Banks Need Cyber AI, but They Should Fear the Monoculture

The scariest bank run of the AI age may not start with depositors. It may start with a model update.

I do not mean that as science fiction. On April 7, Anthropic announced Project Glasswing, a defensive cybersecurity effort built around Claude Mythos Preview, a frontier AI model the company says can find and help fix serious software vulnerabilities; the launch partners included Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, Nvidia and Palo Alto Networks, according to Anthropic’s announcement¹. Anthropic says Mythos has already found “thousands of zero-day vulnerabilities” across critical infrastructure and is available as a gated research preview through several major cloud and AI platforms, according to the same Project Glasswing materials¹.

That is why banks are paying attention. S&P Global reported on May 11 that regulators in the U.S., U.K. and EU have held discussions with bank executives about Mythos, that JPMorgan Chase was the only bank in the initial Glasswing group, and that Morgan Stanley, Goldman Sachs and BNY Mellon executives later said they had gained access to the model, according to S&P Global Market Intelligence³. The basic appeal is obvious. Banks run old systems, new systems, vendor systems, cloud systems and a lot of glue code in between. Attackers need one exploitable crack. Defenders need to find most of them before the attackers do.

My view is blunt: banks should use frontier AI for cyber defense, but regulators should treat shared cyber-AI models like critical financial infrastructure before the sector settles into dependence. The technology can reduce the odds that any one bank gets breached. It can also make the whole system more fragile if many firms rely on the same small set of opaque models for detection, triage and response.

The case for adoption is strong. Anthropic’s technical write-up says Mythos identified and exploited zero-day vulnerabilities in every major operating system and web browser during testing, including a now-patched 27-year-old OpenBSD bug, according to Anthropic’s Frontier Red Team². The company also says the model produced working exploits in a Firefox JavaScript-engine benchmark far more often than its prior Opus 4.6 model, according to the same technical assessment². These are vendor claims, so I would not treat them as neutral lab results. But even with a discount, they point to a real shift: frontier AI is no longer just summarizing alerts after a breach. It is moving toward vulnerability discovery, exploit reproduction, patch validation and live incident support.

Banks need that help because the human baseline is weak. ISC2 estimated the global cybersecurity workforce gap at 4.8 million people in 2024, up 19% year over year, according to its 2024 workforce study preview⁴. IBM’s 2025 breach report found that organizations using AI and automation extensively across security operations saved an average of $1.9 million in breach costs and reduced the breach lifecycle by an average of 80 days, according to IBM’s Cost of a Data Breach release⁵. In a bank, 80 days is not a rounding error. Shorter dwell time can mean the difference between an isolated intrusion and a material operational incident.

So the anti-AI answer fails. Telling banks to defend against AI-assisted attackers with understaffed human teams and brittle legacy workflows is not prudence. It is nostalgia dressed as safety.

But the pro-AI answer fails too if it stops at “better tools.” Finance has learned, painfully, that the same control can lower firm-level risk and raise system-level risk. A seatbelt helps one driver. If every car depends on the same remote software switch to make the seatbelt latch, the road system has a new single point of failure.

We already saw the non-AI version of this. On July 19, 2024, CrowdStrike released a Falcon content update for Microsoft Windows hosts with a defect that caused systems to crash, and the U.K. Financial Conduct Authority later used the incident as a lesson in operational resilience, according to the FCA⁶. CrowdStrike was not an AI model. That makes the warning cleaner. A conventional cybersecurity vendor, deployed widely because firms trusted it, became a broad operational disruption channel.

The AI version could be worse because it may fail quietly. A bad endpoint update turns screens blue. A bad cyber-AI model may suppress the same malicious behavior across banks, misclassify the same exploit chain as low priority, hallucinate the same bad remediation, or overreact to the same false signal and flood incident teams with junk. The first failure is visible. The second can look like calm.

The concentration risk is already visible in finance. The Bank of England and Financial Conduct Authority found in their 2024 survey that 75% of financial firms were already using AI and another 10% planned to use it over the next three years, according to the joint Bank-FCA survey⁷. A third of AI use cases were third-party implementations, and the top three model providers accounted for 44% of reported model-provider relationships, according to the same survey⁷. The survey also found that firms expected the biggest AI risk increases from third-party dependencies, model complexity and embedded or hidden models, while cybersecurity ranked as the highest perceived systemic risk, according to the Bank of England and FCA⁷.

That is almost the whole problem in one paragraph: many firms, third-party systems, concentrated providers, partial visibility and cybersecurity sitting at the center.

The technical risk is not theoretical either. NIST, the U.S. standards agency, describes adversarial machine-learning attacks including evasion, poisoning, privacy and abuse attacks, and says current defenses lack robust assurances that they fully mitigate the risks, according to NIST’s adversarial machine-learning guidance⁸. In plain English, attackers can try to trick a model at decision time, corrupt what it learns, extract sensitive information, or use the system itself for harmful ends. For bank cybersecurity, evasion and poisoning matter most. If many institutions use the same model family, a successful trick can become portable.

This is where ordinary vendor-risk management is necessary but not enough. U.S. banking regulators already tell banks to manage third-party relationships across the full lifecycle, including due diligence, ongoing monitoring and termination planning, according to Federal Reserve SR 23-4⁹. That framework should cover AI vendors. But frontier cyber models need extra rules because the failure mode is not merely vendor outage. It is shared judgment failure inside the security function.

The right rule is conditional acceleration. Banks should be allowed, even encouraged, to deploy frontier AI for vulnerability discovery, alert enrichment, code review, malware analysis and patch testing. They should not be allowed to hand critical security decisions to one black-box model without proving that the bank can survive the model being unavailable, compromised, poisoned or systematically wrong.

That means five concrete requirements. First, banks should inventory every AI-assisted cybersecurity function and classify which ones are critical. Second, regulators should require independent validation on bank-specific telemetry, not just vendor benchmarks. Third, model updates should be staged, reversible and logged by version, prompt context and action. Fourth, no AI system should be able to suppress critical alerts or launch destructive remediation without human approval unless the bank has separately validated that narrow use case. Fifth, supervisors should monitor concentration across providers, because resilience is a property of the system, not the procurement file.

The Financial Stability Board has already pointed in this direction. In 2024, it warned that rapid AI adoption could amplify financial-sector vulnerabilities including third-party dependencies, service-provider concentration, cyber risk, model risk and market correlations, according to the FSB¹⁰. That is the frame regulators should use for Mythos-class tools. They are not just software subscriptions. They are becoming part of the nervous system of finance.

The strongest counterargument is that waiting for perfect safeguards will leave banks exposed while attackers move faster. I agree with the premise and reject the conclusion. The choice is not deployment versus delay. The choice is observable, reversible deployment versus blind standardization. Banks can use these models today for supervised discovery and analysis while regulators set hard gates before they become automated triage engines or response commanders.

My prediction: by the end of 2026, at least one major bank supervisor will require explicit reporting of critical AI dependencies in cybersecurity. The indicator to watch is Anthropic’s promised Glasswing follow-up and whether it includes sector-style stress tests: common model outage, poisoned update, shared adversarial evasion and manual fallback drills. If the industry reports only bug counts and patch wins, it will be measuring the easy half of the problem. The hard half is whether every bank’s new cyber shield has the same crack in it.