
The Regulatory Vacuum Meets Mythos-Class Danger: AI Governance at a Critical Inflection

White House rejects federal AI regulatory bodies and pursues state law preemption. This coincides with Claude Mythos—the first AI model proven capable of cyber-offensive tasks at scale. The gap between capability and governance has never been wider.

TL;DR · Cautionary 🔴
  • UK AISI independent evaluation confirmed Claude Mythos at 73% expert CTF performance with multi-step network takeover capability — first model dangerous enough to warrant independent government assessment
  • White House March 2026 AI framework recommends ZERO new federal regulatory bodies while actively dismantling state-level enforcement (DOJ AI Litigation Task Force pursuing preemption litigation)
  • Existing federal agencies (FDA, FTC, FCC) lack in-house AI safety evaluation capacity comparable to UK AISI; cannot respond to frontier capability at model-release velocity
  • DeepSeek V4's anticipated Apache 2.0 release means Mythos-comparable offensive capability will exist in open-weight form not subject to any US regulatory framework, self-imposed or otherwise
  • 9,200 explicit Q1 2026 AI-attributed tech layoffs with modeling suggesting 200K-300K total AI-displaced positions — no federal workforce transition framework exists despite documented displacement
AI regulation · Claude Mythos · White House policy · federal preemption · state AI laws · 7 min read · Apr 17, 2026

High Impact · Short-term

Enterprise security leaders should treat the regulatory vacuum as a structural reality, not a temporary policy position. External insurance and liability frameworks are the primary governance mechanisms through 2026-2027. Prepare for: (a) unregulated open-weight offensive capability becoming widely available (DeepSeek V4), (b) state-level enforcement becoming more aggressive as federal preemption litigation plays out, (c) potential emergency federal regulation post-incident (if a high-profile cyber attack or election interference event occurs). Legal and compliance teams should monitor state AI law developments closely — they are likely to be the only enforceable constraints in 2026-2027.

Adoption: Through 2026, regulatory vacuum persists as status quo. Major change point: late 2026-2027 if (a) federal preemption litigation fails (state laws survive), (b) a high-profile incident triggers emergency federal regulation, or (c) international pressure (EU AI Act, UK AISI precedent) forces domestic coordination.

Cross-Domain Connections

Claude Mythos dangerous capability (UK AISI confirmed) ↔ White House zero-regulatory-bodies framework

First model dangerous enough to warrant independent assessment meets explicit federal rejection of oversight capacity

State AI laws (RAISE Act, TFAIA) ↔ Federal preemption litigation (AI Litigation Task Force)

Only existing enforcement layer is being actively dismantled by federal government with no replacement being built

DeepSeek V4 Apache 2.0 open-weight release ↔ Regulatory jurisdiction collapse

Mythos-comparable offensive capability in open-weight form becomes subject to zero regulatory frameworks, self-imposed or otherwise


Capability Dangerous Enough to Warrant Regulation Meets the Absence of Regulatory Capacity

Claude Mythos is the first AI model where an independent government body (UK AISI) has assessed that the capability is dangerous enough to require containment. The assessment is specific: 73% success rate on expert-level capture-the-flag challenges, completion of 32-step network takeover in 3 of 10 attempts, demonstrated ability to chain exploits autonomously across multiple systems.

These are not abstract risks. They are demonstrated capabilities at thresholds previously seen only in human security researchers with years of training. UK AISI's evaluation framework is rigorous and conservative — the 73% figure is a lower bound on Mythos' actual offensive capability, not an upper bound.

The White House National Policy Framework (March 20, 2026) was released weeks after UK AISI's evaluation became public knowledge. In response, the administration recommended creating zero new federal AI regulatory bodies. Existing agencies (FDA, FTC, FCC, CMS) retain jurisdiction. None of these agencies have dedicated AI safety evaluation capacity comparable to UK AISI. None have published AI-specific safety standards or evaluation frameworks.

This is not a temporary capacity gap. It is a structural decision that the federal government will not build AI safety evaluation capability in response to demonstrated frontier capability danger. The decision is presented as 'light-touch regulation' and 'innovation-friendly policy.' It is, functionally, the absence of a regulatory response to capability that warrants one.

Federal Government Actively Dismantles State-Level Enforcement

The December 2025 Executive Order established an AI Litigation Task Force inside the DOJ specifically to challenge state AI laws. The federal government is not building capacity in place of states — it is actively dismantling the only existing enforcement layer while providing no replacement.

New York RAISE Act (effective March 19, 2026) requires frontier AI developers to disclose capability and safety information to New York regulators. It is the closest US equivalent to UK AISI evaluation authority. The Trump AI Litigation Task Force is explicitly targeting it for preemption challenge.

California TFAIA, Texas RAIGA, and similar state-level AI laws are the only currently enforceable AI safety and transparency requirements in the US. They are imperfect (state-by-state fragmentation is inefficient) but they are active. The federal government's response is litigation to invalidate them, not cooperation to strengthen them or to replace them with federal standards.

36 state attorneys general published a bipartisan letter opposing federal preemption. The states recognize they are the only current enforcement layer. If preemption succeeds, there is no federal replacement. The regulatory vacuum becomes complete.

Self-Assessment Without External Validation

Anthropic's RSP v3.0 (Responsible Scaling Policy) and ASL-4 designation are entirely self-assessed. No independent external body has validated that Mythos truly meets ASL-4 criteria. If Anthropic reclassifies Mythos to ASL-3 or lower tomorrow (to free up revenue as competitive pricing pressure mounts), there is no legal recourse.

Project Glasswing's consortium contains zero external validators or enforcement mechanisms. The 40 members could collectively decide to relax deployment restrictions. The public would have no visibility into that decision until Mythos was already in private use across the consortium.

UK AISI provides external validation, but only for models sent to the UK voluntarily. Future frontier models are not obligated to participate. DeepSeek's open-weight models are not subject to external evaluation at all — they are released as weights and used by anyone with sufficient compute.

Open-Weight Breaks Regulatory Jurisdiction

DeepSeek V4's anticipated Apache 2.0 release means Mythos-comparable offensive capability will exist in a form not subject to any US regulatory framework. Not Anthropic's voluntary ASL-4, not state AI laws, not federal oversight — there is no mechanism by which the US government can restrict deployment of a leaked or released open-weight model.

Defensive capability buyers — offensive security firms, nation-state proxies, critical infrastructure red teams — will have legal access to Mythos-comparable capability through DeepSeek V4. The US regulatory vacuum becomes irrelevant because the model is not subject to US jurisdiction at all.

This was theoretically true before DeepSeek V4. Open-weight models existed. However, they were not frontier-tier models with demonstrated offensive capability. DeepSeek V4 changes the equation: open-weight + frontier + offensive-capability = the first model where unregulated access to dangerous capability is both legal and straightforward.

AI Displacement Without Transition Framework

Gartner data shows 9,200 explicit Q1 2026 AI-attributed tech layoffs. Challenger Gray's modeling suggests 200K-300K actual AI-displaced positions in 2025 alone. These are workers with jobs that no longer exist — not due to economic cycle, but due to AI substitution.

The White House framework includes a 'workforce preparation' pillar. It consists of nonbinding recommendations, not federal policy. There is no mandatory AI-displacement reporting, no workforce transition benefits, no retraining infrastructure. The displaced workers are a statistical externality in a Federal Reserve model of 'productivity gains,' but they are economically real.

This is the public health equivalent of 'we are releasing a new medication that is effective but we have no plan for patients who have adverse reactions.' Except the adverse reaction is permanent job displacement and the 'medication' is frontier AI.

Three Paths Forward: Crisis, State Regulation, or Voluntary Standard

By 2028-2029, one of three paths is likely:

(A) Catastrophic incident forces emergency regulation. A large-scale enterprise breach, election interference, or critical infrastructure attack using Mythos-class offensive capability triggers emergency federal AI regulation structurally similar to the post-2001 security state. Regulatory capacity is built rapidly but with significant civil liberties tradeoffs.

(B) State laws survive preemption and become de facto national standards. California, New York, and allied states win preemption litigation. Their AI laws remain enforceable. Multinationals comply with state laws voluntarily as the de facto national standard. Fragments the regulatory landscape but preserves some enforcement layer.

(C) Voluntary industry framework matures into de facto standard. RSP frameworks, ASL tiers, Project Glasswing-style consortia mature into an ISO-style industry standard with external audit requirements. Potentially incorporated by reference into insurance and enterprise procurement requirements. The industry prefers this outcome because it preserves autonomy and pricing power.

Path (C) is least likely. DeepSeek's open-weight strategy directly undermines it — companies committed to voluntary frameworks cannot compete with companies that release openly. Unilateral restraint does not work in a competitive market. Path (A) requires a forcing incident. Path (B) requires state legal victories that are not guaranteed. The most likely outcome is a combination: partial state victories in some jurisdictions, selective industry adoption of stronger safety frameworks in response to reputational pressure, and continued regulatory vacuum until a significant incident occurs.

Winners and Losers in the Governance Vacuum

AI labs with existing safety posture (Anthropic, Google DeepMind) win: voluntary frameworks becoming de facto standards without mandatory federal oversight is their preferred outcome. They benefit from being first-movers on safety.

Cyber offense capability buyers win: they face no US federal restriction on acquiring Mythos-comparable capability through open-weight DeepSeek V4. The gap between declared policy ('AI safety is important') and enforcement capacity ('we cannot actually stop you') is irrelevant if there is no enforcement.

State AGs and state legislators win: they retain high political relevance as the only active enforcement layer. High-profile AI safety cases concentrate political capital at state level.

Insurance underwriters and enterprise risk managers win: the regulatory vacuum makes their private-sector risk pricing the effective governance mechanism. Enterprises unable to get liability insurance for frontier AI deployments self-regulate through insurance costs.

Civilian AI safety research community loses: their policy recommendations have no legal pathway to implementation at federal level. Academic arguments for international AI governance mean nothing if the US itself has no governing framework.

Small businesses and consumers lose: they bear the costs of AI misuse (fraud, identity theft, automated social engineering) without federal protection mechanisms or recourse.

Displaced workers lose: no federal framework, no transition support, no mandatory corporate reporting. They are a political non-entity in a framework optimized for 'innovation.'

Any US enterprise eventually subject to EU AI Act enforcement loses: they will lack domestic compliance infrastructure to defend themselves against European regulators. The US' regulatory vacuum means US companies cannot domestically comply with EU standards.
