Banks patch flaws with Mythos AI
- On May 24, investor Robert Ta said major banks were using Anthropic’s Mythos AI to find and patch software flaws before scheduled regulatory exams.
- Bloomberg reported on May 19 that U.S. regulators paused some cyber-related exams, while Ta wrote reports were “outdated” before completion.
- Anthropic has limited Mythos access to vetted companies, while the Federal Reserve and OCC reassess exam timing and cyber testing.

Robert Ta’s May 24 post on X captured a tension already visible across banking and cybersecurity reporting: banks are finding and fixing software weaknesses faster than supervisors can examine them. Ta wrote that large banks using Anthropic’s Mythos AI were patching vulnerabilities before regulators arrived, making the traditional exam cycle look stale. His post echoed a broader shift described this month by Reuters, Bloomberg and CNBC, which reported that Mythos has pushed banks, regulators and technology firms into urgent reviews of cyber defenses. Ta also pointed to a reply in the thread that flagged Zscaler as a possible “sleeper play,” tying the discussion to cybersecurity stocks as well as bank supervision.

### Why are banks suddenly moving faster than examiners?

Reuters reported on May 12 that U.S. banks were rushing to repair scores of IT weaknesses flagged by Anthropic’s Mythos tool. The report said a small group of large lenders with access to the model had uncovered hundreds to thousands of vulnerabilities, prompting urgent software upgrades and repairs. (money.usnews.com)

CNBC reported on May 8 that AI is accelerating how quickly vulnerabilities are found, while companies still often need days or weeks to patch them. Ben Harris, chief executive of cybersecurity firm watchTowr, told CNBC that teams were already reproducing Mythos-style findings with public models through “clever orchestration,” suggesting the pace problem is not limited to one product. (money.usnews.com)

### What exactly did Ta say about the exam process?

Robert Ta wrote on May 24 that the exam process now produces “outdated results before the report is even written.” That line is not a regulatory statement, but it matches the timing problem described in recent reporting: AI systems can identify weaknesses continuously, while formal examinations are still organized around scheduled reviews and written findings. (cnbc.com)

Bloomberg reported on May 19 that U.S. regulators were pausing some cyber-related examinations of the largest banks to give firms more time to strengthen systems exposed by Mythos. The report said the Federal Reserve and the Office of the Comptroller of the Currency wanted to give banks breathing room as both banks and regulators tested the new technology. (bloomberg.com)

### Which regulators and institutions are involved?

The Federal Reserve and the Office of the Comptroller of the Currency were identified by Bloomberg as the U.S. agencies adjusting some cyber-related exams. Bloomberg said the move applied to the largest banks and was tied to the risks exposed by Anthropic PBC’s Mythos model. (bloomberg.com)

Anthropic has limited Mythos access to a small group of U.S. companies, CNBC reported, including Apple, Amazon, JPMorgan Chase and Palo Alto Networks. CNBC said the controlled rollout was part of Anthropic’s Project Glasswing, a security measure intended to give defenders time to prepare before more capable cyber models spread further. (bloomberg.com)

### Is this only a U.S. banking issue?

The World Economic Forum said on May 18 that banks in the United States, Europe and Japan were scrambling to fix cyber holes surfaced by Mythos and to prepare for misuse of similar tools. The Forum said smaller banks were receiving warnings through findings shared by larger peers, while the European Central Bank was urging euro zone lenders to prepare urgently for cyberattacks. (cnbc.com)

Frank Elderson, a member of the ECB’s Executive Board, told the Forum that lack of access to Mythos was “no excuse for doing nothing.” The International Monetary Fund, cited by the Forum, also warned that fast-moving AI-driven cyber risks could destabilize the financial system if they were not managed carefully. (weforum.org)

### Why did Zscaler come up in the thread?

A user in Ta’s thread flagged Zscaler, whose U.S.-listed shares trade under the ticker ZS, as a possible AI-linked “sleeper play.” Ta did not endorse that view in the material reviewed, and no regulator or company statement in the reporting tied Zscaler directly to Mythos deployments at banks. (weforum.org)

Zscaler’s appearance in the thread reflects how the Mythos story has broadened beyond bank operations into investor debate over which cybersecurity vendors may benefit as companies speed up detection, remediation and automated defense. Anthropic is still restricting Mythos access, and Bloomberg said the next concrete step is continued testing by banks, the Federal Reserve and the OCC as exam schedules are reconsidered. (bloomberg.com) (money.usnews.com)