Detailed Analysis
Anthropic's newly disclosed AI model, Mythos, is drawing urgent regulatory scrutiny from financial authorities on both sides of the Atlantic, as U.S. and UK officials prepare formal warnings to major banks about the cybersecurity risks the system poses to critical financial infrastructure. In the United States, Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened senior Wall Street executives to assess the threat landscape and ensure institutions were hardening their networks ahead of broader deployment. The Federal Reserve's direct involvement signals that regulators are treating Mythos not as an isolated commercial product concern but as a potential systemic risk — the kind of designation typically reserved for threats capable of cascading across interconnected financial systems. In the UK, a coordinated response involving the Bank of England, the Financial Conduct Authority, HM Treasury, and the National Cyber Security Centre is underway, with formal warnings to banks, insurers, and exchanges expected within a fortnight.
The core concern centers on Mythos's acknowledged capability to identify and exploit vulnerabilities in major software and browsers when directed by a user. Anthropic itself has disclosed this offensive cyber capability, framing it as a dual-use tool with both attack and defense applications. To manage the risks before any wider commercial release, the company launched "Project Glasswing," a restricted access program limited to a select group of large technology and financial firms. The stated purpose is to leverage the model's capabilities to help secure critical systems — essentially deploying the model's offensive knowledge in service of defense — but regulators appear unconvinced that these guardrails are sufficient given the scale and interconnectedness of global financial infrastructure.
The episode represents a significant escalation in the regulatory conversation around frontier AI models and their intersection with critical national infrastructure. Unlike prior AI safety debates, which often centered on disinformation, bias, or labor displacement, the Mythos situation places a specific, technically capable model at the center of a live geopolitical and systemic risk discussion. The fact that Anthropic consulted with U.S. officials ahead of Mythos's launch regarding its offensive and defensive cyber capabilities suggests the company anticipated regulatory friction and attempted to manage it proactively — yet the urgency of subsequent government-level meetings indicates that consultation did not fully resolve policymakers' concerns.
Broader context reveals that this moment fits into an accelerating pattern in which frontier AI capabilities are outpacing existing regulatory frameworks. Financial regulators, historically focused on capital adequacy, liquidity risk, and conduct, are now being asked to adjudicate the cybersecurity properties of AI models — a technical domain that requires entirely different expertise. The coordinated transatlantic response, while notable for its speed, also underscores how fragmented the global governance landscape remains: the U.S. and UK are acting in parallel rather than through any unified international framework, raising questions about whether institutions in other jurisdictions face equivalent exposure without equivalent warnings.
The Mythos situation may ultimately serve as a defining test case for how AI developers, financial institutions, and sovereign regulators negotiate the deployment of dual-use AI systems. Project Glasswing's controlled rollout model — granting early access to vetted firms in exchange for participation in security hardening — reflects an emerging industry approach to managing dangerous capability releases, but it places enormous trust in a small cohort of private actors to identify and report vulnerabilities rather than exploit them. Whether this public-private arrangement proves adequate to the risks Mythos presents, or whether it becomes the template for managing future frontier model deployments, will depend heavily on the transparency and enforceability of the agreements underpinning it.