Anthropic — Fed Chair and Treasury Convene Bank CEOs Over Mythos Cyber Risk
AI relevance: Claude Mythos Preview's ability to autonomously discover thousands of zero-day vulnerabilities triggered a financial-sector emergency response. Bloomberg also reported that the model was accessed without authorization through a contractor account on release day, demonstrating that even controlled-access AI cyber tools face supply-chain and insider threats.
What happened
- Federal Reserve Chair Jerome Powell and Treasury Secretary Scott Bessent convened major US bank CEOs to discuss the systemic cyber risk posed by Mythos-class automated vulnerability discovery.
- In controlled testing, Mythos identified thousands of previously unknown flaws across every major OS and browser, including a 27-year-old OpenBSD bug and a 17-year-old FreeBSD RCE.
- Mozilla shipped Firefox 150 with fixes for 271 vulnerabilities found by Mythos in a single evaluation pass — flaws that had gone undetected by human testers for years.
- Anthropic describes a six-to-twelve month window before adversaries replicate this capability in their own models.
- Bloomberg reported that an unknown group accessed Mythos via a third-party contractor account on the model's release day, raising questions about the effectiveness of access controls on restricted AI systems.
- OpenAI launched its Trusted Access for Cyber (TAC) program on May 7, restricting GPT-5.5-Cyber access — just days after CEO Sam Altman criticized Anthropic for limiting Mythos.
- The IMF flagged AI-powered cyber threats to the global banking system, and India is pushing for sovereign hosting of Anthropic models.
Why it matters
The traditional cybersecurity asymmetry — attackers need one flaw, defenders must secure everything — collapses when AI can scan entire codebases at near-zero cost. The contractor breach on Mythos's release day proves that even models with tightly controlled access are vulnerable to supply-chain and insider compromise. When a single AI model can find more vulnerabilities in one pass than years of human auditing, the race to replicate that capability offensively becomes a national-security priority.
What to do
- Inventory your critical software dependencies and prioritize patching of long-standing vulnerabilities — automated discovery means old bugs are now low-hanging fruit.
- Review third-party and contractor access to any restricted AI model accounts; enforce least privilege and MFA across vendor relationships.
- If your organization uses AI-assisted security scanning, integrate findings into existing vulnerability management pipelines immediately — don't let results sit in dashboards.
- Monitor for open-source or leaked models that reproduce Mythos-class vulnerability discovery; the six-to-twelve month window Anthropic cited may be optimistic.