UK Banks to Receive Mythos Briefing This Week

Within days, senior officials from the UK’s most prominent financial institutions will gather for a critical briefing. The Bank of England’s Cross Market Operational Resilience Group, alongside the Financial Conduct Authority and the National Cyber Security Centre, will detail the profound cybersecurity implications of Anthropic’s Claude Mythos Preview. This unreleased frontier AI model has already triggered high-level emergency meetings among US and Canadian regulators, signaling a shift in how global finance views systemic digital threats.

The model’s specific capability to autonomously identify and exploit vulnerabilities has placed it at the top of the regulatory agenda. According to its developers, Mythos has discovered thousands of previously unknown zero-day vulnerabilities across every major operating system and web browser. In one documented instance, it found a method for a malicious website to breach a browser and read data from another site, which could include a victim’s online banking portal. The model has also demonstrated the ability to chain multiple attack steps into a complete end-to-end intrusion, a capability confirmed by the UK’s own AI Security Institute.

This briefing follows a significant meeting in Washington last week. US Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened the CEOs of America’s largest banks, including Citigroup and Bank of America, to discuss the model’s risks. Powell’s presence was particularly notable, indicating the issue is being treated as a core financial stability concern rather than a mere technical policy matter. Separately, the Bank of Canada held its own consultations with major financial institutions.

In response to the dangers posed by its own creation, Anthropic launched Project Glasswing. This initiative provides early, controlled access to Mythos Preview for approximately four dozen organizations, including named partners like Amazon, Apple, Google, Microsoft, and JPMorgan Chase. The company has committed substantial resources, including $100 million in usage credits, under the premise that defenders must be equipped to find and patch flaws before malicious actors or competing models can leverage them. The goal is to radically compress the vulnerability discovery timeline, turning a potential wave of attacks into an opportunity for proactive defense.

However, this narrative has not been universally accepted. Prominent security expert Bruce Schneier characterized the rollout as a highly effective public relations play, arguing that many reports have uncritically repeated Anthropic’s claims. He noted that some of the vulnerabilities could be found with older, cheaper models, though he acknowledged a critical difference between finding a flaw and weaponizing it into a full exploit. Others, like former NCSC head Ciaran Martin, offered a more balanced view, calling the accelerated timeline “challenging” but also a potential catalyst to fix a vast number of hidden internet bugs.

The situation is further complicated by Anthropic’s tense relationship with the US government. The company is currently in a legal dispute with the Department of Defense, which labeled it a supply-chain risk to national security earlier this year. This creates a paradoxical scenario where a firm at odds with the administration on AI governance is simultaneously being engaged by the Treasury and Federal Reserve as a crucial partner in safeguarding the financial system.

Bank of England Governor Andrew Bailey explicitly cited Mythos in a recent speech, noting that cybersecurity has risen faster than any other category on regulators’ risk lists. As this complex backdrop unfolds, Anthropic plans to proceed with offering the model to UK financial institutions starting next week, ensuring that the conversation around AI, security, and systemic risk is only just beginning.