Latest AI models could threaten world banking system, financial officials warn

Global financial officials are warning that a new class of highly capable “cyber” AI models could materially raise systemic risk by helping attackers find and exploit vulnerabilities in bank and market infrastructure much faster than current defenses can adapt.

What’s actually being claimed

• Senior finance ministers, central bankers and regulators at the IMF–World Bank Spring Meetings have flagged new offensive-capable AI models (notably Anthropic’s Claude Mythos) as a potential threat to global banking stability.

• Concerns focus on models that can autonomously discover software flaws at scale, generate exploit code, and assist in complex cyber operations against banks, payment systems, and market infrastructure.

• Officials are not saying “the system will collapse now,” but that the risk profile has shifted enough that they want rapid assessment, scenario analysis, and coordinated oversight before broad deployment.

Why these models worry regulators

• Anthropic has said Mythos identified “thousands of high‑risk vulnerabilities,” including in all major operating systems and web browsers, and warned that such capabilities will likely proliferate and could have severe economic and national security impacts if misused.

• Finance chiefs fear that if tools like Mythos or OpenAI’s reported GPT‑5.x “Cyber” systems are widely available, sophisticated criminals or state actors could: identify weak points in legacy bank systems, generate tailored malware, and chain exploits in ways that overwhelm existing cyber defenses.

• Andrew Bailey (BoE governor and FSB chair) said the speed of AI progress is a “very serious challenge,” emphasizing the need to understand what these models mean for cybercrime risk to core IT systems used in banking.

• Christine Lagarde and other officials have stressed that even responsibly developed tech can be dangerous “if it falls in the wrong hands,” likening this to a dual‑use cyber capability.

What officials and banks are doing now

• The Bank of England has launched scenario analysis and simulation testing focused on AI‑enabled cyber threats and is coordinating with other central banks on the impact of AI agents in trading and market microstructure.

• US Treasury has privately warned major banks about the risks posed by Mythos‑style models and urged them to assess their own systems before wider model access.

• Regulators in the UK, US and Canada have held crisis‑style briefings; large banks like JPMorgan are being given controlled access to Mythos to probe their own defenses.

• Anthropic has said it will limit access to Mythos and is exploring safeguards, but officials worry similar models from other firms might be released with fewer guardrails.

How this differs from “normal” AI risk talk

• Earlier regulatory AI guidance (e.g., OCC, FSB) emphasized explainability, bias, model risk, and governance for AI used inside banks (credit scoring, chatbots, fraud detection). Those concerns continue but are more incremental.

• The new warnings are about AI as an offensive cyber weapon against financial infrastructure, not just an internal risk‑management tool: the fear is amplification of cyberattacks’ speed, scale, and sophistication against high‑value, tightly interconnected systems.

• Systemic angle: a well‑coordinated AI‑assisted attack could simultaneously hit multiple banks or critical service providers, stressing payment systems, liquidity, and confidence more than typical “one‑off” breaches.

How worried should the industry be?

• Regulators are signaling “urgent but not panicked”: they are raising flags early, convening senior bank executives, and pushing for joint testing, rather than claiming imminent collapse.

• Large banks already treat cyber as a top‑tier risk; recent surveys show boards and executives rank AI‑enabled fraud and cybersecurity attacks above competitive AI threats.

• The practical implication is likely: tighter expectations on AI model access and use, expanded red‑team testing using these tools, enhanced third‑party/vendor risk scrutiny, and eventual new supervisory guidance specifically on AI‑driven cyber capabilities.