The Bank of England’s Cross Market Operational Resilience Group will convene within days to brief major UK banks, insurers, and exchanges about Anthropic’s Claude Mythos Preview.
This unreleased AI model regulators say can autonomously identify and exploit vulnerabilities across every major operating system and web browser. The US Treasury, the Federal Reserve, and the Bank of Canada have already held emergency sessions.
Within days, senior executives from major UK banks, insurers, and financial exchanges will be briefed by the Bank of England, the Financial Conduct Authority, HM Treasury, and the National Cyber Security Centre about the cybersecurity implications of a new AI model that has already prompted emergency meetings at the highest levels of financial regulation in the United States and Canada.
The model is Claude Mythos Preview, built by Anthropic. It is not publicly available.
According to Bloomberg, Anthropic’s Mythos model is on the agenda for the Bank of England’s next Cross Market Operational Resilience Group and CMORG AI Taskforce meetings, scheduled within the next fortnight.
The 💜 of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!
CMORG is a high-level body whose members include the CEOs of the UK’s eight largest banks, four financial infrastructure providers, two insurers, and representatives from the Treasury, BoE, FCA, and NCSC.
The regulatory response in the UK follows an emergency meeting in Washington last week at which US Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened the heads of systemically important US banks, including Jane Fraser of Citigroup, Brian Moynihan of Bank of America, Ted Pick of Morgan Stanley, Charlie Scharf of Wells Fargo, and David Solomon of Goldman Sachs, to discuss Mythos’s implications.
CNBC confirmed the meeting, which Bloomberg first reported. The presence of Powell was described by people familiar with the matter as significant: the Fed chair typically preserves a clear separation from the Treasury, and his attendance signalled the issue was being treated as a systemic financial stability concern rather than a technology policy matter.
JPMorgan Chase CEO Jamie Dimon was unable to attend but JPMorgan is listed as a launch partner for Anthropic’s associated initiative, Project Glasswing. The Bank of Canada separately held its own meeting with Canadian banks and financial institutions on the same topic.
Mythos Preview is described by Anthropic as a general-purpose frontier model with exceptional capabilities in computer security tasks. In its own documentation and in Anthropic’s public Project Glasswing announcement, the company says the model has already identified thousands of zero-day vulnerabilities, previously unknown security flaws, across every major operating system and web browser.
In one case cited by Anthropic’s security team, the model identified a method of breaching a web browser in a way that would allow a malicious website to read data from another site, including, as Anthropic put it, “the victim’s bank.”
Testing also uncovered a 27-year-old weakness in OpenBSD. Anthropic has said the model can identify and exploit such vulnerabilities autonomously when instructed to do so, and that it withheld public release specifically because of these capabilities.
The UK’s AI Security Institute evaluated Mythos and described it as broadly comparable to peer models on single cyber tasks but stronger at chaining multiple steps into complete intrusions — and as the first model to complete a full cyber-range attack end-to-end, according to Resultsense.
Project Glasswing, Anthropic’s response to the risks its own model poses, gives approximately 40–50 organisations early controlled access to Mythos Preview.
Named partners include Amazon Web Services, Apple, Google, Microsoft, Nvidia, Cisco, and JPMorgan Chase. Anthropic has committed up to $100 million in Mythos usage credits across these efforts plus $4 million in direct donations to open-source security organisations.
The premise is that defenders should have time to find and patch vulnerabilities before the model, or similar models from competitors, which Anthropic says are not far behind, reaches broader or malicious access.
Not everyone has accepted Anthropic’s framing at face value. Security technologist Bruce Schneier wrote that the episode “is very much a PR play by Anthropic, and it worked,” noting that “lots of reporters are breathlessly repeating Anthropic’s talking points without engaging with them critically.”
Schneier observed that the security firm Aisle had been able to replicate some of the vulnerabilities Anthropic found using older, cheaper public models, though he acknowledged a meaningful distinction exists between finding a vulnerability and weaponising it into a full exploit.
Former UK NCSC head Ciaran Martin offered a more measured read: the collapse of the vulnerability discovery timeline from months to seconds or hours “is challenging,” he told AFP, but also creates “a real opportunity here to fix a lot of the internet’s hidden bugs.”
David Sacks, who recently departed his White House AI and cryptocurrency role, posted scepticism about Anthropic’s claims repeatedly over the weekend.
The regulatory response is unfolding against a complicated political backdrop. Anthropic is currently in a dispute with the US Department of Defense, which designated the company as a supply-chain risk to national security earlier this year, prompting Anthropic to push back with legal action.
President Trump and Defence Secretary Hegseth have publicly criticised Anthropic over its insistence on limits to military uses of its AI.
The Mythos episode has created an unusual situation in which a company at odds with the administration over AI governance is simultaneously being treated by the Treasury and Federal Reserve as a key partner in protecting systemic financial infrastructure.
BoE Governor Andrew Bailey named Mythos explicitly by name in a speech at Columbia University on 15 April, describing it as a major cybersecurity concern and saying that cyber had climbed regulators’ risk rankings “faster than any other category in recent years.”
With all of this, Anthropic plans to make its new Mythos model available to financial institutions in the UK next week, according to Pip White, the company’s head of UK, Ireland, and Northern Europe.
