TL;DR
US banking regulators are pausing some cyber examinations of the largest banks to give them time to address vulnerabilities exposed by Anthropic’s Mythos AI model. The Fed and OCC are letting institutions focus on patching flaws while conducting their own Mythos trials, as Wall Street mobilises hundreds of staff to shore up defences.
Weeks after Anthropic’s Mythos AI model sent shockwaves through the financial system, America’s top banking regulators are stepping back from the exam room to give the country’s largest lenders time to shore up their defences.
The Federal Reserve and the Office of the Comptroller of the Currency are pausing some cyber-related examinations of the biggest US banks, according to Bloomberg. The delay is not a retreat from oversight, officials stress, but a calculated decision to let institutions focus on the sprawling list of software vulnerabilities that Mythos has been uncovering since its limited release in April.
Anthropic said last month it would restrict access to its new frontier model after internal testing showed Mythos could identify thousands of zero-day flaws across every major operating system and browser, capabilities the company warned could power sophisticated cyberattacks if the model fell into the wrong hands.
From panic to punch list
The initial reaction on Wall Street was alarm. Under Project Glasswing, Anthropic’s initiative that grants select companies early access to Mythos for defensive testing, banks immediately discovered the model’s striking ability to move through code and pinpoint exploitable weaknesses at a pace no human team could match.
In April, Treasury Secretary Scott Bessent and then-Fed Chair Jerome Powell summoned Wall Street’s most senior leaders to Treasury headquarters in Washington for a closed-door briefing on the threat. The meeting, which included CEOs from Goldman Sachs, Morgan Stanley, Citigroup, Bank of America, and Wells Fargo, was designed to ensure the industry understood the scale of what Mythos had exposed.
After weeks of testing, however, the initial panic gave way to a long to-do list. The biggest US banks with Mythos access, JPMorgan Chase, Morgan Stanley, and Goldman Sachs among them, pulled together secretive internal teams to triage and patch the vulnerabilities the model flagged. Many of those institutions are also working directly with federal intelligence agencies to map the broader threat landscape.
Hundreds of people, full time
JPMorgan CEO Jamie Dimon has been blunt about the scale of the effort. “It’s serious work. We have, I think, hundreds of people doing it full time now,” he said at an Anthropic event in May. Goldman Sachs CEO David Solomon struck a similar tone during an April earnings call, saying the bank is “working closely with Anthropic and all of our security vendors” to bolster its defences.
The OCC, meanwhile, is conducting its own trial run with the model. Regulators want to understand first-hand what Mythos can do before they resume examining the banks’ preparedness. Fed Vice Chair for Supervision Michelle Bowman, speaking at a Financial Stability Oversight Council roundtable, signalled that the pause should not be mistaken for complacency. “Regulators will continue to focus on critical developments and communicating these risks to supervised institutions, as well as on refining our cybersecurity approach,” she said.
The broader picture is one of an industry and its overseers racing to keep pace with a technology that has fundamentally shifted the cybersecurity arms race. Anthropic CEO Dario Amodei has warned of a six- to 12-month window to patch tens of thousands of flaws before rival AI labs, including those in China, produce models with similar capabilities.
For banks, the exam pause buys time but not relief. Examiners remain engaged on cyber issues, and Anthropic is already briefing the Financial Stability Board on what Mythos has been finding. As 2026 shapes up to be the year of governed cybersecurity AI, the question is no longer whether advanced models will reshape financial sector security, but whether institutions can patch fast enough to stay ahead of the attackers who want to use the same technology.