In April 2026, Anthropic announced Claude Mythos Preview, an AI model able to autonomously discover thousands of previously unknown vulnerabilities — including a 27-year-old flaw in OpenBSD, a system renowned for its robustness. This is not a technical event reserved for IT teams. It is a governance event that concerns anyone responsible for other people's data.
What changed in April 2026 — in plain terms
For years, cybersecurity operated on an implicit assumption: between the moment a vulnerability is discovered and the moment it is exploited by an attacker, there exists a window for reaction — a few days, sometimes a few weeks — during which a patch can be applied. That window was the oxygen of security teams.
With Mythos, that window is closing. Anthropic's model — and it will not be the only one — can analyse a system, identify its flaws and build a working exploit in a fraction of the time a human expert once needed. Anthropic responded by launching Project Glasswing, a coalition of defensive partners (AWS, Apple, Microsoft, Google, Cisco, Palo Alto Networks, among others) to use this capability to protect critical infrastructure before it falls into the wrong hands.
As The Hacker News recently observed, we are entering an era where "patching faster" or "patching better" is no longer enough. The logic that now prevails is one of presumption of breach: assume that an intrusion will eventually occur, and build your defence to detect and contain it as quickly as possible.
From cybersecurity to the protection of personal information
Why raise this with executive directors of municipalities, CEOs of SMEs and board chairs of non-profits? Because cybersecurity is, for you, almost always a delegated file. The protection of personal information is not — and cannot be.
When ransomware encrypts your systems, it is an operational problem. When the personal information of your citizens, clients or beneficiaries ends up circulating on the dark web, it is a problem of:
- Trust — the relationship with the individuals concerned is lastingly damaged, often more so than the bottom line.
- Compliance — Law 25 imposes strict obligations (notification, register, mitigation measures) whose breach exposes you to severe penalties.
- Fiduciary responsibility — directors owe a duty of care toward the individuals whose information the organisation holds.
- Reputation — an incident that is publicly notified, as Law 25 requires when there is a serious risk of harm, becomes a media event.
The resurfacing of data from the Desjardins breach, several years after the initial incident, illustrates a reality that leaders must absorb: a data breach is not a one-off event. Stolen data circulates, is resold, is recombined with data from other breaches, and keeps causing harm for years.
Law 25 facing AI: a tightening net
The Act respecting the protection of personal information in the private sector (P-39.1) and the Act respecting access to documents held by public bodies (A-2.1) — the two pillars of what is commonly called "Law 25" — did not wait for Mythos to tighten. But their application becomes especially acute in the current context.
Three obligations that take on new meaning
The penalties provided for under Law 25 reach $25M or 4% of worldwide turnover, whichever is greater. Aggrieved individuals can also bring a civil action with minimum punitive damages of $1,000 per affected person.
The blind spot: shadow AI
One phenomenon deserves particular attention from senior management: shadow AI. According to the Cloud Security Alliance, recently quoted in La Presse, roughly four employees in five worldwide use AI in their work without IT management being aware of it. Every time an employee pastes a client email, an HR file or an internal report into a consumer AI tool, they potentially commit an act that does not comply with Law 25 — especially if the tool is hosted in the United States and therefore subject to the American CLOUD Act.
You cannot assess the risk of a practice you cannot see. That is precisely the role of an AI governance policy — and it is one of the priority projects we support among our clients.
Five concrete actions to put in place this quarter
For leaders wondering where to start, here are five priorities calibrated for mid-sized organisations — municipalities, SMEs, non-profits — that generally do not have a dedicated full-time CISO.
What personal information do you hold? Where is it stored? Who has access to it? How long do you keep it? This mapping is the foundation of everything else — and it is required by Law 25.
Instead of believing your defences will hold, organise yourself so that an intrusion is detected quickly and contained. This relies on logs, behavioural detection tools and documented, tested response processes.
An AI usage policy, a set of approved tools, and basic training on what can and cannot be entered into a conversational agent. Without this, you leave your employees to navigate blindly within a legal framework they do not fully understand.
This applies particularly to any transfer of data outside Quebec, any new IT system and any AI tool used in a process involving personal information. The privacy impact assessment (PIA) is no longer a formality — it is your main line of defence in the event of an audit by the Commission d'accès à l'information (CAI).
Who decides to notify the CAI? Who drafts the statement? Who speaks to the media? Who contacts the individuals concerned? These decisions should not be made in a panic; they should be documented calmly, in advance. Hold a simulation exercise at least once a year.
Senior leadership's role has never been so central
The Cloud Security Alliance white paper on Mythos insists on a point we share: governance can no longer be treated as a layer placed on top of the technology. It must be integrated into the organisation's strategy.
In practical terms, for a non-profit board chair, that means asking management questions — and demanding documented answers. For an SME CEO, it means formally appointing a person responsible for the protection of personal information (it is a legal obligation) and giving them the means to act. For a municipal executive director, it means putting the subject on the council's agenda and undertaking a structured compliance effort.
The classic mistake is to wait for the incident before asking these questions. With Mythos and the models that will follow, the gap between "nothing is happening" and "everything is happening" is compressing. Preparation, by contrast, takes time — a few months if it is done well. The math is simple.
Take stock of your Law 25 compliance and your AI posture
Synéra supports Quebec municipalities, SMEs and non-profits in their Law 25 compliance assessment, their PIAs and the implementation of AI governance suited to their size — without jargon and without overengineering.
Further reading
- Project Glasswing — Anthropic: the defensive coalition around Claude Mythos
- After Mythos: New Playbooks For a Zero-Window Era — The Hacker News
- Claude Mythos Preview — Anthropic Red Team: the original technical documentation
- Cloud Security Alliance — AI Vulnerability Discovery and Containment
- Commission d'accès à l'information — Main changes under Law 25
- La Presse — Shadow AI and Law 25
- Quebec Ministry of Cybersecurity and Digital Technology
Synéra packages mentioned in this article
- Synéra Conforme — Law 25 compliance and PIA support
- Synéra Vigile — ongoing monitoring and compliance
- Synéra 360 — full IT management and integrated compliance
- Synéra Check — point-in-time audit of your posture
This article is written for general information and awareness purposes. It does not constitute legal advice. For any question regarding your specific situation, contact Synéra or your legal advisor.