Anthropic to Brief FSB on Mythos, Inverting Cyber Supervision
Anthropic will brief the Financial Stability Board (FSB), the Group of Twenty’s standing watchdog on global financial risk, on cyber weaknesses its unreleased Claude Mythos Preview model has dug out of the software the global banking system runs on, the Financial Times reported on May 18. The briefing was requested by Bank of England Governor Andrew Bailey, who chairs the FSB, and who told a New York audience three weeks earlier that the model may have “found a way to crack the whole cyber risk world open.”
This is the first systemic cyber-risk briefing from a private AI lab to the G20’s financial-risk body on a vulnerability surface the lab discovered before any regulator did. The flow of supervisory information has, at least for this round, reversed.
The Briefing Anthropic Is About to Give
The FT, which broke the story citing people familiar with the plan, did not give a date for the closed meeting. Reuters reported on May 18 that it could not immediately verify the FT account, and Anthropic has not publicly confirmed the briefing.
What the meeting will cover, per the FT account, is the operational picture from Anthropic’s frontier cybersecurity research: how the unreleased model behaved in red-team conditions, which classes of vulnerability it surfaced in the kinds of software banks and exchanges depend on, and what the lab now thinks regulators should be watching across third-party providers.
Briefings at this level are how a topic moves from analyst note to standard-setter agenda. The FSB is not itself a rule-making body; it coordinates the Basel Committee on Banking Supervision, the International Organisation of Securities Commissions (IOSCO), finance ministries and central banks across G20 economies, then publishes the consensus those bodies later turn into national rules.
Bailey’s April Warning From Columbia
The trail back to this briefing runs through a single set of remarks. On April 23, speaking at a Columbia University event on global financial conditions, Bailey raised the model unprompted in a comment on geopolitical risk.
> It would be reasonable to think that the events in the Gulf are the most recent challenge to us in this world, until, I think it was last Friday, you wake up to find that Anthropic may have found a way to crack the whole cyber risk world open.
The governor, who took the FSB chair from Klaas Knot in mid-2025, framed the concern in supervisory terms moments later. “The issue is,” he said, “to what extent is this new version of the product going to be able to, in a sense, identify vulnerabilities in other systems which can be exploited for cyber attack purposes.” The FT, citing people familiar with the plan, says it was Bailey who then asked Anthropic to come present to FSB members.
That request matters because the Bank of England, separately, has been running a Financial Policy Committee workstream on AI-related operational risk since 2023. The Columbia comments turned a sectoral concern into a personal alarm and then, within weeks, into the institutional ask the FT is now reporting.
What Mythos Found in Three Weeks
Anthropic announced the model, Claude Mythos Preview, on April 7. In its own writeup of Claude Mythos Preview, the lab said the model was “not planned to be made generally available” because the offensive-side risk was too high. The numbers behind Bailey’s reaction sit in that writeup.
- On a Firefox exploitation benchmark, the model produced 181 successful exploits, against 2 successful attempts out of several hundred for the prior-generation Opus 4.6.
- On the OSS-Fuzz benchmark suite, it reached tier-5 (full control-flow hijack) on 10 targets where Opus 4.6 managed only single tier-3 crashes.
- Across 198 model-flagged vulnerabilities sent to expert contractors for severity review, the reviewers agreed with the model’s call 89% of the time.
- In one case, engineers without formal security training asked the model overnight for a remote code execution exploit and woke to a working one.
The Bugs That Made Headlines
The patched discoveries are the ones the lab is willing to talk about. They include a 27-year-old OpenBSD SACK flaw in the operating system’s TCP implementation, a 16-year-old codec bug in the FFmpeg H.264 decoder, and CVE-2026-4747, a remote code execution vulnerability in FreeBSD’s Network File System (NFS) server that had sat in production code for 17 years.
The chained exploits are where the briefing is likely to draw the most regulator attention. In one demonstration, the model assembled a JIT heap spray that escaped both a browser’s renderer sandbox and the underlying operating system sandbox in a single chain. In another, it built a 20-gadget Return-Oriented Programming (ROP) chain spread across multiple network packets. Human penetration testers asked to estimate the same work said weeks; the model did it in hours.
What the Validation Process Says
Anthropic says it ran a containerised agentic scaffold for the research and used a second model to triage and filter findings before they reached a human reviewer. Over 99% of discovered unpatched bugs remain unreported, per the lab’s own writeup, with responsible disclosure proceeding through vendors. The 89% expert-agreement rate is the figure Anthropic is leading with when arguing that the model’s severity calls are not noise.
The Forty-Org Whitelist
The model is not on sale. It is being distributed through the Project Glasswing distribution programme, an Anthropic-led initiative that began with 12 named founding partners and has since extended access to roughly 40 organisations maintaining critical software infrastructure.
| Sector | Founding partners at Glasswing launch |
|---|---|
| Cloud and platforms | Amazon Web Services, Apple, Google, Microsoft |
| Networking and security | Broadcom, Cisco, CrowdStrike, Palo Alto Networks |
| Compute and AI | Anthropic, NVIDIA |
| Open source and finance | Linux Foundation, JPMorganChase |
Only one Wall Street bank, JPMorganChase, sits in the founding twelve. Reuters has separately reported that Goldman Sachs, Citigroup, Bank of America and Morgan Stanley were added to the wider 40-organisation access list in the weeks after the April 7 announcement, when the US Treasury Department began urging top-tier banks to test the model in controlled environments.
Anthropic has put $100 million in model usage credits behind Glasswing, with $2.5 million going to the Alpha-Omega open-source security project and $1.5 million to the Apache Software Foundation. The lab has committed to publishing aggregate findings within 90 days of pilot start.
The geographic skew is the part regulators outside the United States are watching. European, Japanese and emerging-market banks are reading FSB summaries about a US lab whose access list determines which institutions can audit themselves first.
The Inversion: Labs as Source of Systemic Disclosure
Most financial-stability work since 2008 has run one direction. Regulators identify a fragility, write a standard, push it down through national supervisors, and the regulated entities adapt. The FSB’s October 2025 paper on AI adoption and related vulnerabilities listed cyber risks and third-party concentration among its four headline concerns, but framed them in the usual register: things supervisors should watch, not things a private lab would brief them on first.
The Anthropic briefing flips the arrow for a single round. The disclosure is moving from the private lab up to the supervisor, and the supervisor is being asked to absorb the picture without the capacity to independently verify what the model can do.
Three near-term consequences are worth flagging:
- Information asymmetry now sits with the lab. Anthropic decides what FSB members learn, what stays under responsible-disclosure embargo, and what the wider supervisor community sees only at the headline level. There is no equivalent of a Suspicious Activity Report regime for AI-derived vulnerability findings.
- The “third-party dependency” risk the FSB has been tracking since 2024 now has a tangible vector. The third party is not a cloud provider or a vendor; it is the model lab whose access list determines which institutions can audit themselves first.
- Cross-jurisdictional fairness is now a live question. The Glasswing founding twelve are overwhelmingly US-headquartered, and a single US bank is in the room.
The Mythos briefing is the closest thing yet to a live case study of the picture the October 2025 paper sketched in the abstract.
What FSB Members Will Walk Out Knowing
The briefing will not be a model demonstration. FSB members are not going to watch a frontier model find a zero-day on the Bank of England’s network in real time, and Anthropic is not going to hand over architectural detail that would help adversaries reproduce the capability.
What the meeting will produce, in practice, is a shared baseline: members agreeing on which classes of legacy software are most exposed, what disclosure cadence to expect from labs operating at this level, and where the line sits between voluntary engagement and a future supervisory ask.
The output that matters lands later. The FSB’s published 2026 work programme, dated 3 February, schedules a “Report on sound practices for AI adoption, use, and innovation by financial institutions” for October 2026. That report is the obvious vehicle for whatever consensus the Mythos briefing produces. The Basel Committee, separately, is updating its principles on operational resilience on a parallel track.
Outside the FSB process, regulators in Sydney, Seoul and Singapore have already started moving. The Australian Securities and Investments Commission (ASIC) and Australian Prudential Regulation Authority have flagged engagement with overseas counterparts; South Korea’s Financial Supervisory Service convened domestic financial-security officials in late April; the Monetary Authority of Singapore (MAS) has told local institutions to “redouble efforts” on cyber defences.
If the FSB walks out of this briefing with a mandate to standardise lab-to-regulator vulnerability disclosure, the Mythos briefing will read in twelve months as the moment global financial supervision absorbed AI cyber risk as a recurring agenda item. If it walks out with a polite thank-you, it will read as a courtesy call.
