US Summons Bank Chiefs Over Anthropic Cyber Risks

Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened senior executives from systemically important banks after Anthropic disclosed that its new model, Claude Mythos, can identify and in some cases exploit software vulnerabilities. Regulators warned that the automation of vulnerability discovery could pose systemic cyber risks to financial infrastructure. Attendees included chiefs from Goldman Sachs, Bank of America, Citigroup, Morgan Stanley, and Wells Fargo, with JP Morgan invited. Anthropic has limited distribution of Claude Mythos following a partial code leak and said the model finds thousands of vulnerabilities; banks and regulators are accelerating defensive measures, threat-sharing, and red-teaming to reduce exposure.
What happened
The US Treasury, led by Scott Bessent, and the Federal Reserve, represented by Jerome Powell, summoned senior executives from systemically important banks to Washington after Anthropic revealed capabilities of its new model, Claude Mythos. Anthropic said the model can locate and, in demonstrations, craft exploits for software flaws, exposing thousands of vulnerabilities. Bank chiefs from Goldman Sachs, Bank of America, Citigroup, Morgan Stanley, and Wells Fargo attended; JP Morgan was invited but unable to attend.
Technical details
Claude Mythos is described by Anthropic as operating at a level that can outperform nearly all human vulnerability researchers on automated discovery tasks. Anthropic warned that models have surpassed "all but the most skilled humans at finding and exploiting software vulnerabilities," and a partial leak of code prompted the company to restrict access to a small set of corporate partners. Key technical takeaways for practitioners:
- Claude Mythos reportedly automates vulnerability discovery across major operating systems, web browsers, and popular applications, increasing discovery throughput and reducing time-to-exploit.
- The release model is limited, with pilot access granted to firms like Amazon, Apple, and Microsoft while broader distribution is paused.
- The primary risk vector is automated reconnaissance and exploit generation, which lowers the skill floor for attackers and could accelerate supply-chain and zero-day exploitation.
Context and significance
Financial institutions are high-value targets with complex technology stacks and deep third-party dependencies. The convergence of advanced large models and offensive security tooling changes the threat landscape in three ways. First, automation scales vulnerability discovery and reduces attacker turnaround time from finding a flaw to weaponizing it. Second, tooling that can both find and craft exploits compresses the attacker lifecycle, increasing the probability of successful intrusions before defenders can patch. Third, an uneven access model creates asymmetric risk: firms and nation-states with access to capable models may gain offensive advantages, while others face elevated defensive burdens. Jamie Dimon has long warned that cybersecurity "remains one of our biggest risks" and that "AI will almost surely make this risk worse," a view regulators clearly took into the meeting.
Operational implications for institutions
Banks must treat this as a strategic shock to their cyber risk calculus. Immediate and medium-term actions include:
- Expanding continuous vulnerability scanning and prioritized patching for internet-facing and critical internal assets.
- Accelerating adversary simulation and red-team exercises that incorporate AI-assisted offensive tooling to validate detection and response playbooks.
- Enhancing supply-chain risk management and third-party due diligence, since the model can surface vulnerabilities in widely used libraries and frameworks.
- Increasing cross-industry information sharing of indicators and attack patterns, coordinated with regulators and CERTs.
What to watch
Regulators may translate the meeting into tighter supervisory guidance, mandatory reporting requirements for AI-related exploitation, or coordinated incident response frameworks for systemically important financial institutions. Watch for follow-on guidance from the Treasury, the Fed, and US-CERT, as well as policy moves on disclosure and controlled access to powerful model capabilities.
Bottom line: The Anthropic Claude Mythos episode is a catalyst, not a one-off. It accelerates an arms race where offensive capabilities become cheaper and faster, forcing financial institutions and regulators to reconsider defensive posture, threat intelligence sharing, and the governance of high-capability models.
Scoring Rationale
This is a major, industry-level cyber risk story: a model that automates vulnerability discovery affects systemically important banks and national security. Regulators convening bank chiefs elevates it beyond a technical curiosity to supervisory and operational urgency.


