Global Regulators Confront Cybersecurity Challenges in Mythos

Key Takeaways

  • Anthropic’s Mythos model can autonomously detect and exploit software vulnerabilities, including zero‑day flaws in major operating systems and browsers.
  • Bank of England Governor Andrew Bailey warned that the model could “crack the whole cyber risk world open,” prompting urgent discussions among UK and US financial regulators.
  • While Mythos performed well in simulated corporate‑network attacks, it failed in operational‑technology environments, raising questions about its real‑world effectiveness against well‑defended financial systems.
  • Access to Mythos is tightly restricted through Anthropic’s Project Glasswing initiative, which shares the model only with selected tech firms and banks for defensive testing.
  • Tech leaders such as IBM’s Rob Thomas and Linux Foundation’s Jim Zemlin argue that concentrating AI cybersecurity tools in a few hands could give threat actors an early advantage and undermine overall resilience.
  • Major U.S. banks (Morgan Stanley, JPMorgan Chase, Goldman Sachs) acknowledge receipt of the model, using it to hunt vulnerabilities while also cautioning that the same capabilities could be weaponised by bad actors.
  • Regulators on both sides of the Atlantic are convening emergency meetings to assess the systemic risk Mythos poses to the highly consolidated cloud‑service infrastructure that underpins modern banking.
  • The debate centers on whether openness and broad scrutiny—or controlled, builder‑led deployment—will best safeguard financial stability in the AI era.

Anthropic’s Mythos Model Raises Alarm Among Regulators

Bank of England Governor Andrew Bailey recently warned that Anthropic’s new AI model, dubbed Mythos, could “crack the whole cyber risk world open.” Speaking at Columbia University, Bailey said regulators must urgently determine the model’s capacity to locate and exploit software flaws that could be turned into cyberattacks. His remarks followed Anthropic’s own claims that Mythos can autonomously identify and leverage zero‑day vulnerabilities across all major operating systems and web browsers, a capability highlighted in an April 7 blog post from the company.

Simulated Successes Reveal Both Strengths and Limits

Anthropic reports that Mythos successfully navigated a 32‑step corporate‑network attack simulation, demonstrating an impressive ability to chain exploits. However, an independent evaluation by the UK’s AI Security Institute, released on April 13, showed the model failing completely when tested against operational‑technology environments. The institute noted that its test ranges lacked common defensive features such as active defenders and security tooling, suggesting that Mythos’s true potency against well‑protected financial infrastructures remains uncertain.

Regulators Mobilise to Gauge Systemic Threat

In response to Bailey’s warning, the Bank of England’s Cross Market Operational Resilience Group and its AI Taskforce have scheduled meetings within the next two weeks to dissect the Mythos model. Across the Atlantic, U.S. Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an urgent summit with Wall Street leaders to discuss the potential for Mythos to usher in a new era of heightened cyber risk. The meetings underscore a shared concern that a single AI‑driven capability could destabilise the highly consolidated cloud service providers that underpin modern banking.

Major Banks Receive Access, Adopt Defensive Stance

Several global banks confirmed they have obtained access to Mythos under Anthropic’s restricted programme. Goldman Sachs CEO David Solomon told analysts that his firm is “hyper‑aware of the enhanced capabilities” and is working closely with Anthropic and security vendors to harness the model for defensive purposes. JPMorgan Chase CEO Jamie Dimon offered a more cautionary view, stating that AI has made cyber risk “worse” and “harder,” while acknowledging that Mythos highlights the sheer volume of unpatched vulnerabilities that remain. Morgan Stanley’s CEO Ted Pick struck an optimistic tone, describing AI as “our friend” and a natural evolution of the technology ecosystem.

Project Glasswing: Controlled Distribution of a Powerful Tool

Anthropic has not released Mythos to the public. Instead, it launched Project Glasswing, an initiative that shares the model exclusively with a select group of technology companies and financial partners—including Morgan Stanley, JPMorgan Chase, and CrowdStrike—for private evaluation and defensive preparation. Anthropic frames this as a “unique, early‑stage opportunity to evaluate next‑generation AI tools for defensive cybersecurity across critical infrastructure.” Participating security vendors argue that model safety remains the builder’s responsibility, while deployment governance falls to security firms.

Calls for Openness Counter the Closed‑Door Approach

Despite the defensive rationale, many tech leaders warn that concentrating access to such powerful AI cybersecurity tools could backfire. IBM Senior Vice President Rob Thomas criticised the closed model, asserting that “as AI reaches the scale of foundational infrastructure, security improves more often through scrutiny than through concealment.” He urged that open‑source examination is essential for resilience. Linux Foundation CEO Jim Zemlin echoed this sentiment, noting that open‑source maintainers—who often lack the budgets of large security teams—have historically underpinned critical systems like banking. Zemlin warned that the industry is entering a dangerous transition period where threat actors could gain an early advantage if AI tools remain sequestered in the hands of a few well‑resourced firms.

Balancing Innovation, Security, and Financial Stability

The Mythos episode captures a broader tension facing the financial sector: how to leverage cutting‑edge AI for defence without inadvertently empowering attackers. Regulators are tasked with determining appropriate oversight mechanisms that neither stifle beneficial innovation nor allow uncontrolled diffusion of offensive capabilities. As central banks revisit their mandates to protect public trust in money, the outcome of ongoing discussions around Mythos will likely shape policies on AI transparency, access controls, and collaborative defence strategies for years to come.
