Global financial regulators scramble to assess cybersecurity risks from Anthropic's Mythos AI model

New Capabilities

Central banks in the US, UK, and Canada convene emergency meetings with financial institutions after Anthropic reveals an AI model capable of finding thousands of previously unknown software vulnerabilities

April 11th, 2026: Bank of England schedules Mythos discussions with UK banks

Overview

An AI model that can find software flaws no human has caught in nearly three decades has triggered a coordinated response from central banks across the Western world. Anthropic's Claude Mythos Preview, which the company says discovered thousands of previously unknown vulnerabilities in every major operating system and web browser, prompted the US Treasury and Federal Reserve to summon Wall Street chief executives to Washington on April 8. By April 11, the Bank of England, the Bank of Canada, and their respective financial regulators had convened or scheduled their own emergency sessions with banks.

The core fear is asymmetric: Mythos can find exploitable flaws faster than financial institutions can patch them, and similar capabilities will inevitably appear in models from other companies. Anthropic chose not to release Mythos publicly, instead restricting access to 12 major technology and financial firms through an initiative called Project Glasswing. But regulators now face a question with no precedent—how to defend a financial system built on software that a single AI model has shown to be riddled with decades-old holes.

Why it matters

If AI can find software vulnerabilities faster than banks can fix them, every digital financial transaction becomes less secure overnight.

Key Indicators

Thousands
Zero-day vulnerabilities discovered
Mythos Preview identified thousands of previously unknown critical flaws across major operating systems, browsers, and other software
27 years
Oldest vulnerability found
A vulnerability in OpenBSD, an operating system known for its security, that went undetected for nearly three decades
$100M
Anthropic's Project Glasswing commitment
Usage credits committed to partner organizations for defensive vulnerability scanning
12
Project Glasswing launch partners
Including Amazon Web Services, Apple, Google, Microsoft, JPMorgan Chase, and CrowdStrike
3
Central banks that convened discussions
The Federal Reserve, Bank of England, and Bank of Canada all held or scheduled emergency meetings with financial institutions within days of each other

Timeline

February 2026 to April 2026. 9 events; latest: April 11th, 2026.
  1. Bank of England schedules Mythos discussions with UK banks

    Latest Regulatory

    The Bank of England announces that Mythos will be on the agenda for upcoming Cross-Market Operational Resilience Group (CMORG) and CMORG AI Working Group meetings, to include the Treasury, the Financial Conduct Authority, and the National Cyber Security Centre.

  2. Bank of Canada convenes financial sector meeting

    Regulatory

    The Bank of Canada and the Canadian Financial Sector Resilience Group—including the country's six largest banks, the Office of the Superintendent of Financial Institutions (OSFI), and the federal Ministry of Finance—meet to discuss Mythos cybersecurity risks.

  3. Bessent and Powell summon Wall Street chief executives

    Regulatory

    Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convene an emergency meeting at Treasury headquarters with the chief executives of Bank of America, Citigroup, Goldman Sachs, Morgan Stanley, and Wells Fargo. JPMorgan's Jamie Dimon was the only major banking chief executive unable to attend.

  4. Anthropic launches Mythos Preview and Project Glasswing

    Release

    Anthropic publicly reveals Mythos Preview's capabilities—thousands of zero-day vulnerabilities found across every major operating system and browser—and announces Project Glasswing, restricting access to 12 partner organizations for defensive security work. The company commits $100 million in usage credits.

  5. Data leak reveals Mythos model

    Disclosure

    Fortune reports that a misconfigured content management system exposed nearly 3,000 unpublished assets from Anthropic's blog, including descriptions of an unreleased model called Claude Mythos that Anthropic calls a "step change" in capabilities with "meaningful advances in reasoning, coding, and cybersecurity."

Historical Context

3 moments from history that rhyme with this story — and how they unfolded.

1997-2000

Y2K Financial Sector Preparations (1997-2000)

Regulators discovered that a date-formatting limitation embedded across decades of financial software could cause widespread system failures on January 1, 2000. The Federal Financial Institutions Examination Council required banks to submit remediation plans, the Bank of England created a dedicated task force, and the Basel Committee established the Joint Year 2000 Council to coordinate the global financial sector response.

Then

An estimated $300-600 billion was spent globally on remediation. The transition to 2000 passed without major financial system disruption.

Now

Established the template for coordinated multi-regulator, multi-country responses to technology risks in the financial system. Led to the creation of standing operational resilience frameworks that regulators are now activating for Mythos.

Why this matters now

Y2K was the last time regulators simultaneously discovered that the entire financial system ran on software containing deeply embedded, decades-old flaws. The Mythos situation is structurally similar—except the flaws are security vulnerabilities rather than date bugs, and they can be actively exploited by adversaries.

December 2020 - March 2021

SolarWinds Supply-Chain Compromise (2020)

Attackers compromised the software update mechanism of SolarWinds' Orion network management platform, distributing malicious code to approximately 18,000 organizations including the US Treasury, the Office of the Comptroller of the Currency, and numerous financial institutions. The breach went undetected for months.

Then

The Cyber Unified Coordination Group was established across FBI, CISA, ODNI, and NSA. Congressional hearings followed. Financial regulators issued heightened monitoring advisories.

Now

Drove Executive Order 14028 on cybersecurity (May 2021), which mandated software supply-chain security improvements for federal contractors and established new incident reporting requirements.

Why this matters now

SolarWinds demonstrated that a single point of compromise in widely used software could threaten the entire financial system. Mythos raises the same systemic concern but at far greater scale—it found vulnerabilities not in one product but across every major operating system and browser.

2013-2017

Dual-Use Export Controls on Surveillance Technology (2013-2017)

After revelations that companies like Hacking Team and FinFisher sold exploit tools and surveillance software to authoritarian governments, the 41-nation Wassenaar Arrangement added "intrusion software" to its dual-use export control list in December 2013. The US Commerce Department proposed implementing rules in 2015 that cybersecurity researchers warned would criminalize legitimate defensive security work.

Then

The initial US implementation was withdrawn after receiving over 300 negative public comments, largely from security researchers arguing it would hamper vulnerability research.

Now

Revised rules adopted in 2017 narrowed the scope, but the episode demonstrated the difficulty of regulating dual-use cyber capabilities without undermining defensive security.

Why this matters now

Mythos embodies the same dual-use tension: the model that can find vulnerabilities for defenders can also find them for attackers. Regulators face the same challenge of restricting offensive use without crippling the defensive applications that Project Glasswing represents.
