What global banks said about Anthropic's new Mythos model that the company ‘refused’ to release publicly

Anthropic unveiled Claude Mythos in a selective manner earlier this month. However, the AI company chose not to release it publicly. The reason was straightforward, even though unsettling: the model had demonstrated a capacity to locate and exploit software vulnerabilities across every major operating system and web browser, including a flaw in OpenBSD that had gone undetected for 27 years.


Instead of a public launch, Anthropic established Project Glasswing, a controlled-access initiative involving 12 partner organisations and more than 40 additional groups that build or maintain critical software infrastructure and committed up to $100 million in usage credits for defensive security work. That decision set off a scramble across the global banking system that has not yet subsided.

Within days, US Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an urgent meeting at the Treasury building with the chief executives of the country's systemically important banks. According to Bloomberg, the session was attended by Citigroup's Jane Fraser, Morgan Stanley's Ted Pick, Bank of America's Brian Moynihan, Wells Fargo's Charlie Scharf, and Goldman Sachs's David Solomon.



JPMorgan Chase CEO Jamie Dimon was unable to attend. The meeting sought to prompt financial institutions to understand what Mythos and comparable models could mean for their exposure to attacks and to put adequate defences in place. It was the beginning of a global reckoning that has since drawn in central bankers, finance ministers, regulatory supervisors, and bank chief executives from Seoul to Zurich.



Across the Atlantic, European regulators opened consultations with their own institutions. The Reserve Bank of India has also reportedly begun its own process of holding talks with counterparts at the Federal Reserve and the Bank of England, while India's payment authority, the National Payments Corporation of India, moved to seek early access to the model, even as the technical and regulatory barriers to obtaining it remained formidable.

US banks on Mythos: Access, acknowledgement and accelerated investment

JPMorgan Chase is the only bank Anthropic has publicly confirmed as having access to Mythos through Project Glasswing, though the picture at other major US institutions is more nuanced. According to a Reuters source familiar with the matter, Bank of America has been part of Glasswing since the start and has been testing the technology internally. More recently, other US banks have said they have obtained access.



Morgan Stanley CEO Ted Pick confirmed the bank's position during an earnings call. "And yes, we are permissioned on Claude Mythos Preview," he told analysts, adding that cyber risk represents an increasing threat. "So we will, I imagine, collectively get better via that, and then there will be other competitive products."



Goldman Sachs CEO David Solomon was similarly direct. "We're aware of Mythos and its capabilities," Solomon said on the bank's earnings call. "We have the model. We're working closely with Anthropic and all of our security vendors to kind of harness frontier capabilities wherever it's possible. And this will continue to be an important focus."



Solomon had flagged his bank's awareness even before that, telling analysts: "Obviously, the LLMs are making rapid progress and we're hyper-aware of the enhanced capabilities of these new models with the help of the US government and the model publishers." He added that Goldman was accelerating investment in cyber and infrastructure resilience as a direct result.



Citigroup also has access to the model and is using it for internal tests, according to one person with knowledge of the matter cited by Reuters. The bank has not made a public statement on the subject.



JPMorgan's internal view of Mythos was made unusually explicit in a note circulated by analyst Michael Cembalest, the firm's head of market and investment strategy. Cembalest's analysis, titled "Misanthropic," drew attention to what he described as a paradox at the heart of the model: Anthropic simultaneously described Mythos as its "best aligned model to date" while conceding that it "likely poses the greatest alignment-related risk of any model we have released to date."



Cembalest noted that Mythos achieved a perfect score on Anthropic's CyBench cybersecurity benchmark, meaning the model had effectively saturated the test and that when applied to Firefox, it achieved a 72% shell exploitation success rate, compared to 1% for the prior Claude Opus 4.6 model and 0% for Claude Sonnet 4.6.



AI security expert Nicholas Carlini, who joined Anthropic a year before the model's release, was quoted in that same analysis as saying: “I've found more bugs in the last couple of weeks than I've found in the rest of my life combined.”

Barclays and the Bank of England gives a shared warning on Mythos

Among non-US banks, Barclays has been among the most vocal. CEO C.S. Venkatakrishnan spoke at a Group of Thirty meeting on the sidelines of the IMF spring meetings in Washington and did not soften his assessment. "On Mythos, look, it's a serious issue. But here's the thing: there will be a Mythos 2 and a Mythos 3, and they'll come up with probably distressing frequency," he said, as reported by Reuters.



In separate comments to the BBC, Venkatakrishnan said: "It's serious enough that people have to worry. We have to understand it better, and we have to understand the vulnerabilities that are being exposed and fix them quickly." He added that the emergence of Mythos was emblematic of what the financial sector will face going forward in a more connected world.



Venkatakrishnan also noted that the challenge would be compounded for institutions still reliant on legacy systems, which may not be able to respond as quickly to newly identified vulnerabilities.



Bank of England Governor Andrew Bailey struck a similarly direct tone. Speaking at an event in New York, Bailey described the situation to the BBC: "We are having to look very carefully now what this latest AI development could mean for the risk of cyber crime."



He elaborated, “The consequence could be that there is a development of AI, of modelling, which makes it easier to detect existing vulnerabilities in sort of core IT systems, and then obviously cyber criminals — the bad actors — could seek to exploit them."



At the IMF meetings, Bailey was quoted separately as saying: "It is a very serious challenge for all of us. It reminds us how fast the AI world moves," and noted that regulators need to assess the risks quickly.



The UK's AI Security Institute, which was given a preview of Mythos, published the only independent evaluation of the model's cybersecurity capabilities. Testing found that Mythos was the first AI model to complete a 32-step simulation of a corporate network attack,, doing so in three out of ten attempts.



The AISI noted that the model could carry out attacks requiring multiple sequential actions and could discover weaknesses in IT systems without human intervention, tasks that would normally take human professionals days.



At the same time, the AISI cautioned that it "cannot say for sure whether Mythos Preview would be able to attack well-defended systems," as its testing environments lacked active security controls. The institute concluded its report with a clear warning: "investment now in cyber defence is vital."



The Cross Market Operational Resilience Group in the UK, which brings together bank chief executives alongside officials from the Treasury, Bank of England, Financial Conduct Authority, and National Cyber Security Centre, was scheduled to convene within the fortnight following those reports.

Deutsche Bank and German regulators on Mythos: Preparation without panic

Deutsche Bank CEO Christian Sewing, who also chairs the Association of German Banks, offered a notably measured response to journalists. "It's certainly not something that's causing panic or setting off any alarm bells on our end right now, but it's definitely something we need to keep in mind in our day-to-day risk management — and that's exactly what we're doing," he said.



Sewing acknowledged that the broader industry sought access to the model while arguing that its restricted availability was appropriate. "The banks are prepared for this and have their own responses. So this is something we have to live with, and of course everyone is trying to gain access, but I also think it's right that access is limited for now," he told journalists. He noted that European banks had undertaken considerable cybersecurity work in recent years and that a German banking association task force had been established to provide information and guidance to smaller financial institutions.



Kolja Gabriel, a member of the German Banking Association's executive board responsible for technology and innovation, said that IT security firms were already deploying Mythos in a controlled manner to close potential vulnerabilities. "We expect a series of software updates shortly and are closely monitoring developments," he told Reuters.



Germany's financial watchdog BaFin said that financial firms must be prepared for the possibility that vulnerabilities could be discovered in the near future and that they must be addressed promptly.



Commerzbank took an active posture. A spokesperson said the bank is "examining the Mythos model very closely and assessing the associated risks. To this end, we are also in close contact with other banks, technology partners and regulatory authorities."



Bundesbank President Joachim Nagel raised a concern that has become a recurring theme across European regulators: the risk of competitive distortions arising from uneven access. "We must prevent the misuse of this technology. At the same time, all relevant institutions should have access to such technology to avoid competitive distortions,” Nagel said.



Multiple senior banking and regulatory sources in Europe told Reuters that they were unaware of any European financial institution having been granted access to Mythos at the time of reporting.

Switzerland's financial regulator on Mythos: A systemic risk warning

Switzerland's financial market regulator FINMA framed the issue in starker terms than most. "The uncontrolled and immediate availability of AI models such as Mythos would be classified as a systemic risk," a spokesperson said in response to questions from Bloomberg News. "In such a scenario, virtually all existing software systems could simultaneously be affected by a multitude of previously unknown zero-day vulnerabilities, which would be exploited immediately and via AI."



FINMA added that it "takes the rapid development of AI very seriously" and is "in contact with the Federal Office for Cybersecurity, banks, and critical service providers" while also coordinating with international authorities. In its statement, it noted that banks "must actively incorporate the evolving threat landscape into their risk management" and that "cyber attacks are becoming faster, more precise, and easier to carry out with the help of AI."



Bloomberg reported that the European Central Bank was planning a call with the chief risk officers of eurozone lenders to discuss potential threats from Mythos. European supervisory sources told Reuters that regulators were not yet overly concerned and, for now, were assessing the model through existing cyber resilience processes.

Canada and the IMF on Mythos: A lot still unknown

At the IMF and World Bank spring meetings in Washington, Mythos dominated conversations that might otherwise have focused on trade policy or the Middle East crisis.



Canadian Finance Minister François-Philippe Champagne told the BBC that the model warranted serious attention. "Certainly it is serious enough to warrant the attention of all the finance ministers," he said. He offered a striking analogy, "The difference is that the Strait of Hormuz — we know where it is and we know how large it is... the issue that we're facing with Anthropic is that it's the unknown unknown."



Bank of Canada Governor Tiff Macklem framed the challenge as a structural one for the global financial system. "This isn't a one-off. Mythos has arrived; it's a lot more powerful than what came before. But something else will come that's even more powerful than that. As a financial system, both within Canada but internationally, we're going to need to come to grips with how we're going to manage this on an ongoing basis," he said.



Dan Katz, deputy head of the IMF and former chief of staff to US Treasury Secretary Scott Bessent, described the broader stakes: "The evolution of digital technology is posing immense risks from a cybersecurity perspective. This is really going to be absolutely essential on the international agenda for the next few months."

Asian financial institutions on Mythos: Monitoring, access requests, and data complications

Across Asia, financial regulators moved to assess the situation, though access to the model itself remained elusive. South Korea's Financial Supervisory Service held a meeting with information security officials from financial firms to review Mythos-related risks and indicated it was monitoring developments.



India's Reserve Bank of India was in consultations with counterparts at the US Federal Reserve and the Bank of England, according to three sources familiar with the central bank's thinking cited by Reuters. The RBI's preliminary view aligned with that of global regulators: Mythos could pose cybersecurity risks by accelerating the discovery and exploitation of software vulnerabilities.



India's payment authority, the National Payments Corporation of India, was separately reported to be seeking early access to Mythos to identify vulnerabilities ahead of any broader rollout. However, one source told Reuters that such access may prove difficult to arrange, given that Mythos systems are hosted on strictly controlled servers in the United States and that running tests on local data in foreign jurisdictions could present challenges.



The RBI is also preparing broader guidelines for banks entering enterprise partnerships with advanced AI models. The central bank is expected to require that all analytics based on data of Indian customers comply with its domestic data localisation rules, which, since 2018, have required payment system providers to store end-to-end transaction data exclusively on servers within India.



Japan's financial watchdog was also reported to be arranging meetings with banks, and Australia's central bank said it was monitoring the situation.

The access divide and what comes next

One issue running beneath much of the discussion is the unequal distribution of access to Mythos. Several banks without access have questioned whether JPMorgan received a competitive advantage through its Glasswing participation, a matter that industry sources said was likely to be raised with the US Treasury.



Jonathan Kewley, partner and chair of the global technology group at law firm Clifford Chance, said the model had the potential to "super-charge" both cyber attacks and cyber defence simultaneously, raising questions around trust and responsibility that the industry has not yet resolved.



Radi El Haj, chief executive of payments technology firm RS2, argued that the arrival of Mythos made continuous resilience, not reactive security, the only credible posture going forward. "Static security models are insufficient in a context where threats can evolve in near real time," he said, adding that institutions on legacy systems face elevated risk compared to those on modern, flexible platforms.



Eric Paulsen, chief technology officer at cloud development platform Coder, described Mythos as an "inflection point" for AI governance. "Since no standard is in place, enterprises must build their own controls today," he said.



Barclays CEO Venkatakrishnan perhaps put it most plainly when asked about the broader trajectory. The industry, he said, is not dealing with a single event but with a series of increasingly capable models that will require the sector to adapt on an ongoing basis. "We have to understand its capabilities," he said, "and we have to understand how to safeguard against it."



Anthropic has said it intends to publish a report within 90 days on vulnerabilities found and patched through Project Glasswing, along with recommendations for how security practices should evolve. For financial institutions from Washington to Mumbai still seeking access and answers, that timeline may feel both necessary and distant.