Anthropic built a model it decided was too dangerous to release. What happened next is a case study in how fast AI risk has become a financial stability problem.

On April 7, 2026, Anthropic announced an AI model it refused to sell.

That decision alone was unusual. What followed was not.

Within 24 hours, the Federal Reserve Chair and the Treasury Secretary sat in a room with the CEOs of America's biggest banks. Within weeks, the International Monetary Fund issued a formal warning about AI-driven cyberattacks threatening the global financial system.

All of it traces back to Anthropic’s Mythos.

What Mythos Actually Does

Mythos is not a hacking tool. Anthropic did not build it to find vulnerabilities. Instead, it is a general-purpose AI model trained to reason and write code.

However, during internal testing, something unexpected happened. The model turned out to be extraordinarily good at finding security flaws that human researchers had missed for decades.

The numbers are striking. An earlier Anthropic model found about 20 vulnerabilities in the Firefox browser. Mythos, by contrast, found nearly 300. Furthermore, across every major operating system and web browser, the total now runs into the tens of thousands. Many of the flaws are 10, 20, even 27 years old.

Anthropic CEO Dario Amodei explained why his team has not disclosed most of them publicly. "If we announce something without it being fixed, then the bad guys will exploit it."

Why Access Is Restricted

Anthropic chose not to release Mythos to the public. Instead, the company launched Project Glasswing, giving roughly 40 organizations monitored access to find and fix vulnerabilities before attackers can exploit them.

Partners include Amazon Web Services (AMZN), Apple (AAPL), Microsoft (MSFT), Alphabet (GOOGL), Nvidia (NVDA), Cisco (CSCO), CrowdStrike (CRWD), JPMorgan Chase (JPM), and Palo Alto Networks (PANW). In addition, Anthropic committed up to $100 million in usage credits and $4 million in donations to open-source security organizations to support the effort.

The Emergency Meeting and the IMF Warning

On April 7, Treasury Secretary Scott Bessent and Fed Chair Jerome Powell called an unannounced meeting at Treasury headquarters in Washington. In the room sat the CEOs of Citigroup, Morgan Stanley, Bank of America, Wells Fargo, and Goldman Sachs. The subject was Mythos and the cyber risks it represents. JPMorgan Chase CEO Jamie Dimon was invited but could not attend.

The International Monetary Fund echoed that urgency shortly after. It cited Mythos by name, warning that advanced AI discovers and exploits vulnerabilities faster than organizations can patch them.

Moreover, the IMF raised a systemic concern that extends beyond any single institution. Banks, payment networks, and energy firms all share the same cloud providers and software platforms. Consequently, one successfully exploited vulnerability can cascade across the entire financial system at once. The IMF called this concentration risk and called it urgent.

The Window Is Closing

Anthropic CEO Dario Amodei put a clear deadline on the threat. Chinese AI models sit roughly six to twelve months behind Mythos. Other frontier labs are closer, about one to three months behind. As a result, the gap is closing on two fronts simultaneously.

The problem, however, is not just who catches up. It is what happens in the meantime.

Security teams are already losing the race against time. Specifically, the average organization takes 60 days to patch a critical vulnerability after disclosure. Attackers, on the other hand, exploit those same vulnerabilities within an average of 4.5 days of a public proof of concept appearing. That leaves a 55-day window where systems sit exposed and attackers can walk right in.

Furthermore, according to Mandiant's M-Trends 2026 report, the situation is deteriorating. Exploits now routinely arrive before patches. Nearly 28% of known vulnerabilities faced active exploitation within 24 hours of public disclosure.

JPMorgan Chase CEO Jamie Dimon, who has repeatedly warned that cyberattacks represent the greatest long-term threat facing the banking system, agreed that the old response timelines no longer hold. "In the old days, you put out a patch, people had a week or two to fix it. Now you say it's got to be like minutes."

Meanwhile, OpenAI moved quickly to respond, releasing GPT-5.5-Cyber in limited preview to vetted security teams. OpenAI CEO Sam Altman has called Anthropic's public warnings "fear-based marketing." Similarly, some researchers note that existing public models can replicate comparable capabilities. In other words, the risk predates Mythos. Mythos simply makes it faster and harder to ignore.

What Investors Should Watch

Three things matter most in the months ahead.

First, watch for regulatory action. The Trump administration has discussed new oversight frameworks for frontier AI models. As a result, any formal guidance will directly affect costs and timelines across the entire sector.

Second, watch the patch cycle. Most Mythos-discovered vulnerabilities remain unpatched and undisclosed. Therefore, as fixes roll out, a wave of new CVEs will hit enterprise security queues. Consequently, slow movers face real and measurable exposure.

Third, watch the Glasswing advantage. Partners with early access hold a meaningful security edge right now. Nevertheless, that advantage is temporary. Within a year, comparable capabilities will likely reach both defenders and adversaries alike.

Above all, Amodei summed it up plainly. "There are only so many bugs to find. If we handle this right in six to twelve months, we could be in a better position than we started."

The window is open. The question is whether institutions move fast enough to use it.

Benzinga Disclaimer: This article is from an unpaid external contributor. It does not represent Benzinga’s reporting and has not been edited for content or accuracy.