New era of compliance in the EU for large general-purpose AI models
by Jeremiasz Kuśmierz
Two years after its adoption on 01 August 2024, the European Union (EU) Artificial Intelligence Act is nearing full application, with key provisions taking effect in August 2026. Two years can feel like a decade in AI. Leading providers of general-purpose AI models, including OpenAI, Anthropic, Google, and Meta, have been racing towards increasingly capable systems.
Future-proof AI regulation framework
The AI Act was designed for precisely this kind of technological acceleration. Rather than regulating a fixed list of technologies, it adopts a risk- and objective-oriented framework intended to remain relevant as AI capabilities evolve. This is reflected in the distinction between high-risk AI systems, which are classified by their intended use, and general-purpose AI (GPAI) models with systemic risk, which are assessed on their capabilities, level of advancement and potential impact.
Two types of AI risk
A high-risk AI system may be risky because it is used in education, credit scoring, or critical infrastructure. A GPAI model with systemic risk may be risky even before its downstream use is known. It can become the foundation for many different systems and applications. In that sense, a high-risk AI system may be compared to a supersonic aircraft, whereas a GPAI model with systemic risk is more like a powerful jet engine capable of being integrated into various applications, both civilian and military.
Systemic risks in AI models
The AI Act expressly recognises that the most powerful GPAI models may generate systemic risks. These risks increase with model capabilities and model reach, and may be influenced by autonomy, access to tools, release and distribution strategies, the possibility of removing safeguards, and other factors. Importantly, the AI Act also refers to their offensive cyber capabilities, including vulnerability discovery and exploitation.
Claude Mythos as case study
Recent developments around Anthropic’s Claude Mythos show why this type of AI is becoming increasingly relevant. Anthropic describes Mythos as a general-purpose frontier model and its most capable system for coding and agentic tasks. Its strength in cybersecurity appears to stem from broader capabilities: a model that can understand and modify complex software can also find and fix vulnerabilities. It has been asserted that even users without formal security training were able to use it to detect vulnerabilities and build effective exploits.
Controlled access and security rationale
According to Anthropic, access to the model will be restricted to selected and vetted partners under Project Glasswing. Until recently, such restrictions were typically driven by commercial strategy, with more advanced models offered as premium products to paying users or strategic clients. In this case, however, Anthropic points to a different rationale: limiting access is intended to reduce the risk of misuse (particularly in cybercrime) and to give cybersecurity systems time to adapt to emerging threats.
Voluntary compliance and the AI Act
In the current legal environment, such an approach is not simply a matter of corporate responsibility. In July 2025, the General-Purpose AI (GPAI) Code of Practice was published as a voluntary tool to help providers comply with the AI Act obligations on transparency, copyright, safety, and security. The European Commission has confirmed that the Code is an adequate voluntary tool for GPAI providers to demonstrate compliance with the AI Act. Anthropic is among the listed signatories.
Practical risk mitigation measures
This is exactly what Anthropic appears to be doing with Mythos. The guidance on systemic risk mitigation suggests precisely such strategies: staged access, vetted users, API-only deployment, monitoring of misuse, and restrictions on the public release of model parameters.
From framework to enforcement
The timing of the release also matters. For much of the last two years, the AI Act was treated as a developing compliance framework, supported by emerging standards and guidance. That phase is ending. While general obligations for providers of GPAI models started applying in August 2025, the European Commission’s enforcement powers will apply from 02 August 2026, including the ability to enforce GPAI obligations with fines of up to 3% of the provider’s annual total worldwide turnover.
Trade-off: Access vs safety
Controlled access to Mythos may signal the compliance approach that other frontier model providers will soon need to adopt: delaying general public access to their most advanced systems until they are properly evaluated, monitored, and deemed safe. This shift is likely to reduce the openness that has characterised AI development in recent years. At the same time, it may be the necessary price of limiting serious risks to society, cybersecurity, and digital markets.
Jeremiasz heads the Penteris compliance department. His work spans compliance, employment, corporate, M&A, and risk management, with a particular focus on AI.
