On April 10, the Chair of the Federal Reserve and the US Treasury Secretary gathered the heads of America’s largest banks in Washington for an unscheduled meeting. The topic was not interest rates, tariffs, or credit markets. It was a single AI model.
Fed Chair Jerome Powell and Treasury Secretary Scott Bessent assembled the group at Treasury headquarters to brief bank CEOs on the cybersecurity threat posed by Anthropic’s Claude Mythos — the model Anthropic itself released in restricted form just three days earlier. The bank CEOs were already in Washington for a routine Financial Services Forum board meeting when the special session was called.
The meeting was described by sources as urgent but measured. The goal was not to create panic — it was to make sure banks understood what Mythos can do and whether their defenses are prepared for it.
Why Regulators Are Worried
Mythos is not a typical AI assistant. In Anthropic’s own assessment, it is “currently far ahead of any other AI model in cyber capabilities” and can autonomously discover and exploit software vulnerabilities without human guidance. That includes decades-old vulnerabilities that no human security researcher has ever flagged.
What makes it particularly concerning in a financial context is scale and speed. A sophisticated human attacker might identify a handful of exploitable vulnerabilities in a major banking system over months of work. Mythos can reportedly scan for weaknesses at a rate that no human team can match, and can generate working exploits to go with them.
The concern Powell and Bessent were communicating is not that Mythos itself will attack banks. Anthropic controls access tightly through Project Glasswing, its restricted rollout program. The concern is what happens when models of equivalent capability end up in the hands of adversaries — state-sponsored hackers, criminal organizations, or less scrupulous actors who build similar systems without the same guardrails.
What the Banks Were Told
According to sources familiar with the meeting, Powell and Bessent urged banks to treat AI-assisted cyberattacks as a near-term operational risk rather than a hypothetical future threat. They were advised to review incident response playbooks, audit critical system dependencies, and evaluate whether existing security monitoring tools are capable of detecting AI-generated exploit attempts.
The message was not that an attack is imminent. It was that the tooling available to adversaries has changed materially, and institutions that have not updated their threat models to account for AI-speed vulnerability discovery are behind.
Several of the banks represented in the meeting — including JPMorgan Chase — already have access to Mythos through Anthropic’s Project Glasswing, which gives 40-plus enterprise partners access specifically for defensive security work. The irony is notable: the same model being used to brief regulators about systemic risk is also being used by the major banks themselves to find and patch vulnerabilities before attackers can exploit them.
AI as a Macroeconomic Risk
The Powell-Bessent meeting signals something that has been building quietly: AI capability has crossed a threshold where it is now treated as a macroeconomic risk variable, not just a technology story.
When the Fed Chair and Treasury Secretary call an unscheduled meeting about a single AI model, it lands differently than a think tank report or a congressional hearing. It means people at the top of the financial regulatory system view frontier AI capability as within the scope of systemic risk — the category of threats that can cause cascading failures across interconnected institutions.
That framing matters for every business leader, not just banks. The same capability that makes Mythos a concern for financial infrastructure makes it a concern for healthcare systems, logistics networks, manufacturing control systems, and any organization running software that connects to the internet.
What This Means for Business
The threat model has changed. For years, the assumption in enterprise security was that sophisticated attacks require sophisticated human attackers — nation-state teams with deep resources and long timelines. AI-assisted vulnerability discovery compresses that timeline dramatically and potentially lowers the resources required. If you have not revisited your organization’s security posture with this in mind, it is overdue.
Defensive AI is now a real category. Anthropic’s Project Glasswing and OpenAI’s parallel Trusted Access for Cyber program are the earliest signals of what is becoming a distinct market: AI systems used specifically to outpace AI-assisted attacks. Organizations large enough to access these programs are getting ahead; everyone else needs to think carefully about what defensive tooling is in their stack.
Regulators are watching the AI-risk intersection closely. The Powell-Bessent meeting is not an isolated event. It reflects a broader regulatory posture that treats AI capability as financially material. For businesses in regulated industries — banking, insurance, healthcare, critical infrastructure — the expectation that you have assessed and managed AI-related cyber risk is likely to become explicit in compliance frameworks within the next 12 to 18 months.
For most businesses, this is a signal, not an alarm. The systemic risk conversation is relevant primarily to large financial institutions. But the underlying dynamic — AI making cyberattacks faster and cheaper to execute — applies broadly. The right response is not panic; it is making sure your security thinking is current and that you have a clear-eyed view of where your exposure actually lies.
For a deeper walkthrough of tools like this and how they fit together, the free Working With Claude field guide covers the ecosystem end to end. Get the guide.
Source
CNBC
Free Resource
Going deeper with Claude?
Get the free 32-page implementation guide for ANZ teams.
Your guide is ready
Check your downloads folder. If it did not open automatically, use the button below.
Download the Guide