Bank of England Governor Calls for Urgent Assessment of Cyber Risks to Banks from Anthropic's Mythos AI Model

Andrew Bailey, Governor of the Bank of England, has called on global regulators to quickly assess the threat that Anthropic's Mythos AI model could pose to banks. This statement itself is important not merely because of the mention of a specific company or model. It signals that the discussion of artificial intelligence in the financial sector is shifting from questions of efficiency and automation toward concerns about cyber resilience and systemic risk.

For central banks and supervisory authorities, the focus is now not only on AI's potential but on how rapidly it could change the threat profile for the largest financial organizations. Bailey heads one of the world's key central banks, and his public warnings are typically interpreted as a signal to the broader regulatory community. When it comes to cyber risk, the concerns are not about abstract "machine uprisings" but about more concrete scenarios: accelerated phishing attacks, automation of vulnerability reconnaissance, generation of malicious code, circumvention of internal procedures, and reduced costs for sophisticated attacks by malicious actors.

Banks are particularly sensitive to such changes because they simultaneously manage money, critical payment infrastructure, and vast troves of confidential data. Significantly, Bailey is talking specifically about a global regulatory response. Major banks operate across multiple jurisdictions, rely on international cloud services, are connected to shared payment channels, and use long supply chains of external technology vendors.

If a powerful AI system lowers the barrier to entry for cyberattacks or accelerates the preparation of complex operations, the problem does not remain localized. A weak link in one country or with one contractor can quickly become a problem for cross-border financial flows. This is why the idea of rapid assessment sounds like a call for coordination, not simply another internal report.

The mention of Mythos is also telling. Regulators often discuss AI as a class of technologies but rarely publicly point to a specific model requiring urgent risk assessment. This indicates that the focus is gradually shifting from general principles to practical analysis of a product's capabilities: how autonomously it can execute action chains, how well it handles technical tasks, whether it can use external tools, how it scales potential misuse, and how rapidly its capabilities improve from version to version.

Such an approach does not equate to accusing the developer of creating a dangerous tool. Rather, it reflects the recognition that model capabilities themselves are becoming a matter of financial supervision. For banks, such signals mean that formal cybersecurity hygiene alone is no longer sufficient.

They will likely need to reassess access controls, processes for employee use of external AI services, contractor vetting, fraud scenario testing, protection of internal code repositories, and the quality of monitoring for unusual activity. At the same time, AI complicates the picture because the same technologies can simultaneously strengthen both defense and attack. Systems that help analysts quickly detect anomalies and automate investigations could potentially also accelerate the preparation of more precise and large-scale attacks.

Because of this, the old model of infrequent audits and slow requirement updates appears increasingly insufficient. Bailey's statement can be read as an early marker of a new phase of regulation: AI in finance is now being viewed not only through the lens of innovation but also through the lens of operational resilience. If global regulators truly accelerate such an assessment, banks will likely face stricter requirements for testing, disclosure, and management of external technological dependencies.

If not, the advantage in speed may lie with the attackers. The core question here is not whether the financial sector needs AI, but whether rules and protective measures can keep pace with the speed of development of the models themselves.