Anthropic Mythos Prompts Treasury Meeting with Bank CEOs

US Treasury Secretary Scott Bessent has convened an emergency meeting with the chief executives of major American banks following a series of disclosures regarding "Claude Mythos," a new frontier AI model from Anthropic that has demonstrated an unprecedented ability to autonomously exploit critical software vulnerabilities.

Claude Mythos demonstrates autonomous discovery of decades-old zero-days

The catalyst for the current regulatory urgency is the performance of Claude Mythos Preview, an unreleased model that Anthropic claims has surpassed nearly all human experts in identifying software flaws. Unlike previous iterations of large language models that required significant human prompting to identify code errors, Mythos appears capable of autonomous vulnerability discovery and exploit development.

In technical disclosures, Anthropic revealed that the model identified a 27-year-old remote-crash vulnerability in OpenBSD—an operating system widely regarded as a gold standard for security-hardened infrastructure. Perhaps more concerning for industrial and financial operators was the discovery of a flaw in the FFmpeg library. This specific line of code had reportedly been subjected to over five million automated tests using traditional "fuzzing" techniques without the bug being detected.

The ability of Mythos to find bugs that survived decades of human and automated scrutiny suggests a shift from brute-force testing to semantic reasoning. This means the AI is not just guessing inputs until something breaks; it is "understanding" the logic of the software to find architectural oversights. For financial institutions relying on legacy codebases, this capability represents a direct threat to the assumption that "mature" code is inherently more secure.

Project Glasswing forms a defensive coalition to preempt AI-driven exploits

In an attempt to manage the implications of this breakthrough, Anthropic has launched Project Glasswing, a defensive initiative involving Amazon Web Services, Google, Microsoft, NVIDIA, and several major cybersecurity firms. The project aims to use Mythos to scan and secure critical infrastructure before the same capabilities are developed or leaked to adversarial actors.

Project Glasswing - a new initiative that brings together Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks in an effort to secure the world’s most critical software.

Anthropic has committed $100 million in usage credits to help partners, including JPMorgan Chase, secure first-party and open-source systems. This proactive disclosure is intended to create a "defensive advantage," but it highlights a significant operational risk: the speed of discovery now vastly outpaces the speed of remediation. While Mythos can identify thousands of high-severity vulnerabilities in weeks, the human-led process of security through automated code reviews and manual patching often takes months for large-scale enterprise deployments.

The coalition’s focus on the Linux kernel and major web browsers acknowledges that the modern financial system is built on a shared digital foundation. If the "base layer" of the internet is vulnerable to autonomous exploitation, individual bank security becomes secondary to the stability of the underlying infrastructure.

Treasury intervention signals concern over financial infrastructure stability

The emergency meeting called by Secretary Bessent indicates that the US government views this as a systemic economic risk rather than a standard IT security update. Reports from the assessment of risks to banking infrastructure suggest that regulators are particularly concerned about "zero-day" vulnerabilities in the Swift messaging system and internal ledger software used by global Tier 1 banks.

Scott Bessent calls emergency meeting with bank CEOs over AI that could crash the financial system — what is Anthropic’s Mythos and why the panic?

The core of the concern lies in the potential for a "flash-crash" style compromise. If an adversarial actor were to deploy a model with Mythos-level capabilities, they could theoretically chain together multiple vulnerabilities to bypass authentication and disrupt the flow of capital in real-time. This risk is compounded by the tradeoffs between AI plausibility and technical debt that many institutions have inherited from decades of rapid digitization.

Financial regulators in the UK have also joined the effort to evaluate the latest AI model's impact, signaling that the response will be multilateral. The Treasury’s primary goal appears to be ensuring that the "defensive" application of these models by banks does not inadvertently introduce new vulnerabilities or create a scenario where the model’s findings lead to a loss of public confidence in banking digital integrity.

The scaling gap between AI discovery and human-led remediation

The release of Mythos forces a difficult choice for the cybersecurity industry. If Anthropic had suppressed the model’s capabilities, there is no guarantee that a state-sponsored actor would not have developed a similar tool in private. By choosing to launch Project Glasswing, the company is betting that transparency will accelerate the patching of the world’s most critical software.

However, the "remediation bottleneck" remains the primary constraint. Even with $4 million in direct donations to open-source security organizations, the sheer volume of vulnerabilities being surfaced—thousands in just a few weeks—threatens to overwhelm the developers responsible for maintaining the Linux kernel and other essential libraries.

For the bank CEOs meeting with Secretary Bessent, the takeaway is clear: the era of "security through obscurity" or relying on the age of a codebase as a proxy for its stability is over. As frontier models advance, the window between the discovery of a flaw and its active exploitation by a motivated actor is narrowing to a point where human-in-the-loop defense may no longer be sufficient to prevent a systemic failure.