Banks Raced to Patch Vulnerabilities Exposed by Anthropic AI Tool

Banks across the United States have been racing to fix vulnerabilities exposed by Anthropic’s Mythos AI tool, which is flagging several hundred to thousands of weaknesses inside major lenders and forcing repairs in days rather than weeks. Only a handful of the country’s largest banks currently have access to the system, but those institutions are already helping smaller lenders prepare for the same kind of findings, a sign that the pressure is spreading beyond Wall Street.

The rush matters because Mythos is changing the tempo of cyber defense inside finance. Instead of waiting for periodic audits or an incident to expose a flaw, banks are being pushed into a constant cycle of remediation. That creates a practical problem for institutions built on legacy infrastructure, where patching often means taking systems offline, rebooting servers or rewriting software that sits on aging proprietary code, open-source dependencies and programs already past support. For customers, that can mean brief disruptions in online banking, payments or internal bank operations while technology teams move faster than they usually do.

The stakes rose after Scott Bessent and Jerome Powell met with bank chief executives in Washington on April 8 and April 9 to warn about cyber risks tied to Mythos. Anthropic had limited access to about 40 technology companies, including Microsoft and Google, and did not broadly release the model because of concerns that it could expose previously unknown cybersecurity vulnerabilities. Anthropic has said Mythos can identify and exploit weaknesses across every major operating system and every major web browser, which gives it unusual reach inside the software stack that banks depend on every day.

The broader industry response suggests that Mythos is less a one-off alarm than a preview of machine-speed vulnerability discovery. Cybersecurity experts and AI researchers have said similar results can be reproduced with older AI models, meaning the threat may be less about a single breakthrough than about how quickly attackers and defenders can now iterate. Anthropic also kept Mythos restricted to a small group of companies that included Apple, Amazon, JPMorgan Chase and Palo Alto Networks, underscoring how closely the company is controlling access while the risks are still emerging. As Dario Amodei put it, the goal was to give the corporate world “time to strengthen defenses before criminal groups and hostile states could exploit the same capabilities.” The warning for banks is stark: the tools that can harden defenses are also revealing just how fragile the financial system’s plumbing still is.