the capability-access gap

by Ray Svitla


on april 7th, anthropic announced a model called claude mythos. on april 8th, they announced project glasswing — the program under which you, me, and most of the companies that have spent the last two years paying anthropic for API access will not be allowed to use mythos.

glasswing is an invite-only program for “vetted security researchers.” the reasoning, per anthropic’s own post, per stratechery, per daniel miessler, per the ny post headline that took the story mainstream, is that mythos is simply too effective at finding and exploiting vulnerabilities to be safe for general release. the public gets a neutered version. fortune 500 companies get priority access to the gated one. governments presumably get whatever comes before that.

this is the first time a frontier lab has said the quiet part out loud.

we have a model. you can’t have it.

i want to be clear about what i think is happening here, because the discourse immediately polarized into two camps, and both are missing the point.


camp one: “responsible disclosure at scale”

the first camp is the camp of people who think this is good and correct. their argument is clean: if you have an AI that can find exploits faster than humans can patch them, dumping it on the open internet is equivalent to dropping a loaded gun in a crowded room. gating access to people who can use it to defend systems instead of break them is the only reasonable thing to do. simon willison wrote a post essentially endorsing the program. he’s not wrong on the security logic.

camp two: “this is a cartel”

the second camp lit up on r/artificial within hours. “project glasswing is inherently cartel behaviour.” the argument: if the model exists, and only some people can use it, then you have created a two-tier world. the haves (big companies, governments, vetted researchers) get the tool. the have-nots (everyone else) get the downstream consequences — their systems audited without their consent by the people who do have access, with no way to run the same audits themselves. they’re not wrong either.

both camps are arguing about the same thing from different sides of a wall. neither is looking at the wall itself.

what the wall actually is

the wall is what i’ve started calling the capability-access gap: the delta between what the most capable AI in the world can do, and what the AI you can actually run can do.

for the last three years, this gap has been small and shrinking. every time gpt-4 or claude 3 did something impressive, a smaller open model would reach 80% of that capability within a few months. llama, mistral, qwen, deepseek, gemma — the floor kept rising. the frontier pulled away at the top, but the baseline moved up fast enough that a single person with a good laptop and some weekends could build a real personal AI stack. the self.md thesis was built on this assumption: the gap is small enough and closing fast enough that sovereign personal AI is not a fantasy, it’s an engineering project.

mythos and glasswing are the first public signal that this trend just broke.

the gap, for the first time, isn’t a gap in raw capability that open models will eventually catch up to. it’s a gap in access that is explicitly designed to stay open. anthropic has no incentive to eventually release mythos to the public. the whole point of glasswing is that mythos is too dangerous to release. that’s not a temporary marketing story. that’s a structural commitment.

and it’s not just mythos. in the same week, anthropic also rolled out “claude managed agents” — a full stack for building and deploying agents inside anthropic’s own cloud, directly competing with every agent startup of the last two years. the personal AI thesis now faces a pincer: at the top, models you can’t download. at the bottom, a managed cloud that wants you to run your agents inside their walled garden instead of on your own box. both sides of the squeeze arrived in the same seven days.

carlini’s quote

the most important thing said about mythos this week came from nicholas carlini. carlini is one of the most careful, decorated AI security researchers alive. he’s been at google brain and anthropic. he doesn’t hype. he’s famously the guy who calls bullshit on other people’s threat models.

his quote, which landed on r/singularity with 954 upvotes and propagated through every glasswing writeup:

i’ve found more bugs in the last few weeks with mythos than in my entire 20-year career without it.

this is not marketing. this is carlini, stating a fact about his own work.

here’s what that means for anyone who’s been quietly building a personal AI stack — a self-hosted panel, a vault of markdown notes, a github repo of scripts and agents, a local llm behind an nginx proxy, whatever your version looks like. the attacker side of the equation just got a twenty-year head start compressed into six weeks. every weird endpoint you exposed, every token you left in a config file, every fast-and-loose shell script your agent has sudo access to — the speed at which someone (or something) can find those is now decoupled from the speed at which humans can patch them.

the shield and the sword are the same model now. the sword shipped first.

what this does to the personal AI argument

before this week, the argument for personal AI was primarily about agency. own your data, own your memory, own your loop. don’t let openai or anthropic become the janitor of your life. it was an argument rooted in values — privacy, sovereignty, control — and it was a good argument, but it was one you could brush off if you didn’t share the values.

glasswing changes the argument. it’s no longer just values. it’s topology.

watch what the stack looks like after mythos:

the personal AI move is to maximize your surface area in the bottom tier, not because it’s the coolest, but because it’s the only tier that isn’t rented. the middle tier makes you a tenant. the top tier makes you a subject. the bottom tier makes you a landlord of exactly one property — yours.

this isn’t a romantic argument anymore. it’s a positioning argument. if you’re not in the top tier and you can’t compete with it, you should at least make sure you own the ground you’re standing on.

the harness engineering turn

on the same day that carlini’s quote went viral, martin fowler published an article titled “harness engineering for coding agent users.” fowler argues that what the community has been fumbling around for the last six months — agent configs, skills, permissions, sandboxing, context management — is actually one emerging discipline. he put a name on it. harness engineering: the practice of designing the structure around an agent so that the agent does the right thing for the right reasons with the right guardrails.

this is the other half of the picture, and it’s the half that actually gives personal AI people something to do this week. the capability-access gap is a structural problem you can’t solve by yourself. but the harness around whatever model you do have access to — that’s a problem you can absolutely solve. and it’s the problem that’s going to matter most, for the simple reason that the difference between “a good agent on a small model” and “a sloppy agent on a great model” is now smaller than the difference between “a good harness” and “no harness.”

fowler’s post is boring on purpose. it’s the kind of post that signals a technology has reached the textbook phase. which is exactly what personal AI needs. all the wild experimentation of the last twelve months is about to be compressed into shared vocabulary, best practices, and yes, textbooks. the people who get fluent in harness engineering over the next six months are going to look, in hindsight, like the people who got fluent in devops in 2014.

what to actually do this week

three concrete things:

  1. audit your own stack like carlini would. don’t wait for someone with mythos to do it for you. the fact that you can’t run mythos doesn’t mean nothing else can. look at every token, every exposed endpoint, every permission an agent has that it doesn’t need. treat the possibility of automated exploitation as real, not theoretical, because carlini just told us it is.

  2. invest in your harness, not your model. if you’re still obsessively shopping for the next big model release, stop. the capability-access gap means the best model isn’t available to you anyway. spend the same energy on sandboxing, permissions, skill files, recovery paths, observability. fowler’s post is a good starting point.

  3. double down on bottom-tier ownership. if something you use lives in someone else’s cloud and could live on your disk, move it. not because it’s urgent today, but because the direction of travel is now clear: the top will keep more, the middle will absorb more, and the only place that’s safe by construction is the layer you fully own.
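
an added example, not part of the original essay and not anyone's published tooling: a first pass at step 1 that walks a directory and flags the three things named there (tokens in config files, services bound to every interface, agent scripts that call sudo). the regexes, the finding names and the sample files are assumptions constructed for illustration.

```python
import re
import stat
import tempfile
from pathlib import Path

# heuristic patterns: assumptions for this sketch, not an exhaustive ruleset
SECRET_RE = re.compile(r"(?i)(api[_-]?key|token|secret|password)\w*['\"]?\s*[:=]\s*['\"]?[\w-]{16,}")
BIND_RE = re.compile(r"\b0\.0\.0\.0\b")  # service listening on every interface
SUDO_RE = re.compile(r"\bsudo\b")
CONFIG_EXT = {".env", ".yaml", ".yml", ".json", ".toml", ".ini", ".conf"}

def audit(root):
    """Walk root and return sorted (relative_path, finding) tuples."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        ext = path.suffix or path.name  # a bare ".env" has an empty suffix
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the audit
        if ext in CONFIG_EXT:
            if SECRET_RE.search(text):
                findings.append((rel, "hardcoded-secret"))
                if path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
                    findings.append((rel, "secret-readable-by-other-users"))
            if BIND_RE.search(text):
                findings.append((rel, "binds-all-interfaces"))
        if (ext == ".sh" or text.startswith("#!")) and any(
                SUDO_RE.search(l) for l in text.splitlines() if not l.lstrip().startswith("#")):
            findings.append((rel, "script-uses-sudo"))
    return sorted(findings)

def make_constructed_stack(root):
    """Write a tiny constructed sample stack; every value in it is fake."""
    files = {".env": ("API_TOKEN=constructed_example_value_0001\n", 0o644),
             "panel.yaml": ("host: 0.0.0.0\nport: 8080\n", 0o600),
             "agent/run.sh": ("#!/bin/sh\n# restart\nsudo systemctl restart panel\n", 0o700)}
    for rel, (body, mode) in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
        path.chmod(mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_stack(tmp)
        print(*audit(tmp), sep="\n")
```

each finding is a lead to review by hand, not a verdict: a match on `0.0.0.0` behind a firewall or a sudo call limited by a tight sudoers rule may be fine.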

the question

the deep question for anyone building a personal AI stack right now is this: do you want to be a tenant of anthropic’s future, a subject of the mythos-tier future, or a landlord of your own one-property domain?

the question used to be romantic. after this week, it’s practical.

the thing about a capability-access gap is that it makes the middle hollow. you’re either inside the circle with the best tools, or you’re outside it owning the ground you stand on. trying to split the difference — renting a sliver of anthropic’s best, buying your way into a managed agent tier, half-trusting that the walled garden will stay open — is the worst of all three positions. you lose the ownership of the bottom tier without gaining the capability of the top.

self.md has always been an argument about the middle being hollow. this week, anthropic agreed.


Ray Svitla stay evolving 🐌