Advancing America’s Cyber Strategy with Differential Access
This policy memo was co-authored by Jam Kraprayoon & Matthew Mittelsteadt.
Rapid advances in AI-enabled cyber capabilities risk outpacing U.S. defenses. Differential access is a strategy that shapes who can use cyber-capable models, with the aim of advantaging defenders over attackers. Industry-led initiatives such as Anthropic's Project Glasswing and OpenAI's Trusted Access for Cyber (TAC) program are important steps but limited in scope, underscoring the need for government leadership to expand the scale and impact of these efforts. To address these gaps and advance the White House's Cyber Strategy, the administration should lead three initiatives to enhance private sector efforts:
1) Establish a federal differential access strategy that ensures federal agencies, contractors, and critical infrastructure operators have access to leading-edge and cost-effective cyber-capable models.
2) Leverage differential access and automation to secure critical government software by finding and fixing vulnerabilities in critical off-the-shelf software and integrating AI into the secure software development lifecycle.
3) Develop defensive automation standards and systems that help both federal agencies and critical infrastructure turn model access into defensive outcomes at scale.
AI Cyber Capabilities and Differential Access
The cyber capabilities of AI models are advancing rapidly and will proliferate. Throughout 2025, models already demonstrated sophisticated capabilities, with Anthropic’s Claude Opus 4.6 marking a notable jump at its release in February 2026 and Claude Mythos Preview representing another leap just two months later. The UK government assesses that capabilities are doubling every four months, up from eight months previously. These capabilities will not remain exclusive to Anthropic or the United States. Within weeks of Mythos’ announcement, OpenAI released a model, GPT-5.5, that scored close to Mythos-level performance on cybersecurity capability benchmarks. Chinese model capabilities are estimated to be between three and seven months behind American models. Foreign or criminal actors could gain access to these capabilities through model weight theft, distillation attacks, or unauthorized access.
The national security risk is that attackers can leverage these capabilities before defenders. Compared with most defenders, threat actors have direct strategic and financial incentives and fewer barriers to employing AI for offensive operations. An attacker can use this advantage to discover vulnerabilities before patches are developed, rapidly generate exploits, and even automate attacks. This will pressure already strained defenders to find and remediate vulnerabilities first, secure systems, and improve threat detection and response. Automating defensive operations with AI is an opportunity to close these gaps, but adoption faces real obstacles. Many defenders, especially in critical infrastructure, lack the resources, expertise, incentive structures, or trust in current systems to deploy AI for cyber defense.
By managing access to advanced AI cyber capabilities, differential access can help address this imbalance and buy defenders time to prepare. AI developers are using differential access initiatives to provide frontier cyber-capable models to key defenders. Anthropic's Project Glasswing, for example, provides Mythos to major technology companies, security vendors, and critical software maintainers to find and fix vulnerabilities in widely used software. OpenAI's TAC provides specially tuned cyber models to a broader group of vetted security vendors, organizations, and researchers.
Gaps in Developers’ Differential Access Approaches
Anthropic's and OpenAI's efforts will help tip the balance toward cyber defense. But AI developers have limited insight into national security risks, and their current approaches to differential access focus too narrowly on managing model access rather than driving deployment. A more complete approach would lay the groundwork for longer-term resilience by actively promoting wider adoption and the automation of cyber defenses at scale.
1) Access to advanced models does not guarantee impactful defensive innovation or outcomes. Project Glasswing and TAC provide access to cyber-capable models, but access is only the starting point. Translating access into meaningful defensive outcomes requires integrating these models into systems, environments, and operational workflows. The goal is to automate complex cybersecurity tasks like vulnerability discovery, penetration testing, and threat detection and response, not simpler assistive tasks like report writing or basic data analysis. This demands expertise, resources, and a willingness to experiment and iterate that many critical defenders lack. Cybersecurity service providers can help scale these capabilities, but still need to translate access into effective and affordable delivery, which may be difficult if running these models proves prohibitively expensive. While developer initiatives can provide some support, like usage grants from Glasswing and TAC, the government is in the best position to address these deployment challenges.
2) Developer-led differential access initiatives are limited by scope and threat visibility. Glasswing's launch partners include 12 major tech firms, among them AWS, Microsoft, Google, Apple, and Cisco. OpenAI's TAC is less restricted, extending access to vetted companies and independent security professionals. These programs deliver broad benefits for all defenders, given how widely partner systems are deployed. However, federal agencies and critical infrastructure stakeholders appear less involved, leaving gaps for complementary initiatives. Developers also design these programs without full visibility into the threat landscape. The U.S. government, with its access to classified intelligence and understanding of dependencies that underpin federal missions and critical infrastructure, is uniquely suited to develop and lead complementary initiatives.
3) Current differential access initiatives are focused primarily on vulnerability discovery, but do not address critical infrastructure's remediation challenges. Finding and fixing vulnerabilities in widely used software delivers widespread benefits, but accelerated discovery creates more opportunities for attackers if downstream deployers cannot remediate them. This is especially difficult for critical infrastructure operators. Hospitals and utilities need systems running all day, and patching every vulnerability is disruptive and often unnecessary. As discovery accelerates, these operators will need support to implement risk-based vulnerability management that is informed by threat intelligence and leverages alternative security measures when patching is infeasible.
4) Developer initiatives focus on access to high-cost, high-capability models, not cost-effective cyber-capable models. Glasswing and TAC provide access to frontier cyber-capable models such as Mythos and GPT-5.5. These models are capable but expensive, with Mythos costing roughly 25 times as much to run as smaller models. High deployment costs will make widespread defensive automation difficult, especially for critical defenders with large attack surfaces. Overreliance on high-cost models risks mirroring battlefield cost asymmetries, where multi-million-dollar missiles shoot down inexpensive drones.
5) Managed access only works if the models themselves can be secured. Limiting frontier cyber-capable models to select defenders creates a high-value target for adversaries seeking to acquire or misuse those same capabilities. The security of these programs depends on the AI developer's own infrastructure, the contractors supporting deployment, and each partner organization's ability to safeguard model access.
Policy Recommendations
The administration can address these gaps by securing access to advanced cyber-capable models and driving deployment to achieve cyber resilience at scale through the following actions:
1) Establish a Federal Differential Access Strategy: The federal government should develop a coordinated strategy for accessing and deploying advanced cyber-capable models to advance national security.
Lead an interagency task force: The Office of the National Cyber Director (ONCD) and the National Security Council (NSC) should convene an interagency task force, including the Intelligence Community, to identify differential access opportunities for securing federal networks and critical infrastructure. The task force should consider how federal agencies, contractors, and non-federal entities can leverage advanced model access in support of the White House Cyber Strategy, prioritizing the systems most critical to national security.
Identify high-impact cyber missions and programs: The Office of Management and Budget (OMB) should direct agencies to identify cyber missions and programs that would benefit from differential access, prioritizing efforts that scale services to secure mission-critical federal systems and critical infrastructure. Key programs to consider include the Department of Energy’s Cyber Testing for Resilient Industrial Control Systems (CyTRICS) and Cybersecurity Risk Information Sharing Program (CRISP), the Cybersecurity and Infrastructure Security Agency’s (CISA) CyberSentry and Continuous Diagnostics and Mitigation programs, and NIST’s National Vulnerability Database. Agencies should develop implementation plans that consider both frontier and cost-effective models and focus on high-impact use cases.
Negotiate differential access agreements: Informed by the task force and agency findings, OMB and ONCD should negotiate differential access agreements with frontier AI developers that cover both current and future leading-edge and cost-effective cyber-capable models, ensuring priority federal agencies, contractors, and non-federal entities maintain access as capabilities advance. These agreements should also address the security of the differential access ecosystem itself, including government support for securing model weights and protecting sensitive data generated through the program, such as vulnerabilities discovered in federal networks.
2) Leverage Differential Access and Automation to Secure Critical Government Software: Glasswing partners work with major commercial software vendors and open-source maintainers to secure widely deployed code, but government off-the-shelf (GOTS) software sits outside that scope. For GOTS, unlike commercial and open-source software, the federal government holds primary responsibility for identifying vulnerabilities, developing patches, and securing the development lifecycle, making it the only entity positioned to secure this code. The federal government should launch a parallel effort to find and fix vulnerabilities in existing GOTS and integrate AI into future GOTS development.
Direct agencies to use AI to defend critical government software: OMB should direct agencies to use AI to both find and fix vulnerabilities in existing GOTS and integrate it into the secure software development lifecycle for future GOTS, prioritizing software defined as critical by NIST and identified by agencies under EO 14028.
Identify AI systems for vulnerability discovery and patching: CISA, working with the Center for AI Standards and Innovation (CAISI) and other relevant agencies, should identify AI systems and services that enhance models’ ability to discover vulnerabilities, develop patches, and automate code review during development. CISA should include both commercial and open-source options, such as the Cyber Reasoning Systems developed for DARPA's AIxCC challenge.
Update secure development standards: NIST should update the Secure Software Development Framework (SSDF) to incorporate the use of AI across the secure software development lifecycle, including testing and analyzing source code during development and after deployment.
3) Drive Defensive Automation with Standards and Systems: The federal government should invest in developing the AI tools, systems, and standards needed to deploy models defensively at scale.
Launch a federal initiative to scale autonomous penetration testing: The White House should establish an interagency initiative, led by CISA and NSA in collaboration with CAISI and other relevant agencies, to scale the use of autonomous penetration testing systems on federal networks. The initiative should pilot these systems on federal networks and develop standards and best practices for deployment. It should consider open-source and commercial penetration testing agents and identify use cases for both frontier and cost-effective models. Success here could allow CISA to scale assessments for non-federal entities, including critical infrastructure and state and local government.
Establish defensive automation standards and guidance: NIST, in collaboration with CISA and industry, should develop technical standards and guidance for developing and deploying defensive AI systems in information technology and critical infrastructure environments. These standards should include guidance on training data, system design, and operational integration.
Develop and test AI systems for risk-based vulnerability management in critical infrastructure: Patching every vulnerability in critical infrastructure is disruptive and often infeasible, and operators lack the resources, expertise, and incentives to deploy AI systems on their own. National labs, AI developers, and critical infrastructure operators should partner to build and test AI systems that recommend security measures operators can take when patching is not feasible, drawing on threat intelligence and operator environment data. ONCD should negotiate differential access agreements between frontier AI developers and critical infrastructure operators, and CISA should publish mitigation guidance for entries in its Known Exploited Vulnerabilities catalog to support these AI systems.