CeFPro Connect

AI model sparks fear of cyber risk surge in banking
A new AI model from Anthropic is raising alarm across banking, with experts warning it could rapidly expose and exploit vulnerabilities in legacy systems, increasing the risk of large-scale cyberattacks and forcing institutions to rethink cybersecurity defenses.
Apr 16, 2026
Tags: Industry News AI and Technology (including Fintech)
The views and opinions expressed in this content are those of the thought leader as an individual and are not attributed to CeFPro or any other organization.
  • New AI model Mythos capable of identifying and exploiting vulnerabilities at scale
  • Legacy banking systems seen as particularly exposed to advanced AI-driven attacks
  • Shared vendor infrastructure could amplify risk across multiple institutions
  • Governments and regulators engaging banks on emerging AI cyber threats
  • Banks and tech firms accelerating defensive strategies and collaboration 

A powerful new artificial intelligence model is raising alarm across the banking industry, with cybersecurity experts warning it could dramatically increase the scale and speed of cyberattacks against financial institutions.

The model, known as Mythos and developed by Anthropic, was unveiled on April 7 and described by the company as its most advanced system yet for coding and autonomous tasks.

While its capabilities promise significant innovation, experts say they also introduce a new class of risk for banks reliant on complex and often aging technology systems.

Cybersecurity specialists warn that Mythos has an unprecedented ability to identify weaknesses in software and infrastructure.

Its advanced coding capabilities allow it to scan vast and intricate systems, uncover vulnerabilities, and generate potential exploit pathways at a speed and scale previously unattainable.

That presents a particular challenge for financial institutions, many of which operate hybrid technology environments that combine modern digital tools with legacy infrastructure.

These older systems, often built decades ago and repeatedly updated, can harbor hidden vulnerabilities that are difficult to detect using traditional methods.

TJ Marlin, chief executive of Guardrail Technologies, said the model’s ability to analyze “very complex architecture, including legacy infrastructure,” means that previously undiscovered weaknesses could now be exposed and weaponized.

He warned that the scale of potential exposure could be far greater than anything seen before.

The interconnected nature of the banking industry further amplifies the risk. Many institutions rely on a relatively small group of technology vendors to support critical functions such as onboarding, compliance checks, and transaction processing. This shared infrastructure creates common points of vulnerability.

Naresh Raheja, a former regulator with the Office of the Comptroller of the Currency, said that because the sector is highly specialized and tightly regulated, “many banks use the same vendors and the same solutions.” This concentration could turn individual vulnerabilities into systemic threats.

Marlin described the potential impact as a force multiplier, where a single exploit identified by AI could be replicated across multiple institutions, creating widespread disruption. “That could be catastrophic at scale,” he said.

The risks have prompted swift engagement from policymakers. Government officials in the United States, Canada, and the United Kingdom have held discussions with senior banking leaders to assess the implications of the technology and consider potential responses.

According to statements reported in the US, Treasury officials are urging financial institutions to anticipate a broader range of risk scenarios, reflecting concerns that AI-driven threats could evolve rapidly and unpredictably.

Anthropic has sought to limit immediate exposure by restricting access to the model.

Rather than releasing it publicly, the company has launched a controlled evaluation initiative known as Project Glasswing, inviting select organizations to test the system and develop defensive strategies.

Major financial institutions including JPMorgan Chase are participating in the initiative, describing it as an opportunity to evaluate next-generation cybersecurity threats and strengthen defensive capabilities across critical infrastructure.

The concerns are not theoretical. In technical disclosures, Anthropic researchers said the model had already identified thousands of high and critical severity vulnerabilities across major operating systems and software platforms.

These included previously unknown flaws in widely used tools, highlighting the model’s ability to uncover risks that have remained hidden for years.

One example involved a long-standing vulnerability in a widely used open-source media processing library, while another related to a flaw in software used to create secure virtual computing environments.

Both cases illustrate how deeply embedded weaknesses could be exposed.

A recent briefing from the Cloud Security Alliance described the model as a “step change” in AI capability, warning that it lowers the barrier to discovering and exploiting vulnerabilities faster than organizations can respond.

This imbalance between offense and defense is a growing concern for banks.

Costin Raiu, a cybersecurity researcher and co-founder of TLPBLACK, said legacy systems remain a critical weak point.

Referring to older enterprise platforms, he noted that “a model like Mythos would have a field day finding exploits” in technologies that continue to underpin core financial operations.

Even technology providers are acknowledging the challenge. IBM said in a recent blog post that the emergence of such models is forcing security teams to rethink their defenses from the ground up, calling for broader collaboration to strengthen resilience.

The emergence of Mythos highlights a growing tension at the heart of financial services.

As institutions adopt more advanced technologies to improve efficiency and customer experience, they are simultaneously expanding their exposure to new and evolving threats.
