Your AI Threat Model Was Written for the Wrong War
Enterprises governed what the model might leak. Two events this week show they skipped the harder question: what the tool itself can do, and what can be done to it.
Enterprises evaluated AI dev tooling on capability and cost. They never evaluated it as attack infrastructure, because nobody asked them to. That's the category error sitting under most AI governance written in 2023 and 2024, and two events this week dragged it into the open.
Those playbooks governed the AI's outputs: prompt injection, data leakage, what the model might say or spill. The tool itself as a capable attacker, or as the thing being attacked, wasn't in the document. Anthropic's research shows its Mythos model weaponizing known vulnerabilities in hours, and within the same day Microsoft pulled GitHub repositories for its Azure and AI coding tools after a reported credential theft. Neither event fits inside the threat model anyone wrote for it.
These aren't the same threat, and flattening them weakens the point. Mythos is the tool as a weapon, an offensive agent that compresses exploit development from days to hours. The Microsoft compromise is the tool as a passive surface, third parties walking in through infrastructure you standardized on without ever treating it as critical. One is what your tools can do to others; the other is what can be done to you. They close on the same gap from opposite sides.
Be honest about both sources, though. The Mythos "hours" framing comes from Anthropic demonstrating its own model's offensive power, which conveniently sells the safety story and the capability in the same breath. And the Microsoft event, underneath the headline, is a repository compromise, a well-understood attack class where the AI angle is the setting rather than the mechanism. So one is a capability demonstration and the other a documented breach, a warning next to a piece of evidence. Don't file them in the same drawer.
But the warning and the evidence point the same way, and that's what makes this more than two headlines. The frameworks were built for a world where the AI was a feature you bolted on, not a piece of infrastructure with its own blast radius.
I don't know how fast the offensive capability translates from a research demo into a breach in the wild. That gap matters, and I won't pretend to size it. What I'm sure about is the planning error. Governance belongs before you open the floodgates, and most enterprises opened them on a threat model that didn't have either of this week's events in it.
