In early 2026, an AI model found a vulnerability in OpenBSD that had been sitting in the codebase, undetected, for 27 years. It found it overnight. Without human assistance. Without a specialist security researcher involved in the analysis.

The model was Claude Mythos Preview, developed by Anthropic. And this wasn't an isolated finding.

What the research actually showed

Anthropic published technical research in April 2026 describing what Mythos is capable of in the area of vulnerability discovery. Given access to software, the model can autonomously identify and develop working exploits for zero-day vulnerabilities across major operating systems, browsers, and closed-source enterprise software.

The scale is the part that matters. This isn't a model that occasionally replicates what a human researcher does. Mythos found thousands of severe security flaws. The researchers who tested it described pointing the model at software overnight and waking up to working exploits.

The findings were significant enough that Anthropic has since been asked to brief the Financial Stability Board - the global coordinating body for G20 finance ministries and central banks - on the systemic implications. The IMF has separately described this class of AI capability as a potential trigger for a "macro-financial shock." These are not the reactions you'd expect to routine security research.

Why closed-source enterprise software is particularly exposed

Open-source software benefits from a form of distributed security scrutiny that closed-source software doesn't. Researchers, developers, and security professionals can inspect the code directly, and findings often surface through coordinated disclosure programmes before they're weaponised.

Closed-source enterprise software doesn't have this. Historically, the opacity of the codebase provided a measure of protection through obscurity - it's hard to find vulnerabilities in code you can't see. AI models that can analyse compiled binaries and infer code structure change that calculus. The obscurity that historically provided incidental protection no longer does.

The OpenText-specific exposure

For OpenText customers, there are two layers to consider.

The first is unsupported product versions. When an OpenText product version falls outside active support, security patches cease permanently. Any vulnerability found in that version - by any means - represents permanent exposure. The patch window doesn't narrow; it closes.

The second is the compliance-patch link. OpenText's support framework conditions patch access on active licence compliance. Customers who are non-compliant may find that patch access is restricted at renewal - meaning they're in effectively the same position as unsupported users, even on current product versions, without necessarily knowing it.

What this means practically

A licence review isn't just about avoiding an audit bill. It's about understanding whether your software estate is in a position to be defended when a vulnerability is found in a product you're running.

If something is found tomorrow in a product you use, can you get the patch? That question has a specific answer that depends on your current compliance status and support entitlements. A review tells you what that answer is - and, if it's the wrong answer, what it takes to change it.

The threat landscape changed in 2026. Whether licence reviews are a routine part of your IT governance should change with it.