Mythos sparks regulatory alarm

Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell pulled top Wall Street bank chiefs into an urgent meeting this week after Anthropic unveiled a model called Claude Mythos Preview and warned that its cyber abilities were unusually strong. Bloomberg reported that the Bank of England was also looped into the discussion, which is a sign officials were treating this as a cross-border financial-stability problem, not a routine product launch. (bloomberg.com) (cnbc.com) Anthropic did not put Mythos on the open market. The company said it first deployed the model internally and then gave only a small set of outside users research access because the system was strong enough at software engineering and cybersecurity work to require tighter controls. (anthropic.com 1) (anthropic.com 2) The reason officials reacted so fast is simple: banks run on software the way airports run on electricity. In Anthropic’s own testing, Mythos was able to identify and exploit previously unknown software flaws in every major operating system and every major web browser when a user directed it to do so. (red.anthropic.com) (anthropic.com) A previously unknown software flaw is called a zero-day, which means defenders have zero days of warning before the weakness can be abused. Anthropic said more than 99% of the vulnerabilities it found were still unpatched, which is why the company withheld technical details instead of publishing a normal product demo. (red.anthropic.com) Anthropic tried to frame the release as a defensive project. It launched Project Glasswing with partners including Amazon Web Services, Apple, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA, Palo Alto Networks, and the Linux Foundation, and said it would provide up to $100 million in usage credits plus $4 million in open-source security donations. (anthropic.com 1) (anthropic.com 2) That partner list helps explain why regulators care about finance in particular. JPMorganChase was a launch partner on the defense side, while separate reporting said Jamie Dimon was the only major big-bank chief who could not attend the Treasury meeting, which shows how directly the banking system was pulled into the response. (anthropic.com) (cnbc.com) Markets heard the same message and sold first. Reuters reported that United States software shares fell on April 9 after Anthropic held back wide release of Mythos, and cybersecurity names including Cloudflare, Okta, CrowdStrike, and SentinelOne dropped between 4.7% and 7.7% in morning trading. (reuters.com) (whtc.com) Cloudflare became the symbol of that selloff because investors suddenly had to price in a world where the same kind of artificial intelligence that helps defenders scan code can also help attackers probe for weak spots faster. By the April 10 close, Zacks said Cloudflare shares had fallen 13.48% in that session to $167.02. (zacks.com) (reuters.com) This is the new line regulators are trying to draw around frontier artificial intelligence. Anthropic’s own risk report says Mythos is its most capable model so far and is more autonomous and agentic than earlier systems, which means the worry is no longer just bad answers on a chatbot screen but software actions that can ripple into banks, payment rails, and market plumbing. (anthropic.com 1) (anthropic.com 2) The immediate fight is over who gets to use a model like this first. Anthropic is betting that a locked-down coalition of defenders can patch holes before criminals get similar tools, while Treasury, the Federal Reserve, and the Bank of England are acting as if that race has already become important enough to threaten financial stability. (anthropic.com) (bloomberg.com)