Anthropic model sparks regulatory alarm

Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell pulled the chief executives of the biggest U.S. banks into a short-notice meeting in Washington this week because regulators think Anthropic’s newest model could change cyber risk faster than bank defenses can adapt. (bloomberg.com) The banks in that room were systemically important lenders, which means regulators treat their stability as part of the plumbing of the global financial system, not just a problem for one company. (bloomberg.com) The fear is not that artificial intelligence suddenly learned to rob a bank by itself. The fear is that a model can now scan software the way a metal detector scans a beach, finding buried flaws in minutes instead of months. (anthropic.com) Anthropic said on April 7 that Claude Mythos Preview is its most capable frontier model so far, and the company decided not to make it generally available because of the jump in capability. (anthropic.com) Instead, Anthropic put the model inside Project Glasswing, a restricted program with launch partners including Amazon Web Services, Apple, Google, Microsoft, NVIDIA, Palo Alto Networks, CrowdStrike, Cisco, Broadcom, the Linux Foundation, and JPMorganChase. (anthropic.com) That partner list explains why Washington is paying attention. When the same tool touches cloud computing, phones, chips, corporate networks, open-source software, and the biggest U.S. bank, a bug hunt in one corner can turn into a market risk in another. (anthropic.com) The concrete example landed almost immediately. A vulnerability now tracked as CVE-2026-34197 was found in Apache ActiveMQ Classic, a message-broker program that moves data between software systems the way a switchyard moves rail cars between tracks. (activemq.apache.org) Apache said the flaw affects ActiveMQ versions before 5.19.4 and versions from 6.0.0 before 6.2.3, and that the bug can let an authenticated attacker execute arbitrary code on the broker’s Java virtual machine through the Jolokia management bridge. (activemq.apache.org) Horizon3.ai researcher Naveen Sunkavally, who got finder credit in Apache’s advisory, said Claude did most of the work in uncovering the 13-year-old flaw, with human effort focused on packaging the report. (activemq.apache.org, infosecurity-magazine.com) Security coverage this week said the model helped uncover the bug in about 10 minutes and moved from finding the weakness to building an exploit path fast enough to alarm defenders. (csoonline.com, bleepingcomputer.com) That is the part regulators are reacting to. Banks already live with constant attacks, but a model that compresses vulnerability research from a specialized team’s quarter-long project into a single afternoon changes the math on patching, testing, and incident response. (bloomberg.com, anthropic.com) Anthropic’s answer is to keep Mythos gated while partners use it to harden critical systems before similar capabilities spread more widely. Washington’s answer, at least this week, was to warn Wall Street that the race between bug finders and bug fixers just got a lot faster. (anthropic.com, bloomberg.com)