Fed, Treasury Warn Bank CEOs About Mythos Risks

Federal Reserve Chair Jerome Powell and Treasury Secretary Scott Bessent held a closed-door meeting this week with chief executives of major U.S. banks to flag cyber risks posed by Anthropic's newest model, Claude Mythos. Anthropic says Claude Mythos can find and exploit vulnerabilities across every major operating system and web browser and has uncovered thousands of potential security issues. Access to the model is limited to about 40 technology partners as part of a defensive initiative, Project Glasswing.

Anthropic describes Claude Mythos as having advanced offensive and defensive cybersecurity capabilities; the company paused a broad release and limited access to about 40 partners including large cloud and hardware providers. Anthropic said the model identified software and browser vulnerabilities at scale and that it is engaging both government and industry to deploy the capability defensively. Banks were briefed on the model's dual-use nature and urged to assume a higher risk posture.

Key attendees and partners:

• •Bank CEOs reported present included leaders from Goldman Sachs, Bank of America, Citigroup, Morgan Stanley, and Wells Fargo; JPMorgan CEO Jamie Dimon was invited but unable to attend.
• •Project Glasswing partners named or reported include Amazon, Apple, Microsoft, Google, and Nvidia.

Why regulators convened: The Treasury-hosted meeting focused on the systemic risk that widely available tools able to discover or exploit software vulnerabilities could pose to the financial system. Regulators want banks to accelerate vulnerability management, strengthen detection and response, and coordinate intelligence sharing with vendors and government agencies. Anthropic has proactively briefed officials; the company warned, "Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely. The fallout-for economies, public safety, and national security-could be severe."

This is the most visible example to date of near-term government engagement on dual-use model risks for critical infrastructure. In 2023 the U.S. designated AI as a potential risk to financial stability; this meeting operationalizes that concern by bringing monetary and fiscal sector leadership into direct contact with private-sector systemically important firms. The limited-release approach for Claude Mythos echoes cautious gating seen elsewhere in the industry, but it also creates asymmetries: a small number of well-resourced defenders will have access to powerful capabilities that could be reverse engineered or leaked.

Banks should treat this as a call to action on measurable controls: accelerate asset inventory and patch cadence, expand threat-hunting coverage for AI-enabled exploit patterns, formalize vendor engagement around model-based discovery, and update playbooks for zero-day scale events. Expect increased demand for offensive-defensive AI tooling, rapid patch rollouts, and government-industry information sharing mechanisms.

Whether regulators issue formal guidance or require reporting, how Project Glasswing implements access controls and auditability, and whether other model providers adopt similar limited-release defensive collaborations. Monitor vendor disclosure timelines and any spike in coordinated vulnerability disclosure activity.