Science

Anthropic briefs Financial Stability Board on Claude Mythos cyber findings

UK AI Security Institute reports capability jump on hacking tests, banks trial model as regulators map systemic risk

Images

Anthropic has given access to the Claude Mythos AI model to select group of tech companies and banks, including Apple and JP Morgan Photograph: Samuel Boivin/NurPhoto/Shutterstock Anthropic has given access to the Claude Mythos AI model to select group of tech companies and banks, including Apple and JP Morgan Photograph: Samuel Boivin/NurPhoto/Shutterstock Shutterstock

Anthropic is preparing to brief the Financial Stability Board on security findings from its AI model Claude Mythos after UK government testers reported a sharp jump in autonomous hacking capability. The Guardian reports the model has been shared with a limited group of banks and technology firms, but not released publicly, with Anthropic citing concerns it could be misused by criminals. The planned discussion with the FSB—an international body that monitors risks to the global financial system—was first reported by the Financial Times and later confirmed to the Guardian by a source familiar with the talks.

The immediate trigger is an updated appraisal from the UK’s AI Security Institute (AISI), which has been running standardized “capability evaluations” on frontier models. According to the Guardian, AISI found the latest iteration of Mythos completed a previously unsolved cybersecurity test known as “cooling tower” in three of ten attempts, something no model it had tested had managed before. AISI also said the length of cyber tasks models can complete autonomously has been doubling within months, and that it is now designing tougher tests to keep pace.

For financial regulators, the concern is less that a single model can break into a single system than that the cost of probing for weaknesses falls faster than the cost of fixing them. Banks and critical market infrastructure already run on sprawling software estates, rely on third-party vendors, and patch on schedules shaped by downtime and compliance calendars. A tool that reliably surfaces unknown flaws compresses the window between discovery and exploitation, and pushes defenders toward constant remediation rather than periodic upgrades.

The FSB’s membership includes senior officials from central banks and finance ministries across major economies, and it has spent years treating cyber risk as a cross-border stability problem rather than an IT problem. The Guardian notes the International Monetary Fund warned in 2024 that rapid AI development was increasing financial stability risks and that inconsistent oversight could weaken an interconnected system. At the same time, cybersecurity practitioners quoted in the report caution that many breaches still hinge on old failures—weak authentication, unpatched known vulnerabilities—suggesting that the new tools may amplify existing sloppiness more than they create entirely new attack paths.

Anthropic’s briefing will land in a world where some of the model’s earliest users are the very institutions regulators are meant to protect. The Guardian quotes senior bank executives describing heightened awareness of Mythos’s capabilities, while the company itself keeps the model restricted.

AISI’s testers saw Mythos solve “cooling tower” three times out of ten. The FSB is now being asked to treat that as a financial-system input, not a laboratory curiosity.