- Treasury Secretary Bessent and Fed Chair Powell convened bank executives after Anthropic’s Mythos AI found critical financial system flaws sitting undetected for up to 27 years.
- Mythos discovered over 2,000 unknown software vulnerabilities in just seven weeks of testing—vulnerabilities human auditors missed for decades.
- Banks now face the dual-use paradox: the same AI that finds bugs can also exploit them, and regulators are struggling to keep pace.
Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell held an emergency meeting with major bank CEOs last week after Anthropic’s Mythos AI discovered critical vulnerabilities that had gone undetected in financial systems for as long as 27 years. The White House separately convened tech firms on April 28 to discuss the national security implications of the tool, according to Axios.
The discovery sent shockwaves through the financial sector. Mythos, Anthropic’s autonomous vulnerability research model, found more than 2,000 unknown software vulnerabilities in seven weeks of testing—flaws that existing security infrastructure had failed to detect, according to Fox News. Japan’s Financial Services Agency subsequently issued an alert after the country’s banks identified exposure to the same class of bugs, Dark Reading reported.
The UK’s Bank of England moved faster. A BoE-co-chaired industry group said the UK’s financial sector was already preparing testing protocols for Mythos-class tools, Insurance Journal noted. HMRC, the UK’s tax authority, separately requested access to test its own systems with Mythos, Bloomberg Law reported.
Why Banks Are Now Facing a Dual-Use Problem
The meeting crystallized a dilemma regulators have been circling for months: the same AI that finds vulnerabilities can also exploit them. Mythos demonstrated the offensive capability by default—find enough bugs and you inevitably find ones that double as attack vectors. Global regulators are trailing banks in understanding what these tools mean for systemic risk, KITCO reported.
The White House has pushed back on Anthropic’s plans to expand Mythos access, with experts warning the tool could cause AI doomsday scenarios if misused, the New York Post reported. CISA, the US cybersecurity agency, remains last in line for Mythos access, CSO Online reported—meaning the government’s primary cyber defense body cannot itself evaluate the findings.
Bessent and Powell’s decision to summon bank CEOs directly, rather than route through normal regulatory channels, reflects the unusual nature of the discovery: vulnerabilities this old suggest the flaws were either introduced deliberately or have been exploited without detection. No public statement has detailed which banks were affected or what specifically was found.
The UK’s financial sector prepared for Mythos through a Bank of England-coordinated working group—suggesting the American approach of emergency CEO meetings may be less structured than what UK regulators organized independently, Insurance Journal noted in its coverage.
Anthropic has not disclosed which specific vulnerabilities Mythos found. The company’s decision to restrict Mythos access while demonstrating its capabilities has drawn criticism from security researchers who say the tool’s findings should be public so systems can be patched. The company has reportedly offered limited access to government agencies on a case-by-case basis.