Anthropic's latest AI model is sparking fears from cybersecurity experts and the banking sector. Here's why. - CBC

Detailed Analysis

Anthropic's Claude Mythos Preview, the company's latest AI model, has prompted an unusually urgent response from cybersecurity professionals, financial institutions, and government actors following revelations about its autonomous vulnerability-discovery capabilities. Unlike prior AI models that demonstrated narrow or bounded security risks, Mythos autonomously identified thousands of high-severity, unpatched vulnerabilities across every major operating system and web browser — including flaws in the Linux kernel, OpenBSD, and FFmpeg that had evaded detection for decades, in some cases surviving over five million automated tests. According to testing conducted by the UK AI Security Institute, Mythos succeeded in 73% of expert-level cybersecurity challenges, including simulated multi-step cyberattacks, and demonstrated an ability to chain multiple distinct vulnerabilities into complex, layered exploits. Anthropic has assessed the model as too dangerous for general public release, citing the acute risk of misuse by criminal organizations and nation-state actors, and has restricted access to a closed set of technology partners — including Google, Amazon, Apple, Microsoft, and AWS — under a framework dubbed Project Glasswing.

The banking sector's response has been notably alarmed. Senior Wall Street executives convened an emergency session with Treasury Secretary Scott Bessent and Federal Reserve leadership to discuss exposure risks, reflecting a view that systemically important financial institutions represent high-value targets for exactly the kind of sophisticated, automated attacks Mythos could enable. IMF Managing Director Kristalina Georgieva separately raised concerns about AI-driven threats to global financial stability, calling for the establishment of regulatory guardrails before capabilities of this nature become more broadly accessible. The urgency in financial circles reflects a recognition that the attack surface of large institutions — sprawling legacy infrastructure, interconnected counterparty networks, and heavy reliance on widely deployed operating systems — maps closely onto the vulnerability classes Mythos has proven capable of exploiting.

The Mythos situation represents a meaningful inflection point in how the AI industry and governments conceptualize the dual-use risk of frontier models. Previous debates over AI safety tended to center on disinformation, bias, or long-horizon existential risk; Mythos forces a more immediate and operational reckoning with near-term, technically sophisticated harm. Anthropic's own internal communications, including a leaked blog post, characterized the model as outpacing the capacity of defenders to respond — a dynamic that, if accurate, structurally favors offensive actors who need only exploit a vulnerability once while defenders must identify and patch every instance. The company's estimate that comparable capabilities could emerge in competing models within six to twelve months adds time pressure to the policy response, compressing the window for governments and standards bodies to establish meaningful frameworks before such tools proliferate.

Anthropic's decision to gate access through Project Glasswing, channeling Mythos toward defensive applications such as red teaming, real-time threat monitoring, and coordinated vulnerability disclosure, represents one model of responsible deployment — but it has drawn criticism from those who argue that private corporate discretion is an insufficient governance mechanism for technology with national security implications. Critics, including some cybersecurity professionals, have called for direct government oversight rather than voluntary industry stewardship, pointing to the inherent conflict of interest in allowing a single company to simultaneously control access to a dangerous capability and define the terms of its safe use. The debate echoes longstanding tensions in dual-use technology policy — from cryptography to biotechnology — where the speed of commercial development has historically outpaced the formation of regulatory consensus.

Broader trends in AI development lend additional weight to the concerns raised by Mythos. The model's reported performance — described as roughly five times more capable than its immediate predecessors on security-relevant benchmarks — illustrates how rapidly capability thresholds are being crossed, often faster than either the research community or policymakers anticipate. The fact that Mythos uncovered vulnerabilities that had survived decades of conventional security auditing also underscores a growing asymmetry: AI systems can now engage in the kind of exhaustive, combinatorial reasoning that human security researchers cannot sustain at scale. If this trajectory continues, the question of who controls frontier AI models, and under what legal and ethical frameworks, may become one of the defining governance challenges of the decade.