Europe’s finance ministers are about to discuss an AI model none of them can access


TL;DR

Euro-area finance ministers will discuss Anthropic’s Mythos AI model with banking supervisors on Monday. No EU government has access to the model, which can find zero-day vulnerabilities in every major operating system and browser. The Bundesbank has urged the EU to demand access. The White House is simultaneously using Mythos through the NSA while opposing Anthropic’s plan to expand access to 70 additional organisations, and the Pentagon has designated Anthropic a supply chain risk.

Euro-area finance ministers will discuss Anthropic’s Mythos AI model with banking supervisors on Monday, according to a senior EU official. The technology that will be on the agenda is one that no government in the European Union has access to, built by a company that the United States Pentagon has designated a national security supply chain risk, and which the White House is simultaneously using through the National Security Agency while blocking its creator from expanding access to others. The ministers are expected to return to the topic after Monday’s discussion once they gather more information. The problem is that gathering information is precisely what they cannot do. As the senior EU official put it, governments are only hearing rumours about its capabilities.

What Mythos does

Anthropic announced Claude Mythos Preview on 7 April under a restricted access programme called Project Glasswing. The model is capable of autonomously discovering and exploiting zero-day vulnerabilities in every major operating system and every major web browser. It has already identified thousands of high-severity vulnerabilities, including a 27-year-old bug in OpenBSD and a 16-year-old remote code execution vulnerability in FreeBSD. Mozilla fixed 271 Firefox vulnerabilities found by Mythos in a single evaluation pass, more than twelve times the number identified by Anthropic’s previous most capable model. Anthropic has described the system as “currently far ahead of any other AI model in cyber capabilities” and has restricted access to a consortium of launch partners: Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, and Palo Alto Networks. The company is providing up to $100 million in usage credits and $4 million in direct donations to open-source security organisations. Over 99 per cent of the vulnerabilities found have not yet been patched.

The model’s capabilities are simultaneously defensive and offensive. In the hands of a security team, Mythos can identify and help fix vulnerabilities that have persisted in critical infrastructure for decades. In the hands of a threat actor, the same capabilities can be weaponised to run cyberattacks at a scale and speed that human hackers cannot match. Anthropic has said it limited the release precisely because of this dual-use risk. But the limitation creates its own problem: the organisations with access can see where their systems are vulnerable, and the organisations without access cannot. For European banks, which rely on complex, interconnected, and often decades-old technology systems, the asymmetry is not theoretical. It is a competitive and security disadvantage that the Bundesbank has now formally identified.

The access problem

Germany’s chief banking supervisor Michael Theurer urged the European Commission and EU governments to request access to Mythos from Anthropic or from the US administration directly. “I consider it necessary that the European Commission and governments in Europe now also approach the company, or rather the United States, to request that the technology be shared,” Theurer said. Bundesbank President Joachim Nagel was more direct: “All relevant institutions should have access to such technology to avoid competitive distortions.” The concern is that European banks cannot test which vulnerabilities Mythos is capable of identifying without access to the model itself, which means they cannot defend against threats they cannot see. Theurer warned that “we may be moving into an area in which economic actors could potentially become dependent on state assistance” if the access gap persists.

The access problem extends beyond Europe. Mythos dominated conversations at last week’s IMF spring meetings in Washington. IMF Managing Director Kristalina Georgieva said the world does not have the ability “to protect the international monetary system against massive cyber risks” and warned that “time is not our friend on this one.” Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell held an urgent meeting with top US bank CEOs to discuss the cybersecurity implications. Bank of England Governor Andrew Bailey, who chairs the Financial Stability Board, called it “a very serious challenge for all of us.” European Central Bank President Christine Lagarde framed the core tension: “The development we’ve seen with Anthropic and Mythos is a good example of a responsible company that is suddenly thinking, ah, that could be really good, but if it falls in the wrong hands, it could be really bad.” Regulators from the Fed, ECB, Bank of England, Treasury, and Australia’s ASIC are all now monitoring Mythos for systemic financial risk.

The contradiction

The White House’s position on Mythos is structurally incoherent. The NSA is using the model. The Pentagon has designated Anthropic a supply chain risk for refusing to allow its AI to be used for autonomous weapons and domestic mass surveillance. And the White House has told Anthropic it opposes the company’s plan to expand access to roughly 70 additional organisations, citing concerns that Anthropic lacks sufficient computing power to serve that many entities without compromising the government’s access. The administration is simultaneously blocking Anthropic from defence contracts, using its most sensitive model through intelligence agencies, and preventing the company from sharing that model with the private sector or allied governments. Anthropic CEO Dario Amodei has been meeting with White House chief of staff Susie Wiles and Treasury Secretary Bessent to negotiate access and the Pentagon standoff, but the contradictions have not been resolved.

For European finance ministers, the contradiction creates a dependency they have not faced before. The most consequential cybersecurity tool in existence is controlled by an American company that the American government has partially blacklisted, partially embraced, and entirely refused to share with allies. Anthropic has said it plans to provide access to European banks “soon,” according to sources, but no formal agreement is in place. The unauthorised access to Mythos by a Discord group that guessed its URL through a third-party vendor environment has only heightened the urgency: if a group of curious hobbyists can find and use the model, so can state-sponsored hackers and criminal organisations. Europe’s finance ministers are preparing to discuss a technology that their banks need, that their governments cannot access, that an ally is hoarding, and that has already leaked. The discussion on Monday will not resolve any of this. But it will establish, formally, that Europe recognises it has a problem it cannot solve alone.
