At the end of May 2026, Japan’s three largest banks — Mitsubishi UFJ Financial Group (MUFG), Sumitomo Mitsui Financial Group (SMBC), and Mizuho Financial Group — gained access to Anthropic’s Claude Mythos, the company’s most powerful and most restricted AI model.

The move makes Japan the first country in Asia to receive access to Mythos, which until now had been confined to a small group of American and European institutions through Anthropic’s Project Glasswing program. Access was arranged during a visit to Tokyo by US Treasury Secretary Scott Bessent in mid-May, with Finance Minister Satsuki Katayama publicly confirming the arrangement shortly after.

The reason these banks are getting access is not to build customer-facing tools or automate back-office workflows. It is to defend themselves.

What Mythos Does That Other Models Cannot

Claude Mythos is, by Anthropic’s own assessment, “currently far ahead of any other AI model in cyber capabilities.” Its core capability is finding security vulnerabilities — including decades-old flaws that no human security researcher has ever identified — and doing it at a speed and scale that no human team can match.

That capability is what makes Mythos genuinely dangerous in the wrong hands. And it is exactly why Japan’s megabanks want it.

The logic is straightforward: adversaries are already building or acquiring AI models capable of finding and exploiting vulnerabilities in critical financial infrastructure. The only viable defense is using equivalent AI to find your own weaknesses before attackers do. You cannot patch what you do not know is broken.

MUFG, Mizuho, and SMBC are deploying Mythos specifically to scan their own systems — not to answer questions, not to automate reports, but to run aggressive vulnerability assessments on banking infrastructure that supports trillions of dollars in transactions.

The Geopolitics Behind the Move

This is not just a corporate technology decision. The fact that it required coordination between the US Treasury Secretary, Japan’s Finance Ministry, and Anthropic signals something bigger: AI capability has become an instrument of allied security policy.

The announcement came as part of a broader US-Japan agreement on AI cooperation, with both governments framing access to frontier AI models as a matter of financial system resilience. Japan and the United States have pledged to work together to respond quickly to cyberattacks targeting vulnerabilities in financial systems, and sharing access to Mythos is part of that framework.

In response to the emergence of Mythos and models like it, Japan is also drafting national cyberdefense guidelines, directing software providers across all sectors to use AI tools to proactively check for vulnerabilities. That is a significant shift for a country that has historically been conservative about AI regulation — moving from caution to active deployment, driven by the threat landscape.

What This Means for Businesses

Most businesses will never touch Claude Mythos. The model is tightly restricted, access requires significant vetting, and the use cases are highly specialized. But the Japan megabank story carries practical implications that every business leader with digital infrastructure should understand.

AI-powered cyberattacks are no longer hypothetical. The fact that three of the world’s largest financial institutions are deploying a frontier AI model specifically to hunt vulnerabilities tells you everything about where the threat environment is heading. If MUFG is running AI-driven security scans, it is because the attacks that Mythos-class AI can generate are real and coming.

The defense gap is widening. Most businesses — including most mid-market companies — still run security practices that assume a human attacker moving at human speed. AI changes that assumption. An attacker with access to capable AI can find vulnerabilities faster than any traditional scanning tool can detect them.

Compliance and governance are catching up. Japan’s move to draft national cyberdefense guidelines requiring AI-assisted vulnerability scanning is almost certainly a preview of what regulators in other markets will mandate. Businesses in regulated industries like finance, healthcare, and critical infrastructure should expect similar requirements to arrive.

Upskilling matters more than ever. Understanding what AI-powered threats look like, how to assess your own exposure, and how to evaluate AI security tools is no longer an IT department specialty. It is a leadership-level requirement. The gap between organizations that understand the AI threat landscape and those that do not is growing wider by the month.

For context, Anthropic’s Claude Mythos is the same model that prompted the US Federal Reserve and Treasury Secretary Bessent to summon America’s top bank CEOs for an emergency briefing in April. The model that warranted that kind of response is now being deployed, by design, inside Japan’s financial system as a first line of defense.

That tells you where AI and enterprise security are heading. The question is whether your organization is preparing for it.