Gatekeeping by AI Frontier Labs Could Leave Critical Infrastructure Exposed

Experts warned Wednesday that AI is accelerating cyberattacks faster than most organizations can defend against them.


WASHINGTON, June 4, 2026 – A debate over who should control access to the most powerful AI cybersecurity tools dominated a Broadband Breakfast panel Wednesday, with experts warning that narrow gatekeeping could leave critical infrastructure operators exposed even as adversaries race to exploit the same capabilities.

The central tension is straightforward: Frontier AI models like Anthropic's Claude Mythos can find and exploit vulnerabilities at speeds no human team can match, but those same capabilities can defend against attacks if the right organizations get access in time. 


Panelists broadly agreed the current system, which leaves access decisions to the internal deliberations of AI companies, is insufficient for a challenge of national security scale.

The 30-day window and who gets in

The executive order issued by the Trump administration on Tuesday requires a 30-day government review before frontier AI labs can share new models with trusted partners — a window panelists said was meaningful for initial triage but far too short to remediate what gets discovered.

"Thirty days may be enough to identify some of the worst problems," said Amy Robertson, chief engineer for cyber intelligence at defense contractor MITRE, "but it is not going to be enough to mature any type of cyber defense ecosystem to respond to them." 

Defenders need validated findings, prioritized remediations and time to coordinate patching across providers, none of which fits within a month, she and others said.

The deeper question is who gets access at all. Vaibhav Garg, executive director of cybersecurity research at internet service provider Comcast, argued that access decisions carry public interest implications that private companies alone should not resolve. 

Drawing a parallel to coordinated vulnerability disclosure in the 1990s, Garg said the industry needs "a public and transparent and well-coordinated process" for scaling access. "If we don't do that, we might leave out parties that are critical to ensuring the security of critical infrastructure," he said.

Daniel Castro, president of the Information Technology and Innovation Foundation think tank, warned that the U.S. risks squandering a narrow lead over adversaries. 

"No matter what the U.S. does, our adversaries will have access to this technology in months," he said, estimating China is three to six months behind. He also flagged a longer-term risk embedded in the order: While it explicitly rejects an approval process akin to the Food and Drug Administration for AI models, a future administration could repurpose that scaffolding.

Small providers face big exposure

Garg noted that scanning for vulnerabilities using frontier models requires running the models, validating findings, prioritizing remediations and patching at scale, capabilities many organizations simply lack.

That constraint hits hardest among rural and small telecom providers. Jay Harmon, CEO of consultancy BorderHawk, warned those operators face compounding risk, since AI-powered attackers need not breach a network perimeter to cause damage. "The AI doesn't even have to be inside the organization," he said. "The speed at which those vulnerabilities are going to be identified and exploited, that's a real concern."

Harmon also cautioned that AI capabilities would spread beyond any controlled group, with actors developing offshoots of existing models "plenty powerful enough to wreak havoc," even if less capable than frontier models.

The Mythos moment is also reshaping professional practice. Attorney Steven Lilley of firm Mayer Brown said cybersecurity lawyers can no longer rely on process checklists alone. 

"The demands for technical understanding are definitely higher," he said. "You have to be able to understand things at a sufficiently granular level to provide sound legal advice," including recognizing when a technical answer needs probing.

AI, Robertson said, echoing others on the panel, is not introducing novel attack methods. It is instead making familiar ones faster, cheaper and more scalable. 

"AI is not replacing any malicious tradecrafts," she said. "It's just providing that acceleration, that force multiplier." Her advice: Ensure whoever receives early access is positioned to act on findings and share learnings broadly. "The answer is to not panic, not buy into all the hype, and stay grounded in the operational reality."
