A central bank just put an AI model on its watchlist because it's too good at breaking code.
The Summary
- The Reserve Bank of Australia is monitoring Anthropic's new Mythos AI over fears it can enable sophisticated cyberattacks
- AI tools are already finding thousands of software vulnerabilities at scale, with one bug-tracking program identifying 200 serious issues in roughly a week
- The RBA's move signals that financial regulators now see AI-powered exploit discovery as a systemic risk, not a theoretical one
The Signal
Anthropic's Mythos model has crossed a threshold that matters: it's capable enough at finding security vulnerabilities that a major central bank is treating it as a potential financial stability threat. The Reserve Bank of Australia doesn't monitor software releases. It monitors things that could take down payment systems or destabilize banking infrastructure.
This isn't science fiction risk modeling. AI is already discovering software flaws at industrial scale. One bug-tracking program found 200 serious vulnerabilities in a week. That's the velocity before Mythos. The implication: we're entering a phase where the offense-defense balance in cybersecurity tilts heavily toward whoever deploys AI agents first.
"A bug-tracking program found 200 serious issues in roughly a week."
What makes this different from previous AI capability jumps is the asymmetry. Finding exploits scales differently than patching them. An AI can scan millions of lines of code, test edge cases, and identify zero-days faster than any red team. But fixing those flaws still requires human developers to understand context, rewrite functions, test regressions, and deploy updates across legacy systems that weren't built for rapid iteration.
The RBA's concern isn't just about Mythos itself. It's about what happens when this capability becomes commoditized:
- Nation-state actors run these models against critical infrastructure
- Ransomware groups automate the discovery of high-value targets
- The window between vulnerability discovery and exploitation shrinks from months to hours
Financial institutions are particularly exposed. Banks run on code written across decades, with layers of technical debt and third-party dependencies. The RBA monitoring Anthropic's model suggests they're war-gaming scenarios where an AI agent finds a critical flaw in payment settlement systems faster than anyone can patch it.
The Implication
If you're building infrastructure, assume AI agents are already probing it. The security posture that worked when humans were the bottleneck doesn't hold when agents can test thousands of attack vectors in parallel. Companies need their own AI agents running continuous audits, not annual penetration tests.
For regulators, this is the start of a new game. When AI models become dual-use tools for both security research and weaponized exploit development, the line between responsible disclosure and containment gets thin. The RBA won't be the last institution monitoring AI releases as potential systemic threats.