Anthropic and Industry Partners Launch Akrites for AI-Era Open Source Security

June 29, 2026 | News

Anthropic and a group of major technology, cloud, finance, and security organizations have launched Akrites, a new open source security coordination body designed for the AI era.

Hosted under the Linux Foundation, Akrites is meant to handle vulnerability discovery, remediation, and disclosure for critical open source software. The launch arrives shortly after US authorities suspended access to Anthropic's Fable 5 and Mythos 5 models, underscoring how quickly AI-assisted vulnerability discovery has become a policy and infrastructure issue.

The founding group includes roughly 20 organizations across AI labs, cloud providers, software vendors, banks, telecoms, and security companies. Participants include Anthropic, AWS, Google, Microsoft, GitHub, OpenAI, Cisco, Red Hat, NVIDIA, Chainguard, Sonatype, Ericsson, Vodafone, Citi, and JPMorganChase.

Why Open Source Security Needs a New Coordination Layer

Open source security has traditionally depended on a loose network of maintainers, researchers, vendors, and security teams. That model worked reasonably well when discovering serious vulnerabilities required specialized manual effort and long investigation cycles.

AI changes the tempo. Frontier models can scan large codebases, correlate patterns, and surface multiple plausible vulnerabilities far faster than traditional review processes. That is useful for defenders, but it also increases pressure on maintainers who may suddenly receive duplicate reports from many organizations at once.

The risk is not just inbox overload. If several companies independently discover the same flaw and keep it in separate queues, more people know about an unpatched vulnerability before a fix exists. That widens the window for leaks, confusion, and inconsistent disclosure.

Akrites is designed to reduce that fragmentation. Instead of every organization sending separate findings to maintainers, the new body will coordinate reports, validate which issues are real, and help move fixes upstream through a more predictable process.

Patch First, Publish Second

The core operating model centers on a shared Security Incident Response Team. The team acts as a single coordination point for vulnerability intake, validation, remediation, and disclosure.

When a vulnerability is found, Akrites can consolidate duplicate findings, determine whether the issue is exploitable, and work with maintainers on a proposed fix. The process is expected to use established security standards such as CVE identifiers and CVSS scoring while keeping sensitive details confidential until a patch is ready.

That “patch first, publish second” model matters because AI compresses the time between discovery and potential exploitation. If discovery becomes near-instant but patching remains slow and fragmented, attackers benefit from the imbalance.

For open source maintainers, the promise is a cleaner signal: fewer duplicate reports, better-tested fixes, and one trusted coordination path instead of a flood of competing disclosures.

A Response to AI-Powered Vulnerability Discovery

Akrites is also a sign that the industry expects AI-assisted vulnerability research to become normal, not exceptional. The same class of models that can help security teams find weaknesses in major projects can also be misused to accelerate offensive work.

That tension was visible in the suspension of Anthropic's Fable 5 and Mythos 5 access. These models were positioned as advanced systems for cybersecurity work, but concerns about misuse quickly pushed them into the center of the export-control and AI safety debate.

The broader lesson is that model capability is only one part of the problem. Once AI makes vulnerability discovery faster, the bottleneck shifts to coordination, triage, patch development, and deployment. Akrites is aimed squarely at that downstream bottleneck.

How Akrites Will Be Structured

The initiative will be open to different kinds of participants. Critical infrastructure operators and major vendors can join at a higher commitment level, while other organizations can contribute without the same engineering burden. Open source foundations and projects are expected to have a no-cost participation path.

Seed funding is tied to Alpha-Omega, an Open Source Security Foundation project under the Linux Foundation. That connection gives Akrites a base inside the existing open source security ecosystem rather than starting as a standalone industry consortium.

The structure suggests a practical goal: make vulnerability coordination less dependent on ad hoc relationships and more like shared infrastructure for the software supply chain.

What This Means for AI and Software Teams

For engineering teams, Akrites is another signal that AI security is moving beyond model evaluations and red-team demos. The operational question is becoming: what happens after AI finds the flaw?

Organizations using AI for code review, dependency scanning, or security research should think carefully about disclosure workflows, maintainer burden, and patch delivery. Finding more vulnerabilities is not enough if the fix pipeline cannot absorb them.

The same principle applies to enterprise AI governance. Teams should treat AI-assisted security tools as part of a full remediation system, not just as scanners. That includes clear ownership, exploitability validation, coordinated disclosure, and deployment tracking.
