Finance Minister Nirmala Sitharaman raises alarm on bank security risk due to Anthropic Mythos AI - India Today

Detailed Analysis

India's Finance Minister Nirmala Sitharaman convened a high-level emergency meeting on April 23, 2026, bringing together the heads of public sector banks, Reserve Bank of India officials, CERT-In representatives, and Electronics and IT Minister Ashwini Vaishnaw to assess cybersecurity threats posed by Anthropic's newly disclosed AI model, Mythos — also referred to as Claude Mythos. The meeting resulted in a series of concrete directives aimed at fortifying India's financial infrastructure: establishing a coordinated response mechanism through the Indian Banks' Association (IBA), implementing real-time threat intelligence sharing with CERT-In, mandating immediate reporting of suspicious activity, and engaging top-tier cybersecurity professionals to bolster system defenses. Critically, no specific incidents within Indian banks were reported, indicating that the government's response is preemptive rather than reactive — a notable posture given the scale of the mobilization.

The urgency stems directly from the disclosed capabilities of Anthropic's Mythos model. Anthropic itself acknowledged that the system outperforms humans in cybersecurity tasks, demonstrating an ability to identify and exploit thousands of software vulnerabilities — including previously unknown bugs in major operating systems and browsers dating back as far as 27 years. The company withheld public release of the model precisely due to misuse risks, a rare self-imposed restraint that paradoxically underscored the severity of the threat. For India's banking sector, which handles vast volumes of digital transactions and customer data across a rapidly expanding fintech ecosystem, an AI system capable of autonomous vulnerability discovery and exploitation represents a qualitatively new category of systemic risk — one that traditional cybersecurity frameworks were not designed to anticipate.

The Sitharaman-led meeting reflects a broader global reckoning with advanced AI's dual-use nature in the financial sector. Germany's Bundesbank has issued similar warnings, and a Kotak InstitutionalEquities report flagged potential disruptions to India's substantial IT services industry from AI advancements of this caliber. What distinguishes India's response is its institutional scope: by looping in regulators, sector heads, government ministries, and national cybersecurity agencies simultaneously, the government is attempting to build a coordinated, multi-layered defense rather than leaving individual banks to assess and respond in isolation. This reflects growing recognition that AI-driven cybersecurity threats are not merely technical problems for IT departments but systemic risks requiring policy-level coordination.

The episode also highlights a deepening tension between AI frontier labs and national regulatory bodies worldwide. Anthropic's decision to withhold Mythos from public release demonstrates a degree of corporate responsibility, but the model's existence — and the government's knowledge of its capabilities — is itself sufficient to trigger defensive mobilization. This creates a paradox: the responsible disclosure of AI capabilities by developers may increasingly prompt preemptive regulatory responses, potentially shaping the conditions under which future AI systems are developed, tested, and reported. For India specifically, the meeting signals that AI governance in the financial sector is moving from a background policy discussion to an acute operational priority, with the country positioning itself as one of the more proactive emerging-market regulators in responding to frontier AI risk.