Executive Perspective
May 4, 2026
Defense-in-Depth, Reimagined for the Mythos Era - Speed has changed. The strategy hasn't.
Mahendran Chandramohan, Chief Technology Officer
Every CISO conversation I'm having opens the same way these days.

"Have you seen what Claude Mythos can do?"

Yes. I have. And I'm not going to tell you it's overhyped, because it isn't.

Anthropic was straightforward about the capability. Mythos Preview can outperform all but the most skilled humans at finding and exploiting software vulnerabilities. Thousands of zero-days. Every major operating system. Every major browser. A 27-year-old OpenBSD bug. A 16-year-old FFmpeg flaw — both missed by every fuzzer and every human reviewer for years.

The skill floor for serious exploitation just dropped through the basement.

And speed has fundamentally changed. The window between a vulnerability being disclosed and being weaponised, once measured in days or weeks, is now measured in hours. Criminal actors are pre-staging environments and striking in seconds. Nation-state actors are sitting inside enterprises for months, exploiting log retention blind spots that have been there for a decade.

This is the Mythos era. It's not coming — it's here.

So the threat is real. I want to be clear about that before I say anything else.

But here's where the conversation goes wrong

The panic narrative says we need a fundamentally new security paradigm. New tools. New teams. A separate AI defense.

I don't agree with that. And I've thought about it a lot.

Here's what the evidence actually shows. The vulnerabilities Mythos finds aren't exotic. They're conventional flaws that survived decades because finding them required expertise held by very few people. AI has democratised that expertise — at scale, at speed, at low cost.

AI makes attackers fast. It doesn't make them magic.

That's an important distinction. Speed demands discipline. It doesn't demand reinvention.

There's another speed problem nobody's talking about enough

Even when an enterprise has its act together — strong DevSecOps, mature patching, real velocity in its own environment — there's a part of the picture it can't control.

Vendors. Third parties. SaaS providers. The supply chain.

Your patch velocity is your patch velocity. Your vendor's patch velocity is theirs. And in the Mythos era, an attacker doesn't care which one is slower — they're going through whichever path opens first.

This is why the response can't just be "patch faster." Most enterprises are already pushing patch velocity as hard as they reasonably can on their own environment. The harder problem is that the attack surface extends well beyond what you directly operate. Third-party software, vendor APIs, partner integrations, cloud platforms — all moving at their own pace, all part of your blast radius.

You can't fix their speed. You can't even reliably see it.

What you can do is build an architecture that doesn't assume everything will get patched in time. That's exactly what defense-in-depth was always for.

Defense-in-depth. And detection-in-depth.

These two ideas, taken seriously, are how enterprises actually manage the Mythos era.

Defense-in-depth is the doctrine that no single control will hold. So you layer them. Identity controls in case the perimeter fails. Segmentation in case identity is compromised. Data security in case segmentation is bypassed. Each layer assumes the one before it will eventually fail — because it will. That's not pessimism; it's realism. And it's precisely the posture you want when a vendor you don't control is two months behind on patches and an attacker has automated the discovery.

Detection-in-depth is the partner discipline that doesn't get talked about enough. The idea is the same — no single detection layer will catch everything. So you build redundant detection logic across surfaces. Endpoint behavior, identity behavior, network anomalies, cloud API patterns, application-level signals. Five surfaces. Five chances to see what's going wrong. And critically, they correlate — one signal from one surface is ambiguous, but the same signal showing up across three surfaces is high-confidence.

When criminal actors strike in seconds and APT actors dwell for months, detection-in-depth is what gives you a fighting chance against both.
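The cross-surface correlation described above, worked through as an added example (this is illustration code, not anything from the original post or the author's programme). It assumes each detection surface emits a normalised alert as a constructed text line of the form `<iso-timestamp> <surface> <entity> <detail>`; the window length, the three-surface threshold and the sample alerts are all assumptions chosen for the illustration.

```python
"""Detection-in-depth correlator (added illustration, not from the original post).

Assumption: every surface (endpoint, identity, network, cloud, application)
emits a normalised alert naming the entity it concerns. Per entity, the
correlator counts how many distinct surfaces fired inside a time window:
one surface is ambiguous, two is worth a look, three or more is high-confidence.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SURFACES = {"endpoint", "identity", "network", "cloud", "application"}


@dataclass(frozen=True)
class Alert:
    surface: str
    entity: str
    ts: datetime
    detail: str


def parse_alert(line: str) -> Alert:
    # Constructed line format: "<iso-ts> <surface> <entity> <detail...>"
    ts, surface, entity, detail = line.split(" ", 3)
    if surface not in SURFACES:
        raise ValueError(f"unknown detection surface: {surface}")
    return Alert(surface, entity, datetime.fromisoformat(ts), detail)


def correlate(alerts, window=timedelta(minutes=30), high_confidence=3):
    """Group alerts by entity and find the largest set of distinct surfaces
    that fired within one window. Returns {entity: (level, sorted surfaces)}
    with level 'high' at >= high_confidence surfaces, 'medium' at 2, 'low' at 1.
    """
    by_entity = defaultdict(list)
    for a in alerts:
        by_entity[a.entity].append(a)

    findings = {}
    for entity, items in by_entity.items():
        items.sort(key=lambda a: a.ts)
        best = set()
        # Slide a window forward from each alert; keep the widest surface set.
        for i, start in enumerate(items):
            seen = {a.surface for a in items[i:] if a.ts - start.ts <= window}
            if len(seen) > len(best):
                best = seen
        n = len(best)
        level = "high" if n >= high_confidence else "medium" if n == 2 else "low"
        findings[entity] = (level, sorted(best))
    return findings


SAMPLE_LINES = [  # constructed sample alerts, not real telemetry
    "2026-05-04T09:00:00 identity svc-batch impossible-travel login",
    "2026-05-04T09:04:00 endpoint svc-batch new scheduled task created",
    "2026-05-04T09:10:00 cloud svc-batch unusual IAM policy attach",
    "2026-05-04T09:12:00 network svc-batch outbound to rare destination",
    "2026-05-04T11:00:00 identity alice failed MFA prompt",
    "2026-05-04T13:30:00 application bob password reset requested",
    "2026-05-04T23:00:00 endpoint bob new scheduled task created",  # hours later
]


def run_sample():
    """Correlate the constructed sample; svc-batch lights up four surfaces
    inside twelve minutes, alice and bob each stay at a single surface."""
    return correlate(parse_alert(line) for line in SAMPLE_LINES)


if __name__ == "__main__":
    for entity, (level, surfaces) in run_sample().items():
        print(f"{entity:10} {level:6} {', '.join(surfaces)}")
```

The point the code makes is the one in the text: none of the four svc-batch alerts is damning on its own, but the same entity surfacing on identity, endpoint, cloud and network inside one window is a finding worth paging on, while bob's two alerts nine hours apart stay low-confidence because the window, not just the count, is part of the logic.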

These two disciplines together are what the architecture is really built around. Everything else is structure to make them work at enterprise scale.

The architecture I keep coming back to

I've been working through what an enterprise security architecture actually needs to look like in this era. Not as a marketing exercise — as something a CISO can defend in a board meeting and an architect can build against.

What kept emerging was that three things, properly integrated, give you everything you need:

NIST CSF 2.0 — but treated as more than a framework. Govern, Identify, Protect, Detect, Respond, Recover. It's not just a compliance vocabulary. It's a way of organising how an enterprise actually defends itself. The six functions describe the operational reality of security work, not a paperwork exercise. Governance shapes everything. You can't protect what you haven't identified. Detection only matters if it leads to response. Response only matters if it leads to recovery. Recovery only matters if it teaches governance something new. That's the loop. NIST gives us the structure to talk about it consistently — but the architecture is in the doing, not the labelling.

Defense-in-depth and detection-in-depth as the doctrine. Layered controls that assume failure. Layered detection that assumes blind spots. Together, they're what stops a fast-moving attacker from cascading into a catastrophic event.

Compliance, security, and privacy as one integrated theme. Not three programs sharing infrastructure. Three lenses on the same controls. Identity governance simultaneously satisfies access control mandates, threat detection requirements, and purpose-bound data access. Asset visibility maps regulatory scope, attack surface, and data flow at the same time. Forensic readiness serves audit trails, incident reconstruction, and breach notification — all from the same logging substrate.

When you stop running these as parallel programs and start running them as one fabric, three things happen. Total cost of program ownership drops substantially. The auditor, the CISO, and the DPO finally have a single source of truth. And the architecture becomes coherent enough to actually defend.

The interlocks are what make it architecture

Boxes and arrows aren't architecture. Interlocks are.

Three sets of interlocks turn the layered model into a living system.

Vertical — between the functions. Each one feeds the next. Identify enables Protect. Protect reduces what Detect must catch. Detect feeds Respond at machine speed. Respond preserves the conditions for clean Recover. And Recover writes lessons back to Govern, completing the loop. The architecture learns from every incident.

Horizontal — across the threads. A single control event simultaneously updates compliance posture, security telemetry, and privacy governance. An anomalous identity action: compliance logs a control deviation, security raises a threat signal, privacy reviews data access. One event. Three thread updates. One fabric. This is what kills the duplication that plagues most enterprise security programs.

Upward — to the executive view. Every operational metric rolls up into three indices the board actually understands. A Compliance Index, a Security Index, a Privacy Index, plus an outcome metric — return on security investment. Three numbers in the boardroom. Full traceability down to the originating control. The CISO walks in with one consistent story. The auditor, the regulator, the DPO, and the board are all looking at the same picture.

That's what makes it architecture, and not a checklist.

What about agentic AI?

This is the question every BFSI client asks me right now. Where does AI agent governance fit?

Inside the architecture. Not alongside it.

The Five Eyes guidance on agentic AI is unambiguous on this — AI security belongs within established cyber security frameworks, not as a parallel discipline. Which is exactly right. Agent identity is governed through identity management. Agent behaviour is monitored through behavioural detection. Agent tools are tracked through asset visibility. Agent privileges are bounded through segmentation. Agent incidents are handled through the same response workflow as everything else.

The controls extend. The architecture doesn't fork.

That's the right answer for two reasons. It matches how agentic AI actually shows up in the enterprise — woven into business processes, not isolated. And it prevents the specialist silo that always emerges when organisations treat new technology as fundamentally different. AI agents are privileged actors. We already know how to govern privileged actors.

What this means for enterprises right now

Three things, in order of priority.

Stop running compliance, security, and privacy as parallel programs. Every duplicated control, every separate dashboard, every redundant audit cycle is cost without benefit. Integration isn't a future-state aspiration — it's available to any organisation willing to demand it.

Rebalance investment, don't expand it. Annual pentests, signature-only detection, traditional correlation, static vendor questionnaires, annual compliance training — these are losing value. Phishing-resistant authentication, segmentation on critical assets, behavioural analytics, continuous exposure/adversarial validation, automated containment, rebuildable infrastructure — these are gaining it. The Mythos era doesn't demand more spending. It demands smarter spending.

Accept what you can't control, and harden what you can. You'll never make your vendors patch as fast as you do. You'll never have full visibility into every third-party dependency. But you can build an environment around them that doesn't fall over when they're slow. That's what defense-in-depth and detection-in-depth deliver — resilience that doesn't depend on perfect upstream hygiene.

We don't need to outpace Mythos. We need to be deep enough that no single failure cascades, fast enough that no detection is wasted, integrated enough that one incident doesn't trigger three siloed responses, and prepared enough that even a successful breach becomes a contained event rather than a catastrophic one.

Defense-in-depth, done right, was always the answer.

The Mythos era just raised the cost of doing it poorly.
