News

Governments and Banks Assess Cyber Risks After Anthropic Flags Limits on Mythos AI Release

• By John K. Waters
• 04/13/2026

Governments and major financial institutions are assessing potential cybersecurity risks following Anthropic’s disclosure of its latest artificial intelligence system, Claude Mythos, a model the company has said it will not release publicly due to safety concerns.

Anthropic said last week that the system demonstrated an ability to identify and combine previously unknown software vulnerabilities at scale, raising questions about how such capabilities could be used and controlled. An earlier data exposure at the company revealed details about the model before the official announcement. That leak prompted responses from regulators and industry groups in the United States and Europe.

In a technical blog post, Anthropic described Mythos as capable of “identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser.”

The company added that many of the vulnerabilities uncovered were long-standing, with some “ten or twenty years old.”

Since the disclosure, attention has shifted toward managing risks while making limited use of the technology for defensive purposes.

Executives at major banks, including Goldman Sachs, have said they are evaluating the implications of advanced AI systems for cybersecurity and operational risk. Public comments from bank leadership indicate a heightened focus on how such tools could affect financial infrastructure, though firms have not disclosed detailed plans.

Anthropic has restricted access to Mythos to a small group of partners under a controlled program known as Project Glasswing, which aims to help organizations identify vulnerabilities in their own systems. The company has said the goal is to support defensive security work while limiting broader exposure. The list of participants includes Amazon Web Services, Anthropic, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.

The blog post emphasized the scale of the challenge, noting that “over 99% of the vulnerabilities we’ve found have not yet been patched,” and warning that broader disclosure would be irresponsible.

Regulators in the United Kingdom and the European Union are also examining whether existing frameworks for artificial intelligence and cybersecurity are sufficient for systems with advanced capabilities. Officials have emphasized the need for coordinated vulnerability disclosure and timely patching by software vendors.

Anthropic said Mythos was able to uncover large numbers of potential vulnerabilities across widely used software systems and that it is working with affected parties under established disclosure practices, though it has not provided details on timelines for remediation.

The company also said internal testing raised concerns about misuse and containment, contributing to its decision not to release the system more broadly.

In its blog post, Anthropic described the model as representing “a substantial leap” in cybersecurity capabilities and called for “urgent action” from the industry.

The developments have intensified debate over how to handle increasingly capable AI systems that can be applied to both defensive and offensive cybersecurity tasks. Although automated tools for vulnerability detection are widely used, systems like Mythos could accelerate the process and expand access to advanced techniques.

For now, access to the model remains limited, and there is no public indication that comparable systems are widely available. Industry groups and government agencies are focusing on improving coordination around vulnerability disclosure and response as a near-term priority.

Anthropic has not said whether it plans to release a modified version of Mythos. The company said it is exploring ways to constrain the system’s capabilities while maintaining its usefulness for security applications.