Anthropic, the artificial intelligence safety company behind the Claude family of models, inadvertently exposed nearly 3,000 internal assets on its public-facing website in , including images, PDFs, and details about an unreleased model named "Claude Mythos" that the company itself has flagged as its most capable and potentially most dangerous system to date. The disclosure was first reported by Fortune reporter Bea Nolan, who found that assets intended for internal use had been made publicly accessible, including materials tied to an exclusive chief executive officer event. The exposure has drawn sharp attention not only because of what was leaked, but because of who leaked it: a company whose entire identity is built on the premise that AI development must be done carefully, with safety at the center.

What Was Exposed, and How Significant Is "Claude Mythos"

The short version: close to 3,000 internal assets sat accessible to anyone who knew where to look. The interesting part is what those assets contained.

Among the materials was information about a model Anthropic has internally named "Claude Mythos." According to the exposed data, Mythos is designed to be Anthropic's most capable model yet, and the company's own internal documentation (now inadvertently public) describes it as posing unprecedented cybersecurity risks. That framing is notable. Anthropic has been unusually candid, at least internally, about the dangers its own technology could present. The fact that those candid internal assessments ended up accessible without authorization gives outsiders a rare and unplanned window into how the company thinks about model risk behind closed doors.

Anthropic had not announced Claude Mythos publicly before this exposure. The company's current publicly available models sit within the Claude 3 and Claude 4 families. Mythos, based on what the leaked materials indicated, would represent a step beyond those in raw capability, which is precisely why the company's own internal documentation attached language about unprecedented risk to it.

The Specific Irony of an AI Safety Company Having a Security Lapse

There is no way to write about this story without addressing the obvious tension directly. Anthropic's founding premise (the reason it exists as a separate company from OpenAI, where several of its founders previously worked) is that building increasingly powerful AI systems requires an organization structurally committed to taking safety seriously as a first-order concern, not an afterthought. The company has published extensive research on model evaluation, Constitutional AI training methods, and responsible scaling policies. Its communications consistently position Anthropic as the company in the room that is willing to slow down, audit carefully, and say no when the risk profile demands it.

That positioning makes this incident particularly jarring. The lapse was not a sophisticated external attack. It was not the result of a nation-state adversary penetrating Anthropic's infrastructure. It was, by all available accounts, an internal configuration error that left assets publicly accessible when they should not have been. The company that argues most vocally for careful, methodical practices in AI development left nearly 3,000 internal files sitting unsecured on its own website.

Anthropic had not issued a detailed public statement on the specific nature of the exposure or the internal processes that failed at the time of publication. Fortune's reporting, drawing on the accessible assets themselves, provided the substantive detail. The gap between Anthropic's public posture on safety and this operational failure will likely become a recurring reference point in debates about whether AI safety rhetoric translates to organizational practice. The broader political context, in particular how Anthropic has navigated its relationships with big tech and the Trump administration, shapes the stakes of this incident considerably.

How Pre-Release Model Security Works, and Where It Breaks Down

AI model development happens in stages, and most of the meaningful risk decisions are made well before a model reaches the public. During development, a company like Anthropic runs internal evaluations, red-team exercises, and capability assessments that produce documentation (safety reports, risk tiers, capability benchmarks) that is explicitly not for public consumption until the company decides how to frame it.

Think of this process like a film studio's test-screening program. The studio runs previews of a cut that may be significantly different from the final release. Audience reactions, internal notes about what works and what doesn't, and early marketing materials are tightly controlled because they reveal the gap between intention and execution. If that material leaks, it doesn't just create a spoiler problem: it shapes public expectations based on an unfinished product and exposes commercial strategy that was never meant to be visible.

For AI companies, the stakes are higher and the material is more technically sensitive. Internal risk assessments for unreleased models contain information that is valuable to competitors for benchmarking and to security researchers for understanding the threat landscape before a company has established its own public narrative. When Anthropic's internal documentation described Claude Mythos as posing "unprecedented cybersecurity risks," that phrase landed in the public domain before Anthropic had the opportunity to contextualize it, explain what mitigations were being built, or frame what "unprecedented" meant relative to their evaluation rubric.

That loss of narrative control is significant in a field where public trust in AI companies is already fragile. Statements about unprecedented risk, stripped of context, do not convey the nuance that distinguishes "we identified a risk and are actively managing it" from "we are building something dangerous and proceeding anyway." Both readings are now available to anyone who encountered the Fortune report. This category of exposure is part of a wider pattern of security gaps in AI development pipelines: see also the Checkmarx GitHub Actions supply chain attack for a parallel case study in how development tooling becomes an attack surface.

Anthropic's Fight With the Pentagon, and the Judge Who Weighed In

The leak did not occur in a vacuum. Anthropic is simultaneously engaged in a substantive political conflict with the United States government over the terms under which its technology can be deployed.

The Department of Defense had moved to designate Anthropic as a supply-chain risk, a designation that would effectively bar Claude from being used in government work. The Pentagon's rationale centered on Anthropic's refusal to strip guardrails from its models, specifically protections against using Claude to enable mass surveillance programs or autonomous weapons systems that operate without meaningful human oversight. Anthropic declined to remove those restrictions even under government pressure, positioning the conflict as a principled stand on the limits of what its technology should do.

A US federal judge blocked that Pentagon designation, describing the government's framing as an "Orwellian notion," a notably sharp characterization from the bench. The ruling was a legal victory for Anthropic, but the broader fight with the Trump administration over AI guardrails continues. The administration has pushed for fewer restrictions on AI deployment in national security contexts, while Anthropic has maintained that certain use cases (mass surveillance, autonomous lethal systems) fall outside what it will enable regardless of who is asking.

Positioning this political dispute alongside the Mythos leak creates a complicated picture. Anthropic is publicly arguing that it takes AI safety seriously enough to refuse government contracts rather than compromise its principles. Simultaneously, internal documents describing its most dangerous model in development were sitting on an unsecured server. The two facts do not cancel each other out (principled policy positions and operational security failures can coexist) but they do complicate the clean narrative that Anthropic has carefully constructed around itself.

The Broader Question of Model Security During Development

The AI industry does not yet have a mature standard for pre-release model security. This is partly a function of how fast the field has moved. Three years ago, the number of organizations training frontier AI models (models capable enough to generate serious safety concerns) could be counted on two hands. Today, that number has expanded considerably, and the organizations involved range from well-resourced labs with dedicated security teams to smaller efforts with more limited operational infrastructure.

Anthropic sits at the larger, better-resourced end of that spectrum. The company has raised billions of dollars in funding and counts Amazon among its major investors. It employs dedicated safety and security researchers. The fact that an exposure of this kind occurred at Anthropic, rather than at a scrappier operation with fewer resources, suggests the problem is not simply one of resourcing. It is organizational: the processes for tracking which internal assets are web-accessible and which are not did not catch nearly 3,000 files before they became a story in Fortune.

The AI industry's leading labs (Anthropic, OpenAI, Google DeepMind) have begun developing more formal frameworks for pre-deployment evaluation, including third-party audits and structured red-teaming exercises. But those frameworks have focused predominantly on what models can do, not on securing the documentation about what models can do during the period before they are released. That gap is now visible in a way it was not before.

For every lab currently developing a model they consider to be a step up in capability from what exists publicly, the Anthropic situation raises a practical question: what is sitting on an internal server right now that is one misconfiguration away from being accessible? Internal safety assessments, preliminary capability benchmarks, code names, and risk classifications all carry informational value that their authors never intended to share before a controlled release. These security concerns connect directly to the kind of nation-state cyber activity documented in the surge in cyber retaliation following US-Israel strikes against Iran, where adversaries actively seek access to sensitive AI development information.

AI in the Newsroom: A Related Data Point

Fortune's reporting on Anthropic's exposure came from the same publication that recently documented its own experience with AI-assisted journalism. Fortune reporter Nick Lichtenberg, using AI tools, produced more stories in six months than any colleague had delivered in a full year. That data point, reported within Fortune itself, sits in an interesting relationship with the Anthropic story. The publication that found and reported a major AI company's operational security failure is itself a case study in how AI tools are reshaping the capacity of individual journalists.

Lichtenberg's output represents one version of the argument that AI multiplies rather than replaces skilled human work, a faster pipeline that still requires editorial judgment at every step. That the story illustrating this most vividly in happens to be about an AI company's own security practices is a detail that would not be out of place in a media industry analysis piece, though it lands here as context rather than conclusion. The full Fortune Anthropic Mythos deep dive provides additional context on what the leaked materials revealed.

What Comes Next for Anthropic and AI Security Practices

For Anthropic specifically, the immediate question is what the company says publicly about Claude Mythos and the timeline for any formal disclosure. The exposure has already seeded the phrase "unprecedented cybersecurity risks" into coverage of the model without the context Anthropic would have chosen to provide. Any subsequent announcement about Mythos will now be read against that framing, which raises the stakes for how the company communicates the model's risk profile and the mitigations it has built.

The broader question for the AI industry is whether this incident becomes a forcing function for more rigorous pre-release information security standards. The major labs share information about safety evaluations through bodies like the FMF, and there is growing discussion of government-mandated disclosure frameworks for models above certain capability thresholds. Those frameworks have largely focused on what gets disclosed publicly and when. The Anthropic situation suggests equal attention is needed for what never gets disclosed: how it is stored, who can access it, and what happens when the answer to the second question turns out to be "anyone with a browser."

Anthropic built its reputation on the argument that the most important decisions in AI development are made before a model ships, in the evaluation phase, the red-teaming sessions, the internal safety reviews. If those are the decisions that matter most, then the documents that record them are among the most sensitive assets an AI company holds. Treating them with the operational discipline that matches their stated importance is not a technical problem. It is a matter of whether practice matches stated values. The gap between those two things is what Fortune found on Anthropic's website.
