Politico flags GPT-5.5 hacking risk
- On May 24, Politico reported that researchers testing Anthropic’s Mythos and OpenAI’s GPT-5.5 described the models’ hacking capabilities as a “game-changer.” (politico.com)
- UK MP Alex Sobel’s amendment would let ministers order shutdowns of data centres or AI systems during a “catastrophic risk” emergency. (bills.parliament.uk)
- The UK Parliament site shows Sobel’s amendment as NC12 at report stage, with no Commons decision yet recorded. (bills.parliament.uk)

Politico reported on May 24 that researchers who tested Anthropic’s Mythos and OpenAI’s GPT-5.5 in controlled settings said the models’ hacking capabilities are moving faster than expected. The article said nine cyber researchers and tech leaders who had experimented with the systems reached the same conclusion: the tools could materially change digital security. (politico.com)

Lee Klarich, chief product and technology officer at Palo Alto Networks, told Politico that testing Mythos made clear to him it was “going to be a game-changer.” (bills.parliament.uk)

That warning is now colliding with legislation in Britain. An amendment tabled by Labour MP Alex Sobel to the Cyber Security and Resilience Bill would allow the Secretary of State to direct the shutdown of data centres or AI systems used by data centres in an “AI security or operational emergency.” The amendment says those powers would apply only where ministers believe the compromise poses a “catastrophic risk,” including large-scale disruption to critical infrastructure, degradation of national security capabilities, or severe large-scale harm to human life. (bills.parliament.uk)

### What did Politico say researchers were seeing in GPT-5.5 and Mythos? (politico.com)

Politico said on May 24 that Anthropic and OpenAI had spent the previous month promoting the cyber capabilities of their newest models, and that outside testers said the companies were not overstating the progress. The report said both companies had restricted testing to small groups of trusted organizations because the models’ cyber abilities had outpaced public tools and, in some cases, expert humans.

Lee Klarich told Politico that the systems were more powerful than he had expected when he first saw Mythos. Isaac Evans, chief executive of Semgrep, said Mythos showed “an uncanny ability around exploit generation,” according to Politico. (bills.parliament.uk) Jonathan Trull, chief information security officer at Qualys, said GPT-5.5 “can basically do what your most advanced app security engineer can do,” the publication reported.

### How much outside evidence is there that the capability jump is real?

CyberScoop reported on May 13 that separate findings from the UK AI Security Institute and Palo Alto Networks showed Anthropic’s Claude Mythos Preview and OpenAI’s GPT-5.5 had exceeded the trend lines researchers had been tracking for autonomous cybersecurity tasks. (politico.com) The UK AI Security Institute said both models had substantially exceeded the doubling trend it had measured since late 2024.

The UK AI Security Institute said a Mythos checkpoint completed a 32-step simulated corporate network attack in 6 of 10 attempts and another previously unsolved range in 3 of 10 attempts. (politico.com) GPT-5.5 completed the 32-step “The Last Ones” range in 3 of 10 attempts, according to CyberScoop’s summary of the institute’s findings. Palo Alto Networks said the latest models were highly capable at finding vulnerabilities and turning them into exploit paths in near real time.

### What exactly would the UK “kill switch” amendment do?

Amendment NC12 on the UK Parliament website says regulations could give the Secretary of State “last-resort powers” to direct the shutdown of data centres or AI systems used or deployed by a data centre. (cyberscoop.com) The text defines an AI emergency as a compromise to network and information systems caused or contributed to by an AI system, through autonomous or non-autonomous means, that poses a catastrophic risk.

The amendment also says data centre operators could be required to install the technical infrastructure needed to comply with a shutdown order. It requires the government, within seven days of issuing a direction, to lay a report before Parliament and seek debate in both Houses as soon as reasonably practicable. (cyberscoop.com) The Parliament page lists the proposal as Alex Sobel’s amendment at report stage and says no decision has yet been taken.

### Why are ministers being asked to reach all the way to data centres?

The amendment’s text ties the power to systems “used or deployed” at scale in the United Kingdom or by providers of essential services. (bills.parliament.uk) That wording places the focus not only on model developers but also on the facilities running or hosting the systems.

Politico reported that government agencies, congressional committees, banks and regulators had been seeking access to Mythos and GPT-5.5 in recent weeks so they could secure critical networks before adversaries obtained similar tools. That sequence — restricted access, critical-network testing and emergency shutdown proposals — is the factual chain now driving the debate. (bills.parliament.uk)

### What happens next in Britain?

The UK Parliament page says the House of Commons has not yet considered amendment NC12. If the proposal advances, ministers would need to write regulations setting out how any “last-resort powers” would work and what technical requirements data centre operators would have to meet. (bills.parliament.uk)

Politico’s May 24 report suggests the policy pressure is unlikely to ease soon. The article said agencies, regulators and major companies are already trying to evaluate the models before wider access expands, while lawmakers in Britain are trying to build an emergency mechanism before a real-world AI-linked cyber crisis forces the issue. (politico.com) (bills.parliament.uk)