On April 21, Sam Altman called Anthropic’s restricted distribution of Mythos “fear-based marketing” designed to “keep AI in the hands of a smaller group of people.” On May 1, OpenAI announced GPT-5.5-Cyber under restricted distribution to a handpicked group of cyber defenders. The gap between those two statements: ten days.

The Agent-First Retrain

GPT-5.5 launched April 23 as OpenAI’s first ground-up base model retrain since GPT-4.5. Every intervening 5.x version had layered post-training on the same foundation. OpenAI positions GPT-5.5 as agent-first: a system that plans, uses tools, checks its own work, and continues through ambiguity without step-by-step prompting.

On the Artificial Analysis Intelligence Index, it scored 60, three points ahead of Claude Opus 4.7 and Gemini 3.1 Pro Preview, though the composite flattens a mixed picture (Gemini placed first on three of the ten evaluations). API pricing doubled to $5 per million input tokens and $30 per million output tokens, per Fortune. OpenAI argues that GPT-5.5 generates roughly 40% fewer tokens than 5.4 on equivalent tasks, making net costs around 20% higher rather than double.

The Restricted-Access Reversal

GPT-5.5-Cyber is available only to vetted organizations through what amounts to the same “Project Glasswing” framework Altman had publicly mocked. The UK’s AI Security Institute called the model one of the strongest it has tested on cyber tasks, noting it completed one of the Institute’s multi-step attack simulations end to end. Only the second system to do so.

Altman wrote that OpenAI would “work with the entire ecosystem and the government to figure out trusted access for cyber.” That sentence could have come from Anthropic’s Mythos announcement verbatim.

The Pattern

According to AI Central’s May landscape analysis, the convergence is structural, not coincidental. Both labs are positioning for enterprise buyers who want frontier capabilities but need to demonstrate governance. Restricted access serves two functions: it creates scarcity (driving enterprise contract negotiations) and it provides regulatory cover (demonstrating “responsible deployment” to policymakers). The commercial and safety rationales are now indistinguishable.

Who Benefits

The restricted-access model favors large organizations with existing vendor relationships and compliance teams equipped to navigate access applications. Startups, independent security researchers, and smaller agent builders get pushed to general-availability tiers that are one generation behind. The question for the agent ecosystem is whether this becomes the permanent distribution model for frontier capabilities, or whether competitive pressure from open-weight alternatives (DeepSeek V4, Gemma 4) forces the labs back toward broader access.

If every frontier model ships with a restricted tier for “sensitive” use cases, the definition of “sensitive” will expand until it covers anything commercially valuable. That is the incentive gradient, and ten days is all it took for the market to prove it.