Treasury Secretary Scott Bessent and Fed Chair Jerome Powell held an urgent meeting with Wall Street leaders this week, bypassing the routine briefing cadence and pulling bank CEOs into a direct conversation about AI-driven cyber risk. Reports noted that the meeting aimed to ensure banks understood the risks posed by Mythos and similar models and were already taking defensive steps. When the Treasury secretary and the Fed chair jointly pull bank chiefs into an urgent room, they are communicating that the risk is systemic.

The irony running through this episode is sharp. On March 2, the Treasury, State, and HHS moved to stop using Anthropic products, acting on a presidential directive, with Bessent publicly stating that Treasury was terminating all use. On March 9, the General Services Administration terminated Anthropic's government-wide contract. On April 8, a federal appeals court declined to block the Pentagon's blocklisting of Anthropic while litigation continues. So, in the same week, officials were managing an active procurement and national security dispute with Anthropic, while also warning the country's largest banks to prepare for the risk posed by Anthropic-class capabilities. This duality reveals the complex landscape regulators must navigate as they seek to address both immediate cybersecurity threats and broader systemic risks.

Mythos, according to its creator Anthropic, has uncovered thousands of high-severity vulnerabilities across major operating systems and web browsers, with over 99% of these flaws remaining unpatched. This capability compresses the timeline between vulnerability discovery and potential weaponization, raising alarms among regulators. The evidentiary basis for the official alarm rests on Anthropic's own materials, which are more specific than typical model launch claims. Anthropic claims that Mythos can identify and exploit zero-day vulnerabilities across those platforms, which could potentially lead to significant operational disruptions.

Anthropic has responded by restricting access to its model through Project Glasswing, limiting it to select partners including major tech firms and critical infrastructure organizations. This step signals a recognition of the high risks associated with releasing such powerful tools without adequate safeguards. The model’s ability to identify vulnerabilities across a broad attack surface highlights the urgency for banks to enhance their cybersecurity measures. Many banks rely on shared software and infrastructure, making them particularly vulnerable to a cyber capability that can exploit widespread vulnerabilities.

The implications for banks are significant. The Treasury's Financial Services Sector Risk Management Plan identifies cloud concentration and software supply chains as top sector risks, emphasizing how shared software and infrastructure can lead to cascading failures. Given that banks rely on common vendors and technologies, a cyber capability that can exploit widespread vulnerabilities poses a substantial threat to the interconnected financial system. This interconnectedness means that a single cyber vulnerability can affect multiple institutions simultaneously, amplifying the risk.

As AI technology continues to evolve, the urgency for banks to enhance their cybersecurity measures grows. The Treasury has initiated a public-private partnership aimed at developing practical tools to address AI-specific cybersecurity challenges. This initiative, alongside the launch of the AI Innovation Series by the Treasury and the Financial Stability Oversight Council, aims to reinforce resilience in the financial sector as AI becomes more integrated into core functions. The focus of these initiatives is not only on immediate responses but also on long-term strategic planning to mitigate future risks.

Powell and Bessent's decision to engage directly with bank leaders underscores a critical shift in how financial regulators view cyber threats related to AI. The urgency of this meeting suggests that officials believe the risks associated with AI capabilities like Mythos require immediate attention and coordinated action. In an era where financial systems are increasingly vulnerable to sophisticated cyber threats, the need for robust defenses has never been more pressing.

Looking ahead, the financial sector must prepare for the reality that AI-driven vulnerabilities could lead to significant operational disruptions. The potential for tighter supervisory expectations and regulatory scrutiny looms large, with the possibility of new requirements around software provenance and incident reporting on the horizon. How banks respond to these challenges will determine their resilience in an increasingly complex cyber threat landscape. The proactive measures taken now will be crucial for safeguarding the financial system against emerging threats.

In a scenario where AI models with comparable offensive capabilities enter the market, the pressure on banks and regulators could intensify. The urgency conveyed by the Treasury and Fed's proactive approach may set a precedent for how institutions prepare for and manage AI-related risks in the future. As the balance between offensive and defensive capabilities shifts, the financial sector's ability to adapt will be crucial in maintaining operational continuity and market confidence.

MORE FROM COINTIMES

US Officials Confront Tech Giants Over AI Security Risks

US officials are proactively addressing AI security risks with tech giants ahead of Anthropic's Mythos model release, highlighting regulatory concerns.

The challenges posed by AI-driven vulnerabilities are further compounded by the regulatory landscape. The Treasury's January 2025 Financial Services Sector Risk Management Plan has identified emerging technologies, including AI, as top sector risks. The implications of this identification are profound, as it signals a shift in regulatory focus towards the systemic vulnerabilities introduced by AI technologies. This shift is not merely a reaction to technological advancements but reflects a broader understanding of the interconnected risks that these technologies can create.

The Federal Reserve's July 2025 cybersecurity report emphasizes the importance of assessing AI risks, bolstering cloud resilience, and exercising cyber-incident response plans. These priorities highlight the need for a comprehensive approach to cybersecurity that encompasses both technology and organizational readiness. Moreover, the growing recognition of AI's potential risks has led to increased collaboration between public and private sectors, as seen in the public-private initiative launched by the Treasury on February 18, 2026.

This initiative is explicitly designed to develop practical tools for financial institutions to manage AI-specific cybersecurity risks, reflecting a commitment to not only understanding the risks but actively addressing them. The AI Innovation Series, launched on March 23, 2026, further underscores the importance of linking AI adoption to resilience and stability within the financial sector. The insights gained from these initiatives will inform ongoing efforts to reinforce the financial system's resilience against emerging threats.

The juxtaposition of Washington's procurement retreat and the financial stability warning is noteworthy. The decision to cut government contracts with Anthropic on supply-chain or national-security grounds flows through a distinct set of channels compared to the assessment of a frontier model's cyber capabilities. This delineation emphasizes the complexity of managing technological risks within the financial ecosystem. The Treasury and Fed's response reflects a coordinated effort to address systemic risks while simultaneously navigating the intricacies of procurement decisions.

The meeting convened by Powell and Bessent serves as a critical moment in acknowledging the operational consequences of AI capabilities like Mythos. Their decision to engage directly with bank CEOs signifies a recognition that the risks associated with these technologies are not only theoretical but pose real threats to the financial system's stability. This acknowledgment is crucial as it sets the groundwork for a more proactive approach to managing systemic risks in the face of evolving threats.

As the financial sector navigates this new landscape, the potential outcomes of these initiatives must be carefully considered. In the bull case, Project Glasswing performs as designed, with Anthropic and its partners identifying and patching material vulnerabilities before copycat capabilities reach open access. In this scenario, banks could treat the experience as a structured resilience exercise, reinforcing their cyber defenses in the face of emerging challenges.

Conversely, the bear case presents a more concerning picture. If additional frontier models emerge with comparable or greater offensive capabilities, or if disclosures around Mythos reveal a more compressed attack timeline than currently acknowledged, the regulatory landscape could shift dramatically. In such a scenario, Treasury, the Fed, and financial regulators may move from private warnings to implementing stricter supervisory expectations. This could include tighter software provenance requirements, mandatory vendor concentration reviews, and more rigorous operational resilience standards for banks sharing common cloud or software dependencies.

The Financial Stability Board (FSB) and Treasury materials already provide a conceptual and regulatory basis for this potential escalation. The International Monetary Fund (IMF) has found that cyberattacks on financial firms account for nearly 20% of all incidents studied, with extreme loss estimates reaching $2.5 billion. This data reinforces the urgency for financial institutions to enhance their cyber defenses as they navigate a landscape increasingly characterized by sophisticated cyber threats.

In this context, Powell and Bessent's urgent meeting with bank CEOs is the clearest official acknowledgment that U.S. officials believe that the distance is narrowing faster than the financial system's existing cyber posture can absorb. The proactive engagement reflects a recognition that the financial sector must not only respond to current risks but also anticipate future challenges posed by rapidly evolving technologies. As the landscape continues to shift, the resilience of the financial sector will depend on its ability to adapt to emerging threats and strengthen its defenses against potential cyber vulnerabilities.