VYPR
Advisory · Published May 4, 2026 · Updated May 17, 2026 · 8 sources

NHS Restricts Public GitHub Access Amid AI Security Concerns

The UK's National Health Service has ordered a temporary shift of its public GitHub repositories to private status, citing concerns that advanced AI models could exploit exposed source code.

The UK's National Health Service (NHS) has ordered its technology teams to transition hundreds of public GitHub repositories to private status by May 11, 2026. This directive, issued by the NHS Engineering Board, is a temporary measure aimed at mitigating potential security risks posed by advanced artificial intelligence models, specifically citing Anthropic’s "Mythos" model (The Register).

The NHS guidance warns that public repositories increase the risk of exposing source code, architectural configurations, and internal documentation. The organization is particularly concerned that frontier AI models, which possess advanced code ingestion and reasoning capabilities, could be used to identify and exploit vulnerabilities within these codebases. While the NHS maintains a long-standing policy of favoring open source to ensure transparency and public accountability, this move represents a significant, albeit temporary, strategic pivot to bolster its cybersecurity posture while the impact of these AI advancements is assessed (The Register).

Despite the broad nature of the order, internal sources suggest that the majority of the affected repositories contain non-sensitive material, such as documentation, architecture diagrams, and internal tools for administrative tasks like clinic scheduling. NHS England has stated that it will continue to publish source code where there is a "clear need," emphasizing that the restriction is not a permanent abandonment of its open-source commitments (The Register).

The decision comes amid growing industry debate regarding the capabilities of Anthropic’s Mythos model. While some national authorities, including the UK’s AI Safety Institute and the National Cyber Security Centre (NCSC), have acknowledged that Mythos represents a significant leap in AI-driven vulnerability research, other experts remain skeptical. Critics have questioned the model's actual effectiveness in real-world scenarios, noting that Anthropic has yet to provide transparent data regarding the rate of false positives generated during automated bug-hunting processes (The Register).

This action by the NHS highlights a broader, emerging tension between the benefits of open-source collaboration and the potential security risks introduced by AI-assisted reconnaissance. As organizations grapple with the reality that AI can now automate the discovery of vulnerabilities at scale, many are re-evaluating the exposure of their internal development practices. The NHS has not provided a timeline for when these repositories might be returned to public access, leaving the future of its open-source strategy dependent on the outcome of its ongoing security assessment (The Register).

Synthesized by Vypr AI