Jun 24, 2026 · 10:36 AM

The EU Wants Anthropic to Test Its Banks for Mythos Vulnerabilities and That Negotiation Is Reshaping How Frontier AI Enters Regulated Markets

EU Economy Minister Valdis Dombrovskis confirmed Monday that the European Commission is in talks with Anthropic to use Mythos, its superhuman cybersecurity model, to test European banks and companies for software vulnerabilities, making it the first AI system being actively recruited by a major regulator as a financial infrastructure inspection tool. The negotiation follows ECB and Bundesbank formal assessments of bank preparedness, the UK AI Security Institute's finding that Mythos is significa

Janet Harrison

EU Economy Minister Valdis Dombrovskis confirmed Monday night that the European Commission is in active talks with Anthropic about gaining access to Mythos, the company's superhuman cybersecurity model, to test European banks and companies for vulnerabilities the model can identify, a development that transforms Mythos from a privately distributed research tool into the first AI system being actively recruited by a major regulatory body as an inspection instrument for financial infrastructure.

The facts established so far make the story easier to read with precision. Mythos launched on April 7 to approximately 40 organisations through Anthropic's Project Glasswing initiative, with JPMorgan Chase as the only publicly named bank partner and Bank of America confirmed as a second through subsequent reporting. Goldman Sachs, Citigroup, and Morgan Stanley have since been reported as testing the technology. The model identified a 27-year-old flaw in OpenBSD and a 16-year-old vulnerability in FFmpeg during internal evaluation, demonstrated autonomous discovery and exploitation of zero-day vulnerabilities across every major operating system and web browser, and was assessed by the UK's AI Security Institute as "substantially more capable at cyber offence than any model we have previously assessed." That assessment, contained in an open letter from the British government to Anthropic's leadership dated April 15, established the public regulatory record that has driven the European response. The Bank of England, the European Central Bank, and the Bundesbank have all initiated formal or informal assessments of bank preparedness since that letter was published. Bundesbank chief Joachim Nagel went further, publicly urging that all institutions receive Mythos access to maintain a level competitive field and prevent misuse through information asymmetry.

The EU's position is structurally distinct from the individual central bank responses because the European Commission is the party with legislative authority over both the AI Act and the Digital Operational Resilience Act, the regulation that sets mandatory ICT risk management standards for EU financial institutions. DORA came into full effect in January 2025 and requires financial entities to conduct threat-led penetration testing and to assess their resilience against advanced persistent threats on a defined schedule. A model that autonomously identifies novel vulnerabilities in legacy banking infrastructure is directly relevant to DORA compliance testing, and the Commission's dialogue with Anthropic about access for European banks is, among other things, a question about how a private American AI company's capabilities fit within a mandatory EU regulatory testing regime. Anthropic has signed the EU's General-Purpose AI Code of Practice under the AI Act, and the Commission's AI Office is in ongoing dialogue with the company about implementation. The Mythos access negotiation is happening within that existing regulatory relationship, not as a new and separate intervention.

The competitive dimension is where this becomes interesting for enterprise AI beyond financial services. Anthropic is navigating a posture that no previous foundation model company has attempted: actively engaging regulators as partners in model access decisions rather than treating regulatory engagement as a compliance burden to be minimised. The controlled release through Project Glasswing, the proactive publication of a detailed system card documenting Mythos's offensive capabilities, the open letter response from the UK government, and now the EU access negotiation are all consistent with a strategy of making transparency and regulatory alignment part of the product proposition rather than an obstacle to deployment. That posture is expensive in the short term because it delays broad commercial access and requires significant legal and government affairs infrastructure. It is potentially transformative in the medium term because it positions Anthropic as the counterparty of choice for regulated institutions that cannot deploy AI without regulator engagement and approval.

The comparison with OpenAI and Palantir, the two most active competitors for enterprise AI contracts in regulated sectors, is worth making. OpenAI's enterprise strategy is primarily direct: launch models, sell API access and enterprise agreements, and engage regulators reactively as compliance requirements emerge. Palantir's strategy is government-first: build relationships with defence and intelligence agencies, establish security clearances and classified deployment infrastructure, and translate that credibility into commercial enterprise sales. Anthropic's Mythos strategy does not exactly resemble either. It is deploying a capability that regulators are frightened of, in a controlled way, while actively negotiating with those regulators about how access should work. If the EU access negotiation results in a framework where Anthropic provides Mythos testing capability to European banks under regulatory supervision, Anthropic becomes simultaneously a tool vendor to the banks and a de facto inspection partner to the regulators who supervise them. That dual relationship creates switching costs and information advantages that no amount of model performance can replicate.

Switzerland's FINMA has cautioned against rapid broad access to Mythos on the grounds that widespread bank access would create severe systemic risk, essentially arguing that giving every bank an autonomous vulnerability scanner also gives every bank an autonomous vulnerability exploitation capability that could be misused, mishandled, or leaked. That concern is legitimate and points to the governance question that sits underneath the access negotiation: Mythos is not like most enterprise AI tools where the risk of misuse is bounded by the user's ability to prompt the model into harmful outputs. It is a system that can autonomously identify and demonstrate exploits in critical infrastructure. Securing its deployment requires a framework that most enterprise software procurement processes have not previously needed to develop. The EU negotiation is, at least in part, about who owns that framework and what it looks like in practice, questions that will not be resolved before the first European banks get access, and that will almost certainly need to be revised once that access is in use.
Janet Harrison has over 16 years' experience in the financial services industry, giving her a vast understanding of how news affects the financial markets, and is an early adopter of blockchain technology and digital currencies. Janet is an active holder and trader, spending the majority of her time analyzing blockchain projects and reports and watching new and upcoming projects and other initiatives in the industry. She has a Master's degree in Economics, with previous roles including investment banking.