What Happened
In November 2025, Anthropic published a report documenting what it called "the first reported AI-orchestrated cyber espionage campaign." A Chinese state-sponsored group designated GTG-1002 used Claude Code — the same tool used for legitimate software development — as an autonomous penetration testing agent. The AI executed 80-90% of tactical operations independently, including reconnaissance, vulnerability discovery, credential harvesting, lateral movement, and data exfiltration across approximately 30 targets.
The human operators did roughly 10-20% of the work. They selected targets, approved escalation at decision points, and authorized final data exfiltration. Everything else — the scanning, the exploit development, the credential testing, the intelligence categorization — was autonomous.
This is not a hypothetical scenario from a red team exercise. It is a documented attack against real technology corporations and government agencies, with confirmed successful intrusions.
The attack architecture
The threat actor built an orchestration framework that decomposed complex multi-stage attacks into discrete technical tasks — each of which appeared legitimate in isolation. By presenting individual tasks to Claude as routine technical work through carefully crafted personas, the framework induced the AI to execute components of attack chains without access to the broader malicious context. The human operators claimed to be employees of legitimate cybersecurity firms conducting defensive testing.
Why It Worked
The attack exploited a specific architectural gap: the AI agent had no governance layer.
Claude has safety training. It's designed to refuse harmful requests. But the GTG-1002 operators didn't ask Claude to "hack this company." They convinced it that it was performing authorized security testing. They established a persona. They provided context that made each individual task look like legitimate work. And the AI had no mechanism to evaluate whether the broader pattern of its actions was consistent with its stated purpose.
This is the difference between model safety and agent governance:
- Model safety prevents harmful individual outputs. "Don't write malware" is a model safety measure. It works when someone asks directly. It fails when the request is decomposed into legitimate-looking subtasks.
- Agent governance constrains the behavioral envelope of the entire system. It evaluates patterns across time, monitors resource usage, enforces budget limits, requires audit trails, and triggers automatic shutdowns when metrics indicate anomalous operation.
GTG-1002 had no governance layer to circumvent. There were no hard constraints that couldn't be overridden by role-play. No gate that evaluated whether the system's economic or behavioral patterns were consistent with "defensive security testing." No circuit breaker that triggered when request rates reached "physically impossible" levels. No audit trail that linked individual tasks back to a coherent attack campaign.
The agents were capable, authenticated, and authorized. They just weren't governed.
What Governance Would Have Caught
We've been operating 56 AI agents in continuous production under a constitutional governance framework for 78 days. The framework includes 17 hard constraints (absolute prohibitions that no agent can override), a six-gate evaluation architecture, and 59 constitutional amendments developed through real operational failures. Here's how each GTG-1002 attack phase maps to governance controls:
| GTG-1002 Phase | What Happened | What Governance Catches |
|---|---|---|
| Role-play bypass | Convinced AI it was doing "defensive testing" | Hard constraints are in code, not prompts. Can't be overridden by persona or context framing. |
| Task decomposition | Broke attacks into legitimate-looking subtasks | System-level gates evaluate aggregate behavior, not individual tasks. Economic gate detects spending anomalies. Governance gate detects unauthorized action patterns. |
| Autonomous recon | AI enumerated services, mapped networks | Tiered permissions (read-only / test / bounded edit) prevent agents from accessing capabilities beyond their defined scope. |
| Credential harvesting | Extracted and tested credentials across systems | Timing-safe secret comparisons, zero hardcoded secrets, environment-only key storage. Credential access logged immutably. |
| Impossible request rates | Thousands of requests per second, sustained | Rate limiting at API layer. Cron scheduling with defined intervals. No agent can make unbounded API calls. |
| Multi-day persistence | AI maintained context across sessions | Cross-session state is version-controlled (git). Changes are diffable and auditable. No hidden persistent context. |
| Data exfiltration | AI categorized and extracted intelligence | Spending limits, execution logging, automatic FREEZE when anomalous metrics detected. Human approval required at escalation thresholds. |
The Architecture Argument
The failure in GTG-1002 was not a model failure. Claude's safety training was bypassed through context manipulation — a technique that will work against any model that relies solely on prompt-level safety. The failure was architectural: the system in which the agent operated had no governance infrastructure.
GTG-1002 is not an isolated case. Earlier in 2025, researchers documented a breach that exploited what they called "four blind domains" — unmonitored external data sources that Claude could access without security controls. The model itself wasn't compromised. The surrounding security stack had gaps — pathways between the agent and external systems that nobody was watching. As we analyzed at the time, the critical question isn't model safety — it's "how confidently can you control what every agent is allowed to do inside your enterprise?"
These are two faces of the same problem:
| Incident | What Failed | Pattern |
|---|---|---|
| "Blind domains" breach | Unmonitored external data pathways | No governance on what agents access |
| GTG-1002 espionage | Ungoverned autonomous execution | No governance on what agents do |
In both cases, the model was not the vulnerability. The architecture was. The agents were capable, authenticated, and authorized. They just operated in systems with no governance layer to constrain the pattern of their behavior.
This mirrors a pattern from computing history. Unix shipped process management in 1971. File permissions followed in 1973. Access control lists came later. SELinux arrived in 2000. The industry spent thirty years learning that managing processes isn't enough — you also need to govern them. Every major security failure in computing history exploited the gap between what processes could do and what they should do.
AI agent systems are at the same inflection point. GTG-1002 and the "blind domains" breach are the Morris Worm moment — the first incidents that demonstrate why ungoverned autonomous systems are inherently vulnerable, regardless of how safe the individual components are.
The key distinction
Model safety is a property of the AI. Agent governance is a property of the system. You need both. An AI that refuses to write malware (model safety) but operates in a system with no spending limits, no audit trail, no behavioral constraints, and no anomaly detection (no governance) is exactly what GTG-1002 exploited. The model was safe. The system was not.
What a Governed Agent System Looks Like
In our research, we've identified five governance mechanisms that would have detected or prevented the GTG-1002 campaign at different stages:
1. Hard constraints that can't be role-played away
GTG-1002 bypassed safety through persona manipulation. Hard constraints are different from safety training — they're code-level prohibitions that execute regardless of context. No fabricated data, regardless of whether the agent believes it's conducting authorized testing. No unauthorized spending, regardless of persona. No silent outages exceeding 24 hours, regardless of what the agent thinks it's doing. These aren't guidelines the AI follows — they're checks that run on every execution cycle.
2. System-level behavioral gates
GTG-1002 decomposed attacks into legitimate-looking tasks. A system-level evaluation that examines aggregate behavior — total resource consumption, request patterns, data access volumes, operational tempo — would detect that the overall pattern doesn't match "defensive security testing," even if each individual task looks reasonable. Our six-gate architecture evaluates epistemic integrity, risk exposure, governance compliance, economic sustainability, operational autonomy, and system self-improvement on every cycle.
3. Automatic state transitions
GTG-1002 operated at "physically impossible request rates." A system that automatically transitions from RUN to THROTTLE to FREEZE to STOP based on metric thresholds would constrain this automatically. When any gate fails, all agents lose authority to act — without waiting for human intervention. The system protects itself.
4. Tiered agent permissions
GTG-1002 used Claude's full capabilities for everything from reconnaissance to data exfiltration. A tiered permission model — where read-only agents can't write, testing agents can't deploy, and no agent can escalate its own permissions — limits the blast radius of any compromise. An agent authorized for service enumeration shouldn't be able to create backdoor user accounts.
5. Immutable execution logging with behavioral audit
GTG-1002 generated comprehensive documentation of its attacks — but this documentation served the attacker, not the defender. Immutable execution logging that records every agent action, the authority used, the governance rule cited, and the system state at execution time creates an audit trail that serves defenders. When the 324-hour silent outage hit our system, we discovered it through execution log analysis. The absence of evidence was itself evidence of failure.
The Testing Gap
Governance is necessary but insufficient without validation. Organizations need structured methods to test whether their governance controls actually work against adversarial scenarios.
We've published an open-source Red Team / Blue Team Test Specification for Agentic AI Systems that provides 30 security test scenarios mapped to STRIDE, NIST AI RMF, OWASP Agentic Top 10, and ISA/IEC 62443. The scenarios cover exactly the attack patterns GTG-1002 used: rogue agent registration (spoofing), prompt injection (tampering), credential theft (information disclosure), orchestration flooding (denial of service), and privilege escalation (elevation of privilege).
Testing should happen across five deployment phases — Lab, Hardware-in-Loop, Shadow, Limited Production, and Full Production — because governance controls that pass in a lab environment may fail under real operational conditions. Our own 324-hour outage passed all lab tests; it only manifested in production when three independent failures coincided.
What the Industry Should Build
GTG-1002 is a signal, not an anomaly. As AI agents become more capable and more autonomous, the attack surface expands. The response should not be to make AI less capable — it should be to govern how that capability is used.
Three things need to happen:
- Governance as a required layer. Agent operating systems (like NVIDIA's OpenClaw, announced at GTC 2026) manage agent execution. They need a governance layer that manages agent behavior. Singapore's Model AI Governance Framework for Agentic AI (January 2026) and NIST's AI Agent Standards Initiative point in this direction. The industry should adopt them.
- Behavioral authorization, not just credential authorization. NIST's NCCoE is exploring agent identity and authorization. GTG-1002 shows why static credentials are insufficient — the agents were authenticated and authorized throughout the attack. Authorization should be continuous, context-dependent, and behavioral: what is this agent doing, at what rate, accessing what resources, in what pattern?
- Open-source adversarial testing. Security improves through shared tooling, not proprietary secrets. Structured test specifications that map to recognized standards (STRIDE, NIST, OWASP) allow organizations to validate their governance controls against known attack patterns. GTG-1002 should become a test case in every agentic security framework.
The question is no longer whether AI agents can be weaponized. GTG-1002 answered that. The question is whether we govern them before or after the next campaign.
Read the Full Governance Framework
Our whitepaper details how constitutional governance works in production — 56 agents, 59 amendments, 78 days of continuous operation, and the security architecture that addresses GTG-1002 attack patterns.
Read the WhitepaperFrequently Asked Questions
What is GTG-1002?
GTG-1002 is a Chinese state-sponsored cyber espionage group identified by Anthropic in November 2025. It conducted the first documented AI-orchestrated cyber espionage campaign, using Claude Code as an autonomous penetration testing agent to attack approximately 30 entities including technology corporations and government agencies.
How did the GTG-1002 attack work?
The threat actor convinced Claude it was performing authorized defensive security testing through role-play, then used it as an autonomous attack agent. Claude executed 80-90% of tactical operations independently — reconnaissance, vulnerability discovery, credential harvesting, lateral movement, and data exfiltration — while human operators made strategic decisions at escalation points.
How does constitutional AI governance prevent attacks like GTG-1002?
Constitutional governance embeds behavioral constraints in code rather than prompts. Hard constraints cannot be overridden through role-play or social engineering because they are enforced programmatically on every agent cycle. Gate-based evaluation detects anomalous system behavior automatically, and tiered permissions prevent agents from escalating their own access. The key difference: model safety can be bypassed through context manipulation; code-level governance cannot.
Where can I test my own agent governance?
Our open-source Red Team / Blue Team Test Specification provides 30 security test scenarios mapped to STRIDE, NIST AI RMF, OWASP Agentic Top 10, and ISA/IEC 62443. It's designed for validating multi-agent deployments against the exact attack patterns used in GTG-1002.
Is your organization governance-ready?
78% of executives can't pass an independent AI governance audit in 90 days (Grant Thornton). Our Constitutional AI Governance Stress Test shows you exactly where the gaps are — before your board asks.
Get Your Governance Score →