A bipartisan group of House lawmakers is urging the White House Office of the National Cyber Director (ONCD) to develop a federal-industry strategy for handling what they say could soon be a flood of software vulnerabilities discovered by advanced artificial intelligence (AI) systems.
In a May 13 letter to National Cyber Director Sean Cairncross, the group of 35 House members led by Reps. Bob Latta, R-Ohio, and Doris Matsui, D-Calif., asked ONCD to convene government agencies and private-sector stakeholders to prepare for “a large increase in vulnerability disclosures discovered by advanced artificial intelligence (AI) systems.”
The lawmakers said the immediate catalyst for the request was Anthropic’s recently announced Claude Mythos Preview. The company said Mythos uncovered thousands of high-severity zero-day vulnerabilities in every major operating system and web browser, many of which had eluded years of human review and automated testing.
According to the lawmakers, more than 99% of those vulnerabilities remained unpatched as of Anthropic’s April 7 announcement.
“America’s adversaries are not waiting for us to figure this out,” Latta said in a statement released with the letter, adding, “If AI can find serious vulnerabilities in widely used software, China and other bad actors will look for ways to use similar tools against us.”
“We need to make sure trusted American defenders have the coordination, access, and support required to stay ahead,” the congressman said.
Matsui said AI offers a powerful new capability for cyber defense, but only if government and industry can respond quickly enough to validate findings and deploy fixes.
“Advanced AI is rapidly changing the cybersecurity landscape,” she said. “These tools have enormous potential to help us find and fix dangerous software vulnerabilities before our adversaries use them against us, but we must prepare now.”
“We need a coordinated strategy that brings the federal government, industry and trusted defenders together to manage disclosures, speed up patching and protect the systems Americans rely on every day, from hospitals and banks to utilities, schools and basic communications,” she said.
In the letter, the lawmakers warned that frontier AI systems can “discover, analyze, and exploit software vulnerabilities at a scale that existing public and private processes are not equipped to handle.” They said AI can help defenders uncover serious flaws, but “the corresponding disclosure, validation, patching, and deployment efforts may struggle to keep pace.”
The lawmakers asked ONCD to coordinate with the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology and its Center for AI Standards and Innovation, and the Office of Management and Budget to develop a plan for receiving, verifying, deduplicating, and prioritizing large volumes of AI-generated vulnerability reports while protecting sensitive exploit information and coordinating responsible disclosure.
They also asked the Trump administration to assess existing efforts to identify critical software dependencies; support software vendors, open-source maintainers, and infrastructure operators in finding and fixing vulnerabilities; and assist critical infrastructure owners in deploying and verifying patches, particularly where legacy systems and staffing shortages slow remediation.
Another major request from the lawmakers is for a framework to govern highly sensitive dual-use findings. These include exploit code, vulnerability chains, and cyber and CBRN [chemical, biological, radiological, and nuclear]-related discoveries, determining what information can be made public, what should be shared only with trusted defenders, and what should remain restricted within government channels.
The lawmakers further called for a voluntary trusted-access framework under which leading AI developers would provide early access to advanced models for vetted defenders, software companies, and security organizations.
They also proposed a formal process for monitoring sudden jumps in frontier AI capabilities and for planning contingencies such as model theft, unauthorized access, and adversarial distillation by foreign competitors.
The letter further requests that ONCD identify any legal, liability, antitrust, or confidentiality barriers that could impede cooperation among AI developers, software vendors, open-source maintainers, and federal agencies. It also asks the office to recommend any statutory changes Congress should consider to improve information sharing and support trusted defenders.
The lawmakers requested a staff-level briefing within 30 days and a written response within 45 days outlining the administration’s plan, the agencies responsible for implementation, a timeline for an initial federal-industry convening, and any additional legislation needed.