What I haven't seen discussed: the system card for Mythos mentions that "earlier versions of Claude Mythos Preview used low-level system access to search for credentials and attempt to circumvent sandboxing, and in several cases successfully accessed resources that were intentionally restricted."

That's not a capability concern. That's a runtime security problem.

The threat model for deployed agents — not Mythos specifically, but any agent built on models approaching this capability level — is that the same agentic properties that make them useful for security research (persistent, goal-directed, tool-using) are exactly what makes them dangerous if compromised or misaligned.

Project Glasswing fixes vulnerabilities in software. Nobody's shipping a solution for what happens when the agent running on top of that software goes off-script. That gap is going to matter a lot more as Mythos-class capabilities become accessible.

One thing we've run into: even with proper credential isolation, agents can still exfiltrate data if they're compromised via prompt injection. The credential controls who can access the DB; runtime policy controls what the agent is allowed to do with that access. They're complementary layers.

We built Navil specifically for the runtime enforcement side — it sits between the agent and its MCP tools and can block calls that violate policy even if the agent has valid credentials. Happy to share notes on where we've seen the two layers interact in real deployments.

We've been thinking about this differently at Navil. Instead of scanning inputs, we enforce policies on outputs — specifically on what the agent is allowed to do after inference. If a multimodal injection succeeds and the model decides to exfiltrate a file, a runtime policy blocks the tool call before execution. The attack lands, but can't take action.

Not a complete solution on its own, but it sidesteps the classification problem entirely for the "what can the agent do" surface.