mythos Club, But IT Firms are Left Waiting

Anthropic is expanding Project Glasswing to over 15 countries, giving 150 organisations access to its Mythos AI model. India is now on this list, with select firms in cyber, telecom, banking, and finance gaining early access. However, India’s IT sector has been excluded from this rollout, at least for now.

This matters because Mythos is not an ordinary AI tool. It found over 2,000 previously unknown software vulnerabilities in just seven weeks of testing. It includes flaws that had survived decades of human review and developed working exploits on the first attempt in over 83% of cases. 

Access to this model means Indian institutions can now use it for defence. But being left out of it could also mean exposure to threats others can already detect. 

What does this mean for India’s Critical Infrastructure?

Daily, hundreds of millions of transactions pass through India’s financial and telecom networks. The government is seeking to establish sovereign hosting of the Claude AI model in view of sovereignty, legal, and security aspects, with foreign-hosted infrastructure on sensitive segments. This is evidence that access does not mean the issue of operational location is settled.

The government has urged the CERT-In, NCIIPC, and financial sector to act quickly to defend crucial infrastructures such as the power grid, telecom networks, and banking channels.

This is directly relevant for ordinary citizens. Bank accounts, UPI systems, and telecom data could all be at risk if vulnerabilities are not patched in time.

What Experts and Regulators are Saying?

Regulators have not stayed silent. SEBI formed a task force called cyber-suraksha.ai to assess cybersecurity risks from Mythos. It will develop a unified mitigation framework, share threat intelligence, improve vulnerability management, and review third-party vendors. 

SEBI also stated that AI-driven vulnerability tools like Mythos could heighten risk exposure and raise concerns around data confidentiality and the reliability of outputs.

MediaNama founder Nikhil Pahwa put the challenge, “A tool that compresses attack timelines without compressing defense timelines increases systemic risk before it improves security.” 

Experts believe in the fix-quicker patch cycles, AI-driven vulnerability testing, and zero-trust models. SEBI already ordered its regulated entities for immediate patching, AI-driven vulnerability assessments, close coordination with vendors, and better API management. 

Conclusion

India’s inclusion in Project Glasswing is a significant step. It places Indian banks, telecom firms, and cyber agencies alongside global majors like JPMorgan Chase and CrowdStrike in the Mythos ecosystem. But the exclusion of IT companies, combined with unresolved questions about sovereign hosting, shows that India’s Mythos journey is still in early stages. The focus now shifts to how quickly institutions act on the access they have.

FAQs

1. Could Anthropic’s Mythos AI put Indian banks and payment systems at risk if vulnerabilities are not fixed quickly?

Mythos itself is not a threat to banks. The concern is that it can identify software vulnerabilities much faster than traditional methods. If organisations fail to patch these weaknesses quickly, banking systems, UPI platforms, and financial networks could face higher cybersecurity risks.

2. Is Project Glasswing a genuine cybersecurity effort or just a way for Anthropic to promote Mythos AI?

Opinions are divided. Supporters believe Project Glasswing will enable essential industries to identify weaknesses before hackers can. Skeptics contend that a tool that can detect weaknesses at this pace could, under certain circumstances, increase vulnerability if appropriate protections are lacking. In the long run, the success and risks will rely upon ethical implementation and regulatory control.