A quiet but urgent scramble is unfolding in the world’s banking capitals as financial institutions race to gain access to Anthropic’s new Mythos AI model, a technology that cybersecurity experts say poses unprecedented risks to legacy banking systems. The emergence of Mythos is setting off alarm bells in regulatory circles globally, with policymakers and central banks now grappling with how prepared the financial sector truly is to defend itself against the capabilities this advanced AI model represents.
What makes Mythos different from other AI systems is its exceptional ability to write code at an elite level, giving it a potentially dangerous capacity to identify and exploit cybersecurity vulnerabilities that have gone undetected for years. The British government’s AI Security Institute recently concluded that Mythos is “substantially more capable at cyber offence than any model we have previously assessed” — a stark warning that has reverberated through financial regulatory bodies worldwide.
The access picture reveals a telling story about how new technology gets distributed in the global banking world. JPMorgan Chase has been publicly acknowledged as having access through Anthropic’s Project Glaswing initiative, a partnership designed to allow critical infrastructure builders to test frontier AI capabilities responsibly. However, as we’ve learned from sources close to the matter, Bank of America has also been testing Mythos internally since the Glasswing programme’s inception, though this wasn’t publicly disclosed.
Since then, the access list has quietly expanded. Morgan Stanley’s CEO Ted Pick confirmed during recent earnings calls that the bank is “permissioned on Claude Mythos Preview” and is discussing cyber risks with peers through industry forums. Goldman Sachs also revealed it has the model in hand and is collaborating with Anthropic and security vendors to understand its capabilities. Citigroup, too, gained access and is running internal tests, according to sources familiar with their operations.
The unequal distribution of access is raising eyebrows and sparking frustration among banks left on the outside looking in. Some financial institutions without access have begun questioning whether JPMorgan received competitive advantages by being the first major bank granted testing rights, a concern that industry insiders suggest could be escalated to the US Treasury. Neither JPMorgan nor Anthropic has responded to these concerns publicly.
Global regulators scramble to understand Mythos AI model risks
The international regulatory response has been notably measured but attentive. During the International Monetary Fund’s spring meetings in Washington last week, Mythos became a hot topic on the sidelines as policymakers from Europe and beyond convened to assess the threat landscape. Deutsche Bank CEO Christian Sewing told journalists that whilst the situation isn’t causing “panic,” it’s absolutely something banks must integrate into their day-to-day risk management protocols. He noted that German banks are in close contact with European watchdogs and suggested that maintaining limited access to Mythos for now is the right approach, even as everyone scrambles to gain entry.
European supervisors, by contrast, appear less alarmed at present. Multiple senior banking and regulatory sources across Europe told Reuters they’re unaware of any European financial institution currently having access to Mythos. The European approach is to assess the technology through existing cyber resilience frameworks rather than treating it as an emergency requiring special protocols.
The British government has taken a more assertive stance, sending an open letter to Anthropic leadership on 15 April expressing serious concern about Mythos’s offensive capabilities. This formal communication signals that governments are no longer content to let technology companies self-regulate around AI security risks.
Barclays CEO CS Venkatakrishnan struck perhaps the most cautionary tone, describing Mythos as “a serious threat to the global banking system” and warning that more powerful cyberthreats will inevitably follow. His assessment aligns with what cybersecurity researchers have been saying privately: the financial services industry’s ageing technology infrastructure may be particularly vulnerable to attacks engineered using AI models this sophisticated.
What we’re witnessing is a critical juncture where the pace of AI development is outstripping the banking industry’s ability to adapt. Some banks have defence mechanisms in place; others are frantically trying to access the same tools to understand what they’re up against. The regulatory response remains fragmented — the UK is sounding alarms, Europe is monitoring carefully, and the US appears to be allowing selective access whilst the debate about fairness and risk distribution plays out behind closed doors. For South Africa’s banking sector, watching this global drama unfold serves as an important reminder that cybersecurity threats increasingly operate across borders, and our local financial institutions must stay abreast of developments that could eventually reach our shores.