British financial regulators are moving urgently to assess the cybersecurity risks posed by Claude Mythos Preview, Anthropic’s most capable (and most restricted) AI model. According to a Financial Times report citing people familiar with the discussions, the Bank of England, Financial Conduct Authority, HM Treasury, and the National Cyber Security Centre are in emergency talks as part of the UK’s Cross Market Operational Resilience Group (CMORG). Major banks, insurers, and exchanges will be formally briefed on the risks within the next two weeks.
In the United States, the response has been equally swift. US Treasury Secretary Scott Bessent has separately convened a meeting with major Wall Street banks specifically to discuss Claude Mythos Preview’s cyber risk potential, an unusual step that reflects how seriously financial regulators on both sides of the Atlantic are taking the model’s capabilities.
What Makes Mythos Different From Every Previous AI Model
Claude Mythos Preview is not a chat assistant with improved coding skills. It is, in Anthropic’s own description, a model that “excels at identifying weaknesses and security flaws within software”, and in testing, it has done so at a scale that has no precedent in the AI industry.
The specific capabilities triggering regulatory alarm:
- Mythos has already identified thousands of previously unknown zero-day vulnerabilities across operating systems, web browsers, and widely used software
- It uncovered a 27-year-old vulnerability in OpenBSD, a flaw that had gone undetected through decades of human security audits
- Engineers with no security training have asked Mythos to find remote code execution bugs overnight and woken up to complete, working exploits
- CrowdStrike’s CTO described the window between AI-assisted vulnerability discovery and exploitation as “collapsed”, compressing what once took months to minutes
This is the first time Anthropic has limited a general-purpose model release on cybersecurity grounds, a line the company foreshadowed in its responsible scaling policy but had not previously enforced.
Who Has Access and Under What Terms
Claude Mythos Preview is being deployed exclusively through Project Glasswing, a controlled initiative covering approximately 40 organizations. Current access is limited to: Amazon, Apple, Microsoft, Cisco, Broadcom, CrowdStrike, Palo Alto Networks, and the Linux Foundation, alongside other companies that build or maintain critical software infrastructure. Anthropic has committed up to $100 million in usage credits for these efforts; partners pay for usage beyond that threshold.
All Project Glasswing participants are required to use Mythos exclusively for defensive cybersecurity: finding and patching vulnerabilities in their own systems and in open-source software, not for offensive purposes. Anthropic’s Frontier Red Team cyber lead Newton Cheng described the initiative as designed to give defenders “a head start” before Mythos-class capabilities become more widely available.
Why Regulators Are Alarmed
The concern from financial regulators is not that Mythos will be used offensively by Anthropic or its partners. The concern is dual-use: a model this capable at finding vulnerabilities could, if it were to become more widely accessible or if its techniques were replicated by less scrupulous actors, fundamentally compress the timeline between vulnerability discovery and exploitation across the entire financial infrastructure.
Banks, insurers, and exchanges run on software stacks that have accumulated vulnerabilities over decades. Many of those vulnerabilities have never been discovered because the security tooling required to find them didn’t exist. Mythos changes that equation, and in a sector where a single exploited vulnerability in critical infrastructure can cascade across the entire financial system, regulators are right to treat this as an urgent operational resilience concern.
Conclusion
Claude Mythos Preview is the most consequential unreleased AI model in the industry, not because of what it can write or reason about, but because of what it can find and exploit in the world’s software. The regulatory response from London and Washington is the clearest signal yet that governments are beginning to treat advanced AI capabilities with the same urgency as other systemic risks to critical infrastructure.