The gap is not theoretical anymore
When Anthropic released Claude Mythos to controlled partners earlier this year, it did not just demonstrate a faster chatbot. The model discovered over 10,000 high and critical cybersecurity vulnerabilities in its first month of deployment. Palo Alto Networks issued roughly two dozen security alerts in a single day after running Mythos tests, against a normal rate of about five per month. Mozilla fixed 271 vulnerabilities in Firefox 150 that earlier AI models had completely missed.
This is not an incremental upgrade. It is a capability that previously required elite human specialists, now operating at machine speed and scale. Cato Networks co-founder Shlomo Kramer called it a coming “tsunami of exploiting known and unknown vulnerabilities”. CrowdStrike’s Adam Meyers said the “massive influx of new vulnerabilities” found by AI is what keeps him up at night.
For New Zealand businesses, the question is not whether this technology matters. It is whether they are on the right side of the access divide.
Inside the perimeter or outside it
Anthropic distributed Mythos through Project Glasswing, a controlled-access programme launched in April 2026. The initial partners included AWS, Apple, Cisco, Cloudflare, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA, and the Linux Foundation. No New Zealand organisation made the first tier.
As of today, New Zealand’s NCSC has been given access as part of a wider distribution to 150 organisations worldwide. NCSC Deputy Director-General Cyber Security Catriona Robinson confirmed the agency will use Mythos for cyber defence, noting that “the rise in models like Mythos really changed the cyber threat landscape”.
That is a meaningful step for government security. It does nothing for the business owner running an unpatched system while Glasswing partners receive advance vulnerability warnings.
The financial system already got a preview
The Reserve Bank flagged the risk directly in its May 2026 Financial Stability Report, warning that heavy reliance on a small handful of overseas AI providers amplifies both cyber threats and borrower harm risks. This was not hypothetical. The Reserve Bank’s own ESAS payment rail, the high-value system processing the bulk of interbank settlements, experienced a material cyber incident affecting roughly $4.5 billion of transactions, about 15% of the daily average, before cascading across three additional financial market infrastructure providers.
New Zealand ranks 49th on the National Cyber Security Index, the lowest of Five Eyes partners. New Zealanders already lose more than $1.6 billion annually to cybercrime. The NCSC briefed 300 local cybersecurity specialists in late May, warning that frontier AI models will enable malicious actors to find and exploit vulnerabilities at unprecedented speed.
The productivity gap is worse than the security gap
Cyber risk is urgent but the slower-burning problem may be more damaging. According to MBIE data published in 2025, 68% of New Zealand SMEs have no plans to evaluate or invest in AI technology, compared to 38% of Australian SMEs in the same position. Nearly double the rate of non-adoption.
The economic stakes are large. MBIE’s 2025 AI strategy estimated that generative AI could add $76 billion to the New Zealand economy by 2038, representing over 15% of GDP, and free up 275 hours per worker annually. Those gains are not distributed evenly. They accrue to the businesses that actually adopt the tools.
Anthropic director Chris Liddell, writing in the NZ Herald, was blunt about the pattern: “We largely missed the Knowledge Wave”. He described AI as “not a knowledge wave. It is a tsunami” and argued that New Zealand’s size need not be a barrier, but inaction would be.
Voluntary rules, involuntary consequences
New Zealand’s regulatory approach to AI remains principle-based and voluntary. University of Auckland academics Alex Sims and Dulani Jayasuriya raised the structural problem in April: “When even the most safety-focused AI companies face commercial and geopolitical pressure to adjust their governance frameworks, this raises questions for smaller markets like New Zealand about whether voluntary reliance on US company policies is a sufficient long-term strategy.”
The Reserve Bank has made clear it expects regulated entities to manage AI risks themselves rather than waiting for prescriptive rules. For business owners, the message is unambiguous: nobody is coming to manage this risk for you.
The companies inside Glasswing are not just finding vulnerabilities. They are building Mythos-level capability into their commercial products. Every model release widens the distance between businesses using those products and businesses pretending the shift is optional. Two-thirds of New Zealand’s SMEs are on the wrong side of that line, and the compounding has already started.
Sources
- AI found 10,000 cyber vulnerabilities in a month, NZ left out (2026-06-05)
- NZ gets access to hacking Mythos AI as Trump shores up national security on AI (2026-06-09)
- Mythos AI alarm bells: Fair warning or marketing hype? (2026-05-20)
- NZ at wild frontier of AI superhacking (2026-05-28)
- Reserve Bank warns concentrated AI providers and frontier models like Anthropic’s Mythos could test New Zealand’s financial system (2026-05-10)
- Anthropic director Chris Liddell’s warning for New Zealand: Don’t miss the AI tsunami (2026-06-01)
- AI clash raises important questions for New Zealand (2026-04-01)