KQED published its update on the Mythos breach Friday afternoon, 18:31 UTC. [1] The investigation continues; no evidence, Anthropic's spokesperson said, of impact on core systems. The piece, by every other measure, was a routine Day-4 status read. What the same article disclosed in its later paragraphs is what the paper's Friday sidebar had been listening for: the National Security Agency and U.S. Cyber Command are running Mythos in Amazon Bedrock's top-secret cloud — meaning Anthropic employees who do not hold a TS clearance cannot see the logs, cannot see the prompts, and cannot see the outputs. The architecture is not Anthropic's. It is AWS GovCloud's. The supply-chain-risk paradox the Pentagon designation appeared to create is now resolved by routing the IC integration through a cloud Anthropic does not operate.

The breach itself, broken by Bloomberg on April 21, was supply-chain in the most familiar sense. A third-party vendor's environment was compromised; a Discord channel's URLs were enumerable; an attacker, by Anthropic's accounting, gained limited access to information about beta-program participants. [2] No model weights moved. No customer data is known to have left. The investigation, KQED says, has not produced evidence of broader compromise. What the breach exposed was the granularity question: an attacker with URL-guessing capability could glance into a structure Anthropic had treated as private. URL-guessing is a 1996-vintage mistake. That a frontier AI lab made it in 2026 is the kind of detail Anthropic's Day-1 silence — Friday's posture — was designed to manage.

The NSA's access to Mythos was first reported by Axios on April 19; Reuters confirmed it the same day. [3] About forty organizations, by Anthropic's accounting, are part of Project Glasswing — the limited-distribution program that includes Mythos Preview. The U.K.'s AI Security Institute is publicly named. The NSA was not. Reuters' confirmation, and Bitcoin World's exclusive write-up Sunday, established that the NSA is using Mythos primarily for vulnerability scanning — exactly the cybersecurity use case Anthropic has been arguing the model is too capable to release publicly. The simultaneous reality, that the Department of Defense has labeled Anthropic a "supply-chain risk" and ordered agencies to stop using its technology, would seem to contradict the NSA's continued access. The Bedrock cloud is what makes both true.

The architecture works because Bedrock-Top-Secret is a separate AWS environment, certified for Sensitive Compartmented Information, with logs and audit trails accessible only to cleared personnel. Anthropic, in this arrangement, ships the model weights and operational support; it does not see what the cleared users do with the model. That construction satisfies, at least technically, the Pentagon's supply-chain-risk designation: the Pentagon does not have to trust Anthropic with operational visibility, because Anthropic does not have it. It also satisfies the NSA's threshold for accepting commercial AI: cleared cloud, cleared logs, cleared evaluators. The litigation Anthropic has filed against the Pentagon — challenging the supply-chain designation — argues a different point about access to the company's full capabilities. Saturday's tape says the litigation and the operational reality describe two different things.

Day 4 of the breach closes, then, with two facts the paper has been waiting for. The breach itself was a supply-chain failure of the unglamorous kind: third-party vendor, enumerable URLs, attacker probably opportunistic. The Bedrock disclosure is the structural fact: the U.S. intelligence community has resolved the Pentagon-Anthropic dispute by buying the model and running it in a place the company cannot see. That is not a transition window closing without an announcement. It is a transition window that has already closed, in a cloud Anthropic delivered the model into, with controls a different agency owns. The Friday Wiles-Amodei-Bessent meeting at the White House — the federal-relations track now confirmed by Reuters and Axios — has been negotiating over civilian-agency access. The military-intelligence side already has it.

-- MAYA CALLOWAY, New York