NHS to Make Hundreds of Public GitHub Repositories Private in Response to AI Threats
The UK’s NHS has announced plans to make hundreds of public GitHub repositories private, citing concerns over AI-driven code analysis. The measure, a temporary shift from its long-standing open-source policy, has a deadline of May 11.
NHS Temporarily Reverses Open-Source Policy
The UK’s National Health Service (NHS) has directed its technical leadership to make all GitHub repositories managed by the organization private by May 11, 2026. This decision stems from concerns about the risk of large-scale codebase analysis by advanced AI models.
According to internal guidance documents obtained by The Register, the NHS expressed concern that public repositories “significantly increase the risk of unintended leaks of source code, architectural design decisions, configuration details, and contextual information.” The guidance specifically highlights the rapid advancements in AI models capable of “ingesting, reasoning, and logically analyzing extensive codebases.”
The guidance explicitly mentions Anthropic’s Mythos model, instructing that GitHub repositories should not remain public “unless there is an explicit and exceptional need to do so.”
NHS Describes the Move as a “Temporary Measure”
An NHS England spokesperson told The Register that this measure is purely temporary.
“To evaluate the impact of rapid advances in AI models and to further strengthen cybersecurity, access to some NHS England source code is being temporarily restricted,” the spokesperson explained. “The publication of source code where there is a clear need will continue.”
The measure was reportedly approved by the NHS Engineering Board.
Public Repositories Are “Largely Non-Sensitive,” Insiders Say
Sources within the NHS have suggested that only a small fraction of the organization’s hundreds of open-source repositories contain highly sensitive information. Examples of publicly available repositories included documentation, architectural diagrams, and codebases for internal tools such as web applications for clinic appointment management.
While there is a possibility that frontier AI models like Mythos could identify bugs, the actual risk to healthcare services is believed to be minimal.
A Departure from Long-Standing Open-Source Policies
This decision represents a significant shift from the NHS’s long-standing policy of prioritizing open-source practices. Reflecting broader UK government policies, the NHS service manual has long stipulated that “all new source code should be made open source and shared under appropriate licenses.”
The manual justifies this stance by stating, “Public services are built with public funds. Therefore, unless there are compelling reasons otherwise, the code that underpins them should be made available for others to reuse and build upon.”
Additionally, the manual explains that open-source code “reduces duplication of effort between teams, enabling the development of better services at a faster pace” and that releasing source code under open licenses “reduces the risk of being locked into a single supplier.”
Signs of the Policy Shift Were Evident Last Year
The shift in the NHS’s open-source policy had already been hinted at by the end of 2025. Reports surfaced that the organization had removed webpages dedicated to promoting its open-source initiatives, sparking speculation about a potential policy change. At the time, the NHS attributed these removals to “routine cleanup work associated with NHSX and NHS Digital.”
It remains to be seen whether this latest measure will indeed be temporary or if advances in AI technology will lead to a more permanent policy change. The move raises broader questions about the balance between open source and AI security in the healthcare sector.
FAQ:
Q: What is the specific reason behind the NHS making its GitHub repositories private?
A: The NHS is concerned about the risk posed by advanced AI models, such as Anthropic’s Mythos, which could analyze public source code on a large scale to infer security vulnerabilities and configuration flaws. The NHS has described this as a “temporary cybersecurity enhancement measure.”
Q: What kind of code has been made private?
A: Most of the public repositories contained non-sensitive content, such as documentation, architectural diagrams, and codebases for internal tools like web applications for managing clinical appointments. The risk to healthcare services is considered minimal.
Q: Will this measure become permanent?
A: NHS England has stated that the measure is temporary and that source code will remain public where there is a clear need. However, the policy may evolve depending on advancements in AI technology, and future developments will be closely watched.