On April 7, 2026, U.S. Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell summoned the CEOs of Bank of America, Citigroup, Wells Fargo, Goldman Sachs, and Morgan Stanley in Washington. This was not a monetary policy meeting. The purpose was to issue a warning regarding an artificial intelligence model from Anthropic, named Claude Mythos Preview, launched that same day to a select group of companies.
The alarming capability is concrete: Mythos detects extreme vulnerabilities in software, browsers, and security systems with unprecedented commercial precision. Anthropic does not mince words: if this tool falls into the wrong hands, it offers potential attackers an edge in stealing data or disrupting critical infrastructure. This is why the launch is restricted. This is why the government summoned the bankers. And this is why this issue deserves attention beyond the cybersecurity headline.
What Mythos Reveals About the Banking Innovation Portfolio
The five summoned banks collectively manage over $20 trillion in assets and account for more than 40% of the U.S. banking market share. JPMorgan Chase, the largest absentee (its CEO Jamie Dimon could not attend), processes over 20 billion daily transactions. These are institutions whose technological infrastructure is, by definition, the most profitable target for any sophisticated attacker.
The sector has already paid dearly for its exposure: security breaches cost an average of $5.9 million per incident in 2025, and total losses in the U.S. banking system from cyberattacks that year reached around $12 billion. In light of these figures, the arrival of an AI that automates vulnerability detection is not just an academic novelty; it is a lever that redistributes who holds the advantage in offensive and defensive warfare.
The structural problem that the April 7 meeting exposed is this: large banks invest massively in cybersecurity—JPMorgan allocates $15 billion annually to technology—but they do so based on a mature business logic where the goal is to protect existing revenue engines with standardized processes, cyclical audits, and regulatory compliance. Mythos does not fit this model. It is an active vulnerability exploration tool, not a passive defensive maintenance measure. Absorbing it correctly requires an organizational design that most of these institutions do not have in operation.
Anthropic Built a Company Within Its Company, and the Banks Did Not
The most revealing part of this case lies not in the government warning but in the contrast between how Anthropic executed the launch and how the financial system is positioned to respond.
Anthropic launched Mythos under a restricted access model to selected partners. It was not released to the market. It was not integrated into an existing product suite. It was treated as what it is: a high-potential, high-risk capacity that requires controlled validation before scaling. This is precisely the behavior of an organization that manages innovation as if it were an autonomous unit with its internal operating rules, separate from the core business. The backing from Amazon and Google for over $8 billion provides the capital to sustain that discipline without immediate monetization pressure.
The banks, on the other hand, operate under an inverse logic. Their innovation units, internal labs, and advanced cybersecurity teams often report to the same metrics as any mature business line: quarterly return on investment, measurable cost reduction, compliance with audits. When a technology like Mythos emerges on the radar, the standard process is to send it to the compliance department, wait for legal approval, assess compatibility with legacy systems, and, if it survives that bureaucratic transit, integrate it eighteen months later into a diluted version of its original potential.
The Federal Reserve already has supervisory personnel embedded to evaluate the internal systems of these banks. This presence is not new, but the focus is: they are now auditing capabilities, systems, and defenses against AI-driven threats. What they will find, in most cases, is a gap between the speed at which the threat evolves and the speed at which institutions can adapt their defenses when those defenses are trapped within governance structures designed for a different type of risk.
The Cost of Measuring Exploration with Exploitation Metrics
The global market for AI applied to cybersecurity reached $24.8 billion in 2024 and is projected to grow at a compound annual growth rate of 24.5% until 2030. These numbers describe a sector that is shifting from reactive detection tools to proactive offensive analysis systems. Mythos is not the endpoint of that curve; it is the signal that the curve has accelerated ahead of expectations.
For banks, the cost of not repositioning their technological risk management model is twofold. First, the direct cost: if sophisticated attackers gain access to capabilities equivalent to Mythos—through unrestricted versions, open-source derivatives, or state actors with similar resources—the exposure of institutions processing tens of billions in daily transactions multiplies non-linearly. Analysts estimate that AI-augmented attacks could double the current losses in the sector.
Second, the opportunity cost: banks that manage to integrate tools like Mythos into their defensive operations in a functional manner—not as a decorative pilot project, but as a real operational capacity—will gain an asymmetric advantage in detecting and closing vulnerabilities before they are exploited. This reduces cyber insurance premiums, which already rose by 25% in 2025, and decreases the likelihood of systemic events triggering obligations under regulations like Dodd-Frank.
The obstacle is not the willingness to invest. Budgets exist. The obstacle is that integrating an active exploration tool within a structure designed for operational stability requires creating a unit with real autonomy, its own metrics—validated learning, detection speed, reduced attack surface—and protection against the approval cycles that slow down any initiative that does not generate visible short-term income.
The Differentiation Window Closes Sooner Than It Appears
Jamie Dimon's absence at the April 7 meeting does not indicate strategic negligence from JPMorgan. However, it illustrates a dynamic that the financial system cannot afford to ignore: when threats evolve at the speed of an AI release cycle, preparedness cannot depend on whether the CEO was available that Tuesday.
Anthropic built a launch mechanism that separates risk from learning. Banks need to build an equivalent mechanism that separates defensive innovation from ordinary corporate governance cycles. Not as a temporary exception, but as a permanent design. Those who achieve this before Mythos—or its successor—hits the open market will have turned compliance costs into measurable competitive advantage. Those who fail to do so will continue to pay higher premiums to protect systems whose vulnerabilities they will discover too late.
