How Anthropic’s Mythos is fueling cyber risk aggregation fears

Cyber insurers are bracing for “AI versus AI” risk landscape


With additional reporting from Bryony Garlick

The emergence of Anthropic’s Claude Mythos is already sending tremors through cybersecurity and insurance markets, even before the technology reaches broad deployment.

Designed as a frontier model capable of identifying and exploiting software vulnerabilities at scale, Mythos represents a step-change in both defensive and offensive cyber capabilities. Industry analysts said the rapid acceleration of artificial intelligence-driven vulnerability discovery will

“A year ago, some of these (frontier) models could do initial reconnaissance very well, but now they’re able to do more sophisticated attacks,” said Rawley Lind, cybersecurity & enterprise technology advisor at West Monroe’s insurance practice.

“They’re moving beyond detection and actually taking action within a client environment. So, while there’s a lot of potential for good, such as supporting workflows and organizational enhancements, there is concern from a cybersecurity standpoint.”

“AI versus AI” cyber risk landscape

Launched under a tightly controlled initiative known as Project Glasswing, Mythos has been made available to a select group of technology and infrastructure firms, including major platforms and operators of critical systems. According to reporting by Reuters, the model has already uncovered thousands of vulnerabilities across major operating systems and browsers, fuelling fears about the resilience of existing digital infrastructure.

The urgency surrounding the model intensified this week after reports that Anthropic is investigating claims of unauthorized access to its Mythos preview environment. While there is no evidence of malicious use, the incident highlights a growing concern in the cybersecurity community: that AI tools powerful enough to secure systems could equally be used to undermine them.

“Independent testing shows these models can actually take action and support more sophisticated attacks,” said Lind.

The speed and scale of these detection capabilities mean organizations must radically transform their cybersecurity strategy. Lind pointed to an ongoing shift from vulnerability management to exposure management.

“Traditionally, it’s been like fixing potholes: you find a hole, patch it, and move on,” said Lind. “The issue now is that the road is changing faster than companies can patch it. New potholes keep appearing, and some turn into sinkholes. Instead of just fixing issues, companies need to understand where traffic is highest, which systems are most critical, and where to focus efforts from an exposure standpoint.”

This shift requires a more holistic view of risk, encompassing not just individual vulnerabilities but the criticality of systems, the flow of data and the potential impact of disruption. It also demands a greater reliance on AI-driven defence mechanisms.

“Attackers are already using AI at scale,” Lind said. “Defenders need to do the same. It’s essentially AI versus AI.”

What’s the impact on cyber insurance?

Historically, cyber underwriting has relied heavily on self-reported controls and periodic assessments. But that approach is now being challenged. Insurers are increasingly demanding real-time, verifiable evidence of security controls rather than static attestations, according to Lind.

“Companies need to move beyond legacy approaches and detect AI-driven threats in real time,” he added.

Trevor Jones, a partner at West Monroe’s insurance practice, said AI tools are compressing the timeline between vulnerability discovery and financial loss. “That creates pressure on cyber models that were built for a slower-moving threat landscape,” he told Insurance Business.

“We’re likely to see claims frequency increase before severity. More vulnerabilities mean more entry points and more incidents, similar to how high convective storms increase catastrophe losses.”

Cyber carriers are likely to respond by adjusting rates. At the same time, Jones sees cyber policy language evolving and tightening in the future. Grey areas are already emerging, particularly around non-malicious incidents such as outages triggered by automated systems or cascading failures. In these cases, Jones said, attributing liability becomes more complex, increasing the potential for disputes between insurers and policyholders.

However, a more systemic risk looms in the form of aggregation. The analysts flagged that a single widely used vulnerability identified and exploited by advanced AI could affect thousands of organizations simultaneously, creating what insurers describe as a “cyber catastrophe” event.

Daniel Winn, development broker technology, media, cyber & sciences at Jensten, said that the unauthorized access of Mythos raises some red flags.

“What’s notable is not simply that unauthorized access occurred, but that it involved a model designed to dramatically accelerate vulnerability discovery,” he told Insurance Business. “That introduces a different dynamic in which attacks can scale faster and more uniformly across organizations using shared cloud providers or infrastructure.”

While Winn doesn’t believe the incident will “shock the market,” he raised questions on how the cyber insurance sector will adapt to this emerging risk.

“We’ve already seen in the media today that some insurers are capping losses related to AI and LLM‑jacking risks,” he said. “While others currently offer affirmative AI cover as standard, it will be interesting to see whether incidents like this prompt tighter terms or sub‑limits in those areas.”
