AI finds more security holes than banks can fix

Anthropic's Mythos model found software vulnerabilities across legacy banking infrastructure at a volume that sent US banks into emergency patch mode in April and May 2026. JPMorgan Chase and other large lenders began running Mythos under restricted access to audit their own systems. The output immediately exceeded what their security teams could absorb. Cybersecurity consultant Josh Harris, who advises banks and insurers, described conversations with financial institutions and regulators in recent weeks as "hysteria."

Banks' patching timelines haven't changed even as AI compressed the discovery window. Before Mythos, skilled researchers could find vulnerabilities faster than security teams could remediate them — patches often require taking systems offline, adding days or weeks of delay. Mythos brings discovery down to hours. Banks now carry a documented inventory of exploitable holes they have not yet closed, with adversaries who can use equivalent scanning tools running on the same clock.

Bank of England Governor Andrew Bailey flagged the situation publicly in late April, calling Mythos "a way to crack the whole cyber risk world open." By May 18, Anthropic was preparing to brief the Financial Stability Board — which covers central banks and finance ministries across G20 economies — at Bailey's request. The FSB briefing centres not on Mythos as a tool but on the patching backlog it surfaces across a financial sector that still runs on ageing infrastructure.