NHS Orders Hundreds of GitHub Repositories to Go Private Over AI Security Concerns

Summary

The UK's National Health Service (NHS) has mandated that all publicly accessible GitHub repositories be made private by May 11, 2026, citing security risks posed by advanced AI models, particularly Anthropic's Mythos. Internal NHS guidance reveals that the organization views public code repositories as material security risks, stating they "increase the risk of unintended disclosure of source code, architectural decisions, configuration detail, and contextual information" that frontier AI models capable of large-scale code analysis could exploit.

The decision represents a significant reversal of the NHS's established open source policy, which previously mandated that all new publicly-funded code be made open and shareable unless there was an explicit need for secrecy. This policy reflected the principle that taxpayer-funded technology should be reusable across the public sector. The temporary shift marks a watershed moment where organizational leadership has prioritized cybersecurity concerns over open development principles in response to rapid AI advancement.

However, NHS sources suggest the actual risk is likely overstated. Most of the hundreds of affected repositories contain low-sensitivity materials such as documentation, architecture diagrams, and internal tools for managing clinical schedules. While frontier AI models like Mythos could theoretically identify latent code vulnerabilities, there is minimal direct threat to active healthcare services. The NHS characterizes this as a temporary measure while assessing the cybersecurity implications of advanced AI models, though no timeline has been provided for reopening repositories.

• The move reflects broader organizational anxieties about frontier AI models' code analysis and reasoning capabilities
• No timeline was provided for when repositories will be reopened, though the closure is described as 'temporary'