The AI Model That Has Regulators, Central Banks, and Global Banks on High Alert
On April 7, 2026, Anthropic announced Claude Mythos Preview — and did not release it publicly because its capabilities are too advanced to release without giving the industry time to prepare defences. It has autonomously identified thousands of high and critical-severity vulnerabilities across every major OS and browser. The next day, US Treasury and the Fed convened CEOs of Bank of America, Citi, Goldman, Morgan Stanley, and Wells Fargo. This is Part 1 of a three-part series.
FinSaAIstra Intelligence | Cyber Security Series | Part 1 | April 2026
The Model That Was Not Released
On April 7, 2026, Anthropic announced a new frontier AI model called Claude Mythos Preview. It did not make it publicly available. The reason was direct: the model’s capabilities are too advanced to release without first giving the industry time to prepare its defences.
That decision — and what it reveals about what the model can do — is what has put regulators, central banks, and the CEOs of the world’s largest banks on high alert.
What Claude Mythos Preview Can Do
Mythos Preview has autonomously identified thousands of high and critical-severity vulnerabilities across every major operating system and web browser. Among the documented cases:
- A 17-year-old remote code execution vulnerability in FreeBSD’s NFS server allowing unauthenticated root access to any machine running the service
- A 27-year-old integer overflow in OpenBSD’s TCP implementation enabling remote crash of any affected host
Both involve among the most security-hardened software environments in existence.
The UK Government’s AI Security Institute (AISI) conducted independent evaluations:
- On expert-level capture-the-flag challenges — a class of task no AI model could complete before April 2025 — Mythos Preview succeeded 73% of the time
- On a 32-step corporate network attack simulation (reconnaissance through full network takeover), Mythos completed the full sequence on 3 of 10 attempts, averaging 22 of 32 steps
- The next best-performing model averaged 16 steps
The Regulatory Response: Immediate and Unprecedented
On April 8, 2026 — the day after the announcement — US Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened a closed-door meeting with the CEOs of Bank of America, Citigroup, Goldman Sachs, Morgan Stanley, and Wells Fargo.
In the UK, the Bank of England convened its own briefing with the financial sector on the AISI findings.
On April 14, the Cloud Security Alliance, SANS Institute, and OWASP GenAI Security Project jointly published an emergency strategy briefing — produced over a single weekend by more than 60 contributors, reviewed by over 250 CISOs globally — concluding that organisations are likely to be overwhelmed by threat actors using AI to find and exploit vulnerabilities faster than defenders can patch them.
Why BFSI Is Specifically Exposed
The NBFC and fintech sector operates on a patchwork of modern platforms and older legacy infrastructure — precisely the environment where undiscovered vulnerabilities concentrate. Not because of negligence, but because legacy systems accumulate complexity faster than they are audited.
CrowdStrike’s 2026 Global Threat Report documents:
- 89% year-on-year increase in attacks by AI-enabled adversaries
- Average time between initial access and lateral movement fallen to 29 minutes
The sector’s deep integration with shared payment infrastructure, credit bureaus, and third-party technology providers compounds this. Each connection is a potential entry point; each shared platform is a vulnerability affecting every institution running it.
Three Actions That Deserve Immediate Attention
1. Review your attack surface against chain-based threat models. The multi-step attack pattern Mythos demonstrates is different from single-point vulnerability exploitation. Security reviews focused on individual CVEs without mapping how they can be chained are assessing the wrong threat model.
2. Engage with Project Glasswing. Anthropic has restricted Mythos Preview access to a consortium of eleven named launch partners including AWS, Cisco, CrowdStrike, Google, JPMorganChase, and Microsoft, plus 40+ additional organisations. Institutions exploring engagement should involve legal and risk functions from the outset.
3. Brief upward before you are asked to. The Treasury and Federal Reserve meeting with bank CEOs is a signal that this will become a regulatory expectation-setting conversation. Institutions that brief their boards proactively will be better positioned than those that respond to external prompts.
Part 2 of this series: why the sector’s shared vendor stack may be its most underappreciated vulnerability.
Sources: Anthropic (April 7, 2026), UK AISI evaluation, Bloomberg, CrowdStrike 2026 Global Threat Report, Cloud Security Alliance/SANS/OWASP emergency briefing (April 14, 2026).