Europe is pressing frontier AI labs to show regulators what their cybersecurity models can really do. OpenAI is leaning in, while Anthropic is still being asked when oversight turns into access.
The European Commission has found a practical pressure point in the race to sell advanced AI: if a model can hunt software flaws, regulators want more than a polished safety statement. They want a look under the hood, or at least controlled access close enough to judge whether the technology is being handled responsibly.
That is why the Commission's latest comments about OpenAI and Anthropic matter. According to Reuters, Commission spokesperson Thomas Regnier said Brussels welcomed OpenAI's proactive engagement, including its intent to grant access to a new AI model, while talks with Anthropic had not yet reached the point of discussing possible access to its models. The contrast is blunt. One company is signaling that regulatory scrutiny can be part of the product rollout. The other is still in conversation.
This is not about ordinary chatbot moderation. The models at issue sit closer to cybersecurity, where the same capability that helps defenders find weak code can help attackers move faster. OpenAI has reportedly been briefing governments and vetted security users on GPT-5.4-Cyber, a defensive cybersecurity model offered on a limited basis. Anthropic has drawn attention for Mythos, a model designed to find flaws in computer code and powerful enough to worry banking and security officials.
For years, frontier AI companies have tried to reassure the market through public safety frameworks, model cards, external evaluations and carefully worded commitments. Those tools still matter, but Europe is now testing something more concrete. If a company says it can manage high-risk capabilities, regulators may increasingly expect to see the evidence before the product reaches critical customers.
That shift changes the business calculation for AI labs. Access does not mean publishing model weights or handing powerful tools to the public. In this context, it appears to mean controlled engagement with regulators or approved evaluators, giving them enough visibility to assess risks around deployment, misuse and safeguards. That is a narrower form of transparency, but it is still a meaningful concession in an industry where capability details are treated as competitive property.
OpenAI has a commercial reason to move first. Cybersecurity is a natural enterprise market for advanced reasoning models, because companies already spend heavily on threat detection, code review and incident response. A model that can find vulnerabilities before criminals do is easy to sell to banks, cloud providers and government agencies. But buyers in those sectors also care about liability, auditability and political risk. If Brussels sees OpenAI as cooperative, that posture becomes part of the product.
Anthropic faces a harder narrative problem because Mythos has become a symbol of the transparency dilemma. The company can argue that restricted access is responsible because the model is sensitive. Regulators can respond that sensitivity is exactly why they need stronger visibility. Neither side is making a trivial point. A cybersecurity model may reveal dangerous methods during evaluation, yet keeping it too closed can leave governments relying on company assurances about a tool that could affect critical infrastructure.
The EU Is Setting The Tempo
The European Commission is not acting in a vacuum. Its general purpose AI code of practice is meant to push providers toward risk assessment and mitigation, including for services that may not yet be offered in Europe. That detail matters for Anthropic, because Commission officials have previously said its cybersecurity models were not available in the EU, while still making clear that Brussels wanted to understand the risks before access becomes a market reality.
This is how voluntary cooperation can turn into a de facto requirement. No regulator has to say that a company must open every model for inspection tomorrow. The market can move there on its own once enterprise buyers, banks and public agencies start asking which vendors have been vetted and which are still negotiating. For startups building on top of frontier models, that distinction will matter. A thin wrapper around a powerful model is only as credible as the trust around the underlying system.
There is also a competitive lesson here for smaller AI companies. Performance alone is no longer enough, especially in sectors where mistakes carry regulatory, security or financial consequences. The companies that can explain their safeguards, document their evaluation process and work constructively with authorities will have an easier path into serious enterprise accounts. The companies that treat oversight as a communications problem may find that customers see it as a procurement risk.
The next question is whether Anthropic moves toward the same kind of access OpenAI is offering, and whether the Commission defines a clearer process for reviewing cyber-focused AI models. If Europe can make controlled oversight routine without forcing reckless disclosure, it may set the template for how high-risk AI is sold. If it cannot, the industry will keep facing the same uncomfortable choice: trust the lab, or slow the rollout.
Also read: An Optane home server makes trillion parameter AI feel almost practical • Meta's AI copyright fight now reaches Mark Zuckerberg personally • A Free NFT Exposed the Weak Link in AI Crypto Wallets
