Anthropic’s Mythos announcement set off exactly the reaction you would expect: if models can now find serious bugs at scale, software security must be about to get much worse.
I think that reaction mixes up two things.
A bug is not automatically a vulnerability.
And even a vulnerability is not automatically exploitable.
That distinction matters even more in the agent era. AI is getting better at surfacing weird behavior in code. It can push edge cases, strange paths, and awkward combinations much faster than most human teams. That is not bad news. That is visibility.
A bug means something is wrong. A vulnerability means that wrong thing can be turned into a security outcome like code execution, privilege escalation, data exposure, or unauthorized access.
Those are not the same thing.
Most bugs never become meaningful security issues. Some are correctness problems. Some are reliability issues. Some crash and go nowhere. Some only matter in very specific deployments, with very specific permissions, under very specific conditions.
Exploitability is architectural.
The same bug looks very different depending on the environment around it. A bug in a tightly constrained process is one thing. The same bug in a process that can read secrets, spawn shells, install packages, and connect anywhere on the network is something else entirely.
All the fundamentals still apply: least privilege, isolation, scoped credentials, and limited egress. If anything, they matter more now, because the thing touching those resources is moving at machine speed. That also means preferring temporary credentials and tightly scoped access over long-lived broad permissions whenever possible.
The worst case is not that models expose too many problems. The worst case is that those problems were always there and nobody noticed until the wrong person did.
But agents do introduce a second challenge.
Traditional protections are often built for software whose behavior is mostly known ahead of time. You define what the process should do, lock it down, and you are done.
That model breaks down with agents more often than people want to admit.
A useful agent may need to inspect a codebase, discover which tools are relevant, follow intermediate results, and adapt as it goes. You often cannot predict from the first second exactly what it should or should not do five minutes later. Static controls still matter, but static-only controls can be too rigid for dynamic systems.
That is where people get stuck arguing about the wrong layer.
Sometimes the bad action starts with a bug.
Sometimes it starts with prompt injection.
Sometimes it is a jailbreak, a poisoned dependency, a bad tool result, or a model making the wrong call.
At the execution boundary, those distinctions matter a lot less.
What matters is whether the process is allowed to do the thing it is trying to do right now.
That is the reason I built AgentSH.
AgentSH does not need to understand the bug. It does not need to interpret the prompt. It does not need to guess intent. It does not care whether the bad action started with a software defect, a prompt injection, or a confused model.
It cares about execution.
Can this process read that file?
Can it spawn that command?
Can it install that package?
Can it connect to that host?
Can it move outside the allowed workspace?
Agents are probabilistic. Their behavior is shaped by prompts, context, tools, model behavior, and whatever they encounter along the way. AgentSH adds determinism where it counts: at execution time, when probabilistic behavior turns into a real process, a real file access, a real network connection, or a real side effect.
The agent proposes. The policy decides.
But with dynamic agents, you do not always know the right policy upfront.
That is why Watchtower matters alongside AgentSH.
AgentSH gives you enforcement at the execution boundary. Watchtower gives you the dynamic policy control to adapt that enforcement as you learn what the agent actually needs to do. You can start with guardrails, observe behavior, tighten access, change rules, and shape policy over time without giving up runtime control.
So when people react to Mythos with fear, my reaction is different.
Good.
Find more bugs.
Then make sure the runtime does not let them matter.
That is a better security model for the agent era.