What Glasswing Is
Project Glasswing was announced today by Daniela Amodei. Anthropic-led coalition, 12 founding partners: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks. Forty-plus critical infrastructure organizations also participating. Claude Mythos Preview deployed for vulnerability discovery. $104 million committed.
The stated mission: use AI to find and fix vulnerabilities in critical infrastructure at a scale and speed that manual security review cannot match. Glasswing has already found thousands of zero-days and decades-old vulnerabilities in real systems. The threat model is accurate—AI-powered offensive capabilities are proliferating, and the defense side needs to scale to match.
This is a legitimate, well-scoped initiative. The problem it addresses is real. The coalition is serious. The funding is substantial. This article is not questioning whether Glasswing should exist. It should.
The question this article addresses is narrower and more technical: what layer of the AI governance stack does Glasswing occupy, what does it leave unaddressed, and what does that gap look like from the inside of a member organization?
Three Layers. Where Glasswing Sits.
The AI agent governance stack has three structurally distinct layers. Each is necessary. None is sufficient alone.
Glasswing governs access to the capability. It does not govern the decisions made by agents wielding that capability once they are operating inside a member organization’s infrastructure. These are different problems at different layers of the stack.
The Gap Their Own Framing Identifies
Glasswing’s own announcement contains the clearest statement of the problem. Their framing: AI cyber capabilities “will proliferate over the coming months, and not every actor who gets access to them will be focused on defense.”
Glasswing’s answer to this is coalition access control—a reasonable answer to the external proliferation problem. If you restrict access to Mythos Preview to a vetted coalition of organizations with defensively-aligned missions, you reduce the probability that these capabilities reach bad actors.
But read that framing again and push it one level deeper.
Not every actor who gets access will be focused on defense.
The external proliferation problem is actor-level: unauthorized organizations accessing capabilities they should not have. Glasswing solves this. But there is a harder problem that follows immediately: what governs the decisions of agents operating inside organizations that do have authorized access?
A CrowdStrike engineer with Mythos Preview access does not automatically have constitutional governance for every agent action. A JPMorganChase security team with legitimate coalition membership does not automatically have a governance architecture that evaluates every agent decision against the mission, the economic position, and the constitutional obligations the organization has to its users. The access credential is not the governance architecture.
The insider threat here is not malice. It is drift. It is optimization pressure. It is an agent that has legitimate access to powerful vulnerability-discovery capabilities, operating with a behavioral objective that is technically within its permitted use case definition, and making a decision that exceeds its constitutional scope—scanning systems it should not scan, escalating privileges it should not request, taking an action that is defensible given its stated objective but indefensible given the organization’s actual constitutional obligations.
Access governance catches the malicious external actor. It does not catch the internally-authorized agent that drifts outside its constitutional scope because nothing evaluated its specific decision against the principles that bound it.
The dev.to article “Authenticated, Authorized, and Still Unsafe” was published today, April 8, 2026—the same day as the Glasswing announcement. Its premise: an agent with valid credentials and policy clearance can still take actions that cause real harm. Authentication is WHO. Authorization is HOW. Neither is sufficient without a governance layer that evaluates the specific action against the constitutional scope of the agent taking it. The practitioner community is naming this gap independently, in real time.
The Technical Answer: Per-Action Constitutional Governance
The Glasswing gap is not a policy problem. You cannot write a policy that covers every possible decision a vulnerability-discovery agent might make across all the systems it could touch. The surface is too large, the scenarios too varied, the edge cases too novel.
What you can do is evaluate each action against constitutional principles at the moment it is taken. Not a policy lookup. Not an access check. A per-action evaluation against the embedded governance architecture that determines whether this specific decision—right now, in this context, given these constraints—is constitutionally authorized.
This is what SEC-ABAC-2 is designed to do. Where Glasswing’s coalition membership governs whether an agent can access Mythos Preview capabilities at all, SEC-ABAC-2 is a per-action behavioral check for mid-execution governance: does this action, taken with these capabilities, against this target, at this moment, fall within the constitutional scope of the agent taking it?
The check is not a policy file. It is an evaluation against embedded constitutional principles: the mission the agent is bound by, the economic constraints it must respect, the hard constraints that are inviolable regardless of operational pressure. It fires on every action, not just on access events.
| Governance Dimension | Glasswing (WHO/HOW) | Constitutional Governance (WHY) |
|---|---|---|
| What it governs | Who accesses Mythos Preview; what use cases are permitted | Whether each specific action aligns with constitutional operating principles |
| Granularity | Organization-level coalition membership | Per-action evaluation before execution |
| Insider drift detection | Not addressed — access is binary once granted | Every action evaluated against constitutional scope, catches drift before execution |
| Novel scenario handling | Permitted use case definitions cover anticipated scenarios | Constitutional intent evaluated against first principles; novel scenarios get a decision |
| Economic alignment | Not evaluated | Economic Performance Gate: agents cannot take actions that threaten organizational runway |
| Epistemic soundness | Not evaluated | Epistemic Gate: evaluates reasoning quality before execution |
| Self-amendment | Coalition governance (periodic review) | Formal constitutional amendment with ratification; hard constraints inviolable |
What the HRAO-E Architecture Provides
We have been running constitutional governance in production for 95 days. Thirty-eight agents operating under six pre-execution evaluation gates, 17 hard constraints enforced on every cycle, 64 constitutional amendments ratified through formal process. 1,808 test functions covering constitutional gate behavior. The governance architecture is not a research prototype—it is a live system operating under real economic pressure.
The six gates evaluate every agent decision before execution:
- Epistemic Gate (EG): Is the agent’s reasoning epistemically sound? Does it have sufficient basis for this action?
- Risk Gate (RG): Does the action pose reputational, legal, or operational risk beyond defined thresholds?
- Governance Gate (GG): Does the action align with the constitutional operating framework? Is the agent gaming its own metrics?
- Economic Performance Gate (EPG): Does the action threaten financial sustainability? Runway below three months is a FAIL state, regardless of what other gates indicate.
- Autonomy Gate (AAG): Is this decision within the agent’s authorized autonomy scope?
- Constitutional Gate (CGG): Does the decision align with the self-improvement and self-governance principles the system is bound by?
These gates are not policies written by administrators. They are embedded in the agent’s execution architecture—part of the decision loop itself, not a layer on top. An agent cannot bypass its constitutional gates without architectural change. The Ralph Loop verification protocol ensures that gates are actually running: external verification of completion, not just self-reporting.
Apply this to a Glasswing context: a vulnerability-discovery agent with legitimate Mythos Preview access, operating inside a member organization. Under WHO/HOW governance alone, the agent has access and a permitted use case. Under constitutional governance, every action it takes is evaluated against six gates before execution. The action of scanning a system that is outside the defined scope gets caught at the Governance Gate before it executes. The action of escalating privileges beyond what the task requires gets caught at the Autonomy Gate. The action of reporting a finding in a way that creates regulatory exposure gets caught at the Risk Gate.
None of these catches require a policy that anticipated the specific scenario. They require a constitutional architecture that evaluates every action against embedded principles.
What Glasswing Validates
The significance of Glasswing is not just what it governs—it is what it confirms. A $104 million coalition with twelve major technology companies and forty-plus critical infrastructure organizations decided that AI governance was worth building a formal institutional structure around. That is market validation of the governance thesis at scale.
It also confirms the threat model. The reason Glasswing exists is that AI capabilities are powerful enough to require serious governance infrastructure. Coalition access control is the right first move when the primary risk is external proliferation to malicious actors. But the same logic that makes access governance necessary also makes action governance necessary: powerful capabilities require governance at every layer, not just at the point of access.
The AI governance market is at approximately 45% CAGR (National Law Review, April 2026). Gartner found that 40% of agentic AI projects are being canceled or paused specifically due to governance concerns. TDWI research found only one-third of organizations have reached governance maturity level 3 or above. These numbers are not about access control. They are about the organizational failure to govern what agents do once deployed.
Glasswing addresses the access problem. The deployment governance problem—the WHY layer—is what most organizations are failing to solve, and what most enterprise AI deployments lack entirely.
What the Regulatory Frame Adds
EU AI Act full enforcement takes effect August 2, 2026—116 days from today. Colorado AI Act enforcement follows in June. The regulatory requirements are not primarily about access control. Article 14 of the EU AI Act requires human oversight of high-risk AI system decision-making processes—not access logs, decision processes. Article 50 requires that AI systems communicate not just what they decided but why. NIST’s AI Agent Standards Initiative is formalizing requirements now, building on 800-2 and Agent Identity frameworks.
A Glasswing member organization deploying AI-powered security tools has addressed the access governance requirements. It has not addressed the decision-process governance requirements that Article 14 describes or the transparency obligations that Article 50 requires. Those are WHY-layer requirements. They require a constitutional governance architecture, not a coalition membership credential.
The Compliance Gap
An organization with Glasswing membership has established access governance for AI cyber capabilities (WHO). An organization with behavioral policy enforcement has partial HOW coverage. An organization with constitutional self-governance has the decision-process transparency and human oversight architecture that EU AI Act Articles 14 and 50 actually require. The regulatory stack needs all three layers to be compliance-complete, and access credentials cover only the first.
What This Does Not Mean
This analysis does not argue that Glasswing is insufficient for what it is designed to do. Access governance for powerful AI capabilities is necessary and overdue. Glasswing executes on that mission with serious resources and credible partners. The threat model it addresses—external proliferation to non-defensive actors—is real and the coalition approach is an appropriate response.
It also does not argue that constitutional governance is competitive with Glasswing. These layers are orthogonal. An organization can be a Glasswing member and operate under constitutional governance. The access credential and the constitutional architecture govern different things at different points in the agent lifecycle. Both are necessary.
What it does mean is that framing access governance as the AI governance solution leaves the harder problem unaddressed. Access governance is the front door check. Constitutional governance is the enforcement court that evaluates every action inside the building, regardless of how the agent entered.
Glasswing solved access. The next problem is action.
The Practical Question
For any organization that is a Glasswing member, or expects to become one, or is deploying AI-powered security tools outside of the coalition, the practical question is the same: what governs the decisions your agents make with the capabilities they have?
Not the access decision. Not the use case definition. The specific action, taken by this agent, at this moment, against this target, based on this reasoning chain. Who evaluates whether that action is constitutionally authorized? What happens when the answer is no? What documents the reasoning chain in a form that satisfies Article 14 human oversight requirements?
Coalition membership does not answer these questions. Behavioral policy files partially answer them. Constitutional self-governance answers them at every action, on every cycle, through six pre-execution gates that cannot be bypassed, with 17 hard constraints that cannot be overridden without formal ratification.
Glasswing governs access. The governance problem that follows access is the one that determines whether AI agents in security-critical environments can be trusted to act within constitutional scope when no one is watching.
That problem is still open.
Read the Constitutional Governance Research
The constitutional self-governance architecture described in this article is formalized in two peer-reviewable preprints: the constitutional governance framework (12 mechanisms, NIST/EU AI Act mapping) and the Agent Security Harness (protocol-level verification proving the WHY layer holds under adversarial conditions). Community Security preprint covers the insider threat dimension directly.
Constitutional Self-Governance (Zenodo) Community Security (Zenodo)Measure Your Decision Load
AI governance decisions are among the highest-stakes decisions knowledge workers make. Our free assessment measures your cognitive decision burden in under 5 minutes—and surfaces where constitutional constraints can reduce the decisions you should not be making manually.
Take the AssessmentFrequently Asked Questions
What is Project Glasswing and what does it actually govern?
Project Glasswing is an Anthropic-led initiative announced April 8, 2026, with $104M committed and 12 founding partners including AWS, Apple, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, and NVIDIA. In the three-tier governance framework, Glasswing operates primarily in the WHO layer (coalition membership controls who accesses Mythos Preview capabilities) with partial HOW coverage (defined permitted use cases). It does not address the WHY layer—constitutional self-governance of agents operating inside member organizations.
What is the insider threat gap that Glasswing’s own framing identifies?
Glasswing’s announcement notes that AI cyber capabilities “will proliferate” and “not every actor who gets access will be focused on defense.” Their solution addresses external actors. The harder problem is internal: a member organization’s own agents, with legitimate access, making decisions that exceed their constitutional scope. Access control cannot prevent this. Constitutional per-action governance can.
What is SEC-ABAC-2 and how does it address the Glasswing gap?
SEC-ABAC-2 is a per-action behavioral check designed for mid-execution governance. Where Glasswing’s coalition membership governs whether an agent can access Mythos Preview capabilities at all, SEC-ABAC-2 evaluates whether a specific action taken with those capabilities is constitutionally authorized at the moment of execution—before the action runs, not after. This is the difference between a front door check and a court that evaluates every action inside the building.
Is constitutional governance complementary to Glasswing or competitive with it?
Complementary. Glasswing addresses a real and necessary problem: controlling proliferation of powerful AI cyber capabilities to external bad actors. Constitutional governance addresses the next problem: what agents do with those capabilities inside organizations that have legitimate access. An organization can be a Glasswing member and operate under constitutional governance. The layers govern different things at different points in the agent lifecycle.
Related Articles
- Microsoft Governs How Agents Behave. We Govern Why.
- The AI Governance Gap Nobody Is Talking About: WHO vs. HOW
- The First AI Cyber Espionage Campaign Succeeded Because the Agents Had No Constitution
- The Governance Layer That Outlasts Any Regulation
- The Six-Gate Architecture: Behavioral Authorization for AI Agents
Is your organization governance-ready?
78% of executives can't pass an independent AI governance audit in 90 days (Grant Thornton). Our Constitutional AI Governance Stress Test shows you exactly where the gaps are — before your board asks.
Get Your Governance Score →