Earlier this week, US financial regulators convened major bank CEOs to assess the cybersecurity risks of the Claude Mythos Preview in interconnected systems.
Scott Bessent, US Treasury secretary, and Jerome Powell, Federal Reserve chair, called the meeting on short notice in Washington, DC to brief bank leadership on the model’s capabilities and its implications for financial systems. The focus was on its ability to identify and potentially exploit vulnerabilities at scale.
The meeting illustrates growing concern over how AI systems could introduce new forms of cybersecurity exposure across financial institutions. It also reflects warnings from industry leaders and policymakers that these tools lower the barrier to sophisticated attacks while expanding the range of actors able to carry them out.
AI Drives Transformation While Expanding Cyber Risk
Claude Mythos is built to identify vulnerabilities across software and infrastructure, including issues that have persisted under standard testing and audit cycles. The capability increases the rate and coverage of discovery while reducing the time between identifying a weakness and acting on it.
Anthropic has made the Preview accessible to a limited group of organizations focused on vulnerability discovery and remediation, rather than releasing it broadly. Nevertheless, the capability marks an inflection point for financial systems.
The same approach that surfaces critical flaws can also be used by internal or external threat actors to map systems and identify paths to exploitation.
As Susan Galbraith, a finance and GRC expert at SAPinsider, puts it, AI is a “two-sided coin,” enabling transformation across systems while exposing gaps in those systems. Tools that accelerate discovery also make weaknesses easier to identify and exploit.
That changes how security, governance, risk, and compliance teams need to model exposure, particularly in financial institutions where systems are highly interconnected and operate under high regulatory thresholds.
Analysis
What This Means for ERP Insiders
Risk is now inherent to system optimization. The same mechanisms improving performance now expose system behavior continuously, embedding vulnerability identification into normal operations.
AI Adoption Increases Cyber Risk Exposure in Finance
The speed of the response reflects how seriously regulators are treating this new capability from Claude Mythos Preview. Still, the underlying concern is not new.
Jamie Dimon, CEO of JPMorgan Chase, said in his 2025 annual letter to shareholders that the bank would incorporate AI “in everything we do,” while warning that the technology could create cybersecurity vulnerabilities.
That dynamic is already visible in SAPinsider industry research.
Preliminary data from a report by Galbraith on Finance in the age of AI shows that 48% of organizations are using or implementing AI across finance, with 31% citing cybersecurity risk as a direct pressure. Many of those environments operate across multiple ERP systems, where integration points, access models, and data consistency are not fully aligned.
“If you don’t act on AI, AI will act on you,” Galbraith warns. Internal and external threat actors can now move more quickly across systems, test more conditions, and identify viable paths to exploitation with less effort. That compresses the time between exposure and impact, increasing pressure on financial institutions to detect and respond in real time.
Analysis
What This Means for ERP Insiders
Detection speed now determines exposure. Institutions that cannot match AI-driven testing speeds face delays that allow vulnerabilities to scale before controls respond.
ERP Complexity Defines the Risk Surface
The Claude Mythos Preview has sharpened the focus on capabilities that can identify and exploit vulnerabilities across interconnected financial systems. Regulators, banks, and policymakers are treating this class of capability as a potential source of systemic financial risk, where those tools operate across systems that are already highly connected.
Many finance environments already carry integration and data quality debt. Preliminary SAPinsider data from Galbraith shows more than 40% of organizations run multi-ERP landscapes, which often rely on manual or custom methods for master data consistency.
In practice, that means vulnerabilities are distributed across systems, access models are not consistently enforced, and activity is not always visible end to end, making it harder to detect how exposure develops across the environment. That expands attack surfaces, with more entry points, inconsistent entitlements, and uneven visibility across systems.
Robert Holland, vice president and research director at SAPinsider, notes that AI adoption remains more conservative within SAP environments and the finance industry, while AI adoption across the broader enterprise is advancing more quickly overall.
For example, data from the company’s AI Adoption and Maturity in the SAP Ecosystem report shows 71% of respondents use Microsoft Copilot and 52% use ChatGPT—rates that exceed AI adoption within SAP environments.
Most of that adoption is still ad hoc or foundational, while 32% report integrated or transformational use. Still, that creates an asymmetry where AI capabilities are advancing across the enterprise ahead of system-level integration and governance.
As AI-driven risk frameworks become more common, organizations will be expected to demonstrate control over data and identity governance, auditability, and scenario planning for vulnerabilities across authorization models, integration layers, and APIs.
Analysis
What This Means for ERP Insiders
Fragmented systems make AI-driven risk harder to control. Gaps between systems allow vulnerabilities to spread faster than teams can see or fix them.
A version of this article was first published by SAPinsider on April 10, 2026.



