AI companies have discovered the perfect marketing formula: announce a model so powerful it's too dangerous to release, watch the headlines write themselves, and maintain complete control over verification. This strategy has become so effective that it's reshaping how the industry communicates about its most advanced systems, from OpenAI's o-series reasoning models to Anthropic's recently announced Mythos vulnerability-hunting system .

Why Are AI Labs Keeping Their Most Powerful Models Secret?

The pattern started years ago. In February 2019, OpenAI announced GPT-2, a text-generation model, and refused to release it, claiming its capabilities could "automate the mass-production of propaganda." The media ran with it. Headlines warned about an "infopocalypse." The story became so dominant that GPT-2 put OpenAI on the map as the company building things so powerful they required restraint .

What actually happened? Independent researchers replicated GPT-2 within months. OpenAI eventually released the full model in November 2019. By then, The Verge was already questioning whether the fears were justified. OpenAI itself later confirmed: "no strong evidence of misuse." The predicted catastrophe never materialized, but the marketing worked perfectly .

The same script played out in November 2023 when Reuters reported that OpenAI was working on a model called Q* that was "so powerful it alarmed staff." The story broke alongside Sam Altman's brief firing, and the implication was clear: this model was so dangerous it may have contributed to a boardroom crisis. Every news outlet in the world picked it up. Again, nobody outside OpenAI had seen Q*. The claims were based on anonymous sources with no benchmarks, no demonstrations, and no independent verification .

What Happened When Researchers Actually Checked the Claims?

Anthropic's recent announcement about Mythos follows the exact same playbook. The company claims the unreleased model found "thousands of zero-day vulnerabilities" across operating systems and browsers, including bugs that had been hiding for 27 years. The model supposedly "surpassed all but the most skilled humans" at finding and exploiting security flaws. The response was predictable: fear-based headlines, warnings about what happens when such power falls into the wrong hands, and a coalition of major tech companies, including AWS, Apple, Google, Microsoft, and NVIDIA, rallying around a new defensive initiative .

There's just one problem: the only people who have tested Mythos are Anthropic and the coalition partners who signed on to the initiative. No independent researcher had verified the claims until someone actually did the work .

AISLE, an AI-native application security platform and a competitor to Anthropic, ran Mythos's headline findings through existing models. The results challenged the narrative significantly:

• FreeBSD Exploit Detection: Eight out of eight models detected Mythos's headline FreeBSD exploit, including models you can run on a laptop
• Small Model Performance: Small open models with only 3.6 billion parameters outperformed most frontier models at data-flow tracing with fewer false positives
• Vulnerability Chain Recovery: A 5.1 billion-parameter open model recovered the core vulnerability chain that Anthropic presented as requiring Mythos-level reasoning

AISLE's conclusion was direct: "The moat in AI cybersecurity is the system, not the model." The real advantage isn't having a secret, all-powerful model. It's building the orchestration, the expert scaffolding, and the relationships with software maintainers. This doesn't mean Mythos isn't impressive, but the gap between "Mythos found these bugs" and "only Mythos could have found these bugs" is enormous. Most coverage has collapsed the two claims into one .

How to Evaluate AI Capability Claims Without Falling for Marketing

• Demand Independent Verification: When a company says their model found a 27-year-old bug, ask whether existing models could have found it too. Request benchmarks run by researchers outside the company, not self-reported metrics
• Question the Benchmark Design: When a company claims their model "surpasses all but elite humans," ask what the actual benchmark is, who ran it, and whether others can replicate the results independently
• Understand the Access Terms: When a coalition of tech giants signs onto a defensive initiative, ask what exactly the terms are, who gets access, what it costs, and whether the arrangement is designed to prevent public scrutiny
• Distinguish Between Capability and Necessity: Ask whether the company is claiming the model is powerful or claiming it's the only tool that can do the job. These are very different assertions

The pattern is elegant and effective. "Too powerful to release" simultaneously achieves three things: it positions the company as safety-conscious, it generates massive free press, and it makes independent verification impossible by design. You don't need to buy ads when you can get coverage about how your product might be too powerful for society to handle .

Meanwhile, OpenAI is preparing its own restricted release. The company is finalizing a cybersecurity product called the "Trusted Access for Cyber" pilot program, which provides vetted organizations with high-capability models designed specifically to accelerate defensive research. OpenAI committed 10 million dollars in API credits to participants. The strategy mirrors Anthropic's approach: walled gardens, handpicked partners, and no public access .

However, many experts argue the genie is already out of the bottle. Wendi Whitmore, chief security intelligence officer at Palo Alto Networks, warns that similar capabilities will inevitably leak or be replicated in open-source models within weeks. Rob T. Lee of the SANS Institute notes that the ability to find flaws in aging codebases is a fundamental feature of modern large language models, or LLMs, that cannot be easily "unlearned" .

The current strategy mirrors the decades-old practice of responsible disclosure in the cybersecurity world, giving defenders a head start before vulnerabilities become public knowledge. But the marketing layer, the emphasis on how dangerous these models are, and the emphasis on how only the company can be trusted with them, is something different. It's not just security practice. It's communication strategy .

The thing is, "too powerful to release" and "not ready to release" are very different claims. Security researchers doing their work, with all their expertise, is one thing. Layering it in marketing messages is a different one. But they generate the same headlines. The appropriate response isn't cynicism. It's caution. Until someone outside the building gets to verify the claims, the appropriate response isn't fear. It's asking the same questions you'd ask about any other product launch in any other industry .