Earlier this week, the Financial Times reported that senior US officials had raised concerns about the cybersecurity implications of a newly released artificial intelligence model from Anthropic, including its ability to identify software vulnerabilities at a scale that could outpace traditional defensive approaches. The report said US Treasury Secretary Scott Bessent convened a meeting with chief executives from several major US banks – including Bank of America, Citigroup, Goldman Sachs, Morgan Stanley and Wells Fargo – alongside Federal Reserve Chair Jerome Powell, to discuss emerging AI‑driven cyber risks. JPMorgan Chase was invited but unable to attend, the report added.
At the NetDiligence conference in Toronto, cyber leaders said Anthropic’s Mythos model and the associated “Project Glasswing” research should be seen as a genuine turning point rather than an abstract laboratory exercise. John O’Brien of Microsoft Canada told delegates that the findings effectively invalidate a long‑standing comfort that many organisations had relied upon: the idea that while software is riddled with vulnerabilities, most of those weaknesses could remain obscure or would demand prohibitive effort for attackers to uncover. In his view, Mythos demonstrates that advanced models can systematically scan code and surface large volumes of exploitable issues far more quickly than traditional methods, changing the basic calculus for both attackers and defenders.
“For those of you who haven’t read the Anthropic reports that came out yesterday… I think that should be a wake-up call for everyone in this room. We all understood that there were vulnerabilities in software. We assumed that no one had found them yet – which was probably a faulty assumption – but also that they wouldn’t be able to find them easily enough going forward.”
For organisations already struggling to keep pace with patches and upgrades, O’Brien argued, this shift could be profoundly problematic. Existing remediation processes, change‑control cycles and staffing models were largely designed for an era in which discovery was comparatively slow and uneven. If models like Mythos make vulnerability identification far faster and more scalable, defenders may find that the window between a flaw being introduced, discovered and weaponised is compressed to the point where familiar processes can no longer keep up. He framed this as a strategic warning for boards and executives, insisting that they must plan for a future in which the tempo of technical risk is much higher than they are used to.
At the same time, both O’Brien and Guillaume Clément of KPMG in Canada stressed that today’s most visible AI‑driven threat remains social engineering rather than a measurable surge of AI‑discovered zero‑day exploits. Clément pointed to a new generation of phishing and impersonation schemes whose language, context and presentation are far more polished. In many recent incidents, victims are subtly guided into carrying out the harmful action themselves – such as changing payment details or sharing credentials – without the crude hallmarks of older campaigns.
That combination of Mythos‑level capability on the horizon and AI‑enhanced social engineering already in circulation collides with a more basic weakness: uneven deployment of fundamental security controls. Clément noted that many organisations describe measures such as multi‑factor authentication and endpoint protection as being in place, but closer inspection reveals gaps in coverage for senior staff, legacy systems or third‑party accounts. Cyber insurance practices, he added, often reinforce this by asking binary questions about whether controls exist, rather than examining how completely they are implemented.
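The difference Clément draws between a questionnaire's binary answer ("do you have MFA?") and a measurement of how completely a control is enforced can be made concrete. The Python below is an added illustration, not code from the article or from any of the speakers: it runs a small coverage audit over a constructed account inventory (the account names, cohorts and control flags are invented for the example) and reports, per control, the binary attestation alongside per-cohort coverage and the privileged accounts that still lack the control.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    cohort: str          # e.g. "executive", "staff", "legacy", "third_party"
    privileged: bool     # admin, finance-approver or other high-impact role
    mfa_enforced: bool   # MFA actually enforced at sign-in, not merely "available"
    edr_present: bool    # endpoint protection agent reporting from the user's device


# Constructed sample inventory for the example (not real accounts); the gaps
# mirror the pattern described above: executives, a legacy service account
# and a vendor account sit outside the control that "everyone" has.
INVENTORY = [
    Account("cfo", "executive", True, False, True),
    Account("ceo", "executive", True, False, False),
    Account("analyst1", "staff", False, True, True),
    Account("analyst2", "staff", False, True, True),
    Account("analyst3", "staff", False, True, True),
    Account("svc-erp-batch", "legacy", True, False, False),
    Account("vendor-support", "third_party", True, False, True),
    Account("contractor-qa", "third_party", False, True, True),
]

# Control name -> attribute on Account that records whether it is in force.
CONTROLS = {"mfa": "mfa_enforced", "edr": "edr_present"}


def binary_attestation(inventory, control):
    """The questionnaire-style answer: True if the control exists anywhere at all."""
    attr = CONTROLS[control]
    return any(getattr(a, attr) for a in inventory)


def coverage_by_cohort(inventory, control):
    """Fraction of accounts in each cohort where the control is actually in force."""
    attr = CONTROLS[control]
    totals = defaultdict(int)
    covered = defaultdict(int)
    for a in inventory:
        totals[a.cohort] += 1
        if getattr(a, attr):
            covered[a.cohort] += 1
    return {c: covered[c] / totals[c] for c in totals}


def control_gaps(inventory, control, threshold=1.0):
    """Cohorts below the coverage threshold, plus privileged accounts lacking the control."""
    attr = CONTROLS[control]
    by_cohort = coverage_by_cohort(inventory, control)
    weak_cohorts = sorted(c for c, frac in by_cohort.items() if frac < threshold)
    privileged_uncovered = sorted(
        a.name for a in inventory if a.privileged and not getattr(a, attr)
    )
    return {"weak_cohorts": weak_cohorts, "privileged_uncovered": privileged_uncovered}


if __name__ == "__main__":
    for control in CONTROLS:
        print(f"{control}: questionnaire answer = {binary_attestation(INVENTORY, control)}")
        for cohort, frac in sorted(coverage_by_cohort(INVENTORY, control).items()):
            print(f"  {cohort:<12} {frac:6.0%}")
        print("  gaps:", control_gaps(INVENTORY, control))
```

Run as a script, both controls come back "True" on the binary question while the cohort view shows MFA at 0% for executives and the legacy account and 50% for third parties, with every privileged account outside the staff cohort listed as uncovered. The useful output is the `privileged_uncovered` list, since those are the accounts a polished impersonation campaign would most want to reach.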
Both speakers concluded that in an environment where advanced models can accelerate both reconnaissance and exploitation, organisations can no longer lean on obscurity or slow discovery as a de facto safety layer. Instead, they argued that boards, CISOs and insurers must assume that vulnerabilities will be found and that breaches will occur, and shift their emphasis toward rapid detection, containment and operational resilience as the foundations of a modern cyber‑risk strategy.