The Gaps: Governance Physics and the Cybersecurity Capability Break

Zero out of nineteen cybersecurity and cyber insurance firms link executive pay to a measurable cybersecurity outcome. This paper traces the structural reason and asks whether the historical answer is utility regulation.

Working Paper — CAT Ventures LLC
v1.0 — April 2026

Abstract

Across ten pure-play cybersecurity vendors and nine property and casualty insurers writing material commercial cyber coverage, the number of firms that link executive short-term incentive compensation to a measurable cybersecurity outcome is zero. That finding — zero out of nineteen — is the empirical center of this paper. It is not a coincidence. It is what you would predict if executives pay no personal price when cybersecurity fails. The executive making the security investment decision is rarely the party who bears the cost when that decision proves wrong. That cost lands on customers, on counterparties, and on the broader financial system. The compensation plan captures none of it.

On April 7, 2026, Anthropic released Claude Mythos Preview alongside Project Glasswing, demonstrating that a general-purpose AI model — not specifically trained for cybersecurity — could identify thousands of previously unknown software vulnerabilities across every major operating system and browser, at a total compute cost under twenty thousand dollars. The prior regime, in which finding vulnerabilities was bottlenecked by the supply of trained human attention, ended on that date. The governance infrastructure built for that regime has not caught up.

This paper traces the structural reason for that lag. It documents the compensation finding across all nineteen firms. It reads the Glasswing partner list as narrative architecture and asks why Anthropic — a lab that defines safety as its core identity — did not use its considerable leverage to set governance accountability as a condition of coalition membership. It examines compliance spend, estimated at over five billion dollars annually across ten representative large US public companies, and argues that this capital is not producing the analytical output it nominally underwrites. It closes with the observation that the cybersecurity industry, given the evolution of its economic structure and the scale of the externalities now in play, may be approaching the threshold at which voluntary coalition governance is no longer the right architecture — and that the historical precedent for that condition is utility regulation. The Strategic Governance Factor framework, developed at CAT Ventures on the premise that governance changes before price, is one analytical approach that can see what compliance documentation cannot.

Suggested citation

Chun, J.S. (2026). The Gaps: Governance Physics and the Cybersecurity Capability Break. CAT Ventures LLC Working Paper. Available at: sgf.catventures.com/the-gaps

Related work

Op-Ed: How Was CrowdStrike Even Invited to Glasswing?

Working Paper: Antifragile Capital Efficiency (ACE) — SSRN: ssrn.com/abstract=6512158