CEO Briefing – Impact of AI Frontier Models on the Telecommunications Industry in light of Mythos Preview

AI frontier models have significantly increased the capability of detecting and exploiting software vulnerabilities at unprecedented speed. On 7th April 2026, Anthropic announced Claude Mythos, a non-public AI model capable of detecting and exploiting critical software vulnerabilities. At the same time, they announced Project Glasswing, an Anthropic-led working group granting exclusive access to twelve United States technology partners to utilise the model for their defensive cybersecurity work. The initiative brings together a coalition of major US technology companies, including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, Intel, JPMorgan Chase, Microsoft, NVIDIA, and Palo Alto Networks, alongside the Linux Foundation. In the weeks since, AI frontier models such as ChatGPT 5.5, DeepSeek V4 and Opus 4.7 have accelerated rapidly, with capabilities to replicate and surpass Mythos.

These models significantly accelerate the discovery and exploitation of vulnerabilities. A year’s worth of vulnerabilities can be identified in as few as four weeks, highlighting the rapid pace of detection and breadth of coverage achieved. Furthermore, they enable the chaining of ostensibly low and medium-severity vulnerabilities into more critical attack paths. Vulnerabilities previously dismissed as low priority are now increasingly relevant, not least because they are more numerous than critical vulnerabilities. This matter has been raised in several conversations with you or your companies and is rapidly becoming a board-level discussion item across corporations. This note aims to summarise high-level findings from our exploration with several key players in the industry.

The key issues for Mobile Network Operators (MNOs) to consider are:  

Previously Unknown Vulnerabilities – The use of AI models when investigating “Zero-Day Vulnerabilities” (such as security flaws in software, hardware, or firmware) unknown to the vendor or developer responsible for patching them represents a real shift in capabilities. These new models have autonomously discovered thousands of Zero-Day Vulnerabilities across every major operating system and browser, including flaws that persisted undiscovered for over two decades. This includes identification of a plethora of vulnerabilities which have the potential to impact our industry, creating a lot of initial pain as internal teams will need to manage the wave of updates.

Legacy Equipment – The telecoms industry faces elevated exposures due to complex legacy infrastructure, extensive operational technology deployments, and critical interdependencies with national security infrastructure. Many vendors are unable to support updates for legacy systems, placing additional strain on internal teams to either implement compensating security controls or migrate these systems to alternative environments.  

Extended Fixes and Updates (Patching) Timelines – Patch timelines for fixed network elements are constrained, as taking systems offline to apply updates can result in unacceptable service disruption. Under current conditions, MNOs aim to apply fixes within the 24–72-hour window between vulnerability disclosure and active exploitation. However, as advanced model capabilities become accessible to adversaries, this window is expected to compress dramatically with the weaponization of vulnerabilities. This requires patching timelines to shrink from hours to minutes, which is currently an out-of-reach target for most MNOs.

Omission of Telco and Telco Vendors – The omission of MNOs and equipment vendors from Project Glasswing creates an asymmetry in that major IT platforms will identify and remediate vulnerabilities while telco-specific systems remain exposed. This is particularly concerning given that telco networks are the foundational infrastructure on which AI systems themselves operate. This dependency should translate into active inclusion and not omission as is the present case.  

Third Party Dependency – MNOs are reliant on vendors to effectively leverage these models to provide the necessary vulnerability patches. Vendors must securely distribute these updates in formats that enable rapid and reliable deployment. This must occur at speed and scale to keep pace with adversaries. This dependency creates a volatile environment as any delay, capability gap or failure within the vendor chain directly impacts the operator’s ability to respond to emerging threats.

Regulatory Constraints – MNOs and their vendors must operate within strict regulatory frameworks governing data privacy, security and the use of advanced technologies. These factors may limit model access, constrain deployment, and require additional assurance, audit and compliance measures before use. As adversaries are not bound by the same regulatory obligations, they can adopt and operationalise these capabilities far more rapidly. Regulatory pressures can slow MNOs while attackers remain unrestricted, widening the defence gap against evolving threats.  

Financial Consequences – MNOs will face increased costs associated with risk mitigation, resilience and incident response. There is a trade-off between meeting increasingly stringent regulatory patching timelines (now reduced from months to days) and delaying updates to minimise the risk of service outages, which may result in regulatory penalties. For those MNOs and vendors with access to these models, there are notable financial implications, as token costs are approximately eight times higher than those of previous models.

The key recommendations are as follows:   

Establish a GSMA Expert Group – GSMA proposes to establish an expert group of MNOs to share validated intelligence on model testing, vulnerabilities and exploit paths, supported by proven mitigations. MNOs would be encouraged to actively contribute by testing, validating and sharing their own findings to strengthen collective insight and response, and to propose mitigating actions where patches are not available. While patching remains essential, MNOs could also take immediate risk-reduction measures, such as isolating vulnerable systems and strengthening core security controls, to quickly contain threats identified by AI frontier models and minimise business impact.

Ensure vendor access to AI frontier models – It is essential for telecoms vendors to secure access to these AI frontier models in order to effectively protect and enhance the security of their own systems. MNOs should engage directly with telecoms vendors to understand their AI model access status, vulnerability assessment strategies and remediation timelines. If vendors effectively leverage the latest versions of AI frontier models, share insights and take timely action, the mobile ecosystem can remain ahead of emerging vulnerabilities and better protect against their exploitation.

Engage in AI governance initiatives – The rapid development of new AI frontier models and use cases demonstrates the importance of MNOs taking part in AI governance initiatives and of their voice being heard. AI governance is not the same as AI regulation, and regulatory routes will not move at the same pace as the AI models develop. Increasingly, a range of global and regional initiatives have emerged, both private and public sector led. This highlights the importance for companies to have the necessary internal governance processes and frameworks in place to manage risks and deploy AI responsibly. GSMA intends to assist the industry to be represented in the key AI initiatives. The goal is not to ask for new regulation, but to make sure our sector’s voice is heard.