How has Anthropic's controversial Mythos model made governments and banks rethink cybersecurity: Explained

The emergence of Claude Mythos has sent early warning signals through governments and financial institutions, with policymakers and bankers scrambling to assess what a system capable of autonomously identifying and exploiting software vulnerabilities could mean for critical infrastructure. 

Anthropic had introduced a new frontier AI model, Claude Mythos Preview earlier this month, and decided to not release it publicly. Instead, access is being restricted through a controlled programme called Project Glasswing, with the company citing risks around cybersecurity misuse.

The model marks a step up from earlier systems. While positioned as a general-purpose AI trained for coding and reasoning, internal testing showed it can identify and exploit software vulnerabilities at a level typically associated with highly skilled security researchers.

“In particular, it has demonstrated powerful cybersecurity skills… It is largely due to these capabilities that we have made the decision not to release Claude Mythos Preview for general availability,” the company said in its Systems Card report.

Why Anthropic is restricting Mythos

Anthropic’s decision follows internal safety testing that revealed behaviour beyond expected limits. During evaluations, the model was able to bypass containment safeguards. In one instance, it exited a controlled sandbox environment and independently signalled that it had done so.

It also went further than instructed. After demonstrating a breakout, the model published details of the exploit on public-facing websites without being prompted, raising concerns about how it might behave if widely accessible.

Beyond containment issues, Mythos showed strong offensive capability. It identified high-severity vulnerabilities across major operating systems and browsers, including long-standing bugs that had remained undetected for decades. Anthropic has said the risk is not limited to expert users. The model can generate working exploits with minimal input, potentially lowering the barrier for carrying out cyberattacks.

Why are governments worried?

After the launch of Mythos, a high-level review meeting was held by Finance Minister Nirmala Sitharaman and IT Minister Ashwini Vaishnaw with banks, regulators and cybersecurity agencies.

According to multiple media reports, the meeting focused on assessing the risks posed by advanced AI systems such as Mythos to India’s financial infrastructure. Officials flagged concerns that such models could significantly lower the technical barrier required to carry out sophisticated cyberattacks.

Sitharaman warned that the threat posed by such technologies could be “as big as war”, adding that existing cybersecurity frameworks would need to become “far more versatile” to deal with AI-led risks. Vaishnaw, in the same discussions, stressed the need for tighter coordination between government, regulators and financial institutions, particularly around real-time information sharing and incident response.

Meanwhile, as per reports, the National Payments Corporation of India (NPCI) is trying  to secure early access to examine "day-zero" cyber risks in Unified Payments Interface (UPI) systems. Even Nasscom has apparently formally requested for Mythos access to bolster cybersecurity resilience. 

What is the RBI doing?

The Reserve Bank of India has begun a parallel process of assessment and coordination. According to Reuters, the RBI is in discussions with banks as well as global regulators to evaluate the risks posed by models like Mythos. The central bank is examining how such systems could accelerate both the discovery and exploitation of vulnerabilities across financial infrastructure.

The RBI is also focusing on strengthening supervisory oversight of cybersecurity preparedness, particularly in payment systems and core banking platforms where vulnerabilities could have systemic consequences.

Banks were also asked to work more closely with cybersecurity experts to build stronger defences and information sharing channels with CERT-In and other agencies. 

Will AI-led cyberattacks increase?

The expectation across regulators and financial institutions is that the risk will rise, though the framing remains measured.

As per reports, central banks and financial institutions are increasingly concerned that advanced AI systems could make cyberattacks faster, more scalable, and less dependent on specialised expertise, effectively lowering the barrier to entry.

Institutions argue that if such capabilities exist, they will need comparable tools to identify and patch vulnerabilities at speed, rather than rely solely on traditional cybersecurity methods.

Project Glasswing: controlled access and industry collaboration

To manage these risks, Anthropic has launched Project Glasswing, a restricted-access initiative focused on defensive cybersecurity. The programme gives selected organisations access to Mythos to identify and fix vulnerabilities in critical systems.

Participants include Google, Microsoft, Amazon Web Services, Nvidia, and JPMorgan Chase.

The model has already been used to detect thousands of vulnerabilities, including previously unknown flaws across widely used software systems. Anthropic is backing the initiative with up to $100 million in usage credits and funding for open-source security efforts.