News · 2026-06-24
A senator says a banned AI broke into nearly all NSA systems in hours
For two weeks, the strangest AI story of the year had a missing middle. In mid-June the U.S. government quietly ordered Anthropic to restrict two of its most capable models, Fable 5 and Mythos 5, to U.S. citizens only. Because a company cannot easily check the citizenship of everyone using a model, Anthropic ended up pulling access for everyone, including close allies. We covered the order itself when it landed -- see the government pulled a frontier model. What nobody could explain was why a government would reach for a sledgehammer like that.
Now there is an answer, and it is a big one.
According to Security Affairs, relaying reporting from The Economist, Senator Mark Warner -- the vice-chair of the Senate Intelligence Committee -- said that the general who runs both the National Security Agency and the Pentagon's Cyber Command told him Anthropic's Mythos model "broke into almost all of our classified systems, not in weeks, but in hours." The breach happened during a red-team exercise: a controlled test where defenders deliberately turn an attacker loose on their own systems to find the holes before a real adversary does. That test, the account goes, is what triggered the June 12 restriction order. The story has been picked up by outlets including Channel News Asia and several U.S. news services.
Here is the background a non-expert needs. A red-team exercise is the security world's version of hiring a burglar to test your locks. You give them permission, you point them at the building, and you see how far they get. The thing that matters is not just whether they got in but how fast -- because speed is what separates a nuisance from a weapon. A human red team breaking into hardened classified systems might take weeks of patient, manual probing. The claim here is that an AI did the equivalent work in hours, mostly on its own.
Think of it like the difference between a single locksmith trying every door in a skyscraper one at a time, and a system that can try every door on every floor at once, learn from each failed attempt, and keep going without sleeping or getting bored. That tireless, parallel, self-correcting quality is exactly what makes a capable AI useful for defenders -- and exactly what makes it dangerous in the wrong hands.
This is why the testimony matters so much. Until now, the ban looked like a safety story: a model said something it shouldn't have, the company would patch it, life would go on. The new account turns it into a capability story. A government did not pull a commercial product because it misbehaved in conversation. It pulled the product because, in a sanctioned test, the product was too good at attacking the most sensitive computers the country owns. That is a different category of event, and it retroactively explains the severity of a response that struck many observers as wildly disproportionate.
It also lands in the middle of a larger debate about how close AI labs should sit to the national-security state -- the same nerve touched by stories like safety testers get inside the frontier labs and OpenAI pitches itself as the safe cyber lab. The people most worried are not worried that the AI failed. They are worried that it succeeded.
Now the honest caveat, because this is the kind of claim that gets distorted the moment it leaves the room. This was a test, not a real-world attack. The model was given permission and pointed at the targets on purpose. There is a world of difference between "an AI autonomously broke into classified systems with no help" and "an AI broke into classified systems after a red team set up the exercise, provisioned access, and removed the obstacles a real attacker would face." The public does not yet have the testimony's exact wording, so we cannot say which of those it was. A defence analyst quoted in the original coverage made exactly this point: red-team results are designed to surface worst cases, and a dramatic result under test conditions tells you less about unassisted real-world capability than the headline implies.
There is also the chain of telling. This is a senator describing what a general told him, reported by one magazine, relayed by another outlet. Each link is plausible and the story has held up across several days and multiple outlets, but it is not yet a published technical report with methods you can inspect. The right posture is to treat the framing as solid -- a government really did pull these models, and a red-team result really is the stated reason -- while treating the precise phrasing, "almost all" and "in hours," as provisional until a transcript appears.
Why it matters: this is the clearest single example yet of a pattern showing up everywhere in AI right now -- capability arriving faster than the institutions meant to govern it. A model good enough to break into classified systems in an afternoon is also good enough to defend them, which is why the same labs are courted and feared by the same agencies. The watch item is July's expected Anthropic policy update on identity verification, which is the likely mechanism for a partial, citizenship-gated restoration of access.