Claude Mythos: Why India’s Banks Are on Alert in 2026
A new AI model puts cyber risk on the policy agenda
Claude Mythos, Anthropic’s latest general-purpose AI model, is pushing governments and enterprises to rethink how they secure software and digital infrastructure. The concern is not only what the model can generate, but what it can do when connected to tools, networks, and operational systems. Experts describe Mythos as “agentic” AI, capable of more complex decision-making than traditional tools. That agentic capability, they argue, changes the speed and scale at which vulnerabilities can be found and exploited. In India, the model has triggered high-level discussions across finance and technology policy. The immediate focus has been on banking and digital payments, where trust and uptime are essential.
Sitharaman convenes banks and officials on Mythos risks
Earlier this month, Finance Minister Nirmala Sitharaman met officials from the Ministry of Electronics and Information Technology (MeitY), bank executives, and senior civil servants to discuss the risks linked to Mythos. Officials at the meeting pointed to Mythos’ ability to find vulnerabilities in legacy software systems. Sitharaman later flagged Mythos as an emerging AI-linked cybersecurity threat for the banking sector. She directed the Indian Banks’ Association (IBA) to help the sector strengthen defences, with the effort led by SBI Chairman Challa Srinivasulu Setty. Sitharaman also said global engagement is underway to understand how the risk may evolve and what preparedness looks like. The broader takeaway from the meeting was that models with similar capabilities are likely to proliferate, not remain unique to one provider.
Why banks and insurers are seen as the primary risk zone
Most experts cited in the reports place banking, financial services and insurance among the most exposed sectors if Mythos is misused. The logic is straightforward: financial systems run on interconnected software, shared platforms, identity rails, and large data stores. One weakness can cascade across multiple layers, especially where banks rely on shared cloud infrastructure, core banking platforms, and common payment backbones. One account framed the past week’s resilience with a striking data point: India’s payment rails carried more than 700 million transactions a day without faltering, even as policymakers debated the next class of threat. That contrast captures the challenge for regulators and lenders. The infrastructure works at scale, but its risk profile may shift if the economics of finding severe flaws changes.
“Minutes, not days”: speed becomes the core problem
Philippa Cogswell, managing partner for Japan and Asia Pacific at Palo Alto Networks’ Unit 42, described the shift as moving from a world of “N-days” to a critical window of minutes. In that framing, the main risk migrates from static infrastructure to the speed of the attack cycle. The concern is that machines can reason across identity, code and supply chains faster than human-led response cycles. Jameela Sahiba, associate director at policy think tank The Dialogue, said Mythos shifts the centre of gravity of the debate toward “capability risk.” In her view, systems with operational capacity can materially alter the security environment for governments, industries, and critical infrastructure. Another expert view in the reports argues that these models can discover and operationalise weaknesses faster than existing defensive and regulatory mechanisms can respond.
Anthropic’s Project Glasswing and the “dual-use” dilemma
Anthropic has announced Project Glasswing, under which it will work with multiple large partners to develop “defensive” applications for Mythos. Anthropic said Mythos Preview has already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser. The company warned that, given the rate of AI progress, these capabilities could proliferate beyond actors committed to deploying them safely. Under Glasswing, partners will use Mythos for defensive security and share lessons globally, and they will get access to Mythos’ preview to find and fix vulnerabilities in their own foundational systems. Anthropic said expected focus areas include local vulnerability detection, black-box testing of binaries, securing endpoints, and penetration testing. The same features that make Mythos attractive for defence are also what heighten fears of malicious use.
Industry and policy voices push for broader inclusion
Nasscom, representing India’s IT industry, said it is imperative that Indian technology firms are included in Anthropic’s global industry consortium under Glasswing. The industry body framed participation as a way to strengthen global cyber resilience through responsible testing and shared learning. Separately, one policy argument in the reports emphasised dependence rather than threat: much of the substrate beneath India’s public digital infrastructure, including operating systems, cloud platforms, and AI model stacks, remains imported. In that view, resilience requires accelerated indigenous AI safety research, sovereign cloud capability, and well-resourced cybersecurity expertise inside the public sector. The reports also point to the need for updated governance frameworks that reflect AI-driven threats rather than conventional cyber playbooks.
What banks were asked to do: governance and operational controls
At Sitharaman’s meeting, banking executives were asked to take measures to secure their systems, data, and customers. Tarun Wig, cofounder and CEO of Innefu Labs, said AI can no longer be treated only as an efficiency layer and must be governed as a real-time cyber risk. He highlighted needs such as continuous cyber threat intelligence sharing, faster patch management, stronger identity security, tighter vendor controls, and AI-powered defence with human oversight. Chowdhry, cited in the reports, argued the wrong instinct is to “shoot the messenger,” and the right one is to harden the systems the messenger reveals. He also said no powerful model should be given direct authority over code execution, network administration, financial controls, or critical operations without independent evaluation, bounded permissions, human approval for consequential actions, comprehensive logging, and a duty to report serious incidents and near misses.
A coordinated ecosystem response, not isolated bank actions
Multiple accounts describe the need for coordinated mechanisms, including real-time threat intelligence sharing across the banking system and with national agencies. One report described a plan that emphasises sharing threat intelligence among banks, CERT-In, and other agencies. Another stressed that interdependence is a structural feature of modern finance: banks share infrastructure and vendors, so a vulnerability that crosses layers is different from one contained in a single system. That makes speed and coordination as important as individual bank hardening. The reports also note that international conversations are moving in parallel, including discussions in the US with Wall Street banks and indications that the White House may consider using Mythos within agencies to bolster cybersecurity.
Why this matters for India’s digital financial stack
The reports frame Mythos as a stress test for how quickly institutions can adapt to machine-speed threats. For India, the issue is amplified by scale and complexity: digital identity, payments, banking, and government networks are deeply connected. Sahiba warned that if AI tools capable of identifying previously unknown vulnerabilities become concentrated among a small set of corporate or geopolitical actors, it creates structural asymmetry in cyber defence. She argued that equitable access to defensive capability becomes part of technological sovereignty. The operational message for lenders is immediate and practical: cyber risk needs board-level ownership, faster patch cycles, stronger identity and vendor controls, and coordination that matches the speed of modern attacks.
What to watch next
India’s next steps, as described across the reports, centre on strengthening bank-level controls and building more coordinated threat intelligence sharing with agencies. On the global front, the evolution of Project Glasswing, and who is included in the consortium, will shape how widely defensive learnings are shared. Officials also signalled that the world should expect more models with similar or greater capability, making this a continuing policy and operational challenge rather than a one-off episode. For banks, the practical near-term focus remains readiness: securing legacy systems, testing critical infrastructure, and ensuring incident processes work at the pace implied by agentic AI.