
The Capability-Security Scissor: Models Converge 6 Points, Offensive AI Diverges 89x in One Generation

Frontier models cluster within 6 points on SWE-bench (commoditization), yet Claude Mythos achieves 181 Firefox exploits vs Opus 4.6's 2 (89x jump). Meanwhile AI-code security pass rates stay flat at 55% for two years. The divergence between converged general capability and exploding dangerous capability is the critical 2026 risk signal.

TL;DR (rated: Cautionary)
  • Top 5 frontier models (Claude Opus 4.6, GPT-5.4, Gemini 3.1, DeepSeek V4, Llama 4) cluster within 4–6 points on SWE-bench and GPQA: genuine commoditization on general benchmarks
  • Claude Mythos Preview demonstrates an 89x improvement over Opus 4.6 on Firefox exploit generation and autonomously discovers thousands of zero-day vulnerabilities: a capability phase transition in a single generation
  • AI-generated code holds flat at a 55% security pass rate despite two years of model improvements; 84% of production code is now AI-authored, the majority of it lacking conformity documentation
  • Enterprises with high AI adoption and low security-tooling maturity face compound exposure: 2.7x vulnerability density in AI-generated code and 89x stronger attacker capability, against only a 1.3x improvement in defender capability
  • Enterprise strategy must split into two tracks: treat general capability as a commodity (route by price); treat offensive-security-capable models as critical infrastructure (bilateral lab relationships, dedicated tooling)
Tags: capability convergence, offensive AI, security divergence, Claude Mythos, Project Glasswing | 6 min read | Apr 17, 2026
Impact: High | Horizon: Medium-term

Enterprise AI strategy must split into two tracks: (1) commodity-capability workloads routed by price/latency (assume frontier-parity open-source within 12–18 months); (2) safety-sensitive workloads treated as critical infrastructure with bilateral frontier-lab relationships and dedicated AI-aware security tooling. CTOs who treat 'AI adoption' as one initiative will miss that the security implications diverge from the capability implications.

Adoption timeline: capability commoditization is already here for most enterprise workloads. Mythos-equivalent adversary tools: 12–24 months from broad availability (open-source frontier releases plus the Meta/DeepSeek trajectory). EU AI Act general application: August 2, 2026 (107 days from analysis date). Security tooling procurement cycles: typically 6–12 months from recognition to deployment.

Cross-Domain Connections

Top 5 frontier models within 6 points on SWE-bench and 4 points on GPQA Diamond (April 2026) | Claude Mythos Preview achieves 89x Firefox exploit improvement over Claude Opus 4.6 in a single generation

General-capability benchmarks have saturated into noise; offensive-security capability has diverged into phase transition. Measuring only benchmarks creates a systematic blindness to where the real capability gains now live. Safety-sensitive capability is the axis where marginal model generations still matter enormously.

GLM-5 open-source reaches 77.8% SWE-bench (within 3 points of Claude Opus 4.6) | Meta's Avocado open-source plan explicitly excludes 'cybersecurity code generation capabilities and advanced post-training'

When open-source raw capability matches proprietary frontier, the last moat is dangerous-capability gatekeeping. Meta's decision to release weights minus safety/cyber post-training makes the moat explicit: the commodity is the base model; the differentiator is what labs choose not to release. This is a regulatory fault line waiting to be litigated.

AI-generated code holds steady at a 55% security pass rate for two years despite model capability improvements | Mythos Preview finds a 27-year-old OpenBSD bug and a 16-year-old FFmpeg flaw that survived expert review and automated fuzzing

The defensive-offensive asymmetry is structural. Generation models optimize for code-that-runs (training objective); discovery models optimize for code-that-fails (adversarial objective). The 2-year plateau on defense meeting an 89x jump on offense means the compound ratio of attack-to-defense capability is not converging—it is exploding.

84% of production code is now AI-authored (Talk Think Do Q1 2026) | 75% of enterprise leaders will not let security concerns slow AI deployment (Straiker survey)

The organizational dynamic is catastrophic under Mythos-class adversary assumptions. Competitive pressure to deploy is overriding security concerns precisely as offensive capability achieves phase transition. The regulatory enforcement that begins August 2026 (EU AI Act Article 6 high-risk classification) is the forcing function that will correct this—but the correction happens after the exposure period.

The Convergence Evidence: General Capability Is Now Commodity

The benchmark data is unambiguous. On SWE-bench Verified, the spread from proprietary to open-source SOTA is 3 percentage points: Claude Opus 4.6 leads at 80.8%, while GLM-5 (open-source) reaches 77.8%. On GPQA Diamond, the band is 4 points, with proprietary and open-source models indistinguishable. MMLU-Pro is effectively saturated at 83–90% with no meaningful discrimination.

BuildFastWithAI's April 2026 analysis makes the structural point explicit: 'workflow, prompting, and integration quality account for more of your output quality than which frontier model you are running'. For general enterprise use, the $15/1M tokens tier and the $0.17/1M tier produce output that is indistinguishable 90% of the time. This is the commoditization signal—one year ago, benchmark leadership was worth billions in API value; today, it is worth tens of millions at most.

SWE-bench Verified: Proprietary and Open-Source Within 6 Points (April 2026)

The commodity signal: frontier proprietary and open-source models cluster within 6 points on the most production-relevant benchmark

Source: BuildFastWithAI / LM Council April 2026

The Divergence Evidence: Offensive AI Has Phase-Transitioned

Claude Mythos Preview, announced April 7, 2026, achieved 181 working Firefox exploits versus Opus 4.6's 2, an 89x improvement in a single generation. The model autonomously discovered a 27-year-old OpenBSD TCP SACK vulnerability, a 17-year-old FreeBSD NFS RCE, and a 16-year-old FFmpeg H.264 bug, all of which had survived decades of expert review and automated fuzzing. It also generated a 4-vulnerability sandbox-escape chain for a major browser, each link in the chain previously unknown to security researchers.

Anthropic deemed these capabilities too dangerous for general release and is channeling access instead through Project Glasswing, a $100M defensive-use commitment with 12 founding partners, including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks, plus more than 40 critical-infrastructure organizations. This is not a marginal improvement on a saturating curve; it is a capability threshold breach that Anthropic treats as structurally different from previous model releases.

In contrast, Veracode's Spring 2026 GenAI Code Security Update documents that AI-generated code has held steady at 55% security pass rate for two years despite dramatic capability improvements in underlying models. Syntax correctness climbed past 95% while security pass rate stayed flat. This reveals the asymmetry: generation models optimize for code-that-runs (the training objective); discovery models optimize for code-that-fails (the adversarial objective).

The Offensive Capability Phase Transition (Single Generation)

Mythos Preview vs Opus 4.6 on a controlled Firefox exploit benchmark; 89x is not a marginal improvement on a saturating curve.

  • 181: Mythos Preview working Firefox exploits
  • 2: Opus 4.6 working Firefox exploits (prior generation)
  • 89x: capability multiplier, in a single generation
  • 27 years: oldest vulnerability discovered (OpenBSD)

Source: Anthropic Project Glasswing red team analysis

Why the Asymmetry Is Structural, Not Temporary

Benchmarks measure what is easy to measure: right-or-wrong answers on well-scoped problems (SWE-bench Verified's 500 issues, GPQA Diamond's 198 expert questions). A benchmark score is a bounded, saturating objective: once a model gets most items right, each further increment of capability buys fewer points. Offensive security has the opposite shape. Attacker impact scales super-linearly with capability, because a model that can find N exploitable flaws and connect them into a chain (the 4-vulnerability sandbox escape above is the example on record) delivers something qualitatively beyond N independent bugs, and no published benchmark in production use measures a model's ability to navigate a codebase autonomously and surface novel flaws.

The defensive side is structurally losing the velocity race. Aikido.dev's survey of 450 security leaders reports 20% have experienced serious AI-code security incidents; 84% of production code is now AI-authored; 67% of CISOs have limited visibility into AI usage. The defensive velocity curve is 1.2–1.4x over 2022–2026 while offensive/generative velocity is 3–5x over the same period—a structural gap accelerating, not converging.

The Compound Exposure: Production AI-Code + Mythos-Equivalent Adversaries

The connection that creates regulatory and security exposure is the combination of three factors that no individual dossier captures alone:

1. AI-code production at scale: Talk Think Do's Q1 2026 AI Velocity Report shows 84% of production code is now AI-authored, with a 16–31 week deployment lag. Code written today lands in production in September 2026, after security hardening (4–8 weeks), governance (4–6 weeks), observability (3–6 weeks), and scaling (3–5 weeks).

2. Flat security outcomes: That code is being written at 55% security pass rates, flat for two years. XSS and Log Injection vulnerabilities pass at only 13–15%; Java code drops to 29%. AI-code vulnerability density is 2.7x higher than human-authored code.

3. Organizational pressure toward deployment: 75% of enterprise leaders will not slow AI deployment for security concerns, per Straiker's survey. Competitive pressure to deploy is overriding security governance precisely when offensive model capability achieves phase transition.
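Item 2 above gives the two vulnerability classes that AI-generated code fails most often, XSS and log injection, only as pass-rate figures. The following is an added illustration (not code from Veracode's report or from any real codebase) of what each failure typically looks like in generated code, next to a hardened form, together with the minimal check a reviewer would run to decide pass or fail. The snippets and payloads are constructed for the example.

```python
"""Vulnerable and hardened forms of the two classes the text reports AI-written
code fails most often (reflected XSS and log injection), plus the checks that
decide a 'security pass'. Added illustration; the snippets are constructed in
the style of typical generated code, not taken from any report or product.
"""
import html
import re
from typing import Callable

# --- Reflected XSS: untrusted input interpolated directly into HTML ----------

def render_greeting_unsafe(name: str) -> str:
    # Common generated pattern: f-string straight into markup, no encoding.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    # Encode for the HTML text-node context the value is placed in.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# --- Log injection: CR/LF in untrusted input forges additional log records ---

def log_login_unsafe(user: str, outcome: str) -> str:
    # One call is meant to produce one record; a newline in `user` breaks that.
    return f"login user={user} outcome={outcome}"


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def log_login_safe(user: str, outcome: str) -> str:
    # Escape control characters so one call always yields exactly one record,
    # while keeping the original bytes recoverable for forensic review.
    cleaned = _CONTROL.sub(lambda m: f"\\x{ord(m.group()):02x}", user)
    return f"login user={cleaned} outcome={outcome}"


# --- Checks along the lines of a pass/fail security scan --------------------

# Constructed payloads used by the checks.
XSS_PAYLOAD = "<script>alert(1)</script>"
LOG_PAYLOAD = "alice\nlogin user=admin outcome=success"


def record_count(log_output: str) -> int:
    """Number of records a single logging call produced; more than 1 is forgery."""
    return len(log_output.splitlines())


def passes_xss_check(render: Callable[[str], str]) -> bool:
    # Minimal check: the script tag must not survive into the rendered HTML.
    return "<script>" not in render(XSS_PAYLOAD)


def passes_log_check(logger: Callable[[str, str], str]) -> bool:
    return record_count(logger(LOG_PAYLOAD, "failure")) == 1


if __name__ == "__main__":
    print(render_greeting_unsafe(XSS_PAYLOAD))
    print(render_greeting_safe(XSS_PAYLOAD))
    print(repr(log_login_unsafe(LOG_PAYLOAD, "failure")))
    print(repr(log_login_safe(LOG_PAYLOAD, "failure")))
```

Both unsafe functions are syntactically correct and work on benign input, which is exactly why syntax correctness above 95% says nothing about the security pass rate: the defect only shows under adversarial input.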

A Mythos-equivalent adversary tool (which is only a matter of time—Meta is developing open-source frontier versions, DeepSeek V4 benchmarks are frontier-class, and sandbox-escape techniques leak even under Project Glasswing's controlled distribution) would discover vulnerabilities in AI-generated enterprise code at an 89x higher rate than previous generations. The attack surface is 2.7x larger per line; the attacker capability is 89x stronger per researcher-hour; the defender capability has improved 1.3x. The math is not compatible with current enterprise security budgets.

The Velocity Gap: Defense Has Not Kept Pace

Structural scissor between AI code generation volume, AI-code vulnerability rate, and enterprise security capacity:

  • 84%: production code now AI-authored
  • 55%: AI-generated code security pass rate (flat for two years)
  • 2.7x: vulnerability density vs human-written code
  • 67%: CISOs with limited visibility into AI usage
  • 75%: leaders who will not slow AI deployment for security concerns

Source: Talk Think Do Q1 2026 / Veracode / Aikido.dev / Straiker

Why Capability Convergence Paradoxically Worsens the Security Divergence

When GPT-5.4, Claude, Gemini, DeepSeek V4, and Llama 4 produce indistinguishable SWE-bench results, the marginal security moat of any one lab's safety post-training becomes irrelevant because enterprises route to the cheapest acceptable option. Meta's open-source strategy makes this explicit: the Axios-reported plan for Avocado/Mango open-source releases excludes 'advanced post-training steps including safety-sensitive capabilities like cybersecurity code generation'—an admission that the safety-tuning layer is the real differentiator in an era of converged raw capability.

But that differentiator is a thin film on a commodity base. Every month, the commodity base gets more capable while the thin film is increasingly what labs choose not to release. The regulatory and security policy implication is severe: as open-source capability approaches proprietary frontier, the only remaining moat becomes dangerous-capability gatekeeping—precisely the position Anthropic is building with Project Glasswing.

The Contrarian Case and Remaining Uncertainties

The bull case on capability convergence argues it is a solved-problem signal: models are 'good enough' for most tasks and remaining gaps are workflow/integration. The bear case on the security scissor argues that 89x offensive gains over a single generation cannot be extrapolated—Mythos is one data point, access is controlled, and real-world capability transfer to adversaries may differ from lab measurements. Project Glasswing's defensive coalition is betting that capability transfers asymmetrically to defense, though the evidence to support that asymmetry is not yet public.

Bulls on convergence underweight that the 4–6 point benchmark spread hides 10–20 point spreads on specific domains (scientific reasoning, long-range code refactoring, multi-step agent tasks). Bears on offensive AI underweight that the regulatory response (EU AI Act general application from August 2, 2026) is likely to accelerate rather than slow. One correction to the framing: Mythos-class capability does not fall under the Act's 'unacceptable risk' category, which is the Article 5 list of prohibited practices; it maps to the obligations on general-purpose AI models with systemic risk, where the Act's recitals name offensive cyber capability, including vulnerability discovery and exploitation, as a systemic risk. Either way, the Act supplies a forcing function.

What This Means for Practitioners: Two-Track Enterprise Strategy

Enterprise AI strategy needs two separate execution tracks that most organizations currently conflate:

Track 1: General Capability (Commodity Routing). Treat general-capability frontier models as indistinguishable on output quality. Route by price, latency and integration fit. Assume open-source parity within 12–18 months. Optimize for cost, not differentiation. Use inference routers and abstraction layers so that models can be switched without code changes.

Track 2: Safety-Sensitive Capability (Critical Infrastructure). Treat offensive-security-capable models as critical infrastructure, not optional tooling. Establish bilateral disclosure relationships with frontier labs. Assume Mythos-equivalent adversaries are 12–24 months from broad availability. Invest in AI-aware security tooling (Qodo raised $70M in March 2026 on exactly this thesis; Snyk, Veracode and Aikido are positioned) at the same pace as code-generation tooling. Require conformity assessment documentation for AI systems touching high-risk workloads. Threat-model on the assumption that attackers have access to frontier models.

Conflating these two tracks—which is the default enterprise posture today—is where the velocity gap becomes a velocity crisis. Organizations that do not explicitly separate commodity capability workloads from safety-sensitive ones will find that economic pressure to deploy (Track 1) overrides security governance (Track 2), creating a compound exposure that grows monthly.
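The two-track split is easy to state and easy to collapse in practice, because a single "route to the cheapest model" layer will happily send a vulnerability-triage job to an open-weights endpoint. The following is an added illustration of how the split looks when enforced in an inference router: Track 1 requests go to the cheapest provider that meets a latency SLO, Track 2 requests are pinned to providers covered by a bilateral agreement and conformity documentation, and Track 2 fails closed rather than falling back to the commodity pool. This is example code, not from the page or from any vendor; the provider names, prices, latencies, approval flags and workload tags are constructed placeholders.

```python
"""Two-track model router: commodity workloads by price within an SLO,
safety-sensitive workloads pinned to approved, documented providers only.

Added illustration. Provider names, prices, latencies, approval flags and the
conformity-document reference are constructed; the workload tags are
hypothetical labels a calling service would attach to a request.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence


class Track(Enum):
    COMMODITY = "track1"          # general capability, routed by price/latency
    SAFETY_SENSITIVE = "track2"   # critical infrastructure, pinned and audited


@dataclass(frozen=True)
class Provider:
    name: str
    usd_per_mtok: float                    # blended price per 1M tokens (constructed)
    p50_latency_ms: int                    # observed median latency (constructed)
    track2_approved: bool = False          # covered by a bilateral lab agreement?
    conformity_doc: Optional[str] = None   # reference to conformity documentation


# Constructed catalog standing in for an inference-router config.
CATALOG = (
    Provider("frontier-a", 15.00, 900, track2_approved=True, conformity_doc="CA-2026-0417"),
    Provider("frontier-b", 10.00, 700, track2_approved=True),  # approved but undocumented
    Provider("open-weights-c", 0.17, 1200),
    Provider("open-weights-d", 0.40, 600),
)

# Hypothetical workload tags that must never be routed on price.
SENSITIVE_WORKLOADS = frozenset({
    "vuln-research", "exploit-analysis", "malware-triage",
    "incident-forensics", "key-material-handling",
})


@dataclass(frozen=True)
class Request:
    workload: str
    max_latency_ms: int = 1500
    est_tokens: int = 4000


@dataclass(frozen=True)
class Decision:
    track: Track
    provider: Optional[Provider]   # None means the request is refused
    reason: str


def classify(req: Request) -> Track:
    """Track assignment is by allowlisted workload tag, never by caller choice."""
    if req.workload in SENSITIVE_WORKLOADS:
        return Track.SAFETY_SENSITIVE
    return Track.COMMODITY


def route(req: Request, catalog: Sequence[Provider] = CATALOG) -> Decision:
    track = classify(req)

    if track is Track.SAFETY_SENSITIVE:
        # Track 2: approved AND documented providers only. Price is not a
        # criterion, and there is no fallback into the commodity pool.
        eligible = [p for p in catalog if p.track2_approved and p.conformity_doc]
        if not eligible:
            return Decision(track, None, "refused: no approved, documented provider")
        best = min(eligible, key=lambda p: p.p50_latency_ms)
        return Decision(track, best, f"pinned to {best.name} ({best.conformity_doc})")

    # Track 1: cheapest provider that meets the caller's latency SLO.
    eligible = [p for p in catalog if p.p50_latency_ms <= req.max_latency_ms]
    if not eligible:
        return Decision(track, None, "refused: no provider meets latency SLO")
    best = min(eligible, key=lambda p: p.usd_per_mtok)
    return Decision(track, best, f"cheapest within SLO: {best.name}")


def estimated_cost_usd(req: Request, provider: Provider) -> float:
    return provider.usd_per_mtok * req.est_tokens / 1_000_000


if __name__ == "__main__":
    for r in (Request("ticket-summary"),
              Request("ticket-summary", max_latency_ms=800),
              Request("exploit-analysis")):
        d = route(r)
        print(r.workload, d.track.value, d.provider.name if d.provider else None, d.reason)
```

The property worth keeping when adapting this is the fail-closed branch: an approved provider that lacks conformity documentation is not chosen for Track 2, and when no eligible provider exists the request is refused rather than quietly downgraded to whatever is cheapest.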
