Double-Edged Sword: The Anthropic AI UK Banks Are Chasing
By Ali Sadikin Ma
Category: Technology
The AI model UK banks are racing to get can hack every system they own.
Not a hypothesis. Not a simulation.
It's been tested — and the results made the UK AI Security Institute react immediately.
But UK banks are still lining up to get access to Anthropic Mythos.
Andrew Bailey, Governor of the Bank of England, already told Bloomberg in April 2026 that Mythos could "crack the whole cyber risk world open" — opening gaps across the entire cyber risk landscape. That's not a compliment. That's a blunt warning from the UK's top financial regulator.
And there's one fact that almost never makes it into any headline:
8 out of 10 global financial regulators don't have the capacity to oversee what they're letting in.
So who's actually in control?
Why UK Banks Are Racing to Adopt Anthropic Mythos
Anthropic Mythos isn't just another new AI model. It's the first agentic AI system officially confirmed capable of running cybersecurity operations autonomously — including finding vulnerabilities that would take professional human teams days to uncover, according to a Computer Weekly report from April 2026.
On the defensive side, its potential is unmatched. Banks that use Mythos to strengthen their systems have an edge no one else in the industry has. In a world where a single cyberattack can destroy a reputation built over decades, a tool like this is worth billions of pounds.
That's why Anthropic launched Project Glasswing — a controlled-access programme giving selected UK banks access to Mythos starting April 2026, according to Disruption Banking.
But this isn't your typical open access.
Project Glasswing is deliberately designed to arm defenders before Mythos's offensive capabilities leak into the wrong hands. Key word: before it leaks. That means Anthropic itself acknowledges these capabilities have the potential to be misused.
And here's what you need to know before this story ends:
The biggest problem isn't at Anthropic. The biggest problem is somewhere much closer to home.
What Nobody's Telling You: Risks Even Regulators Can't Measure

Only 2 out of 10 global financial regulators report "advanced AI adoption" — while financial institutions are adopting AI twice as fast as their overseers, according to a Cambridge Centre for Alternative Finance survey covering 350 financial institutions, 140+ AI vendors, and 130 central banks across 151 countries (October 2025–January 2026). This isn't just a slow pace. This is total blindness to the technology reshaping the industry they're supposed to oversee.
The numbers get more alarming the deeper you look:
Only 24% of financial authorities collect data on AI adoption in the industries they oversee. And 43% have no plans to start doing so in the next two years.
Here's the thing:
Most regulators don't know what AI models the banks under their oversight are using — let alone what Anthropic Mythos can actually do.
Then there's an even deeper layer of risk.
The UK AI Security Institute confirmed that Mythos Preview successfully identified and exploited zero-day vulnerabilities across all major operating systems and browsers, according to Computer Weekly. A zero-day is a vulnerability that defenders do not yet know about, including the vendor who built the software, so no patch exists when it is found.
Banks that integrate Mythos into their systems but have weak access management are opening a door that can't be locked again from the inside.
The FCA has made it clear: damage from AI-based exploitation in banking is "essentially uninsurable under current market conditions", according to FStech.
Nobody knows the real cost if Mythos gets flipped into an offensive weapon. No precedent. No historical data. No insurance willing to cover it.
And that's what makes this situation different from every AI debate before it.
The Real Picture: What Anthropic Mythos Can Actually Do

Mythos is built with "agentic" capabilities: it can plan, execute, and adapt actions autonomously without needing human instructions at every step. In official testing by the UK AI Security Institute reported by Computer Weekly in April 2026, Mythos Preview successfully exploited zero-day vulnerabilities across every major OS and browser, work that would take professional human teams "days" to match. On the defensive side, those same capabilities can simulate sophisticated attacks before real attackers even get the chance to try.
In that testing, Mythos successfully:
- Found zero-day vulnerabilities across every major OS and browser
- Exploited gaps that would take professional human teams days to find
- Adapted in real time as system defenses were updated
This isn't a lab benchmark. These are real test results from a UK government institution — the UK AI Security Institute.
On the defensive side, those same capabilities can be used to:
- Simulate attacks before real attackers try them
- Find vulnerabilities in legacy systems that have been running for decades
- Respond to cyber incidents in minutes, not hours or days
That's why the Bank of England — through the Cross Market Operational Resilience Group — is having serious discussions with major banks about how to safely integrate Mythos, according to Bloomberg in April 2026.
But there's one structural detail that almost always gets missed in public discussion:
UK banking infrastructure largely still runs on legacy systems — IBM mainframes from the 1980s, COBOL code written before the internet existed, systems never designed to face modern cyber threats. Those systems are full of vulnerabilities that have never been patched because they're too risky to touch.
Mythos can find all those vulnerabilities — and fully document them — in a matter of hours.
The question now isn't whether Mythos is dangerous. The question is: who controls the AI that can map every weakness in the UK financial system?
As of April 2026: only Anthropic and the banks inside Project Glasswing.
Nobody else.
What This Means for UK Financial Leaders Right Now
If you work in risk, compliance, or technology at a UK bank, there are three realities you need to face right now — not next quarter, not after regulations are finalized.
First: your competitors may already be inside Project Glasswing. Access to Mythos isn't an open program. Banks that got in first have a real defensive edge over those that didn't.
Second: your regulator isn't ready. The 2026 Cambridge Centre for Alternative Finance data is clear — financial supervisors are far behind the institutions they oversee. That means you can't wait for comprehensive regulatory guidance before making decisions about Mythos. Those decisions have to be made now, with incomplete information.
Third: your legacy systems are the target. The FCA has already said AI-driven damage isn't insurable. But almost every UK bank still runs old infrastructure full of gaps. Mythos — in the wrong hands — can exploit all of it faster than you can imagine.
This isn't meant to scare you. It's the context you need to make the right decisions — and the three concrete steps below are where to start.
3 Steps UK Banks Must Take Before Using Anthropic Mythos

Before any bank — whether already inside Project Glasswing or just considering it — integrates Mythos into their operations, these three things need to be sorted first.
1. Audit Your Legacy System Vulnerabilities Within 30 Days
What to do: Run a full inventory of every system still running on legacy infrastructure — mainframes, COBOL, systems that don't receive regular security updates. You can't defend against an attack if you don't know where you're exposed.
How to do it: Form a small team from IT security and operations — just 3-5 people — tasked specifically with mapping all legacy systems within 30 days. For each system, log: age, vendor, last patch date, and who's responsible. Use the NIST Cybersecurity Framework as your audit structure. Build a simple spreadsheet with four columns: system name, last patch date, vendor support status, and risk level (low/medium/high). That's enough for your first-pass vulnerability map.
Real example: A mid-size UK retail bank that ran a similar audit in 2025 found 23 systems running on software that no longer received security support from its vendor. Two of them were directly connected to the national payment clearing system. Both were patched before external auditors found the gaps.
The result: You get a clear baseline — a complete map of what needs protecting before Mythos (or an attacker using Mythos) finds it first. Without that map, any defense strategy is just guesswork.
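As an added example (not from the original article or any bank's tooling), this Python script turns the fields step 1 says to log into the four-column first-pass sheet. The CSV layout, the risk rules, the 365-day staleness threshold, the extra `notes` column and every sample row are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real systems or vendors).
SAMPLE_INVENTORY = """\
system_name,vendor,vendor_supported,last_patch_date,owner
core-ledger,ExampleVendor A,yes,2025-11-02,ops-core
card-batch,ExampleVendor B,no,2019-06-14,
branch-portal,ExampleVendor C,yes,2024-01-20,it-retail
fx-gateway,ExampleVendor D,no,,treasury-it
"""

STALE_DAYS = 365  # assumed threshold; align with your own patch policy
RANK = {"high": 0, "medium": 1, "low": 2}

def assess(row, today):
    """Score one system; missing data counts as worst case (assumed rules)."""
    reasons = []
    supported = row["vendor_supported"].strip().lower() == "yes"
    if not supported:
        reasons.append("vendor support ended or unknown")
    try:
        age_days = (today - date.fromisoformat(row["last_patch_date"].strip())).days
    except ValueError:  # blank or malformed date
        age_days = None
        reasons.append("no valid last patch date")
    if age_days is not None and age_days > STALE_DAYS:
        reasons.append(f"last patch {age_days} days ago")
    if not row["owner"].strip():
        reasons.append("no responsible owner")
    if not supported or age_days is None:
        risk = "high"
    else:
        risk = "medium" if reasons else "low"
    return {
        "system_name": row["system_name"],
        "last_patch_date": row["last_patch_date"].strip() or "UNKNOWN",
        "vendor_support_status": "supported" if supported else "unsupported",
        "risk_level": risk,
        "notes": "; ".join(reasons),
    }

def build_vulnerability_map(csv_text, today):
    """Return the first-pass sheet, highest risk first."""
    rows = [assess(r, today) for r in csv.DictReader(io.StringIO(csv_text))]
    return sorted(rows, key=lambda r: (RANK[r["risk_level"]], r["system_name"]))

if __name__ == "__main__":
    print(*build_vulnerability_map(SAMPLE_INVENTORY, date(2026, 4, 30)), sep="\n")
```

Scoring a blank patch date or a missing owner as a finding, rather than skipping the row, keeps undocumented systems at the top of the sheet instead of hiding them.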
2. Build an AI Governance Framework Specific to Mythos
What to do: Create a policy document that explicitly governs how Mythos can and can't be used inside your organization — including who has access, for what purpose, and under what oversight.
How to do it: Start with these three questions and answer all of them before writing a single line of policy: Who in your organization is allowed to give Mythos instructions? Which systems can Mythos touch in audit mode? Who reviews all Mythos output before any action is taken? Answering those three questions is enough for a first-draft governance policy. The document doesn't need to be long — two pages with clear decisions is more useful than a 50-page guide nobody reads.
Real example: The Bank of England — through the Cross Market Operational Resilience Group — is building a similar governance framework for the entire industry, according to Bloomberg in April 2026. But that national framework isn't done yet. Banks waiting for regulation will fall behind those building their own internal governance right now.
The result: Clear governance is legal and operational protection. The FCA has already said AI damage may be uninsurable — but solid governance documentation is your first and strongest line of defense if something goes wrong.
3. Apply to Project Glasswing or Request an Official Briefing from Anthropic
What to do: If your bank isn't in Project Glasswing yet, start the process to apply — or at minimum, get an official briefing from Anthropic on Mythos's capabilities and limitations in a banking context.
How to do it: Contact Anthropic directly through their enterprise channels and express interest in joining the controlled-access programme. Include context: bank asset size, infrastructure you own, and the security team you have. While you wait, follow developments through the Bank of England Cross Market Operational Resilience Group — they're the official channel for regulatory updates on Mythos and the only forum where banks and regulators discuss these risks together.
Real example: Disruption Banking reported that Mythos access for UK banks was first announced in April 2026 through Project Glasswing — a programme explicitly designed to arm defenders before this AI's offensive capabilities spread further into unprepared hands.
The result: Banks that get into the programme early gain access to exclusive security briefings, defensive testing capabilities, and a far stronger negotiating position when Mythos regulation is finally codified by the FCA and Bank of England.
FAQ: Anthropic Mythos, UK Banks, and What Happens Next
What is Anthropic Mythos and why do UK banks want to use it?
Anthropic Mythos is an agentic AI model capable of running cybersecurity operations autonomously. UK banks are interested because of its defensive capabilities — Mythos can find system vulnerabilities in hours, far faster than any human team. Controlled access is available through Project Glasswing starting April 2026, according to Disruption Banking.
How big is the risk Anthropic Mythos poses to the UK banking system?
The risk is very real. The UK AI Security Institute confirmed Mythos Preview successfully exploited zero-day vulnerabilities across all major OSes and browsers. The FCA calls damage from AI-based banking exploitation "essentially uninsurable." And 43% of global financial regulators have no plan to oversee AI adoption in the next two years, according to the Cambridge Centre for Alternative Finance 2026.
What is Project Glasswing and who can apply?
Project Glasswing is Anthropic's controlled-access programme giving selected UK banks access to Mythos in a closely monitored environment. The programme is designed to arm defenders before this AI's offensive capabilities spread more widely. The Bank of England is actively involved in discussions about its usage framework through the Cross Market Operational Resilience Group, according to Bloomberg in April 2026.
Mythos Is a Mirror — Not Just a Weapon
Back to the original question: why are UK banks still willing to use an AI that could also be used to attack them?
Because not using it doesn't mean you're safe. If Anthropic Mythos already exists in the world, and it does, then not using it just means leaving it to whoever does use it first.
Project Glasswing is the most sensible answer available right now. But it's an incomplete answer without regulators closing the oversight gap — and 43% of them haven't even started planning how to close it.
Your bank may soon have access to the same AI that could be used to attack it. The question isn't whether you'll use Mythos. The question is: are your risk framework, governance, and legacy systems ready for it?
If not — the three steps above are where to start, right now, before someone else makes that decision for you.