IMF Warns AI Cyberattacks Can Trigger a Global Financial Shock
On May 7, the International Monetary Fund (IMF) published an argument no major international institution had made quite this plainly before: AI-powered cyberattacks are no longer just an IT risk. They are a potential macro-financial shock, capable of triggering confidence crises, payment network failures, liquidity strains, and fire-sale asset dynamics across multiple institutions at once, faster than supervisors can coordinate a response. The blog was co-authored by Tobias Adrian, the fund’s Financial Counsellor and Director of the Monetary and Capital Markets Department, alongside researchers Tamas Gaidosch and Rangachary Ravikumar.
The catalyst the fund cited by name was Claude Mythos Preview, the most capable model yet from Anthropic, the AI safety company, which launched April 7 under controlled access. In the weeks after Mythos’s debut, Anthropic’s own red team catalogued thousands of previously unknown software flaws across every major operating system and web browser, including a 27-year-old vulnerability in OpenBSD that had survived decades of professional security review. That capability curve, the fund argued, is exactly why financial regulators need to stop treating cybersecurity as a technical matter and start treating it as a stability question.
From IT Problem to Systemic Risk
Financial regulators have issued cybersecurity warnings for years. What makes the May 7 blog distinct is its framing. Per the IMF’s financial stability analysis of AI-powered cyberattacks, the fund is not warning about isolated breaches. It is warning about correlated failures: a single weakness in a widely shared software stack or cloud platform that AI tools can expose simultaneously across dozens of institutions. When that happens, the resulting shock looks less like one bank’s outage and more like a broader market seizure, arriving without a recovery window.
IMF Managing Director Kristalina Georgieva had foreshadowed this framing in April, telling CBS News that the global financial system was not ready for the cybersecurity threats posed by AI and calling for global collaboration on guardrails. The May 7 blog was the technical elaboration. It pointed to the financial system’s shared digital infrastructure, the same software libraries, cloud providers, and payment networks sitting beneath most of the world’s banking, as the mechanism by which a local attack becomes a systemic one.
The regulatory consequence is significant. Classifying AI-cyber risk as a financial-stability concern, rather than an operational one, pulls it into banking supervision and macroprudential frameworks, not just IT audit checklists. Sam Woods, head of the UK’s Prudential Regulation Authority (PRA), said frontier AI models such as Mythos could materially disrupt UK financial services. India’s Securities and Exchange Board of India (SEBI) established a dedicated task force to assess AI-driven cyberattacks and directed market infrastructure institutions to report vulnerabilities on a priority basis.
That institutional geography matters. Adrian’s department, the Monetary and Capital Markets arm, is responsible for global financial stability oversight. Earlier IMF cyber advisories came from operational-risk and fintech teams. The May 7 blog coming from the stability directorate is itself a signal about where the fund has placed this threat on the severity scale.
What Claude Mythos Preview Exposed
- Thousands of zero-day vulnerabilities found autonomously across every major operating system and web browser within weeks of launch, across a corpus of open-source and commercial software
- 27-year-old OpenBSD remote-code-execution bug discovered; a 17-year-old FreeBSD network file system flaw was also found, now tracked as CVE-2026-4747
- 93.9% score on SWE-bench Verified, a standard software engineering benchmark; 82.0% on Terminal-Bench 2.0
- 89% rate at which Mythos’s vulnerability severity assessments matched expert human validators, across 198 manually reviewed reports processed by contracted security professionals
Claude Mythos Preview launched April 7 as an invitation-only release under Project Glasswing, Anthropic’s controlled partner program for 12 founding organizations and roughly 40 vetted critical-infrastructure operators. Access requires explicit approval and runs at $25 per million input tokens and $125 per million output tokens, five times the price of the next-tier Opus 4.7 model. Standard commercial API accounts cannot see the model identifier in the interface.
What made Mythos notable enough to appear by name in an IMF financial stability blog was not its benchmark scores but its autonomous behavior in real systems. Per Anthropic’s Frontier Red Team technical documentation, the model found and built exploits for previously patched vulnerabilities as well as new ones, including in 181 separate tests run against Firefox’s JavaScript engine. Human validators overwhelmingly confirmed the quality of the reports, agreeing with Mythos’s severity assessments in 89% of manually reviewed cases and within one severity level in 98%.
Anthropic’s stated rationale for restricted release centers on defense rather than offense. Project Glasswing exists, in the company’s framing, to give defenders a durable advantage. The model is available through Amazon Bedrock as a gated research preview, with access prioritized for defensive cybersecurity use cases. The IMF’s concern is different: the same capability is not permanently exclusive. As AI training diffuses and model capabilities spread, the defensive moat Anthropic is building today becomes the attacker’s toolkit of tomorrow.
The Mechanics of a Market Shock
The IMF’s core scenario involves shared infrastructure, not a targeted strike on a single institution. Banks, exchanges, payment processors, and insurers frequently run on the same operating systems, the same third-party software vendors, and, in many cases, the same handful of cloud platforms.
A vulnerability common across that shared layer gives AI-assisted attackers a leverage point that scales instantly, not sequentially. The table below maps the key sectors, their shared digital dependencies, and the consequence of a simultaneous AI-accelerated exploit reaching all of them at once.
| Sector | Shared Digital Infrastructure | Consequence of Correlated AI Attack |
|---|---|---|
| Commercial banking | Cloud payment rails, SWIFT messaging network, common core-banking software | Interbank settlement failure, liquidity freeze |
| Asset management | Shared trading platforms, common price-feed APIs, custody systems | Simultaneous redemption pressure, fire-sale dynamics |
| Insurance | Cloud-hosted actuarial and claims systems, shared reinsurance data links | Solvency concerns, claims-processing outage |
| Payments and fintech | Concentrated cloud providers serving most of the market’s transaction volume | Consumer payment disruption, confidence collapse |
| Energy and telecom | Infrastructure overlap with financial clearing and settlement systems | Cross-sector contagion amplifying the financial shock |
Concentration is the multiplier. Reliance on a small number of cloud providers, software platforms, and payment networks increases the blast radius of any single exploited weakness. A flaw in a widely deployed library touches all users of that library simultaneously. Patching cycles, which typically run in weeks to months, have no realistic chance of keeping pace when AI can reduce the time from vulnerability discovery to working exploit to minutes.
Gartner projects global cybersecurity spending will exceed $200 billion in 2026, growing at 15.1% year over year. But spending growth and vulnerability-window compression are different problems. More budget buys more defensive tooling. It does not change the fundamental timing asymmetry that the IMF’s analysis identified, and spending alone does not buy speed.
OpenAI has separately introduced a restricted version of its GPT-5.5 model focused on defensive cybersecurity, operating under similar governance and trusted-access requirements to Glasswing. Two of the world’s most advanced AI labs are now explicitly in the defensive-cyber business, a market that simply did not exist in this form eighteen months ago.
The Capability Gap at Smaller Institutions
The Glasswing program’s design highlights a tension the IMF named but did not fully resolve. Access to Mythos’s defensive capabilities flows through a small approved list concentrated in the United States. VentureBeat reported that smaller critical-infrastructure operators in other geographies have no clear path to Glasswing access. That organizational and geographic tilt matters because the threat environment does not tilt the same way.
Allie Mellen, principal analyst covering enterprise security at Forrester Research, pointed out that access to cutting-edge AI defensive capabilities is “size-dependent.” A regional bank or credit union operates in the same threat environment as JPMorgan Chase but does so with a fraction of the security headcount and tooling budget. US financial-sector cybersecurity spending in aggregate runs above $14 billion annually, but that figure is concentrated at the largest institutions. Security operations centers at major banks run on security information and event management (SIEM) platforms augmented by purpose-built AI assistants; smaller institutions often lack real-time monitoring of any kind.
Data from the RSM US Middle Market Business Index Cybersecurity report found that 81% of mid-market organizations across all industries planned to increase cybersecurity budgets this year. Willingness to spend, though, does not close the access gap. Glasswing pricing at $125 per million output tokens puts meaningful Mythos-level defensive scanning beyond most regional institutions’ operational reach without a significant dedicated program.
What the IMF Is Asking Regulators to Do
The fund’s blog was specific on supervisory posture. Rather than prescribing technical standards, the IMF outlined a shift in how financial authorities should conceptualize and act on cyber risk. Four areas emerge from the May 7 analysis:
- Treat cybersecurity as a core financial-stability concern under board-level oversight, not an IT-department function subject to periodic compliance audits
- Prioritize resilience and recovery planning on the assumption that defenses will eventually be breached, focusing supervision on containing how far incidents spread rather than preventing every intrusion
- Build close public-private collaboration on threat intelligence, with financial institutions and cloud providers sharing incident data quickly enough to matter operationally
- Pursue international coordination, with particular attention to emerging economies and developing nations where resource constraints leave defenses thinner and adversaries more likely to probe
Several regulators are already moving in this direction. The Bank of England indicated that AI cyber preparedness would feature explicitly in stress-test scenarios from late 2026 onward. Across European Union financial markets, the Digital Operational Resilience Act (DORA), the EU’s binding framework for ICT risk management in financial entities, is already setting minimum standards. The UK National Cyber Security Centre (NCSC) co-signed an international advisory on agentic AI risks across critical infrastructure, pointing toward a coordinated supervisory posture forming ahead of any formal global mandate.
The Geopolitics of an Unequal Defense
Anthropic has restricted Mythos access in certain geographies, a decision that limits offensive risk and, simultaneously, limits defensive access for institutions in those regions. The two effects are inseparable. As countries build their own frontier AI models — China’s DeepSeek, Europe’s Mistral AI — the geopolitical dimension of AI-enabled offense and defense becomes difficult to separate from financial stability policy. A financial institution relying on a foreign AI model for defense runs geopolitical and supply-chain risk alongside the cyber risk it is trying to mitigate.
The IMF’s geographic warning was explicit: emerging economies and developing nations may be “disproportionately exposed” to attackers deliberately targeting regions with weaker defenses and fewer resources. Shared infrastructure vulnerabilities do not discriminate by GDP. Capacity to detect, contain, and recover from a breach clearly does.
Geography also shapes the regulatory response timeline. The IMF’s May 7 blog called for international coordination, but the institutions best positioned to act on that call — the Bank of England, the European Central Bank (ECB), the US Federal Reserve — are also the ones whose largest supervised institutions already have the most defensive resources. The coordination gap and the capability gap map onto roughly the same set of countries.
The Bank of England’s AI cyber stress tests are scheduled to run from late 2026. If those exercises show that major institutions can absorb AI-accelerated breach scenarios without triggering systemic contagion, regulators will have credible early evidence that the architecture holds. If the simulations surface transmission channels that current resilience frameworks cannot contain, the repricing of that risk across financial sector equities, cyber-insurance premiums, and cloud-provider valuations is what follows.
Disclaimer: This article is for informational purposes only and does not constitute investment advice or a recommendation to buy or sell any security. Financial markets carry inherent risks, and readers should consult a qualified financial or legal professional before making any investment decisions. Figures cited reflect information available as of the date of publication.
