OpenAI's Restricted Cyber Model Follows the Same Playbook It Mocked in Others

Two weeks ago, Sam Altman called Anthropic's decision to gatekeep its Claude Mythos cyber model "fear-based marketing." Today, OpenAI confirmed it is doing exactly the same thing with GPT-5.5-Cyber — restricting access to vetted "critical cyber defenders" under a government-coordination framework, with an application process requiring professional credentials and planned use case disclosure. The speed of the reversal is not a coincidence. It is evidence that the entire frontier AI industry has reached the same uncomfortable conclusion in private, even as it competed publicly over who could sound the least alarmist about powerful offensive-security models.

The rollout mechanism matters more than the model itself. GPT-5.5-Cyber is not available via ChatGPT or the public API. Access requires submitting credentials through an application form on OpenAI's site, and the company says it is working with the U.S. government to expand "trusted access" over time. That is structurally identical to Anthropic's Project Glasswing consortium — the same coalition of major cloud vendors, infrastructure maintainers, and security firms that Anthropic assembled to be the first recipients of Mythos-class capability. The difference is that OpenAI spent two weeks publicly mocking the playbook before executing it.

The AISI benchmark data gives the story a more concrete edge than the governance narrative suggests. In evaluated expert-level advanced cyber tasks, GPT-5.5-Cyber scored 71.4% (±8.0%) versus Mythos Preview at 68.6% (±8.7%), GPT-5.4 at 52.4%, and Opus 4.7 at 48.6%. On a custom-VM reverse-engineering challenge, GPT-5.5 solved it in 10 minutes and 22 seconds at an API cost of $1.73 — a task that took a human expert approximately 12 hours. Those numbers, if they hold in broader evaluation, mean OpenAI is not merely copying Anthropic's restricted-access framework. It may be shipping a technically superior product through the same restricted channel. That raises the stakes considerably for whoever is watching this space from a defensive-security posture.

The application process itself is worth examining honestly. The form asks for professional credentials and planned use cases. OpenAI says it is working to scale access. But the practical reality is that most individual security researchers, small SOC teams, and independent bug bounty hunters will not clear the first hurdle — not because they lack legitimate need, but because navigating a government-coordination process designed for large enterprises is a skill set of its own. The organizations most likely to gain early access are the ones already embedded in procurement pipelines: major cloud vendors, large enterprises with compliance requirements, and established security firms. That is the same population Anthropic assembled for Glasswing. It is also, not coincidentally, the population that already has the most existing AI security tooling. The gap between who needs this most and who gets access first is real, and it is not obvious how OpenAI plans to close it.

There is also the question of whether the vetting-only access model actually works. An unauthorized group reportedly gained access to Claude Mythos despite Anthropic's restrictions, which raises a general question about whether professional credentialing is a durable chokepoint or merely an obstacle for legitimate researchers that sophisticated actors route around. OpenAI's TAC framework is more explicitly government-coordinated than Anthropic's approach, which may make it more durable — or may simply shift the attack surface from the application process to the government partners themselves.

For practitioners, the takeaway is not "which lab has the better cyber model." It is that the frontier AI cyber capability distribution model has been effectively standardized in the span of about two weeks. Both OpenAI and Anthropic have independently concluded that the correct answer to "this model is too powerful for broad release" is a vetted-access program with government input. That consensus is more significant than any individual benchmark score, because it defines the market structure for everyone building defensive security tools on top of frontier models. If you are a security team evaluating AI-powered vulnerability scanning, you are now working in a world where the most capable offensive tools are locked inside consortiums that your organization may never join. The practical implication is that the accessible tier — models like Opus 4.7 and GPT-5.4 in their standard API forms — is where most organizations will live for the foreseeable future, and the capability gap between that tier and the restricted cyber tier is not trivial.

What OpenAI's approach adds to Anthropic's is a more explicit democratization framing. The company's stated principles include KYC-based verification (rather than purely enterprise-focused access), iterative deployment that learns by putting systems in the world carefully, and ecosystem resilience via grants, open-source contributions, and Codex Security. Whether those principles survive contact with the actual government coordination process remains to be seen. But the rhetoric is different, even if the structure is the same. For builders watching this space, the question is whether the access gap between "vetted consortium member" and "legitimate independent researcher" closes or widens over the next six months. That will tell you more about where the cyber AI market is actually heading than any benchmark disclosure.

The irony of Altman's two-week reversal is real, but it is less interesting than the market signal underneath it. What the industry has collectively decided is that the correct response to a model too dangerous for broad release is controlled distribution to an in-group — and that decision was made so quickly and with so little internal conflict that it looks less like a policy choice and more like an inevitable conclusion both labs reached independently. That convergence is the actual story. The model capabilities, the benchmark scores, the access frameworks — they are all downstream of a more fundamental industry agreement about who should have access to powerful offensive AI, and that agreement was reached in the open, in public, via competing press releases.

Sources: TechCrunch, The Verge, OpenAI, AISI