UK banks receive their Mythos briefing within a few days.

      The Cross Market Operational Resilience Group of the Bank of England will meet shortly to inform major UK banks, insurance firms, and exchanges about Anthropic's Claude Mythos Preview. This AI model, which has not yet been released, can reportedly autonomously detect and exploit vulnerabilities across all major operating systems and web browsers, according to regulators. Emergency sessions have already taken place involving the US Treasury, the Federal Reserve, and the Bank of Canada.

      In the coming days, senior leaders from prominent UK banks, insurers, and financial exchanges will receive a briefing from the Bank of England, Financial Conduct Authority, HM Treasury, and the National Cyber Security Centre regarding the potential cybersecurity risks posed by this new AI model. Named Claude Mythos Preview and developed by Anthropic, this model is not publicly accessible.

      Bloomberg reports that the Mythos model is on the agenda for the upcoming meetings of the Bank of England’s Cross Market Operational Resilience Group and CMORG AI Taskforce, which will occur within the next two weeks. CMORG consists of high-level members, including the CEOs of the UK’s eight largest banks, four financial infrastructure providers, two insurers, and delegates from the Treasury, BoE, FCA, and NCSC.

      The regulatory response in the UK follows an emergency meeting held last week in Washington, where US Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell discussed the implications of Mythos with leaders from key US banks, including Jane Fraser from Citigroup, Brian Moynihan from Bank of America, Ted Pick from Morgan Stanley, Charlie Scharf from Wells Fargo, and David Solomon from Goldman Sachs. CNBC confirmed the meeting, initially reported by Bloomberg, noting Powell's attendance as significant, as he typically maintains a distinct separation from the Treasury, indicating the issue is viewed as a serious concern for systemic financial stability rather than merely a technology policy issue.

      Jamie Dimon, CEO of JPMorgan Chase, was unable to attend the meeting, but JPMorgan is listed as a launch partner for Anthropic’s related initiative, Project Glasswing. The Bank of Canada also conducted a separate meeting with Canadian banks and financial institutions on the same subject.

      Anthropic describes Mythos Preview as a general-purpose frontier model with outstanding abilities in computer security tasks. In its documentation and the public announcement of Project Glasswing, Anthropic states that the model has already discovered thousands of previously unknown vulnerabilities, termed zero-day vulnerabilities, across all major operating systems and web browsers.

      One example highlighted by Anthropic’s security team involves the model discovering a method to compromise a web browser, enabling a malicious site to access data from another site, including sensitive information like "the victim’s bank." Additionally, testing revealed a 27-year-old flaw in OpenBSD. Anthropic claims that the model can autonomously identify and exploit such vulnerabilities when directed, which is why it has been withheld from public release.

      The UK’s AI Security Institute evaluated Mythos and found it to be generally comparable to peer models regarding single cyber tasks, but more adept at coordinating multiple steps into comprehensive intrusions — being the first model to successfully execute a full cyber-range attack from start to finish, according to Resultsense.

      Project Glasswing, an initiative by Anthropic to mitigate the risks its own model presents, allows around 40–50 organizations early controlled access to Mythos Preview. Partner organizations include Amazon Web Services, Apple, Google, Microsoft, Nvidia, Cisco, and JPMorgan Chase. Anthropic has committed up to $100 million in usage credits for Mythos, as well as $4 million in direct contributions to open-source security organizations. The goal is to give defenders the opportunity to discover and patch vulnerabilities before the model, or similar models from competitors, which Anthropic asserts are not far behind, gain broader or malicious access.

      Not everyone has taken Anthropic’s portrayal at face value. Security expert Bruce Schneier commented that this situation is primarily a public relations play for Anthropic, which seems to have succeeded, as many reporters are relaying its narratives without critical engagement. He noted that the security firm Aisle managed to replicate some vulnerabilities found by Anthropic using older, less expensive public models, though he acknowledged a significant difference between identifying a vulnerability and turning it into a full-fledged exploit.

      Former head of the UK NCSC, Ciaran Martin, provided a more balanced perspective, stating that the reduction of vulnerability discovery timelines from months to mere seconds or hours is "challenging," yet also presents "a real opportunity…to address many of the internet’s hidden flaws." David Sacks, who recently left his White House role focused on AI and cryptocurrency, expressed skepticism regarding Anthropic's assertions throughout the weekend.

      The regulatory response is taking place against a complex political backdrop. Anthropic is currently in conflict with the US Department of Defense, which classified the company as a supply-chain risk to national security earlier this year, leading Anthropic to pursue legal action. Both President Trump and Defense Secretary Hegseth have publicly criticized