Treasury Secretary Scott Bessent gathered the CEOs of Goldman Sachs, Bank of America, Citigroup, Morgan Stanley, and Wells Fargo at Treasury headquarters this week, alongside Fed Chair Jerome Powell. The reason? Anthropic's unreleased Claude Mythos model. The AI has found thousands of security vulnerabilities in widely used software, some lurking undetected for 27 years. Anthropic published a blogpost earlier this month warning that AI models have surpassed "all but the most skilled humans at finding and exploiting software vulnerabilities." They weren't exaggerating for effect.
This is the first time Anthropic has restricted access to a product. Claude Mythos is limited to Amazon, Apple, Microsoft, Cisco, Broadcom, and the Linux Foundation. That restriction followed a recent leak of Claude's code, which likely spooked everyone involved. The US government separately designated Anthropic as a supply chain risk weeks ago, a classification the company is now fighting in court.
JP Morgan CEO Jamie Dimon couldn't attend but addressed the issue in his annual shareholder letter published this week. "Cybersecurity remains one of our biggest risks," Dimon wrote, "and AI will almost surely make this risk worse." He's right. The financial sector runs on software that, it turns out, nobody fully understood. An AI that can systematically map those weaknesses changes what a single breach looks like for banks running overnight settlement on code that hasn't been audited in years.
Some industry voices point to decades of neglected security debt as the deeper issue here. They have a point. The vulnerabilities existed before Claude Mythos found them. But now they're catalogued, and the question becomes who gets access to that catalogue. Anthropic's answer is Project Glasswing, a framework designed to turn vulnerability discoveries into actual patches. Without something like Glasswing, Mythos is just a very detailed map of everywhere we're exposed.