The US Government Just Got Pre-Release Vetting Rights Over Google, Microsoft, and xAI's Frontier Models — and Nobody Else's

The U.S. government just drew a line through the frontier AI landscape, and Anthropic is on the wrong side of it.

On May 5, the Center for AI Standards and Innovation — CAISI, the Commerce Department's AI evaluation arm — signed binding pre-deployment testing agreements with Google DeepMind, Microsoft, and xAI. The agreements give the federal government the right to evaluate new frontier models before they ship publicly: to probe them with safety guardrails stripped back, run them in classified environments, and assess national security risks before anyone outside the lab knows what the model can actually do. CAISI Director Chris Fall called it "independent, rigorous measurement science" essential to understanding frontier AI's national security implications.

Anthropic was not at the table. Neither was OpenAI, for that matter — though the omission of Anthropic is the part that should be keeping enterprise procurement teams awake tonight.

The story behind the story is Anthropic's Mythos model. Previewed on April 7, Mythos demonstrated cyber-exploit capabilities that spooked policymakers and corporate America simultaneously. It found a 27-year-old OpenBSD bug. A 16-year-old FFmpeg vulnerability that automated tests had exercised five million times without triggering a detection. An exploit chain that escalated Linux kernel access from ordinary user to full machine control. Across Firefox alone, Mythos found nearly 300 vulnerabilities; prior-generation models found roughly 20. CEO Dario Amodei's explicit warning at a May 5 joint appearance with JPMorgan CEO Jamie Dimon: Chinese frontier AI is "roughly six to 12 months" behind Mythos, meaning the current period represents a narrow window for organizations to fix what AI-accelerated vulnerability research has uncovered before adversarial actors can deploy the same capability.

The CAISI agreements are the government's response to that warning. Google, Microsoft, and xAI — the three labs that collectively represent the infrastructure layer of Western AI — have agreed to let evaluators see their models before the public does. "Developers frequently hand over versions of their models with safety guardrails stripped back so the center can probe for national security risks," CAISI's press release notes, in a sentence that should get more attention than it has. The guardrails are coming off in government labs. That is what pre-release testing means in practice.

Anthropic was invited to participate in these agreements and declined. The reason, per reporting from Nextgov/FCW and corroborated by multiple sources: a dispute over guardrails on military use. Anthropic's position — that its models should not be modified to remove safety constraints for any deployment, including classified government use — was apparently incompatible with what the Pentagon and CAISI required. The result is that the lab most associated with safety-conscious frontier AI development is now the one most excluded from the government channels that are rapidly becoming the de facto signal of enterprise trustworthiness.

Separately, a concurrent Pentagon deal covering classified-network AI deployment also excluded Anthropic. Seven AI companies signed agreements for classified deployment; Anthropic did not. The implication is not subtle: "refusing to remove safety measures" is now being treated as a barrier to government partnership, not a feature. The lab that has built its brand on the argument that safety constraints make models better for deployment is being locked out of the most sensitive deployment environments precisely because of those constraints.

For builders and operators, the immediate implication is supply chain. If government evaluators are receiving model weights with reduced safeguards — as CAISI's language implies — those same weights could theoretically leak. CAISI's press release says nothing about what happens to evaluated models afterward. No disclosure about retention, about what happens if an evaluated model is subpoenaed, about whether the weights are returned or archived. That is a material question for any organization whose model deployments might eventually intersect with government evaluation, and the press release does not address it.

The deeper implication is vendor risk. Anthropic's exclusion from CAISI and the Pentagon deal means that the lab's flagship cyber capability — Mythos, the model that found tens of thousands of unpatched vulnerabilities — is now accessible only through a consortium called Project Glasswing. Glasswing includes AWS, Apple, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and 40+ additional organizations. It distributes Mythos-class defensive scanning through a vetted defensive network rather than a public API, explicitly because of what criminals or adversarial nations could do with open access to the capability. That means the most powerful AI vulnerability scanner built to date is locked inside a partnership program that most organizations cannot join.

The Dario Amodei "six to 12 months" number deserves serious treatment as a technical claim, not just PR. The specific estimate — that Chinese frontier AI is roughly that far behind Mythos in vulnerability discovery capability — is an empirical assertion with real implications. If it is accurate, the next two quarters are a unique vulnerability window: Western organizations can use AI-accelerated discovery faster than adversarial actors can deploy the same capability. If it is pessimistic, organizations may be over-investing in emergency remediation. If it is optimistic, the window may already be closing. Practitioners should treat it as a directional signal warranting serious attention to SDLC security hygiene, not as a calendar invitation to panic.

CAISI has completed 40+ evaluations already, including on unreleased state-of-the-art models. The problem is that 40 evaluations have produced zero public reports. The accountability question — if the government is vetting models before release, where are the public findings? — is the most legitimate criticism of this arrangement, and it has not been answered. The security community broadly supports pre-release testing in principle. The lack of transparency about what those tests have found is a real gap between the policy structure and the public interest.

The exclusion of Anthropic from both deals while Google's lab — which also has extensive Pentagon relationships — made the cut looks like politics to many observers. That perception matters. If the CAISI agreements are meant to establish a neutral safety standard for frontier AI, the exclusion of the lab that has been most aggressive about safety constraints undermines that framing. If they are meant to ensure government access to AI capabilities regardless of a lab's safety policies, then the framing was always misaligned with the reality.

What comes next is a test of whether frontier AI governance can operationalize faster than frontier AI capabilities. CAISI has contracts, not just principles. The labs have signed. The testing infrastructure exists. For the first time, there is a real pre-release vetting mechanism for frontier models — one that goes beyond what any voluntary commitment has achieved. Whether that mechanism produces outcomes that actually reduce national security risk, or whether it produces accountability theater dressed up as action, is the question the next 12 months will answer.

For practitioners: your SDLC is now the front line of a window that Amodei estimates is 6-12 months long. AI-accelerated vulnerability discovery is real, it is happening now, and the question is not whether your organization will be affected but whether your patch pipeline can move faster than adversarial AI catches up. The CAISI agreements are the policy response to that reality. Whether the policy response is adequate is a question for policymakers. The operational reality for engineers is the same regardless: find the vulnerabilities, fix them faster.

Sources: Reuters, NIST/CAISI, CNBC, Nextgov/FCW