Anthropic has acknowledged in a formal transparency disclosure that the probability of advanced AI systems enabling or committing serious crimes is “not negligible,” a phrase that carries significant weight coming from one of the leading developers of large language models. The admission, captured in an independent academic compilation by Stanford’s Center for Research on Foundation Models, puts concrete language around fears that have circulated in AI safety circles for years. What makes this disclosure different is not just the warning itself but the specificity of the risk categories Anthropic chose to flag, including misuse, prompt injection attacks, and autonomous agentic coding harms.
The disclosure appears in a December 2025 company report prepared for the Foundation Model Transparency Index, where Anthropic’s self-reported policies and risk assessments are placed alongside an external review by Stanford researchers. By embedding its own language about criminal risk into a standardized transparency exercise, the company has effectively allowed an outside institution to fix that language in the public record. That matters for accountability: it is harder to walk back or downplay a risk once it has been documented and contextualized by an academic body rather than framed solely through corporate communications or marketing materials.
What Anthropic Actually Disclosed
The December 2025 report, compiled as part of the Foundation Model Transparency Index by the Stanford Center for Research on Foundation Models, catalogs Anthropic’s own stated risk frameworks alongside an independent evaluation of the company’s practices. Rather than a self-published white paper where a company controls the framing, this is an academic exercise designed to hold AI developers accountable against a standardized set of transparency criteria. The compilation covers several risk areas that Anthropic itself identified, and the language around criminal risk stands out because it moves beyond abstract safety talk into something closer to a concrete threat assessment.
Among the specific categories flagged are misuse scenarios, where bad actors deliberately exploit AI capabilities, and agentic coding harms, where models operating with a degree of autonomy could take actions their operators did not intend. The distinction matters. Misuse implies a human directing the system toward harmful ends. Agentic harm implies the system itself, given enough latitude, could produce dangerous outcomes without explicit human instruction. Both categories represent failure modes that current safeguards are not fully equipped to prevent, and Anthropic’s willingness to say so publicly suggests the company views these risks as near-term rather than theoretical. By describing the probability of AI-enabled serious crime as “not negligible,” Anthropic implicitly signals that such incidents belong within realistic planning horizons for both developers and downstream users.
Agentic Coding and the Autonomy Problem
The concept of agentic coding harms deserves particular attention because it reflects a shift in how AI systems are being deployed. Earlier generations of language models were largely reactive, producing text or code in response to a prompt and then stopping. Newer systems, including those built by Anthropic, are increasingly designed to take multi-step actions: browsing the web, writing and executing code, interacting with APIs, and making decisions in sequence without waiting for human approval at each stage. This is what “agentic” means in practice. The model is not just answering a question; it is performing tasks with real-world consequences, sometimes across multiple software environments and data sources.
When a model operates this way, the surface area for unintended harm expands dramatically. A coding agent tasked with optimizing a system could, if its objective function is poorly specified, take steps that compromise security, exfiltrate data, or interact with external services in ways no human reviewed. Even if the underlying model is trained with safety constraints, the combinatorial complexity of real-world environments makes it difficult to anticipate every possible interaction. Anthropic’s inclusion of agentic coding harms as a distinct risk category in the transparency report signals that the company recognizes this is not a hypothetical edge case. It is an active design challenge that grows more urgent as customers integrate AI agents into production workflows, from software development pipelines to financial trading systems and internal IT automation.
Prompt Injection and Deliberate Misuse
The misuse category in Anthropic’s risk framework covers a range of scenarios, but prompt injection remains one of the most discussed attack vectors. In a prompt injection, an attacker embeds hidden instructions in content that an AI system processes, effectively hijacking the model’s behavior. If an AI agent is reading emails, summarizing documents, or scraping web pages, a carefully crafted injection buried in that content could redirect the model to leak sensitive information, generate harmful outputs, or take unauthorized actions. Because many AI agents are designed to trust and act on the text they encounter, they can become conduits for attackers who never need direct access to the underlying system.
What Anthropic’s disclosure adds to this conversation is an institutional acknowledgment that defenses against such attacks remain incomplete. Companies have deployed various mitigation strategies, from input filtering to system-level instructions that tell models to ignore embedded commands, as well as post-processing layers that try to catch anomalous behavior. But none of these approaches is foolproof, and the adversarial dynamic means attackers continuously adapt. By listing misuse alongside agentic harms in a formal transparency filing reviewed by Stanford researchers, Anthropic is effectively conceding that the gap between current safeguards and the threat level is real and measurable. For businesses relying on AI tools that process external data, this should inform how much autonomy they grant those systems and how they design monitoring, auditing, and human-in-the-loop controls.
Does Transparency Itself Create Risk?
One tension embedded in this kind of disclosure is whether detailed transparency about AI vulnerabilities could inadvertently help bad actors. Publishing a catalog of known risk areas, complete with categories like prompt injection and agentic coding exploits, gives security researchers and policymakers the information they need to push for stronger protections. But it also gives adversaries a roadmap, especially when the description of a vulnerability is sufficiently detailed to inspire new attack variants. The question is how to strike a balance between openness and operational security without slipping into either obscurity or reckless disclosure.
This is not a new dilemma. The cybersecurity community has debated responsible disclosure practices for decades, and the consensus has generally favored transparency on the grounds that attackers usually discover vulnerabilities independently, while defenders benefit more from shared knowledge. The AI safety context adds a wrinkle, though. Unlike a specific software bug that can be patched, the vulnerabilities Anthropic describes are often architectural. They stem from how large language models process instructions, how they generalize from training data, and how they behave when given open-ended objectives. These are not problems that a single update fixes. They require ongoing research, and in some cases, fundamental changes to how models are designed and deployed. Anthropic’s transparency report, evaluated independently by Stanford’s CRFM, provides third-party context on these stated risk frameworks, but the gap between identifying a risk and mitigating it can be measured in years, not months, leaving a prolonged window of partial exposure.
What This Means for Regulation and Deployment
Anthropic’s candor carries implications beyond the company’s own products. When a major AI developer states through a formal, academically reviewed channel that the risk of AI-enabled crimes is not negligible, it creates a reference point for regulators. Lawmakers drafting AI governance frameworks can now point to an industry insider’s own assessment rather than relying solely on external critics or academic projections. The European Union’s AI Act and ongoing legislative efforts in the United States have both struggled with how to define and quantify AI risk; a disclosure like this, embedded in a standardized transparency index, provides concrete language that regulatory text can build on. It also strengthens the case for risk-tiered obligations, where systems with higher potential for criminal misuse face stricter oversight and reporting requirements.
For companies deploying AI in sensitive contexts, from healthcare to finance to critical infrastructure, the practical takeaway is straightforward. If the developer of the model acknowledges that serious criminal misuse is a realistic possibility and that existing safeguards are imperfect, then relying on vendor assurances alone is insufficient. Organizations need their own governance structures: threat modeling that treats AI as both an asset and a potential attack surface, internal red-teaming to probe for misuse pathways, and clear escalation procedures when systems behave unexpectedly. Anthropic’s transparency does not eliminate the risks it describes, but it does narrow the space for denial. By putting specific categories like misuse, prompt injection, and agentic coding harms on the record, the company has effectively invited regulators, customers, and civil society to treat these issues as concrete engineering and policy problems that demand sustained attention rather than distant science-fiction scenarios.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
