Mythos heads to Tokyo: Japanese banks to acquire Anthropic’s vulnerability-detecting AI.

      MUFG, Mizuho, and SMFG are set to become the first Japanese institutions to be included in Anthropic’s limited Project Glasswing rollout, as reported by a source familiar with the situation to Reuters. The three major banks in Japan are expected to gain access to Claude Mythos, Anthropic’s AI model designed for vulnerability detection, within approximately two weeks, according to the same source on Tuesday. This marks the first instance of a Japanese company being allowed into the restricted preview, which has primarily involved Anthropic’s American and select European partners.

      The Mitsubishi UFJ Financial Group, Mizuho Financial Group, and Sumitomo Mitsui Financial Group learned about this development during meetings in Tokyo this week with US Treasury Secretary Scott Bessent. The three banks are anticipated to be onboarded by the end of May.

      The sentiment surrounding Mythos has been significant among regulators and company executives, with many considering its announcement earlier this month a game-changing event. The model has identified thousands of previously unknown zero-day vulnerabilities across major operating systems and web browsers, and in internal tests, it created working exploits, including those that evade both renderer and operating-system sandboxes in a browser.

      Last week, Mozilla released Firefox 150, which included fixes for 271 vulnerabilities identified by Mythos during a single evaluation. Anthropic has not made the model publicly available; instead, it has been introduced through a controlled rollout known as Project Glasswing, featuring 12 designated launch partners, such as AWS, Apple, Cisco, Google, JPMorgan Chase, Microsoft, Nvidia, and Palo Alto Networks, in addition to around 40 other institutions receiving access on a case-by-case basis.

      Japan's participation follows recent meetings held by the Fed and US Treasury with American bank CEOs concerning cyber risks, alongside UK regulators pledging to update major British banks shortly. Concurrently, Tokyo is also making strides; Finance Minister Satsuki Katayama has announced the establishment of a public-private working group addressing Mythos-level risks, which includes Japan’s leading banks, the Bank of Japan, and the Japanese branches of Anthropic and OpenAI.

      The group is chaired by Mizuho’s chief information security officer and is tasked with identifying vulnerabilities, instituting protective measures, and developing contingency plans for a coordinated patching strategy across the Japanese financial sector.

      For the three involved banks, the immediate concern is operational. The use of Mythos under Glasswing comes with limitations on output disclosure, meaning the model is intended to uncover vulnerabilities within a partner’s systems and assist in creating remediation strategies, not for the public release of exploits. The Mozilla example serves as a case in point: 271 vulnerabilities were addressed in a single Firefox update following a Mythos examination, with the findings returned to Mozilla engineers under non-disclosure agreements rather than being made publicly available.

      The geopolitical implications are also pronounced. Bessent’s role in communicating the access decision in Tokyo aligns the Mythos rollout with US Treasury objectives rather than simply with Anthropic’s business strategy, an arrangement that has raised concerns in European capitals. Eurozone finance ministers discussed this issue in an Ecofin meeting last week, highlighting that no EU government had access to the model, while it was reported that the White House is preventing further expansion of the partner list.

      Opinions on Mythos within the industry are divided. Some cybersecurity researchers contend that the vulnerabilities identified by Mythos could be accessed through clever manipulation of existing public models, suggesting that the more significant narrative is the advancing capabilities of frontier AI in offensive cyber activities, rather than Mythos itself. Others, like Anthropic CEO Dario Amodei, have referred to this moment as a “cyber moment of danger,” which justifies the need for access controls.

      Anthropic and the three Japanese banks did not immediately respond to requests for comments, according to the report from Reuters.