Reuters reported today that Anthropic plans to extend Mythos Preview access to European banks "soon," citing sources familiar with the matter. Which means some of the largest financial institutions in the world have been waiting in line while their American competitors have been scanning their codebases for weeks.

JPMorganChase is publicly part of Project Glasswing, Anthropic's defensive cybersecurity coalition launched today. But Bank of America has quietly been part of Glasswing since the start and has been testing Mythos internally, according to a source familiar with the arrangement. Other US banks have "more recently" been given access, as regulators rush to understand the cybersecurity risks the model creates.

European banks do not have Mythos. Not yet. And that gap is causing real anxiety.

The Two-Speed Banking World

Consider what this means in practice. JPMorgan and Bank of America can scan their entire codebase for zero-day vulnerabilities that no human security team has ever found. Mythos Preview discovered thousands of high-severity flaws in every major operating system and browser. It found a 27-year-old OpenBSD bug and a 16-year-old FFmpeg vulnerability that automated tools hit five million times without catching.

Now imagine you are Deutsche Bank, BNP Paribas, or Barclays. You know these vulnerabilities exist in your systems. You know an AI model can find them. You know your biggest American competitors are already patching. And you cannot get access.

Jamie Dimon addressed this on JPMorgan's recent earnings call: AI "does create additional vulnerabilities, and maybe down the road, better ways to strengthen yourself too." That is carefully worded CEO-speak for: we are already using Mythos and it is finding things we did not know about.

Regulators Are Not Ready

The regulatory response has been a masterclass in being caught flat-footed. Bank of England Governor Andrew Bailey warned last week that Mythos could "crack the whole cyber risk world open." The ECB's Christine Lagarde admitted no governance framework exists. Singapore's MAS is telling banks to patch everything urgently. South Korea convened government meetings. Australia's ASIC started monitoring.

None of them had a plan for a private company discovering thousands of critical vulnerabilities in the software that runs global finance and then deciding who gets to know about it.

Goldman Sachs CEO David Solomon confirmed "hypersensitivity" on his earnings call. Deutsche Bank CEO Christian Sewing claimed German banks are "well-prepared." Given Deutsche Bank's compliance history, take that with the appropriate amount of skepticism.

The Structural Problem Nobody Wants to Talk About

A private AI company is now deciding which financial institutions get access to defensive cybersecurity capability. Not a government. Not a regulator. Not a central bank. Anthropic.

Today's Project Glasswing launch formalizes what was already happening informally. Roughly 40 organizations have had Mythos access. Now the coalition is public, the $100 million in credits is committed, and the expansion to European banks is confirmed.

But the model that got Anthropic blacklisted from the Pentagon in February is the same model that banks are now desperate to use. The company that fought the US government over safety principles is now the gatekeeper of the world's financial cybersecurity. Anthropic did not plan this position. Mythos created it.

European banks will get access soon. The question is whether "soon" means days, weeks, or months. Every day of delay is a day when American banks can find and fix vulnerabilities that European banks cannot. In cybersecurity, that kind of head start is not a competitive advantage. It is a survival advantage.