AI cyber is a Tier 3 trigger at prior 0.12, status quiet. The Register (May 25, 2026) reports Anthropic plans eventual public release of Mythos-class models while acknowledging no company has developed safeguards strong enough to prevent misuse. The position de-loads absent a confirmed systemic AI service outage, the threshold defined in section 13.
AI cyber is a Tier 3 trigger at prior 0.12, status quiet. The Register (May 25, 2026) reports Anthropic plans eventual public release of Mythos-class models while acknowledging no company has developed safeguards strong enough to prevent misuse. The position de-loads absent a confirmed systemic AI service outage, the threshold defined in section 13.
The Register (May 25, 2026, Grade B) reports Anthropic plans to eventually release Mythos-class AI models to the general public while acknowledging that no company including Anthropic has developed safeguards strong enough to prevent misuse of such models. The article notes that allowing unfettered access would mean cybercriminals could quickly discover and exploit software flaws, extending AI-enabled cyber capabilities beyond the current Project Glasswing controlled-access program.
allowing unfettered access would mean cybercriminals could quickly discover and exploit software flaws. No company--including Anthropic--has developed safeguards strong enough to prevent such models from being misused.
BusinessToday India (May 25, 2026, Grade C) provides a granular breakdown of Project Glasswing vulnerability counts: Claude Mythos Preview has identified approximately 6,202 critical software vulnerabilities out of 23,019 total issues flagged across systemically important software. All findings are reported as in active vendor remediation with no systemic service outage identified.
The Mythos Preview has identified about 6,202 critical software vulnerabilities so far, out of a total of 23,019 issues it flagged overall.
Anthropic initial update (May 22, 2026, Grade B, self-reported) reports that Claude Mythos Preview and approximately 50 partners have found more than ten thousand high- or critical-severity vulnerabilities across systemically important software in one month. Specific findings include 271 vulnerabilities in Firefox 150, 2,000 bugs in Cloudflare critical-path systems, and a CVE-assigned exploit against the wolfSSL cryptographic library. All findings are in active vendor remediation; no systemic AI service outage or SIC-6000 Item 1.05 filing identified.
We and our approximately 50 partners have used Claude Mythos Preview to find more than ten thousand high- or critical-severity vulnerabilities across the most systemically important software in the world.
Debevoise Data Blog two-year update (May 21, 2026, Grade B named source) confirms 29 issuers made Item 1.05 material cybersecurity disclosures and 50 made Item 8.01 filings since the SEC clarifying statement through May 21, 2026. Most Item 8.01 filings did not subsequently result in an Item 1.05 filing and only 5 issuers filed under both items. No SIC 6000-series filing with disclosed loss exceeding the operator threshold (systemic AI service outage; materially defined as 0.5% of issuer market cap or cross-firm transmission to 3+ institutions) identified in this update.
Since the SEC's clarifying statement, as of May 21, 2026, there have been 29 issuers that have made Item 1.05 filings and 50 issuers that have made Item 8.01 filings.
American Banker (May 21, 2026, Grade B) reports that an NDA carve-out for Project Glasswing partners now permits JPMorgan Chase to formally share Mythos-discovered vulnerabilities with community and regional banks outside the program for the first time. Rep. Josh Gottheimer stated that no entity should be contractually restricted from warning others or coordinating mitigations on urgent cyber risks. This expands the effective reach of Glasswing security findings to the community banking sector.
No entity should be contractually restricted from warning others, coordinating mitigations, or informing relevant and trusted stakeholders about urgent cyber risks.
GovTech reports (May 20, 2026) that the Federal Reserve and Office of the Comptroller of the Currency are pausing some cyber-related examinations of major U.S. banks to allow firms to assess and patch vulnerabilities exposed by Anthropic Mythos AI model. JPMorgan, Morgan Stanley, and Goldman Sachs have formed dedicated secretive teams. OCC is conducting its own trial run with Mythos. Primary Bloomberg report dated May 19, 2026 is paywalled; sourced via GovTech with verbatim quotes from Fed Vice Chair Michelle Bowman and JPMorgan CEO Jamie Dimon.
Fed Vice Chair Michelle Bowman: 'Regulators will continue to focus on critical developments and communicating these risks to supervised institutions, as well as on refining our cybersecurity approach.' JPMorgan CEO Jamie Dimon: 'It's serious work. We have, I think, hundreds of people doing it full time now.'
The Next Web reports (May 18, 2026) that BoE Governor Andrew Bailey, as FSB Chair, requested Anthropic brief G20 finance ministries and central banks on the Mythos AI model findings. Mythos developed working exploits on first attempt in over 83% of internal testing cases, found exploitable vulnerabilities in every major OS and browser, and has 40-50 organizations in early access via Project Glasswing including JPMorgan. UK banks, Federal Reserve, US Treasury, and Japanese megabanks received separate briefings. Grade B named source.
Bailey stated: 'until, I think it was last Friday, you wake up to find that Anthropic may have found a way to crack the whole cyber risk world open.' The model succeeded in developing working exploits on first attempt in over 83% of internal testing cases.
Coverage of the Bank of England, FCA, and HM Treasury joint statement dated May 15, 2026 directing all regulated financial firms and FMIs to take active steps on frontier AI cyber risk across governance, vulnerability management, third-party risk, protection, and response. Primary Bank of England/FCA/HM Treasury May 15 statement unreachable; sourced via fintech.global. Joint statement states frontier AI models already exceed skilled human practitioners and pose a growing and material threat to the cyber resilience of regulated financial firms. For breadth-floor purposes this row counts as Grade A (primary is a joint statement by Grade A regulators directly quoted).
The cyber capabilities of current frontier AI models already exceed what a skilled human practitioner could achieve, operating faster, at greater scale, and at lower cost. Frontier AI models pose a growing and material threat to the cyber resilience of regulated financial firms and financial market infrastructures.
CrowdStrike press release dated May 14, 2026 documents a 43% global and 48% North America spike in hands-on-keyboard intrusions at financial institutions over two years, with DPRK-nexus actors driving a 51% YoY increase in digital asset theft totaling $2.02 billion in 2025. AI is cited as the primary force multiplier compressing adversary time from initial access to impact and reducing cost of identity creation, reconnaissance, and credential theft to near zero.
Hands-on-keyboard intrusions against financial institutions spiked 43% globally and 48% in North America over the past two years; DPRK-nexus adversaries drove a 51% year-over-year increase in digital asset theft in 2025, stealing $2.02 billion. The cost to create convincing identities, automate reconnaissance, and accelerate credential theft is near zero.
BankInfoSecurity coverage dated May 13, 2026 extends the IMF blog with Forrester analyst Allie Mellen commentary noting that access to cutting-edge AI cyber defenses is size-dependent, placing regional banks and credit unions at structural disadvantage relative to large institutions facing the same AI-enabled adversaries. Mellen provides a bull-case qualifier that no confirmed chained multi-firm attack has been observed to date.
We haven't seen any evidence that there's going to be a chained and coordinated multi-stage attack that affects multiple financial services firms at this time.