America's biggest banks are dealing with a problem most of their customers don't know about yet. Since April 7, JPMorgan Chase, Goldman Sachs, Citigroup, Bank of America, and Morgan Stanley have had access to Anthropic's Claude Mythos Preview, an AI model so capable that Anthropic refused to release it to the public.

What those banks found using it has sparked a scramble across some of the most powerful financial institutions in the world, as Reuters reported on May 12. At a May 5 financial services event in New York, Anthropic CEO Dario Amodei, appearing alongside JPMorgan CEO Jamie Dimon, put a hard deadline on all of it. Chinese AI models are "maybe six to 12 months" behind Mythos, he said, and there is "that same window" to fix what the model is finding.

What Mythos Is Doing Inside Bank Systems Right Now

Mythos's real threat isn't the volume of vulnerabilities it finds, but how it chains them together. Sources at major banks told Reuters on May 12 that the model is expert at taking individually low-risk weaknesses and linking them into a single high-risk attack path, turning flaws that once looked manageable into serious potential entry points for breaches.

That's forced urgent software upgrades across Wall Street. "This is a wake-up call because cyber risk is moving to machine speed, while much of bank defense still operates at human speed," said Nitin Seth, CEO of Incedo, a data and AI services firm.

At the May 5 event, Amodei said that an earlier Claude model found roughly 20 vulnerabilities inside Firefox, while Mythos found close to 300. Across all software systems, the total now runs into the tens of thousands. Most of those vulnerabilities have not been publicly disclosed because they remain unpatched.

Vulnerabilities that previously took weeks to address now have to be patched in days, which is raising the prospect of banks taking systems briefly offline more frequently to install fixes, though Reuters reported banks are looking to do so with minimal disruption to customers.

Why Most Banks Cannot Access Mythos, and Why That Is the Whole Debate

Access to Mythos is not open, and that gap is driving a split among cybersecurity experts. Mythos costs $25 per million input tokens and $125 per million output tokens, exactly five times the price of Anthropic's widely available Opus 4.7, according to Reuters. Smaller banks cannot afford it and do not have the processing power to run it, leaving them dependent on data the larger banks choose to share.

Anthropic has committed $100 million in usage credits to its roughly 40 Project Glasswing partners, but the divide between institutions with direct access and those without stays massive.

Some cybersecurity researchers applaud Anthropic's decision to limit who can access a tool that could be used to attack systems as easily as defend them. Others argue the restriction does more harm than good. "I don't think that choosing to share the model with such a small subset of companies helps us move forward," Pavel Gurvich, co-founder and CEO of security company Tenzai, told the New York Times on May 12.

OpenAI took a notably different approach, releasing its own cyber AI model, GPT-5.4-Cyber, to hundreds of organizations, with plans to expand access to thousands more partners in the weeks following.

That gap has fueled the policy debate reaching Washington. The New York Times reported on May 12 that the Trump administration is now weighing an executive order to create a formal government review process for powerful AI models, a reversal of its earlier hands-off position on AI regulation. Anthropic has confirmed in its Project Glasswing documentation that it plans to release a future Claude Opus model carrying Mythos-class capabilities, once it has developed and tested the additional cybersecurity safeguards required to do so.