AI in the news: week of May 10, 2026

Anthropic ships Claude Mythos Preview through Project Glasswing: thousands of zero-days across every major OS and browser, given only to defenders. The EU AI Omnibus deal lands May 7 with a hard ban on nudifiers. CAISI signs pre-release evals with Google, Microsoft, xAI. May layoff print is ugly.

What this week actually changed: Anthropic shipped a security-research model that finds working zero-days faster than vendors can patch them, gave it only to defenders, and set a new bar for what responsible frontier disclosure looks like.

Week ending Sunday May 10. The story I expected to lead with (Meta's revised 2026 capex print at $125–145B and the market punishing the stock) got displaced by a much bigger one: Anthropic actually shipping Claude Mythos Preview to a closed partner list through Project Glasswing, and disclosing thousands of zero-day findings across every major OS and browser. The EU AI Omnibus deal landing at 4:30 in the morning on May 7 ran a close second. Let me walk through it.

Project Glasswing and Claude Mythos Preview

Anthropic launched Project Glasswing this week, a closed program that gives a small set of partners access to Claude Mythos Preview, an unreleased frontier model with security-research capabilities well beyond anything Anthropic has previously shipped. The partner list is the headline by itself: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. The framing is "give defenders the model first so the critical software gets patched before the same capability leaks to attackers."

The disclosure that came with it is the part that should make every infrastructure team sit up. In internal use, Mythos Preview identified thousands of zero-days across every major operating system and every major web browser. Most arresting single example: a 17-year-old unauthenticated RCE in FreeBSD's NFS path (CVE-2026-4747) that Mythos found and exploited autonomously, going from unauthenticated-on-the-internet to root. That's not "model wrote a fuzzer harness." That's the model owning the box.

I think the Glasswing shape is the right call. Holding the model back from broad release while feeding it to defenders is the rare frontier-lab decision where the safety framing matches the actual policy. The Mythos capability is asymmetric the wrong way the moment it's outside the partner list: defenders need months of patching; attackers need an afternoon. Anthropic keeping Mythos Preview off the commercial roadmap for now is the move I'd want them to make.

What I'll watch: how fast the Glasswing partners actually ship patches (the FreeBSD CVE is the test case), whether smaller open-source projects without a seat at the partner table get the Mythos pass anyway, and whether any of the partner companies leak capability through their own products before the patch wave finishes. The 17-year-old bug also raises the obvious uncomfortable question: how many other dormant vulnerabilities are sitting in the same kind of code path, and what happens when the next lab ships a comparable capability without the Glasswing discipline?

EU AI Omnibus: deal at 4:30am, hard ban on nudifiers

Council and Parliament negotiators reached provisional agreement on the Digital Omnibus on AI at 4:30 in the morning on May 7. The package does two things at once: it postpones the AI Act's high-risk system obligations (regulatory sandboxes pushed to August 2, 2027) and adds a new Article 5 prohibition on AI systems that generate CSAM or non-consensual intimate imagery (images, video, or audio). The synthetic-content transparency grace period also shortens from 6 months to 3, with the new deadline December 2, 2026.

The nudifier ban is the part that will move first. It applies in three configurations: placing such systems on the EU market with the purpose of generating that content, placing systems on the market without reasonable safety measures against that generation, and deployers using systems for that purpose. Companies have until December 2, 2026 to comply.

This is the right policy and overdue. The nudifier app ecosystem has been a known problem for two years. The Renew amendment that got this in the final text is one of the cleaner pieces of AI legislation I've seen: narrow scope, real prohibition, deployer liability included. I'd want this in US law tomorrow.

The high-risk delay is the harder read. Companies absolutely need more time on the technical conformity work; the standards aren't finished. But every month the high-risk obligations push out is a month the firms shipping high-risk systems get to ship them under the lighter regime. SB 53's first-year reports out of California will start landing right around when EU high-risk obligations were originally supposed to bite, and the comparison will be instructive. Governance is the work and "we'll do governance in 2027" is a position with a cost.

CAISI signs pre-release evaluation deals with the rest of the labs

May 5. The Center for AI Standards and Innovation, the federal eval body that used to be the AI Safety Institute before Commerce restructured it, announced agreements with Google DeepMind, Microsoft, and xAI that let the US government evaluate frontier models before public release. Builds on the existing OpenAI and Anthropic deals from 2024, which were renegotiated under Commerce Secretary Lutnick to reflect the America's AI Action Plan.

I'm cautiously positive on this even though I'm cynical about most of how this administration has handled AI policy. Pre-release evaluation by a credentialed federal body is one of the moves that's worth doing regardless of who's in the White House, and the fact that all five major US frontier labs are now in the program is a structural win. The labs get to point at "we evaluated with CAISI before shipping" as a defense the next time something breaks; CAISI gets enough volume to actually build evaluation expertise instead of being a paper office.

What I'm watching: whether the CAISI evals produce anything publishable, whether the labs treat the evals as a real gate or a rubber stamp, and whether the program survives the next political turn intact. The risk on a voluntary eval scheme is that it converges to whatever the labs were already going to do. SB 53's mandatory disclosures will be the real stress test.

OpenAI's TDC and Anthropic's Blackstone vehicle

May 4 through 7. Both frontier labs spun up enterprise-services vehicles backed by major PE. OpenAI raised $4B+ for The Deployment Company at a $10B pre-money, with TPG, Brookfield, Advent, Bain, Dragoneer, and SoftBank in. OpenAI retains majority and governance control. Anthropic ran the parallel play with Blackstone. The pitch on both: instant access to 2000+ portfolio companies as ready-made deployment surface.

This is the move I've been waiting for and it's worse than I expected. The lab+PE consulting vehicle solves the labs' "we sell tokens, but enterprises won't ship without integration help" problem by buying the integration-help business directly. It also creates the structural concentration I keep writing about: the model vendor, the integration partner, and the capital allocator are now the same three-party transaction, with the lab on the inside of every PE portfolio's AI strategy.

If you sit on a PE-backed company that's about to get the deployment-services pitch from TDC or its Anthropic-Blackstone equivalent, read the integration carefully. The data-flow lines are the ones to push back on. "Your customer data trains our next model" should not be the default term, and the PII problem gets a lot worse when the integrator and the model vendor are the same balance sheet. The on-prem case gets stronger every time one of these vehicles ships.

The capex print and the layoff print

Meta's late-April earnings revised 2026 AI capex up to $125–145B, and the stock dropped 8.6% the next day. Stacked against the rest of the cohort (Amazon ~$200B, Alphabet $175–185B, Microsoft $120B+, Oracle $50B), the 2026 hyperscaler AI capex total sits around $690B. That's the spend side.

The cost side landed this week too. 37,000+ US layoffs in the first 10 days of May. Cloudflare cut 1,100 (about 20% of headcount) with internal AI usage up 600% in three months. Coinbase 700 (14%). PayPal staged at 4,760 (20%) over two-to-three years targeting $1.5B in cost savings. Marketplace's reporting on the April print had nearly half of tech layoffs explicitly AI-attributed.

This is where I keep landing. The displacement is real and it's accelerating faster than I expected. The pace is what I keep coming back to: companies aren't cutting because the AI is ready, they're cutting because the AI narrative is convenient and the markets reward the cuts. The Cloudflare 600% internal-AI-usage stat is the cleanest example of the week: the productivity gain is real, the headcount cut is real, and the timing of one against the other is where executive judgment is doing the work. Human+AI collaboration is the sustainable model; the headcount still shrinks, but it shrinks less and shrinks well. I'd rather be wrong about the pace than be caught off guard.

Smaller items worth tracking

  • Google Gemini 3.1 Flash-Lite shipped, priced at $0.25/M input tokens with 2.5x faster response times. The efficiency-tier price war keeps tightening; Flash-Lite is the new floor.
  • Gemma 4 released under Apache 2.0, the most capable fully permissive open-weights model currently available. The open-weights gap continues to close.
  • Novo Nordisk + OpenAI announced a full-stack partnership covering drug discovery, clinical trials, manufacturing, and commercial ops. Watch the data-flow terms: pharma-grade clinical data is a different threat surface than the typical enterprise deal.
  • Sanders-AOC introduced the AI Data Center Moratorium Act on May 4; it pauses new large-scale AI data center construction until national standards on energy, water, and worker protections pass. Symbolic for now given the calendar; the energy-and-water frame will be the one that matters in 2027.

What to watch next week

Three things. The capability ceiling moved and the disclosure shape was good. Mythos Preview is the most capable security-research model anyone has shipped and Anthropic actually held the line on broad release. The Glasswing structure is what responsible disclosure at frontier scale looks like. The next lab to ship comparable capability will be measured against this bar.

Governance keeps showing up where it matters. EU Omnibus, CAISI evals, the prospect of SB 53's first reports in 2027: the regulatory shape of AI is now visible enough to plan against. Firms still operating like governance is optional will be the ones with the painful 2027.

And the labor frame keeps consolidating. The displacement is real, the pace is wrong, the capex-vs-layoffs split tells you what the boards are optimizing for. Plan for it being faster than the realistic view says.

Next Sunday: the first patches out of Glasswing partners, whatever the Mythos disclosure flushes out across smaller projects, and the Omnibus deal text once it surfaces in full.
