Mythos AI: What Sitharaman’s warning means for banks

Why this meeting mattered even without an attack

India’s banking leadership met in New Delhi to discuss the cybersecurity implications of an advanced AI model called Mythos. The immediate backdrop was not a breach in Indian systems, but the possibility that AI can make cyberattacks faster and easier to execute. The week’s most notable detail, as the article’s framing underlines, was that nothing visibly broke. India’s payment rails continued to process more than 700 million transactions a day without disruption.

The Finance Minister’s intervention matters because it treats AI-linked cyber risk as a systemic issue, not a narrow IT problem. Mythos is presented as a shift in attack economics, not just another tool in the malware ecosystem. For a country running one of the world’s largest digital public finance stacks, that shift raises questions about preparedness, coordination, and incident response speed.

Who attended and what was discussed

The meeting included Finance Minister Nirmala Sitharaman along with the IT Minister, RBI, NPCI, CERT-In, and the chiefs of scheduled commercial banks. The government’s messaging, as cited in the material, focused on vigilance, preparedness, and better coordination across institutions. Sitharaman also indicated that global engagement is underway to understand how the risk could evolve.

The session did not claim an Indian banking breach had occurred. It did not point to a specific exploit underway. Its stated purpose was to assess implications and push pre-emptive measures so that detection and response can keep pace with threats that may become more automated.

What banks were directed to do

The directions described were procedural but specific. Banks were asked to take pre-emptive measures to secure IT systems and safeguard customer data. A real-time threat intelligence sharing mechanism with CERT-In was advised. The Indian Banks’ Association (IBA) was tasked with developing a coordinated institutional response, with reporting also noting the IBA is led by Challa Srinivasulu Setty.

Separately, the Finance Ministry and the RBI were described as studying the extent of the risk to the domestic financial sector. The article also notes MeitY’s active engagement with tech companies, authorities, and governments globally to understand preparedness needs.

What Mythos is, and why access is restricted

Mythos Preview is described as a frontier general-purpose language model from Anthropic that showed unusually strong capability in finding and exploiting vulnerabilities in software during testing. Anthropic chose not to release it publicly and restricted access to a controlled consortium of about 40 organisations through an initiative called Project Glasswing. Some reporting in the provided text also described controlled access being given to approximately 15-20 major technology and security providers.

Independent evaluation by the UK AI Security Institute found the model could autonomously execute multi-stage attacks against vulnerable networks under controlled conditions. At the same time, the evaluation noted that test environments lacked active defenders and detection tooling typically found in well-protected production systems.

What is still unknown about real-world danger

The most careful conclusion in the material is that the real-world danger is not yet fully known. But the direction of risk is clearer. Mythos-class capabilities can accelerate vulnerability discovery, lower the technical bar for exploitation, and shorten the time between a flaw existing in widely used software and a weaponised attack.

That compression of timelines is central for banks and payment systems, where patching cycles, vendor coordination, and change management are slower by design. Reuters was cited as noting regulators’ concern that AI systems like Mythos could identify and exploit vulnerabilities faster than institutions can repair them, especially where legacy infrastructure is common.

The “unauthorised access” detail regulators cannot ignore

The text repeatedly flags one point as more important than headline claims: reports of unauthorised access to Mythos. The argument is straightforward. Even when a safety-conscious lab restricts access to a few dozen partners, the practical proximity expands to thousands of people across ecosystems of vendors, contractors, and integrations. It only takes one weak link for a high-capability tool to leak or be misused.

This is why governance of who can use such models, under what controls, and with what monitoring, becomes part of financial stability thinking, not just corporate security policy.

India’s digital strength is also an exposure

India’s digital financial infrastructure is unusually interconnected at massive scale. UPI processed 22.64 billion transactions in March, a record. The Aadhaar-based authentication stack, NPCI rails, the account aggregator framework administered by Sahamati, and the embedding of digital identity into financial products increase efficiency. But the same interconnection expands blast radius when failures propagate.

The material highlights NPCI’s central position in the payments topology, with a “too big to fail” style systemic relevance. When risk shifts from isolated hacks to cross-layer vulnerabilities, shared rails can turn a local flaw into a broader operational event.

What changes for banks and fintech partners

For banks, the shift shows up in several practical ways mentioned in the text. Shared infrastructure deepens interdependence: shared cloud, shared core banking platforms, shared identity rails, and a shared payments backbone. Attribution becomes harder because advanced tools generalise, so observed breach patterns may not repeat in predictable ways. The supply chain widens with every vendor relationship, API, and managed service.

At the retail layer, the text anticipates risk showing up through fraud patterns that are subtler than current awareness campaigns address, including synthetic identity attacks exploiting eKYC, spear-phishing that mimics institutional language, and account takeover at machine speed.

What “AI-aware” preparedness looks like

The article points towards disciplines closer to environmental governance than deterrence analogies. One concrete prescription is AI-aware stress testing, where scenarios explicitly assume adversaries with advanced computational capabilities and test not only technology, but also whether human decision pipelines remain coherent under speed.

It also emphasises customer-facing resilience: clearer recourse mechanisms, real-time fraud reporting, and public communication that informs without alarming. In a system as digitised as India’s, trust and dispute resolution are core operational infrastructure.

Key facts at a glance

Market impact and why investors should track this

The immediate market signal in the provided text is continuity of operations, not disruption. Despite heightened scrutiny, there was no claim of a live breach of Indian banks, and India’s payment rails continued to run at very high daily volumes.

But the policy response indicates that regulators see AI-driven cyber risk as capable of spilling into market confidence if operational disruptions or large-scale fraud emerge. Reuters was cited as noting that cyber incidents in finance can rapidly spill over into market disruptions and undermine broader confidence in the system.

Conclusion

The Mythos episode moved AI-linked cyber risk from a future worry to a present coordination problem for banks, regulators, and shared payment and identity utilities. The government’s meeting focused on pre-emptive controls, real-time intelligence sharing, and an IBA-led institutional response, while the RBI and Finance Ministry study the risk landscape.

What comes next, based on the text, is tighter cross-institution coordination and more explicit stress testing of speed-driven failure modes, alongside stronger customer-facing fraud reporting and recourse mechanisms as threats manifest at the retail layer.