Anthropic to brief global financial regulators on Mythos cybersecurity findings

At a glance:

• Anthropic will brief the Financial Stability Board on cybersecurity vulnerabilities found by its Mythos AI model
• The model reportedly discovered thousands of high-severity flaws in major operating systems and browsers, with an 83% success rate in developing exploits
• The briefing follows global regulatory concern after Bank of England Governor Andrew Bailey highlighted Mythos as a major cybersecurity development

What happened

Anthropic is preparing to brief the Financial Stability Board on the cybersecurity vulnerabilities its Mythos model has been identifying in the global financial system, according to a Financial Times report. The briefing has been requested by Andrew Bailey, the Bank of England governor and Financial Stability Board chair, and will be delivered to G20 finance ministries and central banks under the board's umbrella.

This represents a significant moment in the intersection of artificial intelligence and cybersecurity regulation. Bailey, who chairs the global financial-risk watchdog, specifically invited Anthropic to present findings from Mythos, underscoring the model's importance to global financial stability. The briefing closes a regulatory arc that began with Bailey's April 15 speech at Columbia University, where he named Mythos alongside the Gulf escalation as one of two events that had moved cyber up regulators' risk ranking 'faster than any other category in recent years.'

The Mythos model

Mythos, announced last month but not yet released, is Anthropic's cybersecurity model designed to surface long-standing vulnerabilities in browsers, infrastructure, and software. The company claims it has already found thousands of high-severity flaws across major operating systems and web browsers. When directed to develop working exploits against those flaws in internal testing, the model reportedly succeeded on the first attempt in more than 83% of cases.

What makes Mythos particularly noteworthy is that it appears to be the first publicly disclosed AI system that has, on its developer's own account, found exploitable vulnerabilities in 'every major operating system and web browser.' This comprehensive discovery capability has raised both excitement and concern among cybersecurity professionals and regulators alike. The dual-use implications were obvious to regulators even before the model went public, given its potential to be used for both defensive security research and offensive cyber operations.

Global regulatory response

The impact of Mythos has been felt across multiple continents and jurisdictions. Following Bailey's Columbia remarks, UK banks were given their own Mythos briefing within days. The Federal Reserve and US Treasury subsequently convened the chief executives of major American banks to discuss the same risk. Australia's securities regulator joined the watch-list in early May, while Euro-area finance ministers raised access demands of their own.

Internationally, Mythos has been delivered into Japanese megabanks, demonstrating the model's global relevance. This widespread regulatory interest has created a coordinated response pattern, with financial supervisors on three continents now engaged with the implications of Anthropic's findings. The FSB briefing represents the first time these requests will be coordinated internationally rather than handled on a national basis, potentially setting a precedent for how AI-driven cybersecurity discoveries are regulated in the future.

Project Glasswing

Mythos is currently being made available under 'Project Glasswing,' the controlled-access program Anthropic has established to limit who can run the model and against what targets. Roughly 40 to 50 organizations have early access to the system, including major technology and financial firms such as AWS, Apple, Google, Microsoft, Nvidia, Cisco, and JPMorgan.

This controlled distribution approach reflects the dual-use nature of the technology and the concerns about potential misuse. Bank supervisors outside the current access list have, on the public record, been pressing for either direct access or a regulator-mediated equivalent. The FSB session will provide a forum for these requests to be discussed collectively rather than individually, potentially leading to a more standardized approach to access and oversight of such powerful cybersecurity AI systems.

Political implications

The briefing takes place against a complex political backdrop. The model being presented to G20 financial regulators is a US-headquartered AI system whose distribution and military access have been the subject of an ongoing negotiation between Anthropic and the Trump administration. Regulators on the receiving end will be aware that the company appearing before them has simultaneously been navigating its export profile with Washington.

This geopolitical context adds another layer to the already complex discussion about AI and cybersecurity. Anthropic and the FSB had not responded to Reuters requests for comment by the time of the report, and the timing of the actual briefing has not been publicly disclosed. The lack of transparency around these discussions highlights the delicate balance between technological advancement, national security interests, and international cooperation in the realm of AI-powered cybersecurity.

Why it matters

The FSB briefing marks the first time the global financial-supervision community will collectively assess the practical implications of an AI system that has demonstrated an unprecedented ability to discover critical vulnerabilities across major software platforms. The question Bailey raised at Columbia—of how much harder the model has made the attack side relative to the defense side—remains the central concern for regulators worldwide.

This development comes at a critical juncture in cybersecurity, as organizations globally already struggle to defend against increasingly sophisticated threats. The fact that an AI system can identify and potentially exploit vulnerabilities with such high success rate represents both a powerful defensive tool and a potential threat multiplier. As financial institutions become more digitally interconnected, the security of their underlying systems becomes paramount to global economic stability, making this briefing not just a technical discussion but a matter of international economic importance.