The Mythos Threat: Why Treasurers Must Prepare for the AI Arms Race

Anthropic’s Claude Mythos has revealed critical vulnerabilities in global financial infrastructure, some of which have remained hidden for nearly three decades. As regulators in the UK and US issue urgent warnings, we explore the strategic implications for treasury leaders and the timeline of this escalating AI-driven security crisis.

Date published: April 14, 2026

As the corporate treasury landscape becomes increasingly digitised, the arrival of advanced AI brings both transformative potential and unprecedented systemic risk. Recent developments concerning Anthropic PBC’s latest model, Claude Mythos, have sent ripples through the financial sectors of both the UK and US. This has prompted emergency high-level summits between regulators and the world’s most powerful banking institutions.

For the modern treasurer, understanding this new frontier of cyber risk is no longer optional. It is now a core component of strategic risk management.

The Claude Mythos Threat

Anthropic’s Claude Mythos is not just another iterative update in the generative AI race. It represents a paradigm shift in “dual-use” technology. While designed for defensive cybersecurity, the model possesses an alarming capability. It can identify and generate working exploits for vulnerabilities across every major operating system and web browser at a level that rivals or exceeds top human experts.

Anthropic has admitted that Mythos has already uncovered thousands of “zero-day” vulnerabilities. These are flaws that have existed for decades in widely used software but remained undetected until now. This capability is particularly dangerous for the financial sector, which often relies on a complex “tech stack” that blends modern interfaces with legacy back-end systems.

Why Regulators are Sounding the Alarm

The “offensive” potential of such a model has triggered a rare and coordinated response from transatlantic authorities.

  • In the UK, officials from the Bank of England (BoE), the Financial Conduct Authority (FCA), and HM Treasury are in urgent talks with the National Cyber Security Centre (NCSC). A formal briefing for major British banks, insurers, and exchanges is scheduled to take place within the next fortnight under the auspices of the Cross Market Operational Resilience Group (CMORG).

  • In the US, Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell recently summoned the CEOs of systemically important banks. These included JPMorgan Chase, Bank of America, Goldman Sachs, and Citigroup. They attended an urgent and short-notice meeting at the Treasury Department. The goal was to ensure these institutions recognise the systemic nature of the risk and are taking immediate precautions.

The Rapid Escalation

The speed at which “Mythos” moved from a lab announcement to a matter of national security highlights the shrinking window for treasury response.

  • October 2025: The Bank of England’s Prudential Regulation Authority (PRA) warns bank executives that their AI risk monitoring is “not frequent enough,” setting the stage for stricter oversight.

  • 7 April 2026: Anthropic officially announces Project Glasswing, which is a controlled initiative for the Claude Mythos Preview. It reveals the model has already found critical vulnerabilities in code that remained hidden for up to 27 years.

  • 10 April 2026: The IMF leadership expresses public concern by stating that “time is not our friend” regarding AI-driven financial instability. Reports emerge that AI weaponisation timelines have shrunk from months to days.

  • 13 April 2026: US Treasury Secretary Scott Bessent convenes the “Big Six” Wall Street banks. Simultaneously, UK regulators begin urgent talks with the NCSC to evaluate financial infrastructure vulnerabilities.

  • Late April 2026 (Expected): UK regulators are set to issue formal warnings to the broader financial sector, including insurers and market exchanges.

Implications for Treasury Leaders

The emergence of Claude Mythos highlights several critical areas where treasury departments must evolve their defensive posture.

  1. Vulnerability of Legacy Infrastructure: Financial systems are highly interconnected and often dependent on older codebases. The ability of Mythos to “drag old system flaws into view” means that even systems considered “secure” due to their age and obscurity may now be easily compromised.

  2. The Proliferation Risk: While Anthropic is currently deploying the model under a controlled initiative by partnering with select firms to patch flaws, they have warned that it may not be long before these capabilities proliferate beyond safe actors.

  3. Market Stability and the “SaaSpocalypse”: Beyond direct cyber threats, the rapid advancement of AI models like Mythos is already impacting market stability. Earlier releases contributed to a massive sell-off in enterprise software stocks because investors fear AI could commoditise the very security tools meant to protect financial systems.

A Defensive Arms Race

To counter these risks, regulators are encouraging banks to use the very tools that threaten them. Major financial firms have begun in-house testing of Mythos to identify their own vulnerabilities before malicious actors can.

For treasury professionals, this marks the beginning of a high-stakes defensive arms race. As UK and US regulators move toward standardised AI testing for lenders, the focus will shift from periodic audits to continuous and AI-driven monitoring. In this environment, the ability to anticipate trends and offer strategic guidance on AI integration will define the next generation of treasury leadership.
