There’s a quiet anxiety spreading through the executive floors of Australia’s biggest banks. It’s not about interest rates or a softening economy. It’s about a new breed of artificial intelligence, one capable of finding the cracks in digital defences that human security teams have spent years trying to find and seal.
The model at the centre of this unease is Mythos, developed by US AI company Anthropic. Earlier this month, Anthropic made the unusual decision to keep Mythos from public release. The delay was not because it wasn’t ready, but because it was too capable. This new model has demonstrated a remarkable ability to identify unknown vulnerabilities in software systems, and the risk of it falling into the wrong hands was judged too great. The global financial system, among many other industries, Anthropic concluded, needed time to prepare.
That decision has sent ripples through the Australian banking sector.
A tool that cuts both ways
The uncomfortable truth about Mythos, and about advanced AI security tools generally, is that they are inherently double-edged. The capabilities that allow a model to detect hidden flaws in code can just as easily be turned around and used to exploit them.
Stephen O’Reilly, a cybersecurity specialist, put it plainly: “Legacy software carries vulnerabilities that existed for years without anyone knowing, simply because the tools available weren’t creative or fast enough to find them.” Modern AI changes that equation dramatically. Once those hidden pathways are exposed, a bad actor with access to a capable AI model has something bordering on a master key.
Robert Di Pietro, who leads PwC’s local cybersecurity practice, sees Mythos as a genuine inflection point. Australian banks, especially the larger institutions, have long invested heavily in vulnerability and patch management. The question now isn’t whether they’re well-resourced; it’s whether they’re built for speed and agility. The world is shifting, he says, from periodic cyber risk management to something that needs to be fast, agile and continuous.
The race for access
With Mythos withheld from general release, Anthropic has quietly extended preview access to a small group of organisations through a programme called Project Glasswing. Roughly 40 American businesses have been given preview access, among them Amazon, Microsoft and Google. The explicit purpose: to let trusted partners probe their own defences before similar tools become available to criminal groups.
Neither Australia’s major banks nor any other Australian organisation is in that circle … but they want to be.
National Australia Bank has been working its existing relationships with technology partners who are connected to Project Glasswing, hoping to gain insight into Mythos’ capabilities. Patrick Wright, NAB’s executive for technology and enterprise operations, acknowledges the bank is investing significant effort into monitoring new AI developments and the risks and opportunities they bring.
Only a handful of financial institutions globally, such as JPMorgan and Morgan Stanley, have been granted their own preview access so far. Anthropic has said it is working to expand the programme to include Australian banks, though it has stopped short of committing to any timeframes for Australian businesses.
Westpac’s chief information security officer, Richard Johnson, framed the situation with measured optimism. “Yes, more sophisticated AI models raise the threat level. But they also raise the ceiling on what defenders can do. The same technology that makes systems more vulnerable also makes it possible to identify and close those weaknesses faster than ever before.” He also added that Westpac is actively engaging with partners across the security ecosystem to understand how models like Mythos are being applied.
Commonwealth Bank, which, interestingly enough, holds a shareholding in Anthropic, has been more circumspect, confirming only that it is closely tracking developments with its strategic partners.
Beyond the boardroom
The implications of Mythos extend well beyond the banks themselves. At a workforce summit in Sydney this week, ACTU secretary Sally McManus used the model’s emergence to make a broader point about AI regulation. Advanced AI, she argued, is neither purely beneficial nor purely harmful. It can be both simultaneously, and often at scale. Her call was for a regulator with genuine authority to protect workers and industries from the harms that accompany the benefits.
It’s a sentiment many in the security industry would understand well. The same tool that helps a bank patch a vulnerability on Monday could help a criminal group find a new hole on Tuesday.
What this means for security teams
If there’s a common thread to all of this, it’s urgency. The arrival of AI models capable of autonomous vulnerability discovery means Australian security teams can no longer afford to think in quarterly cycles. Defences need to be living, breathing systems that are constantly tested and constantly updated.
For Australian banks, the hope is that access to Mythos through Project Glasswing will give them the head start they need. The alternative is to wait for Mythos or similar tools to appear in the wild, in the hands of those who mean harm. This is not a strategy anyone is comfortable with.
Anthropic has said it plans to expand access safely, in co-ordination with governments and financial institutions. For the banks, the sooner that happens, the better.



