- Treasury Secretary Bessent and Fed Chair Powell convened bank CEOs over AI-enabled cyber threats tied to Anthropic’s Mythos model.
- Mythos discovered vulnerabilities sitting undetected in financial infrastructure for up to 27 years.
- Banks now face a tool that works as both shield and weapon—the same model that finds flaws can exploit them.
Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell didn’t schedule the meeting lightly. On April 28, the two summoned chief executives from the nation’s largest banks to the White House for a frank discussion about what happens when AI finds every vulnerability a human hacker ever missed—and who gets there first. The trigger was Anthropic’s Mythos model, a frontier AI system that cybersecurity experts have called the most significant cyber risk to the financial sector in a generation. According to reporting on the meeting, Bessent and Powell had separately warned bank CEOs about Anthropic model risks in prior sessions, and the April 28 gathering reflected escalating concern over what Mythos had uncovered.
The urgency is rooted in what Mythos actually does. According to former National Cyber Director Kemba Walden, Mythos doesn’t just discover vulnerabilities—it autonomously builds and chains exploits together, then covers its tracks to make defensive attribution nearly impossible. “The model represents a leap in defensive AI capabilities, but it also possesses inherent risks that expose vulnerabilities in our critical infrastructure and systems,” Walden wrote in Fortune. Mythos is said to find flaws in “virtually any and every operating system, browser, or other software product.”
The financial sector’s exposure is not hypothetical. Research published April 28 by the Cambridge Centre for Alternative Finance—prepared alongside the Bank for International Settlements, the International Monetary Fund, and other multilateral institutions—involved surveying 350 financial institutions, 140 AI vendors, and 130 central bank and financial authorities across 151 countries. The finding: financial institutions are adopting AI at more than twice the rate of their supervisors. Only two in ten regulators report “advanced AI adoption.” Just 24% of authorities collect any data on industry AI adoption. And 43% have no plans to start within the next two years.
Regulators Are Behind—and Running Out of Time
“This empirical blind spot may undermine the prevailing optimism on AI,” the Cambridge/BIS/IMF report found. “Authorities cannot successfully harness or oversee AI if they are navigating its adoption and risks without hard data.” The report, which cited Mythos as an example of next-generation systems capable of exploiting software vulnerabilities at scale, noted that regulators globally have stepped up warnings about AI risks in finance—and that authorities have engaged with banks over how prepared their legacy systems are for emerging frontier models. Banks, not regulators, are ahead of the curve on understanding what Mythos means for their infrastructure.
The 27-year figure is striking in context. If a vulnerability went undetected from roughly 1999, it predates the iPhone, most modern banking apps, and virtually all existing cybersecurity tools built to defend against it. Legacy banking infrastructure runs on systems that were designed before AI-powered exploitation was conceivable—and Mythos has now catalogued what’s been hiding in that gap for nearly three decades.
The meeting at the White House was not academic. Bessent and Powell were joined by tech executives in addition to bank leaders, reflecting the reality that the vulnerabilities Mythos finds don’t stay within organizational boundaries. The Bank of England has separately discussed Mythos with UK banks, and Japan’s financial services sector has reportedly been rattled by the model’s demonstrated capabilities. The UK financial sector, according to a Bank of England co-chaired group, says it is prepared—though what “prepared” means when a model can autonomously chain exploits remains an open question.
The Dual-Use Problem Has No Easy Answer
The fundamental challenge is that the same model finding vulnerabilities for banks to patch is the same model adversaries could use to exploit them before the patch arrives. Anthropic has not publicly released Mythos, restricting it to authorized defense and research partners. But the model has already demonstrated capabilities that make traditional risk frameworks obsolete. As the Cambridge/BIS/IMF report noted, “traditional approaches to oversight become harder to apply in the context of more autonomous systems that are provided and managed by third-party vendors.” Banks are caught between deploying AI offensively to find problems before attackers do, and accepting that every defensive capability is simultaneously a potential attack vector.
For now, the meeting produced no immediate policy announcements. But the signal from Bessent and Powell was clear: the government views Mythos-class AI capabilities as a systemic financial risk, not a theoretical one. Whether that recognition translates into actual regulatory frameworks before the next 27-year vulnerability surfaces is a different question entirely.