Mythos Locked|Banks on Alert

2026-04-10 · FTSE

The Model Nobody Can Touch

An AI model found a 27-year-old software vulnerability that every human auditor had missed. Then Anthropic locked it away. Mythos, the company's latest model, is not being released to the public — not because it failed, but because it worked too well. According to Fortune and Bloomberg reporting on Friday, Anthropic determined that Mythos is so capable at identifying and exploiting software vulnerabilities that releasing it broadly would hand attackers a systematic advantage over defenders. Instead, access is being limited to a small group of major technology companies whose software underpins most of the digital economy. The hope is that defenders can patch what Mythos finds before anyone else gets to use what Mythos knows.

That is not a routine product launch decision. Anthropic has now, in effect, concluded that one of its own models poses a threat serious enough to require sequencing — defenders first, everyone else never. No commercial release date has been given. That is new territory for an industry that has grown accustomed to racing models to market.

The Emergency No One Announced

In the same week that Anthropic made that call, Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an emergency meeting at the Treasury's headquarters in Washington. In attendance: Citigroup CEO Jane Fraser, Morgan Stanley CEO Ted Pick, and the heads of most of the country's largest financial institutions. The subject was Mythos.

That combination — a sitting Treasury Secretary, the Fed Chair, and every major Wall Street CEO in the same room, unannounced, on a Friday — does not happen over a routine software update. What it signals is that regulators and the financial system's senior leadership believe the cybersecurity exposure created by models like Mythos is not theoretical. It is imminent enough to require coordination before the model is even public.

The connection between these two events is not coincidental. Anthropic restricted Mythos because of what it could do to software infrastructure. The Treasury and Fed called the meeting because that infrastructure includes the core systems of every bank in the country. The financial sector runs on the same codebases, the same legacy protocols, and the same decades-old software stacks that Mythos apparently knows how to break.

Iranian-linked hackers have already demonstrated this week that they are actively targeting US infrastructure — breaching FBI Director Kash Patel's personal email and claiming attacks on water, energy, and tourism networks, as Fortune reported. The attack surface is real, the adversaries are active, and now there is an AI model capable of accelerating the pace of discovery on both sides. The emergency meeting was the government's answer to the question of which side gets the head start.

What Comes After the Head Start

The decision to restrict Mythos buys time. It does not eliminate the risk. Anthropic itself acknowledged that other AI labs are producing models with similar capabilities, which means the window during which defenders have an exclusive advantage may be measured in months, not years. Once a comparable model is released commercially — or leaked — the sequencing advantage disappears.

For equity markets, the near-term read on this is more nuanced than it first appears. Cybersecurity stocks moved on Friday, but the broader question is larger than a single day's trade. If the working assumption has been that AI models accelerate productivity broadly, the Mythos episode introduces a counterweight: AI models may also accelerate the pace of systemic vulnerability discovery faster than institutions can respond. That shifts the risk calculus for any sector with concentrated exposure to legacy software infrastructure — and the financial sector is near the top of that list.

The AMD rally of 4% and Broadcom's 5% gain on Friday, driven by AI cloud demand, reflect one narrative: that AI infrastructure buildout continues regardless of safety concerns at the frontier. The Mythos episode reflects another: that frontier capability has now outrun the safety frameworks designed to contain it, enough to require emergency coordination between the central bank and the largest commercial banks.

Both things can be true. The weight of the evidence, though, leans toward this risk being underpriced in financial sector valuations. Banks carry cybersecurity risk as an operational cost. They do not yet carry it as a front-page systemic exposure. That framing may be shifting. The benchmark to watch is not a stock price — it is whether Congress moves to regulate AI model release timelines in the next 60 days. If legislation is introduced, the policy risk for AI infrastructure names crystallizes quickly. If the emergency meeting produces no regulatory response, the market will price this as a one-week headline and move on. The final tension here is that Anthropic does not know, and the government does not know, how many labs are six months behind Mythos. Neither does the market.