It may seem reassuring that JPMorganChase, the largest U.S. bank, is among the 12 launch partners involved in Anthropic’s Project Glasswing. But given the stark cybersecurity warning the initiative represents, including a single financial institution is nowhere near enough.

Anthropic launched Glasswing on April 7 as a limited-access effort built around Claude Mythos Preview, which it describes as its most capable AI model yet and one that is especially adept at autonomous cybersecurity tasks such as finding and exploiting software vulnerabilities. Rather than release Mythos broadly, Anthropic says it is keeping access tightly controlled and using the model through Glasswing to help secure critical software before attackers can take advantage of the same kinds of capabilities.

While a growing number of organizations, including financial institutions, are being granted access to Mythos, greater and more diverse banking involvement needs to happen sooner rather than later. Banks already operate in one of the most heavily targeted cyber environments in the world. They manage enormous volumes of sensitive data and transactions while relying on a mix of cloud services, third-party vendors, open-source software, internal APIs and legacy infrastructure layered together over decades. 

That complexity has always created risk. What changes with a model like Mythos is the possibility that vulnerability detection and exploitation could be accelerated at a scale and speed the sector has never faced before. For instance, unlike previous AI models that assisted humans, Mythos can analyze code, find weaknesses and chain multiple vulnerabilities together to create working exploits without human intervention. No wonder the International Monetary Fund (IMF) recently identified the AI model as a major systemic threat to global financial stability.

When the creator of a frontier AI system decides its cybersecurity capabilities are sensitive enough to limit access, financial institutions should pay very close attention. The danger is not simply that attackers may get access to better tools. It is that the economics of cyber crime may be changing. Tasks that once required significant time, expertise and coordination — mapping environments, identifying weaknesses, testing exploit paths and combining vulnerabilities across systems — could become even faster, cheaper and more scalable than they already are with existing AI tools.

For an industry like banking, where trust, uptime and transaction integrity are everything, that matters enormously.

Financial institutions do not operate in neat, self-contained environments. They operate in interconnected ecosystems. A weakness in a third-party provider, a gap in an internal application or an overlooked vulnerability in older infrastructure can quickly become more than an IT problem. It can affect customer access, payment flows, fraud controls, operational resilience and institutional reputation. If advanced AI lowers the barrier to uncovering and weaponizing those weaknesses, the threat environment becomes more dynamic, more persistent and less forgiving.

This is why the banking narrative needs to be front and centre in any conversation about models like Claude Mythos. Cybersecurity in finance is not just about protecting systems. It is about protecting confidence.

Too much cybersecurity thinking is still rooted in a slower-moving world: periodic patching, annual audits, quarterly reviews and remediation after the fact. But if AI is compressing the timeline between vulnerability discovery and attempted exploitation, then banks need to evolve from a periodic security mindset to a real-time resilience mindset. 

That starts with accepting a simple reality: prevention alone is no longer enough. No institution can assume it will find and fix every weakness before an attacker finds a way to exploit it. The real test is whether suspicious behaviour can be detected as it emerges, whether malicious activity can be isolated quickly and whether damage can be contained before it spreads into payments, fraud or service disruption.

That is also why transaction visibility matters more than ever. In a more aggressive cyber environment, institutions need to close the growing latency gap between attackers and defenders. They need to understand what is happening inside transaction flows in real time. They need to be able to spot altered messages, unusual reversals, suspicious behavioural patterns, impossible geographies, abnormal terminal activity and signs that otherwise legitimate infrastructure is being manipulated. When attackers become better at finding technical weaknesses, defenders must become better at catching operational consequences in milliseconds.

Regulators and financial institutions should also stop treating AI-driven cyber risk as tomorrow’s problem. It is already a governance problem, a resilience problem and a systemic-risk problem. The sector needs clearer expectations around secure AI deployment, third-party dependencies, vulnerability disclosure, red-team testing and incident preparedness in an era of AI-assisted attacks. This is not just about individual firms hardening their own environments. It is about ensuring the broader financial ecosystem can withstand faster and more adaptive threats.

There is, of course, another side to this story. AI is strengthening defenders. Project Glasswing is built on exactly that premise: that powerful models can help trusted organizations identify and fix vulnerabilities faster. But banks do not get to experience only the upside. They have to manage the messy middle — the period where powerful cyber capabilities are advancing rapidly, safeguards are uneven and criminal incentives remain strong. That period appears to be in full swing: According to Nasdaq Verafin’s 2026 Global Financial Crime Report, global losses to fraud scams and bank fraud schemes have increased by 9.2 percent each year since 2023, reaching $579.4 billion USD in 2025. 

The debate is not really about one company or one model. It is about whether the financial sector is prepared for a world in which AI can expose hidden fragilities across digital infrastructure faster than many institutions can remediate them. What once required significant technical skill and time can now be executed in minutes: voice cloning needs less than a minute of audio, generative AI can produce highly convincing forged documents at scale and deepfake-driven social engineering is becoming increasingly targeted and believable. The result is not just more fraud, but faster, cheaper and harder-to-detect fraud.

In finance, trust is not a feature. It is foundational. Customers trust that their money will move safely. Institutions trust that their systems will function as intended. Markets trust that critical infrastructure will remain resilient under pressure.

If AI is testing those assumptions in new ways, banks cannot afford to respond slowly. The institutions that adapt now — with real-time transaction intelligence and a much more dynamic view of operational risk — will be far better positioned than those that continue to treat cybersecurity as a back-office IT issue.