Canadian financial institutions and regulators are intensifying discussions around the cybersecurity risks posed by Anthropic’s new artificial intelligence model, Mythos, amid concerns about its potential to identify and exploit software vulnerabilities at unprecedented speed and scale.

Mythos, developed by San Francisco-based Anthropic, has demonstrated the capacity to detect thousands of previously unknown flaws—known as "zero-day" vulnerabilities—in widely used software systems, including major operating systems and web browsers. These flaws have no existing patches, making them highly valuable targets for cybercriminals. According to analyses, Mythos can autonomously conduct complex, multi-step network penetration tests that would normally require days of human effort.

The Canadian Financial Sector Resiliency Group (CFRG), which includes representatives from the Bank of Canada, the Department of Finance, the Office of the Superintendent of Financial Institutions (OSFI), and senior executives from major banks and financial institutions, convened last Friday to address the implications of Mythos. This follows similar dialogues held recently in the United States.

While Anthropic has engaged approximately 50 U.S.-based companies in Project Glasswing—a controlled rollout aimed at helping these organizations strengthen their cybersecurity defenses—no Canadian firms were reportedly included in this initial test phase. This has raised concerns about Canada’s preparedness to contend with the evolving threat landscape posed by AI-enabled cyberattacks.

Officials pointed to the competitive nature of the AI industry, where pressures from rivals such as OpenAI influence the pace at which powerful models like Mythos are released. Experts warn that the longer such tools remain exclusive to a small group, the higher the risk they could leak or fall into malicious hands.

Canadian cybersecurity professionals describe the problem as part of a growing "technical debt" in global digital infrastructure, where quick fixes like patches have accumulated over time, leaving systemic vulnerabilities. Some have compared the scale of this issue to major crises, emphasizing the need for an extensive overhaul of software codebases, which would be costly and complex.

Several experts voiced concerns over the fact that decisions about deploying and releasing potent AI models are currently left in the hands of private companies without mandatory independent oversight or regulatory frameworks. They argue that this lack of transparency and control potentially endangers public safety and critical systems. Calls are being made for governments to implement robust evaluation mechanisms and coordinate internationally to establish safety standards.

The Canadian government is reportedly preparing a national AI strategy that includes a focus on security, and officials have signaled openness to closer collaboration with AI developers like Anthropic. AI Minister Evan Solomon is expected to discuss access to models like Mythos with Anthropic representatives in upcoming meetings.

Major Canadian banks, several of which operate across the U.S. market and hold designations as globally systemically important financial institutions, have yet to confirm whether they have been granted access to Mythos or similar tools. The Canadian Bankers Association emphasized its members’ commitment to responsible AI adoption, though individual banks largely declined to comment on their involvement with Anthropic’s technology.

OSFI confirmed it is tracking developments related to Mythos and the Project Glasswing initiative but did not provide specific details. Analysts stress that collaboration between regulators, financial institutions, and AI developers is crucial to managing the risks and harnessing the security benefits that AI tools can offer.

As the debate continues, stakeholders agree that without equitable access to advanced AI cybersecurity tools, Canada may face challenges in defending its critical digital infrastructure from increasingly sophisticated attacks fueled by emerging technologies.