India’s banking system is being forced to confront a new kind of systemic risk: not a bad loan cycle, not a liquidity shock, not a market crash, but the possibility that advanced artificial intelligence could compress the time between discovering a software vulnerability and weaponising it.
Finance Minister Nirmala Sitharaman has warned that the emerging threat from advanced AI models such as Anthropic’s Claude Mythos is “unprecedented” and requires “a very high degree of vigilance, preparedness and better coordination across financial institutions and banks.”
She has advised the Indian Banks’ Association to develop a coordinated institutional mechanism for swift response, while banks have been asked to secure IT systems, protect customer data and report suspicious activity to agencies including CERT-In.
The concern arises from Anthropic’s own disclosure. The company says Claude Mythos Preview is an unreleased frontier model whose coding and agentic capabilities allow it to “surpass all but the most skilled humans at finding and exploiting software vulnerabilities.”
Anthropic has said Mythos has already found thousands of high-severity vulnerabilities, including flaws in major operating systems and web browsers, and that the economic, public safety and national security fallout could be severe if such capabilities proliferate without safeguards.
For banks, the danger is structural. Modern finance runs on dense layers of core banking software, mobile applications, APIs, payment switches, cloud infrastructure, third-party vendors and legacy systems. A model that can autonomously identify weaknesses across this stack could radically reduce the defender’s traditional advantage: time.
What once required a skilled attacker, weeks of reconnaissance and specialised tooling could increasingly be automated. The threat is not merely that Mythos itself may be misused; it is that Mythos-class capabilities may soon diffuse across the AI ecosystem.
Anthropic’s position is not that Mythos should be released freely, but that its capabilities must be channelled into defence. Under Project Glasswing, Anthropic is giving restricted access to selected partners, including AWS, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, Microsoft, Nvidia and Palo Alto Networks, to secure critical software.
The company describes Mythos as a “gated research preview” and says it has committed $100 million in usage credits to support defensive work.
This is why the debate must remain balanced. Mythos is not simply a “hacking AI”; it is also potentially a powerful defensive instrument. The same capability that can find vulnerabilities before attackers do can also help banks audit code, patch exposed systems, accelerate red-teaming and strengthen cyber resilience.
Anthropic has also said that broader Mythos-class release will depend on testing safeguards on less capable models, including systems designed to block prohibited or high-risk cybersecurity use.
Other major AI developers are moving in a similar direction. OpenAI has framed its cybersecurity strategy around “trusted access,” offering more capable cyber models to vetted defenders while maintaining baseline safeguards for general users. It says the goal is to empower defenders who are often outnumbered and under-resourced.
Google DeepMind’s Frontier Safety Framework explicitly treats sophisticated cyber capabilities as a severe-risk domain requiring proactive evaluation and mitigation. Microsoft, meanwhile, has described the emerging environment as an “AI-accelerated threat landscape” and says it is using AI to speed up vulnerability discovery, remediation and defence under its Secure Future Initiative.
Western financial regulators are reacting with similar urgency, though not always with panic. Reuters reported that banks and regulators in Europe and the United States are assessing Mythos-related cyber risks and industry preparedness.
Deutsche Bank CEO Christian Sewing said the issue was “not something that’s causing panic,” but added that it was something banks must keep in mind in daily risk management. He also said banks were in close contact with European watchdogs and that limited access to Mythos was appropriate for now.
In the United Kingdom, a Bank of England co-chaired group with UK Finance said the financial services industry was prepared for frontier AI developments and emerging cyber risks, but emphasised that firms must continue focusing on effective practices, including using AI to strengthen cyber defence and automate mitigation and response.
The European Central Bank has also been reported to be preparing to question bankers on whether models such as Mythos could supercharge cyberattacks, particularly against legacy technology systems.
The issue is also one of regulatory capacity. A Reuters report citing Cambridge Centre for Alternative Finance research noted that financial institutions are adopting AI at more than twice the rate of supervisors, while only a minority of regulators report advanced AI adoption.
That mismatch creates a governance problem: if banks, attackers and technology firms are moving faster than supervisory institutions, regulators may struggle to understand the risks they are expected to police.
The banking system’s vulnerability is therefore not only technical but institutional. It lies in outdated systems, fragmented vendor chains, uneven cyber maturity, delayed patching, insufficient real-time intelligence sharing and the shortage of specialised cyber talent.
Jamie Dimon, chairman and CEO of JPMorgan Chase, captured the broader anxiety in his 2025 shareholder letter when he wrote that cyber risk “remains one of our biggest risks” and that “AI will almost surely make this risk worse.”
For India, the policy response must go beyond warnings. Banks need continuous vulnerability discovery, red-team exercises using controlled AI tools, mandatory vendor-risk audits, real-time coordination with CERT-In, stronger board-level cyber accountability, and sector-wide simulation drills for AI-enabled attacks. The RBI, NPCI, IBA, CERT-In and the Ministry of Finance will have to operate less like separate institutions and more like a financial cyber command network.
The central lesson from Mythos is stark: artificial intelligence is turning cybersecurity into a race of machines against machines.
Banks cannot defend 21st-century finance with 20th-century response cycles. The prudent approach is neither techno-panic nor complacency. It is controlled access, strong supervision, rapid patching, shared intelligence and the use of defensive AI at the same speed with which offensive AI may emerge.
