A private company just discovered that its artificial intelligence model can crack the software protecting America's banks, power grids, and government systems — and Congress found out through a press release.

Anthropic, a San Francisco-based AI company, recently built a model called Mythos that can identify and exploit hidden flaws in the software running critical infrastructure worldwide. The company has acknowledged the threat is serious enough that it limited who can access the model. But Anthropic — not Congress, not the Department of Homeland Security, not the American public — made that call alone.

This shouldn't be legal.

When a private company builds technology powerful enough to threaten national security, elected officials need to know immediately. Not through news coverage. Not after the fact. Right away.

We're calling on Congress to pass legislation requiring AI companies to notify relevant congressional committees and federal security agencies the moment their models demonstrate the ability to compromise critical infrastructure or pose a national security threat. The decision about how to respond to dangers like this belongs to the American people — through their elected representatives — not to a corporation's leadership team.

Other countries are already scrambling to respond to Mythos. The Bank of England has raised alarms. The European Central Bank is quietly surveying banks about their defenses. America's allies are being left in the dark while a single company controls access to one of the most consequential technologies ever built.

That's not a technology problem. It's a governance problem. And Congress can fix it.