
Mythos and the missing middle: Why frontier AI makes cyber resilience delivery more urgent

Written by Dr Ismini Vasileiou, Founder, East Midlands Cyber Security Cluster
When the UK AI Security Institute published its evaluation of Anthropic’s Claude Mythos Preview earlier this year, it caught my attention – not because it signals imminent catastrophe, but because it tells us something important about the direction of travel.
The evaluation found significant improvement in Mythos’s ability to support multi-step cyber-attack simulations and autonomous cyber performance. Anthropic has also linked the model to Project Glasswing, an initiative using advanced AI to help identify and fix vulnerabilities in critical software systems. Reuters reported that Mythos has already attracted attention from business, political and financial-sector leaders because of its potential cyber security implications.
It is important not to overstate what this means for most organisations. Mythos is not a publicly available tool that SMEs are likely to use directly. Nor should we assume that every organisation is now facing a completely new category of AI-enabled attack overnight.
However, the direction of travel matters.
If frontier AI models can increasingly support vulnerability discovery, testing and exploitation in controlled environments, then organisations may face greater pressure to identify, prioritise and remediate weaknesses more quickly. This is particularly relevant for software suppliers, critical infrastructure, financial services, public bodies and organisations in complex supply chains.
It also matters for SMEs. Many smaller organisations do not develop frontier AI systems or advanced software products, but they do rely on software, cloud services, managed IT providers, digital platforms and third-party suppliers. Their resilience depends not only on their own internal controls, but also on the security practices of the organisations they buy from and work with.
This is where existing UK cyber guidance remains highly relevant.
The Department for Science, Innovation and Technology has developed a growing set of cyber security codes of practice, including the Cyber Governance Code of Practice, the Software Security Code of Practice and the AI Cyber Security Code of Practice. These codes provide baseline expectations for different aspects of cyber security: how boards and directors govern cyber risk, how software should be developed and maintained securely, and how AI systems should be secured across their lifecycle.
Frontier AI does not make these codes obsolete. It makes their implementation more urgent.
The Cyber Governance Code of Practice is particularly important because it positions cyber security as a board-level and leadership responsibility. It sets out how directors and senior leaders should govern cyber risk, rather than treating it solely as a technical issue. That distinction matters. As cyber capability becomes more advanced, organisations need clear accountability, informed decision-making and proportionate oversight.
The Software Security Code of Practice is also highly relevant. If AI can help identify software vulnerabilities faster, then secure software development, vulnerability management, update processes, supplier communication and assurance become even more important. For software suppliers, secure-by-design is not simply a technical aspiration; it is becoming part of organisational trust.
The AI Cyber Security Code of Practice adds a further dimension. Organisations are increasingly adopting AI tools, often through third-party platforms and embedded services. The code provides baseline principles for securing AI systems and the organisations that develop and deploy them. For businesses, this means AI adoption should not be treated only as an innovation or productivity issue. It is also a cyber governance issue.
The challenge is that guidance alone does not create resilience.
Many organisations, especially SMEs, struggle with the practical questions that sit between national guidance and day-to-day action. Who owns cyber risk? What should senior leaders be asking? What should be expected from software suppliers? How should cyber security be written into procurement? What does secure AI adoption look like in practice? What internal skills are needed when IT is outsourced? How can smaller organisations evidence that they are taking proportionate and meaningful steps?
This is the missing middle.
National policy can set direction. Codes of practice can define good practice. Technical experts can identify vulnerabilities. But many organisations still need help translating that guidance into practical decisions, processes and behaviours.
This is where place-based cyber resilience becomes important.
Through the East Midlands Cyber Security Cluster, and through regional programmes such as CyberSprint and CyberGrowth, we have seen that organisations do not simply need more information. They need translation, confidence and practical pathways from guidance to action. They need trusted spaces where they can understand what good looks like, assess where they are now, and take realistic steps towards stronger resilience.
For SMEs, this often means making cyber security more practical and less abstract. It means connecting cyber to leadership, procurement, workforce development, supplier assurance, customer trust and growth. It also means recognising that cyber resilience is not achieved through one intervention. It requires an ongoing process of governance, skills development, implementation and review.
Mythos should therefore be understood as part of a wider shift. It is a reminder that cyber capability is advancing, and that organisations cannot rely on awareness alone. They need the ability to act on the guidance that already exists.
The UK has strong cyber policy direction and an increasingly coherent set of codes of practice. The next challenge is delivery. How do we support organisations, particularly SMEs and regional supply chains, to turn those principles into practical cyber resilience?
That is where universities, cyber clusters, industry partners and public bodies have an important role to play. They can help close the gap between national ambition and organisational reality. They can support businesses to understand the codes, assess their risks, develop skills, engage suppliers and make cyber security part of everyday decision-making.
The significance of Mythos is not that every organisation needs access to frontier AI. The significance is that the pace of cyber capability is changing, and organisational readiness needs to keep pace.
The DSIT codes help define the baseline.
The work now is to close the missing middle between knowing what good looks like and making it happen in practice.