The reports surrounding Anthropic's Mythos 5 and Fable 5 have generated the usual reactions. Some see a necessary security measure and others see government overreach. Anthropic has disputed portions of the reporting and pushed back on the claim that the models represent an extraordinary threat. And now we're back in the familiar grey area that is Anthropic's models.
For two decades, “penetration testing” has meant the same thing: once a year, you hire a firm, a human tester spends a week or two on your systems, and you get a PDF. Most compliance frameworks were written around exactly that ritual, a slow, manual, point-in-time engagement. Software doesn’t ship once a year anymore. It ships many times a day.
TL;DR: AI governance solutions help organizations inventory, secure, and monitor AI systems. Best for AI security and shadow AI: Mend AI; enterprise risk and compliance: Credo AI and IBM watsonx.governance; model monitoring: Fiddler AI. Effective AI governance implementation involves establishing a cross-functional committee, compiling an AI bill of materials (AI-BOM) to identify risks, and implementing policies based on frameworks like NIST AI RMF.
Third-party risk management is breaking because AI writes the questionnaire and AI writes the answer. That leaves security teams with polished vendor responses, less proof, and far less confidence that supplier controls, governance, and cyber risk are being measured honestly.
Every security leader has a version of the network in their head. They know which systems should be segmented, which applications should be reachable, which ports should never be open, and which access paths should not exist. They know how the architecture is supposed to work. The harder question is whether the live environment is actually enforcing that design right now. That question is getting more difficult to answer.
OWASP, the Open Worldwide Application Security Project, has published Top 10 lists for over two decades to help security teams prioritize the risks that matter most. The original OWASP Top 10 for web applications became the industry’s default checklist for application security. When large language models moved into production, OWASP followed with the Top 10 for LLM Applications, addressing risks like prompt injection and sensitive information disclosure in single-turn model responses.
AI! It's in everything, everywhere, all at once! It’s reading emails, summarising meetings, drafting documents, and writing code, and it’s no longer just giving us answers. We now also have agents that act on their own, access other systems, and make decisions with little to no human oversight. From a capability standpoint, it’s amazing.
Still sleeping on your AI app risk problem? Save yourself the insomnia-induced eye twitch. Without adopting a goat (you’ll understand once you watch this vid with @AlexisGay)... Vanta monitors all your vendors so you can track risky app usage. Even the AI apps that sneak past procurement. So don’t stress about who’s using AI apps and also has prod access. Just sleep well knowing you can review and approve every tool in one place.
The Five Eyes just put a number on something most security teams haven't priced in: AI is shrinking the gap between "vulnerability" and "actively exploited" faster than patch cycles can keep up. Adrian Culley and Tova Dvorin explain why CVSS scores alone can't tell you what's actually reachable in your environment — and why attack path validation is becoming the only way to know.