The moment a single AI model forces a government to convene emergency meetings with the CISOs of its largest tech companies, you're no longer talking about a software release — you're talking about a structural shift in how nations think about digital sovereignty. That's exactly where Korea finds itself this week, and the cybersecurity risks exposed by Anthropic's Claude Mythos Preview are a preview of a much larger geopolitical reckoning.

South Korea's Ministry of Science and ICT didn't hold one meeting — it held two, on consecutive days (Tuesday and Wednesday), pulling in the chief information security officers of Naver, Kakao, Woowa Brothers, and Coupang, alongside dedicated cybersecurity firms. That's not a routine briefing. That's a government recognizing that the threat surface has fundamentally changed, and that it doesn't yet have the tools or the access to respond.

The Korea Times Business report covering these developments captures the technical alarm clearly. But the deeper story isn't about one AI model. It's about who gets to set the rules when AI becomes the primary instrument of both offense and defense in cyberspace.

---

What Makes Mythos Different From Every Previous AI Security Threat

Most AI-related security conversations over the past three years have centered on phishing automation, deepfake social engineering, or AI-assisted malware generation. These are serious threats, but they're extensions of existing attack vectors — faster, cheaper, more scalable versions of things that already existed.

Claude Mythos Preview is categorically different, and Anthropic itself has been unusually candid about why. In its April 7 "Alignment Risk Update: Claude Mythos Preview" document, the company described Mythos as its most capable LLM to date — and simultaneously acknowledged that it "poses a higher risk than any previous model." That's a remarkable statement for a company to make about its own product at launch.

The specific capability driving alarm is Mythos's apparent ability to identify zero-day vulnerabilities — security flaws that are unknown to the software developers themselves. According to Anthropic's own documentation, Mythos has already identified previously unknown vulnerabilities in major browsers and operating systems, with demonstrated capability to carry out denial-of-service attacks based on those findings.

Zero-days are the most valuable currency in the cybersecurity underworld. Nation-state intelligence agencies spend hundreds of millions of dollars annually acquiring them. The NSA, China's PLA Unit 61398, and Russia's Sandworm have built entire offensive programs around stockpiling zero-days. What Mythos appears to do — and this is where the alarm is warranted — is automate the discovery process at scale.

If a sufficiently capable AI can identify zero-day vulnerabilities faster than human researchers, the economics of cyberattack change completely. The barrier to sophisticated offensive capability drops from "nation-state budget and talent pipeline" to "API access and intent."

"The emergence of Mythos and other high-performance AI-based cybersecurity services presents an opportunity to significantly enhance security levels, while also highlighting the potential risks if such technologies are misused." — Deputy Prime Minister and Minister of Science and ICT Bae Kyung-hoon, via Korea Times Business

That's a careful diplomatic framing of a very direct concern: the same model that can help defenders find vulnerabilities first can, in the wrong hands, hand attackers a systematic advantage they've never had before.

---

Korea's Specific Exposure: Why Seoul Is More Vulnerable Than It Looks

South Korea's digital infrastructure concentration makes it unusually exposed to AI-amplified cybersecurity risks. Consider the architecture: Naver and Kakao together account for the dominant share of Korean internet traffic, messaging, payments, and increasingly, cloud services. Coupang processes a substantial portion of the country's e-commerce. Woowa Brothers (Baemin) handles food delivery logistics for tens of millions of users. These aren't just tech companies — they're critical civilian infrastructure.

The government's urgency is compounded by a specific access gap that the Korea Times report highlights almost in passing: no Korean companies are currently among the limited partners receiving early access to Mythos through Anthropic's Project Glasswing. Google, Apple, and Microsoft are in. Korean firms are not.

This matters enormously. Project Glasswing is described as providing Mythos to select partners for "defensive security work" — essentially, letting trusted organizations use the model to find and patch vulnerabilities before bad actors can exploit them. Being excluded from that program means Korean companies are in a structurally disadvantaged position: they face the same threat landscape as Glasswing participants, but without the same defensive tools.

This is the geopolitical subtext that the Ministry of Science and ICT meetings are really about. It's not just "how do we defend against Mythos?" It's "why aren't we at the table when access to the most powerful defensive AI tools is being allocated?"

Korea has been through this before with semiconductor supply chains — the painful lesson that dependence on foreign technology providers creates strategic vulnerability when geopolitical conditions shift. The Mythos situation is an early signal that the same dynamic is emerging in AI-enabled cybersecurity, a domain where the stakes are arguably higher because the attack surface is everywhere simultaneously.

---

The "Trust Architecture" Problem: Beyond Technical Defense

The most intellectually interesting commentary in the Korea Times report comes not from government officials, but from academics and industry experts who are reframing the entire question.

"The side that gains the upper hand is no longer the one with superior attacking capabilities, but the one that designs and governs rules and protocols." — Professor Park Han-woo, Yeungnam University, via Korea Times Business

This is a profound shift in how cybersecurity should be conceptualized, and it aligns with how I've been thinking about the broader AI governance question. The traditional cybersecurity framing — offense vs. defense, attack vs. patch — assumes a relatively stable technological environment where the primary variable is technical capability. Mythos breaks that assumption.

When AI can autonomously discover vulnerabilities at scale, the technical gap between offense and defense becomes less important than the governance gap — who controls the AI, under what rules, with what accountability structures. Professor Park's point about separating "decision-making, execution and accountability" from a single company or platform isn't just good policy advice; it's a description of the fundamental architectural problem with how powerful AI tools are currently deployed.

Amazon Web Services' Kim Young-hoon put it in terms that resonate with anyone who has watched AI systems move from rule-following automation to agentic decision-making:

"AI has evolved from simple automation that follows rules to fully autonomous multi-agent systems with reduced human intervention. As uncertainties beyond human control emerge, security and ethical issues are becoming national-level concerns." — Kim Young-hoon, AWS Korea and Japan Director of Public Policy, via Korea Times Business

The phrase "uncertainties beyond human control" is doing a lot of work in that sentence. It's a polite way of saying that we've deployed systems whose failure modes we don't fully understand, into environments where the consequences of failure are measured in national infrastructure and civilian harm.

---

The Zero-Trust Imperative and the SME Gap

Kim Jin-soo, president of the Korea Information Security Industry Association, made a point that deserves more attention than it typically gets in these high-level policy discussions: the security gap between large enterprises and small-to-medium enterprises is the real systemic vulnerability.

Naver and Kakao have the resources to convene emergency security reviews, hire world-class CISOs, and implement sophisticated monitoring systems. They were in the room with the Ministry of Science and ICT this week. The thousands of Korean SMEs that run on software infrastructure built by those same large platforms — and that serve as suppliers, subcontractors, and integration partners — are not.

This is the software supply chain problem that has become central to cybersecurity thinking globally since the SolarWinds attack in 2020. A sophisticated attacker doesn't need to breach Naver directly if they can compromise a smaller vendor in Naver's supply chain. Mythos-level zero-day discovery capability makes this attack vector dramatically more dangerous, because it can systematically identify the weakest links across an entire software ecosystem.

The "zero-trust" framework Kim Jin-soo recommends — where no user or device is automatically trusted, and every access request is verified — is the right architectural response. But implementing zero-trust across Korea's SME ecosystem requires resources, expertise, and coordination that most small companies simply don't have. This is where government policy needs to move beyond convening meetings with large platform CISOs and develop concrete support mechanisms for the long tail of the economy.

Korea's broader economic policy context is relevant here. The government has been actively working to channel investment into productive sectors of the economy — as I've explored in analysis of Korea's 98 Trillion-Won Productive Finance initiative. Cybersecurity infrastructure for SMEs is exactly the kind of structural investment that fits within that framework, but it requires treating security as economic infrastructure rather than a compliance checkbox.

---

What the Global Context Tells Us

Korea is not alone in grappling with AI-amplified cybersecurity risks, but its situation has specific features that make the international comparison instructive.

The United States has moved toward a combination of regulatory pressure on AI developers (through NIST frameworks and emerging executive guidance) and direct government investment in AI-enabled defensive capabilities through CISA and NSA partnerships. The EU's AI Act creates a risk-tiered framework that would likely classify Mythos-level capabilities as high-risk, requiring specific conformity assessments before deployment.

China, meanwhile, has been building parallel AI security capabilities domestically — precisely to avoid the kind of access dependency that Korea now faces with Mythos. The MITRE ATT&CK framework, which is the global standard taxonomy for cyber threat intelligence, has been tracking AI-augmented attack techniques for several years, and the pattern is consistent: the countries that maintain indigenous AI research capacity have significantly more policy flexibility when powerful foreign models emerge.

Korea's situation sits uncomfortably between these poles. It has world-class technology companies and a sophisticated digital economy, but its frontier AI research capacity — particularly in large language models with the kind of autonomous reasoning that Mythos apparently demonstrates — remains dependent on US-developed foundation models. That dependency is now manifesting as a concrete security policy problem.

The exclusion from Project Glasswing is the most visible symptom. But the underlying issue is that Korea doesn't have a domestic equivalent of Anthropic, OpenAI, or even a Google DeepMind that it can bring into a national security partnership on equal terms. Samsung and SK Hynix are world leaders in semiconductor manufacturing, but that's a different layer of the stack.

---

Actionable Takeaways: What Should Actually Happen Next

The meetings this week are a necessary first step, but they're not sufficient. Here's what the evidence suggests needs to happen, and relatively quickly:

1. Pursue Glasswing access aggressively, at the diplomatic level. The exclusion of Korean firms from Anthropic's defensive AI partnership program is not just a business development problem — it's a national security gap. The Ministry of Science and ICT should be engaging the US State Department and Anthropic directly to establish a pathway for Korean critical infrastructure operators to access defensive AI tools on comparable terms to US tech giants.

2. Invest in domestic zero-day research capacity. Korea's National Intelligence Service and Korea Internet & Security Agency (KISA) need dedicated AI-augmented vulnerability research programs. If Mythos-level capability can find zero-days at scale, Korean defenders need equivalent tools to find and patch them first.

3. Extend the security conversation to the SME supply chain. The large platform companies in the room this week are not the primary risk vector — they're the most defended nodes in the network. The government needs a parallel track focused on the thousands of smaller companies in their supply chains.

4. Engage on international AI governance frameworks. Professor Park's point about designing trust architectures and governance protocols is exactly right. Korea should be actively participating in — and attempting to shape — the emerging international frameworks for AI security governance, rather than reacting to decisions made by US companies and their primary government partners.

5. Treat this as an ongoing intelligence function, not a one-time review. Naver's statement that it is "closely monitoring global trends" is the right instinct, but monitoring is not sufficient. Korean companies need active threat modeling that assumes Mythos-level capabilities will eventually be accessible to sophisticated threat actors, regardless of Anthropic's access controls.

---

The Deeper Question: Who Designs the Rules?

The most important insight from this week's events in Seoul is the one that Professor Park articulated most clearly: the competition in AI-augmented cybersecurity is not primarily about who has the most powerful attack or defense tools. It's about who gets to design the governance architecture that determines how those tools are used, by whom, and under what accountability structures.

Korea is currently a rule-taker in that architecture. The Glasswing access list was determined by Anthropic, in consultation with its existing major partners. Korean companies found out about Mythos's capabilities the same way everyone else did — through a published document on April 7. The Ministry of Science and ICT's emergency meetings this week are a response to decisions made elsewhere, by others.

That's not a sustainable position for a G20 economy with the digital infrastructure concentration that Korea has. The cybersecurity risks posed by Mythos are real and immediate. But the structural risk — of being systematically excluded from the governance conversations that will shape how AI security tools are developed, deployed, and constrained — is the one that will matter most over the next decade.

The question Seoul should be asking isn't just "how do we defend against Mythos?" It's "how do we get a seat at the table where the next Mythos is being designed?"

That's a harder problem. But it's the right one.