The implications of Claude Mythos, Anthropic’s agentic offensive security tool, are particularly significant for the financial sector. Such is the extent of the threat that François-Philippe Champagne, Canada’s Finance Minister, drew a comparison with conflict in the Persian Gulf: “the Strait of Hormuz – we know where it is and we know how large it is... the issue that we're facing with Anthropic is that it's the unknown unknown,” he said in an interview with the BBC.
While Mythos’ capabilities may be impressive, clearly there’s friction between the pursuit of autonomous AI and the non-negotiable requirement for regulatory transparency and auditability. This puts finance and banking leaders in a challenging position, caught between commercial imperatives that demand innovation and the need for rigor and compliance.
However, there is a way forward. While much of the industry and wider economy have been experimenting with AI, for those in the financial sector, now is the right time to move beyond curiosity and instead transform and rewire the infrastructure needed both to continue securing critical financial systems and to unlock the agility needed to deliver for customers.
A new source of complexity
Managing complexity isn’t new to the finance sector. Indeed, it’s part of the service it provides to customers. However, with Mythos sending out a distinct signal of the extent of the risk that AI poses to software security, there’s now an additional layer for technology and institutional leaders to contend with.
It undoubtedly complicates the picture when it comes to legacy systems. While caution and conservatism around core infrastructure and systems have long been understandable, the extent of Mythos' capabilities (if Anthropic’s claims are accurate) immediately changes things.
The systems on which large banks and other institutions have depended for many decades may now be vulnerable when faced with automated, large-scale agentic threats. Vulnerabilities that may have been buried in the dusty corners of expansive systems and beneath layers of code can now be uncovered incredibly quickly. This means that modernizing existing systems is no longer just an option, but a fundamental step towards long-term security and resilience.
The consequences for regulation
The precise consequences of Mythos on regulation aren’t yet clear. It’s encouraging that regulators around the world are actively monitoring the situation. That a number of banking institutions are partnering with Anthropic as the company tests Mythos Preview and Project Glasswing should also be seen as an indication that the sector is playing its part, even if questions about the possible competitive advantage are understandable. Ultimately, given the importance of the sector to the wider economy, it’s vital that BFSI organizations are at the heart of decisions that are made. How the sector responds will have consequences for everyone.
But beyond what’s happening around Anthropic, for those leaders without Dario Amodei’s contact details, it’s critical to prepare for these changes and to avoid having to react to regulatory demands and legislative changes. Modernization is an important step, but it must be built on a rigorous and in-depth understanding of existing systems. This should go beyond mere compliance and auditability requirements and act as a foundation for future transformation and evolution.
From experimentation to production deployment at scale
Such a foundation is crucial if the sector is to evolve from experimentation and AI curiosity to something more substantial and committed. It will involve establishing frameworks and architectures that facilitate AI-assisted or driven change rather than tinkering at the edges or trying to force cutting-edge technologies into well-established existing systems.
The idea of radical transformation might be met with caution by the sector. However, the change certainly doesn’t need to be risky, and won’t inevitably exacerbate today’s very real security and commercial concerns. With an iterative approach that is supported by knowledgeable and experienced technology partners, it’s possible to manage inflationary input pressures while also maintaining the necessary agility to evolve and adapt.
Yes, there are many unknowns at play here, as Champagne highlighted in his comments to the BBC. However, there is no need for panic. Deutsche Bank CEO Christian Sewing’s words to journalists, for instance, were a helpful contrast. Mythos is “certainly not something that's causing panic or setting off any alarm bells on our end right now,” he said, “but it's definitely something we need to keep in mind in our day-to-day risk management and that's exactly what we're doing.”
Considering day-to-day risk management is a good way to begin and to frame longer-term strategic thinking. It grounds your leadership in what you do know and what you and your teams actually can do. That’s essential if you’re to be effective.
The right time to rewire your foundations
AI models will get smarter and technologies like Mythos will proliferate, intensifying risk. Leaders should not panic but they do need to act. They also need to remain cognizant of the fact that there’s no end point when it comes to modern software security; what’s important is setting yourself up to adapt and evolve as threats change and as the market demands new things.
Being reactive certainly won’t be a recipe for success; rewiring the foundations for an AI-accelerated future, however, will.