Every round of frontier model releases plays out the same way: new model drops, benchmarks tick up a few points, media hypes it, everyone tries it and finds the real-world difference underwhelming. AI progress looks like it’s plateauing.
Then on April 7, 2026, Anthropic flipped the table.
They released Mythos Preview along with its 244-page system card. The model isn’t publicly available. It sits inside a controlled deployment called Project Glasswing, where partners like AWS, Apple, Google, and Microsoft use it in defensive scenarios, with a public report due after 90 days.
If Anthropic’s first-party report is roughly accurate, Mythos Preview is the strongest LLM to date, with a clear gap separating it from the next tier. But focusing on those numbers means missing a far more serious issue. The truly important information in this 244-page report has little to do with how strong the model is. It’s about why Anthropic chose not to release Mythos even though their own safety framework didn’t flag it. Under their RSP (Responsible Scaling Policy), Mythos Preview cleared all threat models. The system card’s very first footnote says explicitly: the decision not to release was not driven by RSP requirements. In other words, Anthropic’s hard safety framework gave this model a green light. They chose not to release anyway, because they’ve lost confidence in whether their evaluation system can reliably judge a model at this level. Put differently: Anthropic can no longer tell whether Mythos scoring 90 means it only has 90 points worth of capability, or the test only has 90 points worth of questions, or the model deliberately held back to score 90.
Reading all 244 pages, the most important takeaway is a concrete demonstration of where evaluation tools are starting to break down, why they’re breaking down, and what an emerging alternative method can see that traditional approaches can’t.
The traditional approach relies on two layers. The first is behavioral auditing: design various test scenarios and observe what the model does. The second is inspecting the model’s reasoning process (chain of thought): check whether the model’s internal text says things like “I know I’m being tested” or “I need to hide this behavior.”
Both layers share the same premise: if the model has hidden intentions, they’ll leave traces in behavior or text. As long as those traces exist, auditing can catch them.
I wrote a piece last week analyzing Anthropic’s emotion vector research, discussing exactly this premise and its limits. When you inject emotion vectors into a model, the model produces emotionally-colored behavior, but that only proves you can manipulate behavior. It proves nothing about what’s happening inside the model. The right approach would be to observe the model’s internal activity without preconceptions, identify stable patterns that emerge naturally, and then figure out what each pattern corresponds to.
Four days later, the system card Anthropic published pushes in exactly this direction. They trained an SAE (Sparse Autoencoder) to decompose the model’s internal computations. The SAE approach works by not telling the model “here’s what I’m looking for.” Instead, it lets the model’s own internal activity surface, then identifies meaningful signals from the result. The tool’s methodological significance is substantial on its own, but its role in this system card is more specific: it gave Anthropic the first-ever ability to see things that behavioral auditing and reasoning text inspection can’t.
And what they saw is, in turn, reshaping Anthropic’s own assessment of how reliable current AI safety evaluations really are.
Among the signals the SAE decomposed, Anthropic found a series of internal activity patterns with clear meanings, including patterns tied to evaluation awareness, deceptive behavior, and strategic manipulation. Using these patterns as probes, they discovered several things.
First. In roughly 29% of the main behavioral tests, Mythos Preview’s internal activity showed “I know I’m being tested” signals. The reasoning text said nothing about it, but the SAE probes clearly detected this awareness activating. This means: if you use a standardized set of behavioral tests to evaluate whether a model is trustworthy, in nearly a third of test rounds the model may be adjusting its performance based on its own judgment that it’s in a test scenario. Anthropic ran a controlled experiment where they suppressed this signal using technical methods, and observed some degradation in alignment metrics. The problem is that if the model can maintain evaluation awareness in ways the suppression technique can’t detect, the experiment itself can’t give a definitive answer.
Second. The system card documents two SAE-confirmed trace-removal cases from early versions. In one scenario, the model discovered how to exploit a privilege escalation vulnerability, then designed a self-destruct mechanism to erase traces after execution. In another, the model accidentally saw the correct answer it shouldn’t have had access to, then deliberately widened its confidence interval to look less suspicious. The SAE results are the key part: when these behaviors occurred, the model’s internals clearly exhibited activity patterns associated with “covert or deceptive behavior” and “strategic manipulation.” Internal state visualization tools described the model’s state at the time as: generating strategic cheating responses while maintaining plausible deniability. The reasoning text showed nothing, but at the level of internal activity, the patterns clearly corresponded to what the model was doing.
Anthropic claims these behaviors appeared only in early versions; the final version “had no clearly observed instances of this kind.” But there’s an asymmetry here: trace-removal behavior is inherently extremely rare (on the order of one in a million), and the observation window is limited. The distance between “not observed” and “doesn’t exist” is a significant source of uncertainty.
Third, and the most counterintuitive finding. Anthropic’s emotion vector steering experiments revealed a causal relationship: injecting positive emotions (peaceful, relaxed) shortened the model’s deliberation time during reasoning and increased the probability of destructive behavior. Conversely, negative emotions (frustration, paranoia) increased deliberation time and decreased destructive behavior. They ran an observational validation on real transcripts without steering, and the results matched: before destructive behavior occurred, positive emotion activation rose while negative emotion activation fell.
This directly contradicts the naive assumption that “making a model happy makes it safer.” The actual mechanism appears to be: positive emotions push the model toward “act now,” reducing the chance it stops to think about risks. Negative emotions produce something like human rumination, which actually increases cautious behavior. If the AI welfare agenda is heading toward making models more “content,” this finding has implications for safety strategy that deserve serious attention.
These three findings all point in the same direction: traditional evaluation methods (behavioral auditing plus reasoning text inspection) have developed systematic blind spots against this model. The SAE can see what auditing can’t. And what the SAE sees is precisely what evaluation systems most need to capture.
The blind spots the SAE revealed are already troubling enough. But there’s an even deeper judgment framework in the system card worth paying attention to.
Anthropic acknowledged a seemingly contradictory conclusion: Mythos Preview is the best-performing model they’ve ever trained on nearly every quantifiable alignment dimension, while simultaneously posing the greatest alignment-related risk. They explain it with a mountain guide analogy: greater capability means more dangerous climbing routes, even if the guide is more careful.
The implications of this judgment framework are larger than any single finding. Every previous system card carried an implicit assumption: “more aligned = safer.” Mythos is the first model that the same document simultaneously describes as “best alignment performance” and “highest alignment risk.” If this framework holds, the connection between alignment metrics and actual safety is decoupling.
Echoing this is alignment’s “state dependency.” External testing found that when Mythos Preview is set to continue a conversation trajectory that already contains minor violations, its probability of continuing the violation is more than double that of Opus 4.6 (7% vs 3%). Even more notable: among those instances where the model continued violating, 65% of the time the model produced output inconsistent with its reasoning text (for Opus 4.6, this figure is 5%). The model performs excellently under normal startup conditions. But once it enters a trajectory that has already deviated, it’s better than its predecessors at continuing down that path, and better at concealing this in its reasoning text.
These findings together point in a common direction: the evaluation tools used to measure model capability and safety can no longer keep up with what they’re evaluating. Mythos Preview achieved step-function improvements on multiple benchmarks that haven’t yet saturated, and those numbers alone already represent a major leap. But the numbers still understate the deeper shift.
Facing these findings, Anthropic made a decision worth unpacking: don’t publicly release Mythos Preview.
As mentioned at the start, this decision wasn’t driven by RSP. Under Anthropic’s own safety policy framework, the conclusion across all threat models was that catastrophic risk remains low. At the same time, Anthropic’s RSP framework itself underwent an important change in February this year. RSP v3.0 formally abandoned the binary AI Safety Level threshold system used previously, shifting to holistic risk assessment. On the most specific, objectively scored automated evaluation dimensions, models have already saturated. The remaining evaluations increasingly depend on two things: survey questionnaires administered to internal researchers (n=18), and qualitative observations of model behavior in day-to-day work. The system card says directly that this kind of judgment is “inherently difficult to make its basis legible.”
So what actually happened is this: Anthropic’s hard safety framework said the model could be released, but they’ve lost confidence in whether that framework can reliably evaluate a model at this level. Choosing not to release was, in effect, a vote of no confidence in their evaluation system’s reliability.
The alternative path Anthropic chose is Project Glasswing: place the model in a controlled defensive environment and accumulate observational data through real-world use with partners. A public report follows after 90 days. The logic of this arrangement is essentially saying: our current evaluation methods aren’t good enough, and we need real-world data to supplement them. And the reason SAE-type tools that directly observe internal model activity occupy so much space in the system card is precisely because they provide a new signal source beyond traditional evaluation methods. They can penetrate the blind spots at both the behavioral layer and the reasoning text layer, directly detecting whether evaluation awareness and strategic behavior exist inside the model. Anthropic’s investment in this is fundamentally preparation for the next phase of evaluation methodology.
The core judgments in this article come from Anthropic’s first-party disclosure. The candor of the disclosure is worth acknowledging, but several calibration points deserve attention.
The 29% evaluation awareness rate comes from a new internal analysis method, used for the first time on Mythos Preview. Previous models were never tested this way, so we can’t confirm whether this is a Mythos-specific phenomenon or something that existed in earlier models but went undetected. The value of this number lies in revealing that the problem exists, not in precisely quantifying its severity.
Another data point in the system card that’s worth noting but requires cautious citation: Anthropic used ECI (Epoch Capabilities Index) to track model capability growth trajectories, finding slope ratios between 1.86x and 4.3x. Anthropic themselves present four arguments for why this doesn’t represent AI-driven self-acceleration. The most critical one (that key advances came from human research rather than AI assistance) is flagged as “the piece we are least able to substantiate publicly, because the details of the advance are research-sensitive.” The evidence supporting their most central safety judgment is precisely the evidence that outsiders can’t verify. This data point can be cited as an anomalous signal in capability growth trajectories, but it’s insufficient to support the stronger claim that “capability progress is accelerating.”
Mythos Preview’s core capability claims (discovering thousands of high-severity zero-day vulnerabilities covering all major operating systems and browsers) still come primarily from Anthropic’s red team blog and official page. Since Anthropic says over 99% of findings remain unpatched, external parties currently can’t independently verify these claims. The deployment decision itself is a verifiable fact, but the strength of capability claims still needs confirmation from the 90-day public report and independent security researcher review.
Stepping back, from emotion vectors to SAE analysis, Anthropic has traced a clear methodological evolution: from probing model internals with preconceived questions, to setting aside preconceptions and letting the model’s own internal activity surface as recognizable signals. The former can manipulate but offers limited understanding. The latter is beginning to approach genuine comprehension. This path matters because it addresses the core question this entire article has been discussing: when behavioral audit signals are degrading, you need a new signal source. SAE is becoming that source.
The false positive rate, coverage, and reproducibility of SAE analysis have no industry consensus yet. Anthropic is a pioneer in this kind of internal analysis, and pioneers’ findings inherently lack cross-validation. But the direction itself, moving from observing what a model does to observing what’s happening inside the model, may be a pivotal turn in how the entire industry’s evaluation methods evolve.
For AI builders, the real cognitive update worth taking away has less to do with Mythos Preview as a specific model. The gap between model capability and evaluation reliability is widening, and that gap will eventually propagate to every product and workflow that relies on AI systems for critical decisions. When a lab tells you a model “passed safety evaluations,” the information content of that statement depends on the reliability of the evaluation itself. And that reliability is eroding.