Anthropic Mythos and the New AI Cyber Risk Facing Banks and Accounts Payable
Anthropic’s new Mythos model is raising serious concern in banking and cybersecurity circles. Here is what Accounts Payable professionals should understand, without the hype.
Reuters reports that Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell warned major bank CEOs about risks tied to Anthropic’s new model.
Accounts Payable professionals begin assessing what this could mean for payment systems, vendor workflows, and control design.
There are moments when technology improves gradually, and then there are moments when it changes the rules of the game.
This appears to be one of those moments.
Anthropic has introduced a new model called Claude Mythos Preview as part of its Project Glasswing initiative. According to Anthropic and its related security materials, Mythos is unusually capable at computer security tasks, including identifying serious software vulnerabilities. Anthropic indicated that, in internal testing, the model identified thousands of previously unknown vulnerabilities across widely used software systems, which is one reason the company is limiting access rather than releasing it broadly.
Anthropic says Glasswing launch partners include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks.
That should matter to Accounts Payable professionals, because AP sits directly on top of the systems that move money.
AP teams may not manage cybersecurity directly, but they depend on banking portals, ERP systems, payment integrations, browsers, cloud apps, vendor portals, and approval workflows. If those systems become easier to attack, AP becomes part of the blast radius.
What makes this different
Cyber threats are not new. Software vulnerabilities are not new. What appears to be changing is the speed, the scale, and the automation.
Traditionally, finding a major vulnerability required time, specialized expertise, and often a lot of patience. Exploiting one also required real technical skill.
AI changes that equation.
If a model can rapidly inspect code, reason through system behavior, identify weaknesses, and help generate exploit paths, the window between discovery and attack can shrink dramatically.
That is the real issue here. It is not just that vulnerabilities exist. It is that the time available to fix them may be getting shorter.
Why banks are on alert
Reuters reported that Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell warned major bank CEOs about cybersecurity risks linked to Anthropic’s new model. That is a strong signal that this is being taken seriously at the highest levels of the financial system.
That makes sense.
Banking infrastructure depends on a shared technology stack that includes operating systems, browsers, cloud platforms, APIs, authentication layers, internal applications, and third-party software libraries. If powerful AI tools can uncover weaknesses across that stack faster than before, then both banks and the companies that rely on them need to pay close attention.
Even if your own company is not directly using advanced cybersecurity AI, your AP workflows still depend on vendors, banks, software providers, and browser-based systems that may be affected by this faster threat cycle.
Where Accounts Payable fits into the picture
Accounts Payable is no longer just a back-office paperwork function.
In many organizations, AP now works through a connected ecosystem of systems and data flows.
That means AP is not just close to money. It is connected to the software layers through which money is approved, released, and recorded.
In practical terms, that makes AP a meaningful target area in any future wave of faster, AI-assisted cyberattacks.
What this could look like in the real world
Let’s bring this down to earth.
If vulnerabilities can be found and exploited faster, AP teams may feel the effect in very concrete ways:
1. Payment workflow compromise
A weakness in a browser session, plugin, or integration layer could be used to interfere with payment approvals or session integrity.
2. Vendor portal manipulation
If a supplier portal has a serious flaw, vendor information could be altered, hidden, or rerouted in ways that standard controls may not immediately catch.
3. API-level risk
Many AP environments rely on integrations between ERP systems, banks, payment platforms, and approval tools. API connections can be efficient, but they also create technical paths that attackers may try to exploit.
4. Faster data theft
Vendor master data, invoice records, banking details, payment histories, and approval logs are all valuable. AI could make it easier for attackers to identify the weakest routes into those datasets.
5. More disruptive ransomware timing
Cybercriminals do not always need to shut down an entire company. They only need to interrupt the right systems at the right time, especially around payroll, month-end, quarter-end, or large payment runs.
What AP teams may notice soon
Most AP professionals are not going to log in one morning and see a message that says, “This happened because of Mythos.”
What you may see instead is:
- More frequent software patches and security notices
- New authentication requirements
- Updated browser or endpoint security policies
- Temporary downtime for banking or AP platforms
- Stricter controls around vendor changes and payment releases
- More questions from auditors, compliance teams, and insurers
In other words, even if the threat feels abstract, the operational consequences may become very concrete.
The good news
There is an important second side to this story.
The same AI capability that could make attacks faster can also help defenders find weaknesses sooner.
That is part of the logic behind Project Glasswing. Anthropic says the initiative is meant to help defenders secure critical software and gain a head start before comparable capabilities become more widespread.
If that effort works as intended, many organizations may benefit indirectly through faster remediation by software vendors, cloud providers, banks, and enterprise platforms.
So this is not a simple doom story. It is a race between defense and offense, and the pace is increasing.
Practical steps AP teams can take now:
- Do not ignore vendor security bulletins or platform update notices.
- Review dual approval controls for higher-risk or higher-value payments.
- Recheck vendor bank change procedures and callback discipline.
- Limit and separate banking credentials wherever possible.
- Watch for unusual workflow behavior, not just obvious fraud attempts.
- Coordinate with IT or security teams if banking portals or AP tools suddenly change login or security behavior.
- Document your controls, because audit and insurance scrutiny may increase.
Bottom line
This is not necessarily a panic-now event.
But it is a real warning sign.
AI appears to be crossing into a phase where it can materially accelerate both cybersecurity defense and cyber offense. For Accounts Payable, that means the systems behind invoices, approvals, vendor data, and payments are becoming more strategically important, and potentially more exposed.
AP professionals do not need to become cyber experts overnight. But they do need to understand that the old assumption, that security is somebody else’s problem until something breaks, is becoming more dangerous.
If your ERP, AP automation platform, bank portal, or payment workflow starts pushing security updates, stronger controls, or new access requirements in the coming weeks and months, pay attention.
That may be the earliest visible sign that this new phase has already begun.
Sources & Further Reading
- Anthropic, Project Glasswing: Securing critical software for the AI era
- Anthropic Security, Claude Mythos Preview
- Anthropic, Claude Mythos Preview System Card
- Reuters, U.S. officials warn bank CEOs about risks from Anthropic model
- Reuters, Officials question tech leaders on AI security ahead of Mythos rollout