Mythos goes to Tokyo: Japanese banks to get Anthropic’s vulnerability-hunting AI

At a glance:

  • Anthropic's vulnerability-hunting AI model Mythos will be deployed to Mitsubishi UFJ Financial Group, Mizuho Financial Group, and Sumitomo Mitsui Financial Group within two weeks.
  • This marks the first time Japanese companies gain access to the restricted Project Glasswing preview, previously limited to US and European partners.
  • The move, conveyed during meetings with US Treasury Secretary Scott Bessent, highlights the geopolitical dimensions of AI-driven cybersecurity.

Anthropic's Mythos AI Expands to Japanese Megabanks

Japan's three megabanks are set to gain access to Claude Mythos, Anthropic's vulnerability-hunting AI model, within roughly two weeks, according to a source familiar with the matter. This would be the first time a Japanese company has been granted entry to the restricted preview, which has so far been confined to Anthropic's American and a handful of European partners.

Mitsubishi UFJ Financial Group, Mizuho Financial Group, and Sumitomo Mitsui Financial Group were informed of the move during meetings in Tokyo this week with US Treasury Secretary Scott Bessent. The three lenders are expected to be onboarded by the end of May, signaling a significant expansion of Anthropic's controlled rollout.

The decision underscores the growing importance of AI in cybersecurity, particularly for critical financial infrastructure, and sets the stage for broader adoption in the region.

Capabilities and Precedent: Mythos in Action

Mythos has been treated by regulators and chief executives as a category-shifting event since Anthropic disclosed its existence earlier this month. The model has discovered thousands of previously unknown zero-day vulnerabilities across every major operating system and every major web browser, and in internal testing it wrote working exploits, including chains that escape both renderer and operating-system sandboxes in a browser.

Mozilla last week shipped Firefox 150 with fixes for 271 vulnerabilities found by Mythos in a single evaluation pass. This case offers a template for how Mythos findings are handled: handed back to engineers under non-disclosure rather than published, enabling rapid remediation without exposing exploits to malicious actors.

The model's ability to identify and patch vulnerabilities at scale represents a paradigm shift in defensive cybersecurity, prompting both excitement and caution among industry stakeholders.

Project Glasswing: Controlled Rollout and Partners

Anthropic has not released Mythos publicly. Instead, it has run a controlled rollout under what it calls Project Glasswing, with 12 named launch partners, including:

  • AWS
  • Apple
  • Cisco
  • Google
  • JPMorganChase
  • Microsoft
  • Nvidia
  • Palo Alto Networks

Around 40 further institutions have been granted access on a case-by-case basis. Japan's inclusion comes weeks after the Fed and US Treasury convened American bank chief executives on the same cyber-risk briefing, and after UK regulators committed to briefing major British banks within days, highlighting a coordinated international effort.

Project Glasswing's structure reflects Anthropic's approach to balancing innovation with security, ensuring that powerful AI tools are deployed responsibly under strict oversight.

Geopolitical Tensions in AI Cybersecurity

The geopolitical layer is unusually visible. Bessent's role in conveying the access decision in Tokyo aligns the Mythos rollout with US Treasury statecraft rather than with Anthropic's commercial channel, an arrangement that has drawn complaints from European capitals.

Eurozone finance ministers raised the issue at an Ecofin meeting last week: no EU government had access to the model, while the White House was reported to be blocking further expansion of the partner list. This has sparked debates over technological sovereignty and the strategic control of AI capabilities.

Tokyo is moving in parallel. Finance Minister Satsuki Katayama announced the formation of a 36-entity public-private working group on Mythos-class risks, comprising the country's major banks, the Bank of Japan, and the Japanese units of Anthropic and OpenAI. The group is chaired by Mizuho's chief information security officer and is charged with identifying exposures, implementing defensive measures, and drafting contingency plans for a co-ordinated patching push across the Japanese financial system.

These developments illustrate how AI cybersecurity is becoming a focal point of international relations, with nations vying for access and influence.

Industry Perspectives on Mythos and AI Risks

Industry views on Mythos remain split. Some cybersecurity researchers have argued that the vulnerabilities Mythos surfaced are reachable through clever orchestration of public models, and that the bigger story is the rate of improvement of frontier AI in offensive cyber, not Mythos itself.

Others, including Anthropic chief executive Dario Amodei, have described the moment as a "cyber moment of danger" that justifies the access controls. This divergence reflects broader tensions between innovation and risk mitigation in the AI sector.

The debate underscores the need for robust governance frameworks as AI capabilities advance, particularly in sensitive areas like cybersecurity.

Operational and Strategic Implications for Financial Sector

For the three banks involved, the immediate question is operational. Mythos under Glasswing terms is delivered with restrictions on output disclosure, with the model used to find vulnerabilities in a partner's own systems and to draft remediation, not to publish exploits.

The Mozilla case offers a clear template: 271 vulnerabilities patched in a single Firefox release after a Mythos sweep, with findings handed back under non-disclosure. This approach allows banks to strengthen their defenses without increasing systemic risk.

The public-private working group in Japan, chaired by Mizuho's CISO, will play a crucial role in co-ordinating responses and ensuring that the financial sector can adapt to the new threat landscape posed by advanced AI.

Looking Ahead: The Future of AI in Cybersecurity

The expansion of Mythos to Japanese banks signals a growing acceptance of AI-driven tools in critical infrastructure protection. However, the geopolitical tensions underscore the strategic importance of such technologies, with access becoming a matter of national security.

As more institutions gain access, the balance between security benefits and risks of proliferation will be closely watched. The rate of improvement in AI capabilities suggests that this "cyber moment of danger" may be just the beginning, requiring ongoing vigilance and adaptation.

Stakeholders will need to navigate regulatory landscapes, international cooperation, and ethical considerations as AI becomes integral to cybersecurity defenses, shaping the future of digital safety in an increasingly interconnected world.

Editorial SiliconFeed is an automated feed: facts are checked against sources; copy is normalized and lightly edited for readers.

FAQ

What is Mythos and why is it significant?

Mythos is Anthropic's AI model designed to hunt vulnerabilities. It has discovered thousands of previously unknown zero-day vulnerabilities across every major operating system and every major web browser, and in internal testing it wrote working exploits, including chains that escape both renderer and operating-system sandboxes in a browser. Its significance lies in its ability to find and patch vulnerabilities rapidly, as seen with Mozilla's Firefox 150 update fixing 271 issues found by Mythos in a single evaluation pass.

Which Japanese banks are involved and when will they get access?

Mitsubishi UFJ Financial Group, Mizuho Financial Group, and Sumitomo Mitsui Financial Group are the three megabanks set to gain access within roughly two weeks, with onboarding expected by the end of May. This marks the first time Japanese companies have been granted entry to the restricted Project Glasswing preview, previously limited to US and European partners.

What is Project Glasswing and who are the partners?

Project Glasswing is Anthropic's controlled rollout program for the Mythos model. It has 12 named launch partners, including AWS, Apple, Cisco, Google, JPMorganChase, Microsoft, Nvidia, and Palo Alto Networks, with around 40 further institutions granted access on a case-by-case basis. The program aims to balance innovation with security by limiting deployment to trusted entities under strict oversight.
