India Flags Mythos AI Cyber Risk to Banks

Finance Minister Nirmala Sitharaman convened a high-level meeting with heads of scheduled commercial banks, the IT Minister, the RBI, NPCI, and CERT-In, India Today reports. The meeting asked banks to take pre-emptive measures, advised a real-time threat-intelligence sharing mechanism with CERT-In, and tasked the Indian Banks' Association (IBA) with developing a coordinated institutional response, India Today reports. The Ministry of Finance posted on X that the threat from Claude Mythos is "unprecedented and requires a very high degree of vigilance, preparedness and better coordination across financial institutions and banks," India Today reports. Economic Times quotes Sitharaman saying, "We need something new, something far more versatile to be able to counter the newer threats which are likely to come." The Indian Express reports the government is in conversation with Anthropic after a briefing that Mythos may have been accessed by unauthorized individuals raised concerns.

Per public reporting, Anthropic unveiled a restricted preview of Claude Mythos as part of Project Glasswing and has limited access to the model, Forbes India and Indian Express report. Indian Express reports that independent testing by the UK AI Security Institute put Mythos at 73% on expert-level hacking tasks and that Anthropic has described the model as unusually capable at finding software vulnerabilities. India Today and Indian Express report Anthropic has granted access to a small set of partners, numbering around 40 firms, while keeping wider release restricted.

Public reporting places India's convening in a broader wave of government and financial-sector concern. Indian outlets note that other governments and major financial institutions have held discussions about Mythos; Indian Express and India Today report similar outreach by regulators and banks abroad. Industry observers following analogous incidents note that tools which accelerate vulnerability discovery quickly change the defender-attacker timing dynamic and complicate existing disclosure and patching processes.

For practitioners: monitor whether regulators publish specific guidance or mandatory disclosure timelines for AI-driven vulnerability discoveries; watch whether CERT-In or the IBA operationalize real-time threat-intelligence sharing; and track any public notices from Anthropic about access controls or third-party audits. For security teams: watch for independent vulnerability reports citing exploitability, and for coordination between software vendors, banks, and national CERTs on emergency patches.

Editorial analysis: The public reporting demonstrates a rare intersection of advanced generative models and critical-infrastructure risk, prompting regulator-led convenings rather than industry-only responses. Industry-pattern observations suggest that when models materially lower the cost of finding vulnerabilities, organizations typically accelerate investment in detection, disclosure coordination, and cross-institution information sharing. For practitioners, the immediate priorities implied by reporting are strengthening telemetry for anomalous activity, formalizing intelligence-sharing channels, and integrating model-driven vulnerability findings into existing patch-management workflows.