THURSDAY, MAY 21, 2026 · BRISBANE

THE AI POST

INTELLIGENCE. CURATED.

Breaking · May 12, 2026

Anthropic's Mythos Is Finding Thousands of Vulnerabilities in US Banks. They Have Days to Patch, Not Weeks.

Wall Street's biggest banks are racing to fix hundreds to thousands of IT weaknesses that Anthropic's Mythos AI found in days. The IMF calls it a systemic risk.

America's largest banks are in emergency patching mode after Anthropic's Mythos AI model began surfacing IT vulnerabilities at a pace that has fundamentally broken how the industry thinks about security timelines. According to Reuters, major lenders with access to Mythos are discovering hundreds to thousands of system weaknesses ranked low to moderate, and they are being forced to fix them in days rather than the weeks they previously budgeted.

The finding comes as the IMF has separately warned that Mythos and similar frontier AI models represent systemic risks to the global financial system, not just operational problems at individual firms.

What Mythos Is Actually Doing

The problem is not that Mythos is finding individual bugs. It is that the model is expert at chaining together lower-risk vulnerabilities into high-risk attack paths. A handful of low-severity issues that would have sat in a backlog for months are being combined by Mythos into exploit chains that demand immediate action.

"This is a wake-up call because cyber risk is moving to machine speed, while much of bank defense still operates at human speed," said Nitin Seth, co-founder and CEO of Incedo, a data and AI services firm. "It also breaks a long-standing assumption in banking security: that vulnerabilities can remain hidden for extended periods before they are discovered and weaponized."

Mythos is particularly devastating against proprietary and open-source code, putting banks under pressure to upgrade aging systems that have reached end of software support. Legacy technology, the kind of infrastructure that banks have spent decades bolting together with duct tape and prayer, is now exposed.

Who Has Access, and Who Doesn't

Anthropic initially restricted Mythos to partners in its Project Glasswing initiative and about 40 additional organizations. JPMorgan Chase was a publicly named launch partner. Goldman Sachs, Citigroup, Bank of America, and Morgan Stanley also have access, Reuters previously reported. These are the banks running the scans and finding the vulnerabilities.

Smaller banks have a problem. The model costs $25 per million input tokens and $125 per million output tokens, exactly five times more expensive than Anthropic's Opus 4.7. Most community and regional banks also lack the processing power to run Mythos effectively. The larger lenders are sharing findings downstream, but there is no formal framework for this, and the smaller institutions are essentially relying on secondhand intelligence to secure their own systems.

The Customer Impact Nobody Wants to Talk About

The increased patching workload could force banks to take systems offline more frequently. Sources familiar with the process told Reuters that banks would try to minimize disruption, but the reality is that patching at this speed, on systems this old, carries inherent risk. The alternative, leaving the vulnerabilities open, is worse.

Anthropic has offered some mitigation. The company pledged $100 million in credits to Glasswing partners and other Mythos customers, and released a separate tool called Claude Security that can scan for vulnerabilities and is available to a wider set of organizations. But the core dynamic remains: the most powerful vulnerability discovery tool in history is in the hands of a few, while the vulnerabilities it finds exist everywhere.

The Systemic Risk Question

The IMF's May 7 analysis reframed this as a financial stability issue, not just a cybersecurity one. When a single AI model can expose the security posture of the entire banking sector in weeks, the question shifts from "can banks patch fast enough?" to "what happens when threat actors get access to the same capability?" One source at a major bank told Reuters that rapid AI-driven security testing is now "the new normal" that they expect to perform continually. The era of annual penetration tests and quarterly vulnerability scans is over.

First reported by Reuters.
