Back
Technology

U.S. Treasury and Federal Reserve Officials Urge Banks to Adopt Anthropic's Mythos AI Model Amid Cybersecurity Concerns

View source

The Mythos Model: A Timeline of AI, Cybersecurity, and Government Intervention

In a series of developments during the spring of 2026, U.S. financial regulators and major bank CEOs convened to discuss the cybersecurity implications of a new, highly capable AI model from Anthropic called Mythos.

The meetings, which included Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell, urged major financial institutions to utilize the model for vulnerability detection. This push occurred against a backdrop of significant debate over the model's safety, its potential for misuse, supply-chain disputes between Anthropic and the U.S. government, and ultimately, a historic government intervention to control its distribution.

Government and Industry Engagement

U.S. Treasury and Federal Reserve Meeting with Bank Executives

On a Tuesday in mid-April 2026, Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell met with the CEOs of several major U.S. banks in Washington, D.C. The meeting was convened to discuss potential cybersecurity risks and opportunities presented by Anthropic's new Mythos AI model. According to reports from Bloomberg, the officials encouraged the bank executives to use the model to detect security vulnerabilities.

The meeting was held while the bank heads were in Washington for a Financial Services Forum board meeting. Attendees included CEOs from Bank of America (Brian Moynihan), Citigroup (Jane Fraser), Goldman Sachs (David Solomon), Morgan Stanley (Ted Pick), and Wells Fargo (Charlie Scharf). JPMorgan Chase CEO Jamie Dimon was unable to attend the meeting. A spokesperson for the Federal Reserve declined to comment on the meeting, and the Treasury Department did not respond to requests for comment.

JPMorgan Chase and CEO Jamie Dimon on AI Cyber Risks

In a separate but related development, JPMorgan Chase CEO Jamie Dimon stated on February 25, 2026, during the bank's earnings call that artificial intelligence tools are currently making companies more vulnerable to cyberattacks. Dimon stated that AI "has made it worse, it's made it harder" and creates additional vulnerabilities, though he noted it could eventually help companies defend themselves.

Dimon confirmed that JPMorgan Chase is testing Anthropic's Mythos model as part of its broader effort to benefit from AI while protecting against malicious use. When asked about Mythos, Dimon referenced Anthropic's warning that the model had already found thousands of vulnerabilities in corporate software, stating, "It shows a lot more vulnerabilities need to be fixed." He added that JPMorgan Chase spends significant resources on cybersecurity, employs top experts, and maintains constant contact with government agencies on the matter.

International Response and Concerns

"The world does not have the ability to protect the international monetary system against what she described as massive, exponentially growing cyber risks."

IMF Managing Director Kristalina Georgieva expressed concern about the cybersecurity risks posed by the Mythos model. In an interview scheduled for broadcast on April 20, 2026, Georgieva stated that the world does not have the ability to protect the international monetary system against what she described as massive, exponentially growing cyber risks. She called for more attention to guardrails necessary to protect financial stability in the era of AI.

The UK's AI Security Institute evaluated the model and reported it as a "step up" over previous models. The Financial Times reported that U.K. financial regulators are also discussing potential risks associated with the Mythos model. Separately, the Bank of England stated that Anthropic had assured UK banks of near-term access to the model.

The Anthropic Mythos AI Model

Model Announcement and Capabilities

Anthropic formally announced the Mythos AI model in April 2026. The company described it as a "stunningly capable" frontier model designed for general-purpose use, with a particular proficiency in cybersecurity tasks. According to Anthropic, the model can autonomously discover vulnerabilities in operating systems, web browsers, and other software, and can develop working exploits for those vulnerabilities.

Anthropic reported that Mythos identified thousands of high- and critical-severity vulnerabilities during its testing phase, including a 27-year-old flaw in OpenBSD and a 17-year-old bug in FreeBSD. The company stated these capabilities emerged as a side effect of general improvements in code, reasoning, and autonomy, and were not explicitly trained for. The model demonstrated an 83% success rate in exploit creation on the first attempt in some tests.

Mozilla, using early access to Mythos, reported that it identified 271 vulnerabilities in Firefox 150, over ten times more than with older models. Mozilla CTO Bobby Holley stated that the findings suggest "the tools have changed things dramatically," as AI now can cover the "full space of vulnerability-inducing bugs."

Project Glasswing and Controlled Access

Due to the model's advanced capabilities, Anthropic did not release Mythos to the general public. Instead, the company established "Project Glasswing," a consortium of approximately 40 to 50 organizations that received private access to the model, which was branded as the "Claude Mythos Preview."

Key partners in Project Glasswing included Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Anthropic stated the purpose of the limited release was to give defenders a head start in finding and fixing vulnerabilities in their systems before malicious actors could gain access to similar AI capabilities. The company also committed up to $100 million in usage credits and $4 million in donations to open-source security groups to support this effort.

Anthropic co-founder Jack Clark stated that while Mythos is advanced, other companies would likely release similar systems within months, and that open-weight models with these capabilities could emerge from China within a year to a year and a half.

Intentional Data Leak and Limited Model Release

The existence of the Mythos model was initially revealed due to a security lapse. Fortune reported that a draft blog post about the model, then code-named "Capybara," was found in an unsecured, publicly accessible data cache. Anthropic attributed the leak to "human error" in the configuration of its content management system. The leaked document described Mythos as "by far the most powerful AI model we've ever developed" and noted it could pose "significant cybersecurity risks."

Anthropic later released two versions of the model on June 9, 2026:

  • Claude Fable 5: A public-facing version with strict guardrails that routed flagged cybersecurity, biology, chemistry, and distillation requests to a weaker model (Claude Opus 4.8).
  • Claude Mythos 5: A version with reduced cybersecurity restrictions, available only to vetted cybersecurity defenders and critical infrastructure operators.

Unauthorized Access and Cybersecurity Incidents

Breach via Third-Party Vendor

Shortly after the public announcement of Mythos, reports emerged of unauthorized access to the model. Bloomberg reported that a group of users had gained access to Claude Mythos Preview via a private Discord channel. The group reportedly gained access because one member was a third-party contractor for Anthropic. They used prior knowledge of Anthropic's practices, obtained from AI training startup Mercor, to locate the model.

Anthropic confirmed it was investigating the unauthorized access through a third-party vendor environment. The company stated it had not detected any breaches outside of that vendor environment or any compromises to its own systems. The group reportedly had no intention of using the model maliciously.

Mercor Data Breach

The incident also involved a data breach at Mercor, an AI staffing startup that provides contractors to Anthropic and was affected by the LiteLLM supply-chain attack. The URL details for the Mythos model were reportedly exposed in this Mercor data breach.

U.S. Government Legal and Supply-Chain Disputes

The Pentagon "Supply-Chain Risk" Designation

Prior to and during the roll-out of Mythos, Anthropic was involved in a legal dispute with the Trump administration. In early March 2026, the U.S. Department of Defense designated Anthropic as a "supply-chain risk." This designation followed failed negotiations in which Anthropic refused to allow the Pentagon unrestricted use of its AI models for "all lawful purposes," citing concerns about the technology being used in fully autonomous weapons or for mass surveillance of U.S. citizens.

The designation prohibited the military and defense contractors from using Anthropic's models for government contracts. Anthropic filed a lawsuit challenging this designation. A federal judge in California initially blocked the government from using the designation to cut ties with Anthropic outside the Department of Defense. However, the DC Circuit Court of Appeals later ruled that the Department of Defense could continue to restrict its dealings with Anthropic while legal challenges proceeded.

Trump Administration Executive Order

On an unspecified Tuesday in April or May 2026, President Donald Trump signed an executive order on artificial intelligence oversight. The order established a framework for the federal government to voluntarily review advanced AI systems for national security risks for up to 30 days before public release. The order applied only to advanced AI systems that could pose such risks, as determined by the director of the NSA.

The White House stated the order "creates a process for frontier labs to voluntarily share cutting-edge cyber models" and emphasized it was not conducting oversight of all new models. OpenAI and Anthropic were reported to be engaging with the White House on the order. The order was influenced by Anthropic's decision to limit the release of its Mythos Preview model due to security concerns.

Government Export Controls on Fable 5 and Mythos 5

The Directive

"On Friday, June 12, 2026, the U.S. government issued an export control directive to Anthropic, ordering the company to suspend access to its newly launched Fable 5 and Mythos 5 AI models by any foreign national, whether inside or outside the United States."

The directive was based on national security authorities and applied to all users globally. To ensure compliance, Anthropic disabled the models for all customers.

The government did not provide specific details of the national security concern but verbally informed Anthropic of a "potential narrow, non-universal jailbreak" of Fable 5. Anthropic stated it disagreed with this finding, arguing that similar capabilities were already available in other publicly accessible models, such as OpenAI's GPT-5.5, and that the finding did not warrant recalling a commercial model deployed to hundreds of millions of people.

Investigation and Reactions

The directive was prompted by a report from researchers at Amazon.com Inc., who claimed they could bypass Fable 5's guardrails. Amazon CEO Andy Jassy reportedly raised these concerns with senior U.S. officials. The National Security Agency (NSA) also reviewed the vulnerabilities. Anthropic disputed the characterization of the issue as a "jailbreak," and security researcher Katie Moussouris stated, "I've seen the paper. It's not a jailbreak."

The Pentagon's chief information officer publicly supported the move, stating, "Some things are simply more important than revenue cycles, clickbait, and pre-IPO valuation." The directive set a precedent for government control over the release of American-made software. Foreign governments, including from France, Canada, and the UK, subsequently expressed concern about the reliability of U.S. AI as a technology partner and called for greater "AI sovereignty."

Partial Lifting of Export Controls

Following a two-week negotiation, the U.S. Commerce Department, in a June 26, 2026 letter from Secretary Howard Lutnick to Anthropic, partially lifted the restrictions. The Department authorized Anthropic to redeploy Mythos 5 to over 100 U.S. organizations that operate and defend critical infrastructure, including both government agencies and private companies. Access was also granted to non-U.S. national employees of those organizations and Anthropic's own non-U.S. employees.

The letter stated that "appropriate safeguards are in place to permit certain trusted partners to access the Claude Mythos 5 Model." Anthropic committed to working with the U.S. government on protocols and standards for future model releases. The status of Fable 5, the public-facing version, remained under discussion and was not included in the partial lift.

Cybersecurity Expert and Broader Industry Reactions

Criticism of Export Controls

A group of 76 cybersecurity experts, including Alex Stamos, Casey Ellis, and Katie Moussouris, published an open letter requesting the U.S. government to lift the export control orders. The signatories argued that the restriction removed powerful tools from cybersecurity defenders, hindering vulnerability discovery and software security, and that the capabilities could be replicated on other AI models, including OpenAI's GPT-5.5 and Chinese models.

Alternative Perspectives on Model Capabilities

Some industry experts questioned whether Anthropic's claims about Mythos were a marketing tactic. AI cybersecurity startup Aisle reported that it had replicated much of what Anthropic claimed Mythos accomplished using smaller, open-weight models. Aisle's team argued there is no single deep learning model for cybersecurity, and effectiveness depends on the specific task.

Anthropic's Proposed Development Pause

In the wake of these events, Anthropic published a blog post in May 2026 proposing that leading AI companies develop a coordinated mechanism to slow or temporarily pause development of advanced AI systems. The company argued that AI is improving so quickly that humans risk losing control, citing the potential for "recursive self-improvement," where an AI could design its own successor. The proposal called for policymakers, researchers, civil society, and other AI companies to jointly discuss the risks of advanced AI.