Key facts
- Darktrace supports Anthropic's temporary restriction of its advanced AI models.
- The pause was attributed to ensuring sufficient security mitigations for highly weaponizable AI.
- Concerns were raised about potential misuse of AI for identifying and exploiting software weaknesses.
- The incident has amplified discussions on AI sovereignty and the UK's reliance on foreign AI systems.
- Experts advise diversifying AI models and building resilience into AI supply chains.
Darktrace has endorsed Anthropic's decision to temporarily restrict its most advanced AI models, viewing the move as a necessary step for security and safety rather than a competitive maneuver. Nicole Carignan, Darktrace's SVP of AI and security strategy, told City AM that the brief curb on Anthropic's Mythos and Fable models should not be interpreted as a power play over AI sovereignty.
Carignan stated, "I do not think it was a competitive advantage move. I think a good healthy pause to think through the security mitigations and strategy to ensure that it’s done safely is always a good thing." This perspective contrasts with fears that US export controls might disadvantage UK firms reliant on American AI systems. Anthropic's models were temporarily restricted due to concerns they could be used to identify and exploit software weaknesses, but access was later restored.
Carignan elaborated that the decision seemed driven by whether "the security guardrails around this model [were] sufficient for something that could be so highly weaponised." She expressed appreciation for the "pump the brakes for a hot second" approach to ensure appropriate defenses are in place before re-releasing the model. Anthropic's Mythos model is specifically designed for advanced cybersecurity tasks, including vulnerability identification.
US officials had briefly imposed export restrictions citing national security concerns over potential misuse, but restored access after Anthropic committed to additional safeguards. While Darktrace emphasizes security as the primary motivation, the incident has intensified concerns in the UK about the nation's dependence on AI tools it does not control. The government's Science, Innovation and Technology Committee has cautioned ministers against relying on allies for critical technologies, highlighting the Anthropic restrictions as an example of potential single points of failure with overseas providers.
Carignan advised organizations to manage frontier AI similarly to cloud infrastructure or other critical suppliers, advocating for diversification across multiple models and building resilience into AI supply chains. She noted Darktrace's own integrations with various AI providers, including OpenAI, Anthropic, Gemini, and Microsoft, as an example of balancing resilience with third-party risk. She also anticipates a rise in sovereign AI approaches, such as the adoption of open-source models and domestic data centers to enhance control over sensitive information.
John Harms, head of government solutions at Quantexa, echoed these sentiments, stating the Anthropic episode underscores the need for governments to have "control under distress"—the capacity to maintain operations during geopolitical or regulatory disruptions. "The lesson is clear: resilience depends on sovereignty," he remarked. Legal experts, including Caroline Ramsay, partner and head of international trade at TLT, believe the temporary restrictions represent a significant shift in US export controls, extending beyond semiconductor chips to AI models themselves. Ramsay warned organizations using frontier AI to incorporate export controls and potential service interruptions into their risk planning, as governments increasingly view advanced AI as a national security concern. Carignan, however, argued that AI has narrowed the window between vulnerability emergence and exploitation, rendering traditional patch-first cybersecurity less effective. She posited that "behavioural-based detection and autonomous response" will become crucial for security teams, enabling them to detect abnormal activity rather than solely relying on vulnerability disclosures and patches.
