← Back to Blog
Policy Updates
4 min read20 April 2026

The EU AI Office Cannot Access Anthropic's Most Powerful Model. That Is a Problem for Enforcement.

Anthropic's Mythos model, described as potentially the most powerful AI system yet announced, is off-limits to the EU AI Office. Eight AI safety groups are now demanding the EU grow its safety unit from 36 to 160 staff by 2030. Here is why this matters for the enforcement capacity the AI Act was supposed to have.

A Frontier Model the EU Cannot Evaluate

On April 16, Anthropic released Claude Opus 4.7 — a strong production model with improved agentic coding, sharper reasoning, and high-resolution image support up to 3.75 megapixels. Pricing unchanged from Opus 4.6. A solid upgrade.[3]

But the more significant story running in parallel is what Anthropic has not released publicly: Mythos. Described internally as the model that outperformed Opus 4.7 on key benchmarks, Mythos is being shared with a limited group of around 40 organisations — and the European Commission is not among them. A Commission spokesperson confirmed this directly to POLITICO.[1]

The UK's AI Security Institute, by contrast, was granted access and published a technical risk analysis within a week of Mythos's announcement. The gap between what the EU and UK can do with the same model is now a published fact — and it is raising uncomfortable questions about whether the EU AI Act's enforcement architecture has the technical capacity it needs to function as designed.

Eight Safety Groups Write to Brussels

The response from the AI safety community has been direct. Eight AI safety organisations — including the Centre for Human-Compatible AI, the Future of Life Institute, and the Foundational Model Accountability project — sent a letter to the European Commission demanding that the EU AI Office's safety unit grow from 36 staff to 160 by 2030.[1] The letter, first reported by POLITICO, argues that the AI Office's current safety team is too small to evaluate frontier models at the pace the industry is releasing them — and that this is not a theoretical concern but a present operational gap.

The numbers in the letter are specific. The AI Office currently has approximately 140 staff total, with 36 in the division responsible for evaluating the most capable models. Anthropic has granted access to Mythos to 40 organisations. The UK AISI — which has no regulatory enforcement powers, just evaluation and advisory capacity — has access and used it. The EU AI Office, the body the AI Act charges with supervising frontier AI models and GPAI compliance, does not.

The safety groups' argument is structural: if you cannot evaluate the model, you cannot supervise it. If you cannot supervise it, the GPAI obligations that are supposed to kick in when a model crosses the systemic risk threshold are effectively unenforceable against that specific model. Mythos is not yet publicly released, so the enforcement gap is prospective — but the clock starts running the moment a model this capable enters the European market.

Why the UK Has an Advantage the EU Does Not

The Resultsense analysis identifies something that POLITICO's reporting has confirmed from multiple angles: a regulatory body without enforcement powers can often get better cooperation from AI labs than one that carries a €35 million maximum fine.[1]

Ciaran Martin, former head of the UK's National Cyber Security Centre, put it directly to POLITICO: a non-regulatory state body — one that cannot fine, cannot mandate, cannot formally sanction — can engage more fluidly with labs that are concerned about having their most sensitive technology examined by a body with enforcement powers.[1] The fine is real; the relationship is also real. Labs tend to share more with the evaluator they trust not to use the information punitively.

The UK AISI's positioning — inside government, close to political leadership, advisor rather than regulator — gives it a different kind of access than the AI Office has. Prime Minister Keir Starmer has a dedicated AI adviser, Jade Leung, who is a former OpenAI lobbyist.[1] The EU's AI Office sits several management layers below Commission political operatives. The structural difference in proximity to decision-making is real.

This is not just about optics. The AI Act's GPAI obligations — adversarial testing requirements, incident reporting, model registration — are supposed to apply to the most capable models regardless of who built them. If the EU cannot evaluate a model, it cannot verify whether it crosses the 1025 FLOPs systemic risk threshold. It cannot assess whether the model's reported capabilities match what it actually does. And it cannot produce the technical evidence that would justify enforcement action if the model behaves in ways that pose systemic risk.

What Anthropic Is Doing About It

Anthropic is not ignoring the EU. The company met with EU officials on April 15 to discuss concerns about Mythos's cybersecurity profile, with further meetings planned.[3] The company's position is that Mythos has capabilities that raise dual-use risk concerns — it could, in the wrong hands, be used for advanced cybersecurity research or for activities that cross into harmful hacking. The company is being selective about who gets access precisely because it wants to manage those risks carefully.

This selective approach is not unprecedented — Anthropic's Mythos release model is becoming a template in the industry: vetted operator access, technical evaluations, phased release. The question the EU AI Office faces is whether it can credibly join that template as a recognised evaluator, or whether it is permanently locked out by the same enforcement architecture that was designed to protect European citizens from the risks these models pose.

Claude Opus 4.7, released alongside the Mythos discussions, functions in part as a "testbed" for the governance protocols Anthropic is developing to address exactly these concerns. The model's autoregressive protections against malicious hacking prompts — reduced cybersecurity capabilities as a deliberate design choice — are a direct response to the dual-use risk profile that Mythos is designed around.[4] By the time the EU AI Act comes into full effect in August 2026, the norms around how frontier model access and evaluation work will be substantially established — and the AI Office's current position relative to those norms will determine how much influence it has over them.

The Hiring Problem and the Salary Gap

The Commission is pushing to hire 38 additional AI Office staff as part of the Digital Omnibus package launched in November 2025, but those negotiations are unresolved.[1] A further half-dozen safety, regulation, and compliance hires are planned by the end of June. The bottleneck is salaries: the EU pays civil service rates that cannot compete with the compensation Anthropic, Google, and DeepMind offer to the exact technical talent — ML engineers, security researchers, evaluators — that an AI safety unit needs.

Anthropic's simultaneous announcement of an 800-person London office deepens the problem. London's AI talent cluster already attracts people who might otherwise consider public sector work. A major AI lab planting an 800-person flag in the city makes the EU's recruitment challenge materially harder.

The safety groups' demand for 160 staff in the AI Office's safety unit by 2030 is not an arbitrary number. It is a recognition that the evaluation challenge frontier models pose requires the same kind of concentrated technical expertise that the labs themselves employ — and that expertise is scarce, expensive, and not compatible with standard civil service hiring processes.

Why This Matters for SMEs

For small and medium European businesses that are building on top of foundation models — using Claude, GPT-4, Gemini, or their open-source equivalents — this story has a practical downstream effect that is easy to miss.

The EU AI Act's GPAI obligations apply to the providers of those models, not directly to the SMEs using them. But those obligations include incident reporting (serious AI incidents must be reported to the AI Office within days), adversarial testing documentation, and cybersecurity measures. If the AI Office cannot effectively evaluate the models it is supposed to supervise, the incident reporting and testing obligations become harder to enforce in practice — which means the compliance assurance downstream businesses rely on is weaker than the regulation implies.

More specifically: if you are using Claude Opus 4.7 or planning to integrate future Anthropic models into your product, the question of whether the EU AI Office has the capacity to evaluate those models and require compliance is not irrelevant. It is the regulatory backstop that ensures the model provider's obligations to you are meaningful. A regulator that cannot evaluate the model cannot enforce the model provider's obligations — and the downstream compliance chain depends on that enforcement.

The 105-day countdown to August 2 is not just a deadline for high-risk deployers. It is a deadline for the entire regulatory infrastructure the AI Act depends on — including the AI Office's ability to actually do its job. Right now, that ability is being questioned by eight AI safety groups and documented as a gap by the UK's demonstrated advantage in the same evaluation tasks.

The Bottom Line

Mythos is not yet on the market. The AI Office's access gap is a prospective problem, not a present enforcement failure. But the window for the EU to establish itself as a credible evaluator of frontier AI models — and to do so before the norms around model access and evaluation become locked in — is closing.

The safety groups' letter and the UK's demonstrated advantage give the EU a clear benchmark: 160 staff in the safety unit, credible evaluation relationships with frontier labs, and the technical capacity to publish assessments that carry weight. Whether Brussels gets there — and whether the Omnibus negotiations include the resources to make it possible — is one of the more consequential questions the AI Act's implementation raises for the next two years.

For SMEs: watch the AI Office's staffing and evaluation activity closely as August approaches. The enforcement infrastructure your compliance depends on is only as strong as the body that operates it — and right now, that body has a documented capacity gap that the AI safety community is not letting Brussels ignore.

This article is for informational purposes only and does not constitute legal advice.

Sources

  1. [1]Resultsense / POLITICO Europe — EU AI Office locked out of Mythos as UK AISI leads (April 17, 2026)
  2. [2]POLITICO — Anthropic's hacking tech exposes EU AI Office weaknesses (April 13, 2026)
  3. [3]PYMNTS — Anthropic briefs EU regulators on Mythos cybersecurity concerns (April 16, 2026)
  4. [4]Crypto Briefing — EU unable to review Anthropic's Mythos model (April 2026)

Know your EU AI Act risk level in 10 minutes

Our free audit walks you through the exact questions to classify your AI systems and identify what you need to do before August 2, 2026.

Start Free Audit →
← Back to Blog

⚠️ Not legal advice — for guidance purposes only