U.S. Regulators Halt Cybersecurity Exams for Banks Amid Mythos Concerns

Key Takeaways

  • U.S. banking regulators (Federal Reserve and Office of the Comptroller of the Currency) have temporarily paused certain cyber‑related examinations of the largest banks.
  • The pause is intended to give banks time to assess and strengthen defenses against cyber‑threat risks highlighted by Anthropic’s new Mythos AI model.
  • Anthropic has restricted access to Mythos, warning it could be weaponized for cyber attacks, and launched Project Glasswing with select firms (including Apple and JPMorgan) to test defensive uses first.
  • Senior officials—Treasury Secretary Scott Bessent and former Fed Chair Jerome Powell—warned Wall Street in April about the AI‑driven cyber risks, prompting banks to form dedicated response teams.
  • Initial alarm among bank executives has evolved into structured, long‑term remediation plans involving hundreds of full‑time staff.
  • Regulators continue to engage banks on cyber issues; the exam delay does not reduce oversight but supports deeper stress‑testing of defenses.
  • Collaboration among banks, federal intelligence agencies, security vendors, and regulators is underway, as evidenced by comments from CEOs Jamie Dimon (JPMorgan) and David Solomon (Goldman Sachs).

Regulators Pause Cyber Exams
The Federal Reserve and the Office of the Comptroller of the Currency (OCC) have decided to temporarily suspend some cyber‑related examinations of the nation’s biggest banks. This move is not a withdrawal of supervisory attention but a strategic pause designed to give lenders additional time to evaluate and fortify their systems against emerging threats. Regulators emphasized that the pause is meant to accommodate the rapid evolution of artificial‑intelligence‑driven risks, particularly those posed by new AI models that could be repurposed for malicious use. By halting the routine exam cadence for a limited period, the agencies hope banks can conduct more thorough internal assessments without the pressure of imminent regulatory scrutiny.

Motivation Behind the Pause
Regulators cited the need for banks to “bolster their systems against cyber threats exposed by the latest AI models” as the primary motivation for the delay. Both the Fed and the OCC are themselves testing the capabilities of Anthropic’s Mythos AI to understand how such technology could be exploited to uncover vulnerabilities in banking infrastructure. The pause allows banks to align their internal risk‑management processes with the regulators’ own fact‑finding missions, ensuring that when examinations resume, they will be based on a more mature and tested defensive posture. Officials stressed that the delay does not equate to reduced oversight; rather, it is intended to enhance the quality and relevance of future supervisory work.

Anthropic’s Mythos and Project Glasswing
Anthropic announced last month that it would limit access to its Mythos AI model, issuing a clear warning that the technology could potentially be harnessed to power cyber attacks. To mitigate this risk while still enabling constructive experimentation, the company launched Project Glasswing, a selective initiative that grants a handful of trusted corporations—including Apple Inc. and JPMorgan Chase & Co.—the ability to use Mythos for testing their own cyber defenses first. By controlling who can experiment with the model, Anthropic aims to balance innovation with security, providing a sandbox environment where defensive strategies can be developed before the technology becomes more widely available.

Early Bank Reactions
Inside the largest U.S. banks, the initial reaction to Mythos was one of alarm. Executives noted the model’s remarkable speed in scanning code and pinpointing hacking weaknesses, which raised immediate concerns about the potential for rapid exploitation by threat actors. The early weeks of testing generated a sense of urgency, prompting banks to allocate significant resources to understand the model’s capabilities and to assess how their existing defenses might be bypassed. This phase was characterized by intense scrutiny and a heightened awareness of the gap between traditional cybersecurity measures and the novel threats posed by advanced generative AI.

Shift from Panic to Action
After several weeks of hands‑on experimentation, the initial panic among bank leaders has begun to settle into a more methodical, long‑term remediation effort. Rather than reacting impulsively, banks have compiled extensive to‑do lists that outline specific upgrades, monitoring enhancements, and procedural changes needed to mitigate the risks identified by Mythos. This shift reflects a maturation of the response: banks are moving from emergency triage to sustained investment in cyber resilience, recognizing that the challenge posed by AI‑driven threats will require ongoing attention rather than a one‑off fix.

Impact on Examination Schedule
The decision to delay certain cyber examinations is expected to give banks the time they need to fully grasp the power and pitfalls of Mythos. Regulators argue that this extra time will improve the effectiveness of their own stress‑testing efforts, as banks will be able to present more robust defenses when the exams resume. The OCC, for instance, is concurrently conducting its own trial run with Mythos to gain firsthand insight into the model’s behavior. Officials reiterated that examiners remain actively engaged with the banks on cyber issues and that a postponement of scheduled exams does not signal a relaxation of supervisory rigor.

Regulatory Guidance and Supervision Approach
Fed Vice Chair for Supervision Michelle Bowman emphasized that the regulator will continue to seek effective ways to supervise banks in the face of emerging technologies such as Mythos. She stated that regulators will “continue to focus on critical developments and communicating these risks to supervised institutions, as well as on refining our cybersecurity approach.” This forward‑looking stance suggests that the pause is part of a broader strategy to evolve supervisory frameworks in tandem with technological innovation, ensuring that oversight remains relevant and proactive rather than reactive.

Industry Collaboration and CEO Comments
Many of the biggest U.S. banks that have secured access to Mythos—JPMorgan, Morgan Stanley, and Goldman Sachs—have assembled secretive, cross‑functional teams to work directly with the model. In addition to internal efforts, several institutions are coordinating with federal intelligence agencies to map out potential threat vectors emanating from AI‑enabled attacks. Goldman Sachs CEO David Solomon noted that the bank is collaborating with security vendors to bolster its defenses, while JPMorgan CEO Jamie Dimon described the undertaking as “serious work,” revealing that “hundreds of people” are now devoted full‑time to preparing the bank’s systems. These statements underscore the scale of the industry’s response and the importance of public‑private partnership in confronting AI‑related cyber risks.
