EBA puts Anthropic's Mythos AI on high alert for European banks
Source · Banking desk
— Summary
Anthropic's new AI model 'Mythos' has put banking regulators on high alert. The European Banking Authority's new president, François-Louis Michaud, told the press on 16 April 2026 that cybersecurity tied to Mythos is 'clearly a top priority' and is being discussed with international partners.
Mythos, positioned by Anthropic as a tool to 'revolutionise cybersecurity', can reportedly identify thousands of critical flaws in the world's most widely used software — enough that Anthropic has withheld public release and only shared the model with a small group of large firms to let software vendors patch the holes first. In the US, major bank CEOs have been summoned by the Treasury; JPMorgan chief Jamie Dimon said AI tools will intensify cyber risk, while Goldman Sachs' David Solomon confirmed Goldman has access to Mythos and is reinforcing infrastructure resilience alongside Anthropic.
Bank of England governor Andrew Bailey flagged cyber risk as the threat 'that never goes away' since the 2008 crisis. Banks' legacy IT systems (decades-old core software) are seen as particularly exposed because of layered modern tools and a highly interconnected sector sharing a narrow set of vendors for onboarding, KYC (Know Your Customer anti-money-laundering checks) and transaction processing. Michaud points to Europe's AI Act and DORA (the Digital Operational Resilience Act governing banks' IT-risk management) as defences. Source: Les Echos, 16 April 2026, Ingrid Feuerstein.
The story in one line: Global banking regulators — now joined by Europe’s EBA under new president François-Louis Michaud — have elevated Anthropic’s unreleased ‘Mythos’ model to a top-tier cyber threat for the financial system.
Key numbers
Mythos reportedly uncovers thousands of critical vulnerabilities in the world’s most widely used software.
Anthropic has not publicly released the model, sharing it only with a handful of large firms to patch before wider exposure.
US bank CEOs were summoned by the Treasury to discuss the risk.
JPMorgan, Goldman Sachs and several US peers confirmed they are testing the technology.
Bank of England governor Andrew Bailey called cyber risk the fastest-growing threat since the 2008 crisis.
Europe’s regulatory toolkit: AI Act and DORA (Digital Operational Resilience Act).
Why it matters
Banks run a patchwork of decades-old ‘legacy’ core systems layered with newer tools — a known source of vulnerabilities. The sector is also tightly interconnected through a narrow vendor set for KYC (Know Your Customer) onboarding, transaction processing and AML compliance, meaning a single exploited flaw can cascade. Mythos’s reinforced code-discovery capability raises the bar for both attackers and defenders; regulators are pushing banks and their IT suppliers to demonstrate resilience before the model is widely available.
Takeaway
Cyber supervision has moved from the periphery to the top of the banking regulatory agenda. Expect more intrusive stress testing of IT risk under DORA and closer scrutiny of bank-vendor dependencies over the next 12 months.
Source: Les Echos, 16 April 2026, Ingrid Feuerstein.