When the AI Giants Play Gatekeeper, African Defenders Get Left Outside

There is something almost theatrical about Sam Altman publicly mocking Anthropic for restricting access to its cybersecurity tool Mythos, only to turn around days later and announce that OpenAI’s competing tool, Cyber, would be rolled out in exactly the same way.

The irony would be funny if the stakes were not so high.

But beyond the Silicon Valley point-scoring, there is a more important question that nobody seems to be asking: what does any of this mean for cybersecurity practitioners in Africa?

Credentialed – But Not in the Right Postcode

OpenAI’s Trusted Access for Cyber (TAC) programme promises access to its most capable cybersecurity models for “verified defenders” and teams protecting critical infrastructure. Applicants submit credentials and intended use cases. Sounds reasonable in theory.

In practice, verification frameworks like these are built around ecosystems that skew heavily toward the United States and its allied governments. The consultation process OpenAI references involves the U.S. government. The implied trust networks are Western by design.

A skilled penetration tester in Johannesburg, a threat analyst in Nairobi, or a SOC team protecting a South African bank is not automatically less credible than their counterpart in Washington. But they may well find themselves at the back of a very long queue.

The Dual-Use Problem Is Real, But So Is the Access Gap

To be fair, the caution is not entirely without merit. Tools capable of vulnerability exploitation and malware reverse engineering are genuinely dual-use. Keeping them out of the wrong hands matters.

But the “wrong hands” framing often defaults to geography and institutional affiliation rather than actual intent or competence. African enterprises and governments face the same threat actors as anyone else. In some sectors, they are more exposed. Restricting the most capable defensive tools to a Western-centric verified network does not make the global threat landscape safer. It just leaves parts of it less defended.

What African Practitioners Should Do Now

Waiting for TAC approval is not a strategy. African cybersecurity teams should be actively building the case for access: documenting credentials, affiliations, and defensive mandates in terms that resonate with international verification standards. Industry bodies, CERTs, and regional cybersecurity networks have a role to play in advocating for equitable access frameworks.

The AI giants will keep competing. The tools will keep improving. The question is whether Africa gets to participate in that progress as a peer, or watches it unfold from the outside.

That answer depends partly on what we do next.