• Laura Eshelby, Head of Economic Crime at Clue


• 01.05.2026 02:45 pm
#FinancialAI #IndustryInnovation

Anthropic’s recent update to its Claude Mythos AI model has been a wake-up call for financial institutions. The company has warned that the model can identify and exploit previously unknown vulnerabilities in major operating systems and web browsers, which is the core infrastructure underpinning the financial system.

This marks a step-change in cyber risk, where attacks could emerge and scale faster than human defenders can respond. The real concern is no longer just what this technology can do, but whether existing controls, governance and defensive capabilities can keep pace with the speed of progress.

While Mythos was designed to uncover deep software weaknesses before they could be exploited, those same capabilities highlight how easily power could be misused by bad actors. 

This has unsettled financial institutions and regulators worldwide. In the UK, the Bank of England, FCA and HM Treasury held urgent discussions with the National Cyber Security Centre, warning that frontier AI will rapidly expose long-standing cyber defence weaknesses and calling for coordinated action.

What Mythos means for the industry 

Mythos marks a shift in how cyber risk materialises, with the system identifying and exploiting vulnerabilities more quickly than before. This increases exposure to fraud, service disruption and data compromise, particularly where systems are customer-facing or operationally critical.

AI intensifies known risks and vulnerabilities, such as approvals, payments, supplier interactions or access decisions, where behaviour looks legitimate, and controls are followed. Deception can be personalised, convincing and scalable. Communications appear routine, instructions sound credible, and decisions seem reasonable. By the time something looks wrong, loss has often already occurred.

Why the industry still isn’t ready 

Despite increasing awareness, many firms remain underprepared. Underinvestment in cyber skills remains a major constraint. Few organisations have enough engineers, threat analysts and incident responders to fix issues at the speed now required, leaving smaller banks and fintechs particularly exposed.

Legacy technology adds to the problem, with ageing infrastructure often too slow and complex to patch. Compensating controls that were acceptable in the past are harder to justify when weaknesses can be identified and exploited far more quickly.

Most importantly, governance has not kept pace with the drive for frictionless customer journeys. Financial services have prioritised speed and growth, often at the expense of resilient controls. AI-enabled cyber risk exposes this tension, particularly where challenger banks have scaled rapidly without the depth of oversight, ownership and third-party controls needed to manage emerging threats.

The response must start with governance. Boards should treat AI-accelerated cyber and corruption-linked risk as strategic business issues, supported by clear accountability and faster decision-making.

This also requires a shift towards intelligence-driven, investigation-led security. Rather than reacting to growing volumes of alerts, firms need to understand how harm unfolds across people, processes, suppliers and systems. Capturing context, joining information early and making decisions deliberately will matter as much as any technical control.

Ultimately, Claude Mythos marks an inflection point for financial services. These risks cannot be managed in isolation or within silos. Getting ahead will require stronger intelligence sharing, deeper collaboration across industry and government, and a more coordinated, system-wide approach to resilience.