A specific type of meeting that hardly ever takes place in Washington without leaking occurred earlier this month. The heads of America’s biggest banks, Treasury Secretary Scott Bessent, and Federal Reserve Chair Jay Powell convened in a room not to talk about tariffs, rates, or some kind of quarterly stress test. They had come to discuss a piece of software. In particular, Anthropic’s Claude Mythos AI model, which the company itself determined was too risky to ship.
Just the optics are amazing. CEOs of banks don’t set aside time on their calendars for academic matters. That same week, Jamie Dimon had already stated in his shareholder letter that cybersecurity was still one of the company’s biggest risks and that AI would almost certainly make matters worse. That warning gained a face when Mythos emerged. Watching the executives of Citigroup and Goldman Sachs get a private briefing on a chatbot’s progeny is somewhat bizarre, but that is essentially what transpired.
| Anthropic Mythos: Quick Profile | Details |
|---|---|
| Developer | Anthropic, based in San Francisco |
| Model name | Claude Mythos Preview |
| Release date | 7 April 2026 (restricted access only) |
| Distribution program | Project Glasswing, ~40–50 partner organizations |
| Notable partners | Amazon, Microsoft, Google, Cisco, CrowdStrike, JPMorgan Chase |
| Independent reviewer | UK AI Security Institute |
| Most striking finding | A 27-year-old vulnerability in OpenBSD |
| Banks summoned by U.S. Treasury | Bank of America, Citigroup, Goldman Sachs, Morgan Stanley, Wells Fargo |
| Key concern | Autonomous chaining of zero-day exploits |
| Regulatory body weighing in | Bank of England |
| Status of public release | Withheld indefinitely |
The nature of Mythos’ capabilities and what Anthropic has acknowledged in writing set it apart from the lengthy parade of AI announcements. According to the company, the model outperforms all but the most proficient human researchers in its ability to identify and exploit software vulnerabilities. It found thousands of serious bugs in major operating systems and browsers during internal testing, including a 27-year-old vulnerability in OpenBSD. It combined several bugs into functional exploits, which up until recently required several months and a small team of highly skilled experts. Mythos did it on her own. Anthropic has stressed that the capability was not intentionally trained. It came out.
It’s not totally incorrect for skeptics to resist. Anthropic has a history of dramatic framing, adorable cartoons in the vein of Calvin and Hobbes combined with apocalyptic warnings, and the timing of all of this, with an impending IPO, is convenient. At the HumanX conference, Alex Stamos referred to it as a “marketing schtick,” and he was right. The only independent reviewer to date, the UK’s AI Security Institute, stated that Mythos was strong but not significantly superior to its predecessor in defended environments. In this field, hype has a long history.
Even so. It’s difficult to ignore the fact that those who are most qualified to ignore the issue are also the ones who are most inclined to do so. The Bank of England’s Andrew Bailey described it as a very serious challenge. The ECB’s Christine Lagarde put it this way: a responsible business created something that could be extremely beneficial, but it could also be disastrous if it went awry. Canada’s finance minister, François-Philippe Champagne, told the BBC that the Strait of Hormuz differs from this in that you can at least locate it. The unknown unknown is mythos.
Beneath it all is a structural issue that no one wants to talk about. The infrastructure of banks is multi-layered, old in some places, and was created decades before contemporary threat models. People who would know have referred to SWIFT, the messaging system that transfers a significant portion of the world’s currency, as a massive cluster of outdated technology. It’s not necessary for mythos to be magical. The current defenses, which are based on the premise that human attackers move one step at a time, are not made for an adversary that doesn’t sleep, doesn’t tire, and doesn’t require a coffee break in between exploits; it simply needs to be patient and parallel.
As this develops, there’s a sense that the financial industry is acknowledging its genuine uncertainty—something it seldom does in public. According to Bailey, the timing of regulations is unachievable because if they are implemented too soon, technology will be distorted, and if they are implemented too late, control will be lost. A central banker’s candor usually indicates that the runway is shorter than what the press releases indicate. Mythos might not live up to the hype. Alternatively, it might be the first of many. In any case, the meeting has already taken place, and that fact alone reveals the scenario that the adults are preparing for.
