By Jen Evans, Principal, Pattern Pulse AI; co-founder, Tech Reset Canada; publisher, B2BNN

Paper 7 in the “Whose AI Runs the Government?” series.

Anthropic announced Project Glasswing on April 8, 2026 with a fact most of the coverage absorbed and moved past. The frontier model anchoring the project, Claude Mythos Preview, is gated specifically because Anthropic considers it too dangerous to release. In Anthropic’s own framing, Mythos-class capabilities will proliferate to actors not committed to deploying them safely, and the window before that happens is measured in roughly two years. The model that found thousands of zero-days across every major operating system and web browser in pre-announcement testing is the same capability that will reach hostile actors within that window. Glasswing is not a defensive AI fighting a separate offensive AI. It is the temporary defensive deployment of an offensive capability whose release date has been disclosed by the company that built it.

Industry practitioners working on grid-edge security are reading the same curve as a 12 to 18 month window of maximum exposure for North American grid infrastructure. The two timelines describe one event from two angles: the moment Mythos-class capability reaches actors who intend to use it against critical infrastructure. The architectural question for Canada is what defensive AI runs on Canadian compute on the day that happens, and the current answer is none.

The architectural exposure analyzed here extends beyond electricity. The same pattern of deterministic edge controllers, foreign-vendor security tooling, and foreign-owned compute recurs across water and wastewater systems, transit and rail networks, telecommunications, pipelines, and dam controls. Each is named, in some form, in Bill C-8’s vital systems schedule. This paper takes the electricity grid as its case for three reasons: the cascade physics are the fastest documented (the Iberian event resolved in 30 seconds), the Canada-US grid is the most deeply integrated cross-border critical infrastructure North America operates, and C-8 names interprovincial and international power line systems explicitly. The framework applies to the other vital systems with adjustments for the cascade dynamics and jurisdictional structures specific to each.

One Capability, Two Deployment Windows

The convergence between Anthropic’s published proliferation horizon and the practitioner read on grid attack windows is not coincidence. Both describe the same capability curve. Anthropic published the offensive curve to justify the defensive coalition. Industry reads the same curve in the specific case of grid edge controllers without adequate cyber defenses against the agentic adversary the curve produces.

The defender’s deployment window opened on April 8, 2026 with controlled access to Mythos Preview for Glasswing partners. The attacker’s deployment window will open within roughly 24 months as comparable capability becomes available outside the coalition. The attacker’s deployment requires no coalition, no $100 million credit allocation, and no contractual gating. It requires only the capability, which other frontier labs are advancing on similar curves and which Anthropic itself has said will proliferate.

For Canadian grid infrastructure, the timing question reduces to two facts. Canadian utilities have no domestic Mythos-class capability available for defensive deployment today. No public Canadian program comparable to Glasswing exists. When the proliferation window closes, Canadian utilities will be defending against Mythos-class adversaries with deterministic controllers and whatever foreign-vendor security tooling they have procured under existing rules. (Note: Access to Mythos is still tightly restricted so this assessment is based on public statements by Anthropic and those companies whose software has been assessed to date).

(This paper extends the architecture established in Paper 1 on the Sovereign AI Maturity Model, Paper 2 on the inverted AI bubble, Paper 3 on dependency triggers and cost layers, Paper 4 on Palantir exposure, Paper 5 on safety drift, and Paper 6, the May 2026 update on architecture restructuring across technology, funding, partnerships, and labour. The grid is the case where the cascade from AI sovereignty to data center sovereignty becomes the cascade to electricity sovereignty.)

The Iberian Demonstration

On April 28, 2025 at 12:33 CEST, the Iberian Peninsula went dark. A 47.7 millihertz frequency drop registered in 100 milliseconds. The full cascade unfolded in approximately 30 seconds. Forty-seven million people across Spain, Portugal, and a strip of southern France lost power. Restoration took roughly ten hours.

The technical lesson is the speed. The cascade window is short enough that human decision-making cannot intervene in time. By the time an operator sees the disturbance, the system has already crossed the threshold the operator was watching for. A hostile actor with a working exploit chain would not need to defeat human reaction time. The reaction time is already too long.

AI is already embedded in North American grid operations at scale. Itron’s 2025 Resourcefulness Report found that 41 percent of North American utilities have fully integrated AI, data analytics, and grid edge intelligence into their operations, ahead of their own five-year projections. National Grid Partners surveyed utilities in late 2025 and found a further 42 percent planning targeted AI deployments over the next two years. Current applications include outage and storm forecasting, predictive maintenance, distributed energy resource management, congestion and voltage management, interconnection studies, and field workforce coordination. PJM Interconnection, the largest regional transmission organization in the United States, has announced AI tooling to streamline interconnection studies and planning workflows. The deployment is overwhelmingly third-party: major systems integrators including Accenture, Capgemini, Deloitte, IBM, Infosys, TCS, and Wipro lead the North American utility AI services market. The grid is already running AI it does not own, did not build, and cannot easily replace.

The Threat Anthropic Disclosed

Mythos Preview is the public artifact of a capability shift. Anthropic’s Frontier Red Team published the model’s findings against critical software in pre-announcement testing: thousands of high-severity zero-day vulnerabilities, including a previously unknown flaw in OpenBSD that had survived 27 years of expert human review. The model can chain independent bugs into working exploit sequences that bypass renderer and OS sandboxing autonomously. According to Anthropic’s own characterization, Mythos surpasses all but the most skilled human security experts at finding and exploiting software vulnerabilities.

Anthropic has explicitly declined to release the model generally. The reason given is the offensive cybersecurity capability of the model itself. The Glasswing coalition gives twelve launch partners and more than 40 additional organizations gated access at $25 per million input tokens and $125 per million output tokens, distributed via the Claude API, Amazon Bedrock, Google Cloud Vertex AI, and Microsoft Foundry. The defensive deployment is the controlled use of a capability whose general release Anthropic has determined is unsafe.

The published proliferation framing is direct. Mythos Preview-class capabilities will eventually proliferate, including to actors not committed to deploying them safely. The work of defending the world’s cyber infrastructure might take years. Frontier AI capabilities are likely to advance substantially over just the next few months. Reporting on Anthropic’s broader assessment, including the security guidance published alongside Glasswing, places the proliferation horizon at within two years.

One disclosed metric carries the weight of the analytical case. Fewer than 1 percent of the vulnerabilities found by Mythos had been patched at the time of the announcement, on Anthropic’s own reporting. Discovery is running ahead of remediation by roughly two orders of magnitude. The defender who has Mythos can find the vulnerabilities. The defender who has Mythos and the patching capacity to act on them is rarer than the model itself.

The Grid Edge as the Target

Laszlo Lakatos-Hayward, an industry practitioner working on grid-edge AI security, frames the structural exposure on the receiving side. Nodes in the North American grid today are vulnerable to a sophisticated rogue-agent attack. The controllers running grid edge equipment are deterministic. They lack cyber security capabilities adequate against a sophisticated attacker. His operational read of the next 12 to 18 months is that an attack on North American grid infrastructure with some degree of success is a foregone conclusion.

The “sophisticated attacker” in Lakatos-Hayward’s framing is the same agent Anthropic is describing in its proliferation window. A deterministic controller cannot recognize an agentic adversary. It executes the instructions it receives if they pass syntactic validation. A Mythos-class agent operating against grid edge equipment would find the implementation flaws Mythos has already found in widely deployed software, chain them into working exploits at machine speed, and propagate across the deterministic substrate before any human-readable signal reached an operator.

The defensive response Lakatos-Hayward describes has three components. First, unique local decision-making at the edge with strong cyber security functionality, so each node can detect and refuse instructions consistent with rogue-agent behavior. Second, federated learning that uses a sovereign data center for aggregation and long-term learning, so the edge nodes improve from collective experience without centralizing telemetry in a foreign jurisdiction. Third, protection of the IP behind the grid edge operating system itself, because the OS is the asset whose compromise propagates to every node running it.

The conclusion compresses to one sentence. Without a sovereign data center stack, there is no sovereign electricity grid. The defense against a Mythos-class adversary is itself a Mythos-class capability deployed at the edge with sovereign aggregation behind it. Canada does not have the compute layer that capability would run on. The sophisticated attacker could be a hacker or it could be a rogue state, or even more likely a complex combination and permutation of the two.

The Dependency Triggers Applied to the Grid

Paper 3 established four dependency triggers: ownership, pricing, security and operational temperature, and capability degradation. Defensive AI deployed on foreign-controlled compute exposes Canadian critical infrastructure on all four, across the layers that make up the grid AI stack: the security software running on grid operations technology, the AI capability used for vulnerability discovery and edge decision-making, the compute infrastructure those models run on, the legal jurisdiction governing the data and the models, and the grid telemetry itself. Each layer is a sovereignty decision. Each is currently being made by procurement default.

Ownership exposure is the foreign control of both the model layer and the compute layer. A change in vendor ownership, in capital structure, or in regulatory posture in the home jurisdiction can change the terms under which Canadian utilities access the defensive capability they depend on. Anthropic is reportedly evaluating an IPO as early as October 2026. Post-IPO governance, shareholder pressure, and acquisition exposure are all material to the durability of the Glasswing terms Canadian-adjacent organizations may now be relying on.

Pricing exposure is the token-based pricing of the model itself. At $25 per million input tokens and $125 per million output tokens, sustained operational use at utility scale becomes a budget line item subject to vendor pricing decisions. The CoreWeave debt position documented in Paper 6 shows what happens when the infrastructure layer is repricing under capital stress. Glasswing-class defensive AI sits on the same infrastructure layer.

Security and operational temperature exposure is the most acute trigger in this case. During a national security event affecting Canadian grid infrastructure, the Canadian government’s access to defensive AI capability would be governed by the policies of the US-headquartered vendor and, in the limit, by US executive decisions about export, access, or model availability. The current architecture has no Canadian fallback at the model layer.

Capability degradation exposure is the risk that the defensive model is updated, replaced, or restricted in a way that reduces its effectiveness against the threats Canadian utilities are facing. Mythos Preview is explicitly an interim research artifact. The successor model’s capability profile, availability, and pricing are vendor decisions. The utilities depending on the current capability have no contractual instrument that travels to the next model.

Compute and jurisdiction sit underneath all four triggers. Mythos Preview is being delivered through AWS Bedrock, Google Vertex, Microsoft Foundry, and the Claude API. Each runs on US-owned hyperscale infrastructure subject to the CLOUD Act. Vulnerability findings from a Canadian utility processed on a US-owned compute platform are accessible to US authorities under existing legal authorities. Whether that access is exercised is a policy question. Whether the access exists is a contractual and architectural fact.

The Canadian Stack

The Canada-US grid operates as an integrated synchronous system under NERC reliability standards. A cascading event on either side of the border propagates across it. The August 2003 Northeast blackout, which originated in Ohio and propagated to Ontario, Québec, and the US Northeast within minutes, is the historical case the entire reliability framework is built to prevent from recurring. The same physics governs an AI-driven attack scenario.

Bill C-8, which replaces Bill C-26 after the predecessor died on the order paper at the end of the previous Parliament, passed Third Reading in the House of Commons on March 26, 2026 and is now before the Senate. It enacts the Critical Cyber Systems Protection Act, which names interprovincial and international power line systems explicitly as vital systems and gives the federal government authority to direct designated operators on cybersecurity practices upon Royal Assent. The grid is named in the statute. The AI infrastructure that defends it is not.

Provincial utilities, including IESO, AESO, BC Hydro, Hydro-Québec, Manitoba Hydro, and SaskPower, operate under provincial jurisdiction. Each is making procurement decisions about AI tooling for grid operations under existing rules that predate the sovereignty framework Paper 3 proposed. The provincial sovereignty backstop named in Paper 3 was developed for health records. The same instrument applies, with even higher stakes, to grid AI.

The compute layer that would host Canadian grid-defensive AI is the layer documented in Paper 6: the Cambridge data centre operated by CoreWeave, Bell’s Saskatchewan facility built around CoreWeave and Cerebras compute, and the Canadian-headquartered Cohere now merging with Aleph Alpha and absorbing $600 million in German capital. The publicly mappable Canadian sovereign compute footprint runs on US-owned infrastructure with documented debt exposure and a recapitalized model layer answering to a German lead investor. A Canadian utility that wants to deploy Mythos-class defensive AI today will procure it from a US vendor, run it on US-owned compute, and accept jurisdictional terms it does not control.

The Sovereign Data Center Stack

Lakatos-Hayward’s framing returns at this point with sharper force. Without a sovereign data center stack, there is no sovereign federated learning. Without sovereign federated learning, there is no sovereign grid edge AI. Without sovereign grid edge AI, the deterministic controllers stay vulnerable to the agentic adversary Anthropic has now publicly characterized. The cascading dependency is one-directional. Each layer depends on the layer beneath it. The compute layer is the foundation.

The IP layer is the second-order point. The grid edge operating system itself is an asset that requires protection. If the OS is developed and maintained outside Canadian jurisdiction, the IP travels with the developer’s home country, the patch cycle answers to the developer’s regulatory environment, and the supply chain for grid edge intelligence is governed by another country’s industrial policy. The same logic that applies to compute applies to the OS that orchestrates the edge nodes.

The federated learning architecture closes the loop. Each node trains locally on its own telemetry. The aggregated model is built in the data center. The aggregated model is then redistributed to the edge. If the aggregation runs on foreign compute, the model that defends every Canadian grid node was trained, in effect, in another country. Sovereign aggregation requires sovereign compute. Sovereign compute requires the data center stack Canada has not yet built. The grid fails at control-system speed. Not at committee speed.

The CUSMA Window

CUSMA Article 19.12 prohibits any Party from requiring a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business. Article 19.16 prohibits requiring transfer of or access to source code as a condition of import or use. Together, the digital trade chapter constrains the most direct policy instruments through which Canada could mandate domestic compute or model transparency for grid-defensive AI in privately operated utilities.

Article 32.2 preserves a national security exception that permits a Party to take action it considers necessary for the protection of its essential security interests. The grid case is the strongest available argument for invoking this exception in the AI sovereignty context. Critical infrastructure protection, NERC reliability standards already operating cross-border, and the explicit cyber-defense framing of Bill C-8 give Canada a defensible national security predicate. The same predicate is harder to construct for general AI procurement. Grid-defensive AI is the case where the exception holds with the least argumentative reach.

The structured review is itself partly bypassed. As of late April 2026, US negotiations with Canada and Mexico are running on separate bilateral tracks, with Mexico at the table and Canada treated separately. Deputy USTR Rick Switzer’s public characterization of Canadian leadership and USTR Jamieson Greer’s congressional testimony naming Canada and the People’s Republic of China as the two countries that retaliated economically against the United States in the past year are the visible surface of a procedural shift. The trilateral review framework still exists on paper. The decisions that determine its scope are being made elsewhere.

The political reception space for the argument has narrowed in the past month. A Canadian invocation of Article 32.2 now lands in a US political environment where the public framing positions Canada as an economic adversary alongside the People’s Republic of China. The exception holds on the merits. The diplomatic cost of invoking it has risen. Canadian policy work on grid AI sovereignty has to account for both the legal availability of the predicate and the negotiating environment in which it would be exercised.

The six-year joint review of CUSMA opens July 1, 2026. The review is the structured opportunity for Parties to raise concerns, propose amendments, and put markers down on the interpretation of disputed provisions. Canada’s position on grid-defensive AI sovereignty is one of the questions the review will absorb whether Canada raises it explicitly or not. Bill C-8’s authority to direct telecommunications service providers to remove specified products from their networks is itself a CUSMA-relevant provision whose exposure has not been tested. The bilateral track is already setting the default. A Canadian position on sovereign compute for critical infrastructure cyber defense before July is what determines whether the review absorbs that default or revises it. The July review is the first decision point, not the only one. CUSMA’s renewal architecture and the ten-year extended review window that follows are addressed in Paper 8.

What the Five Instruments Have to Address

The five operational instruments proposed in Paper 3, applied to the grid case:

A Sovereign Exposure Registry that records, for every Canadian utility AI deployment, the model in use, the compute owner, the governing jurisdiction, the pricing exposure, the replacement path, and the institution responsible for monitoring it. The Glasswing partner list and the 40-plus extended access organizations are the natural starting point for the inventory. Whether any of those extended-access organizations are Canadian utilities is itself an unanswered question that the registry would force into the public record.

A Sovereignty Trigger Framework that defines thresholds for review when changes in foreign-vendor model availability, pricing, or terms affect Canadian critical infrastructure. The retirement of Mythos Preview into a successor model, the change in usage-credit terms after the $100 million commitment is exhausted, an Anthropic IPO that changes corporate governance, or any change in US export policy affecting frontier model access would trigger automatic review under this framework.

A Contingency Architecture Requirement specific to grid-defensive AI: no Canadian utility AI deployment for security-critical functions should be permitted without a documented, tested fallback to a domestic or alternative-jurisdiction capability, even at lower performance. The fallback does not need to match frontier capability. It needs to exist before the proliferation window closes.

A Tempo-Matched Monitoring Function operating at the speed of grid events. Quarterly committee reports are inadequate when cascade windows are 30 seconds and frontier model capability advances over months. The monitoring function for grid-defensive AI needs to operate at incident-response speed, with dedicated analytical capacity tracking model availability, vendor decisions, and capability evolution in real time.

A Provincial Sovereignty Backstop that prevents provincial utilities from procuring grid AI without infrastructure sovereignty requirements, data portability mandates, contingency architecture, and tested migration paths embedded in design. The provincial-jurisdiction question for grid AI is the same question Ontario raised for health records, with the additional factor that grid cascades are interprovincial in nature.

The Strategy Question

The federal AI strategy is now nine months delayed. The pillars released in the April 28 spring economic update name “Building the Canadian sovereign AI foundation” and “Building trusted partnerships and global alliances.” Whether those phrases operationalize for grid-defensive AI, or whether grid AI is treated as a separate critical infrastructure question handled through Bill C-8 and NERC compliance, is the first measurable test the strategy has to pass when it lands.

The threat has a release date. The CUSMA review opens July 1, 2026. The defense does not yet have a Canadian deployment plan. The architecture is being built by procurement default, on foreign compute, under foreign jurisdiction, in a window the lab that built the threat has publicly disclosed. The cost of governing the architecture rises with every week the strategy is delayed. The cost of governing the grid rises faster.