Yinglian Xie is CEO and co-founder of DataVisor, a leading fraud detection company with solutions powered by transformational AI technology.

For years, the financial services industry has operated under an unspoken assumption that high-end cyber offensive capabilities were the exclusive domain of nation-states and elite research labs. Many believed that "security through complexity"—the sheer difficulty of navigating legacy mainframes alongside modern cloud stacks—provided a natural moat.
The arrival of frontier models such as Claude Mythos threatens to drain that moat.
The U.S. Treasury's warning about these frontier AI capabilities might sound like the next cycle of tech-hype panic, but it's really a fundamental shift in the physics of financial crime. When an AI can autonomously discover and chain together vulnerabilities across a bank's entire technology stack in milliseconds, we're no longer in an arms race. We're in a structural paradigm shift.
Does Mythos mean the end of the 'vulnerability window'?
In the traditional security model, we relied on the "vulnerability window"—the time between a flaw being discovered and a patch being deployed. Human researchers typically took weeks to find these bugs; banks took months to patch them.
Mythos dramatically compresses that window. If Mythos industrializes the discovery of zero-day exploits, AI-driven offense can move at the speed of compute, while our defenses are still moving at the speed of bureaucracy. For a Tier 1 bank, a single unpatched kernel in a legacy payment gateway is no longer a "medium risk"; it's a wide-open door that an autonomous agent can find and walk through before your security operations center even finishes its morning briefing.
Why are safety filters a false sense of security?
Model alignment and export controls make it harder and more expensive to use AI in adversarial ways. More than ever, however, these controls are speed bumps, not walls.
While domestic labs such as Anthropic or OpenAI implement redlines to prevent their models from writing malicious code, we must assume that adversarial models—unmonitored and unaligned—will not. Our defense strategies must anticipate what's next: adversarial models that quickly achieve Mythos-like capabilities with no guardrails whatsoever.
Soon, all fraud will be 'zero-day' fraud.
As bad actors use frontier models to rapidly accelerate increasingly sophisticated attacks, we may soon see a day where every new attack is truly "zero-day"—meaning they're all novel and previously unknown.
Even before this happens, financial institutions are finding themselves in a very difficult position. They need to quickly make a series of massive technical and strategic pivots just to stand a chance. Legacy banking systems were built before cybersecurity was a design principle, and now they're converging. These systems can't be patched fast enough to keep up with AI-accelerated vulnerability discovery, and in many financial institutions, "fraud" and "cybersecurity" are still different departments with different budgets.
Mythos proves that distinction is dead. An AI that exploits a system vulnerability (cyber) to authorize a coordinated series of instant payments (fraud) requires a single, unified defensive view.
Banks are only as good as their many connections.
As JPMorgan Chase CEO Jamie Dimon pointed out, risks extend well beyond any single financial institution given the financial system's interconnected nature. Every API connection from banks to fintechs, payment processors and open banking partners is an attack surface, and many risk programs aren't evaluating those partners at the frequency that the threat environment now demands.
Unsupervised machine learning is the baseline.
If an attack is truly "zero-day," rules-based systems and supervised models alone will fail. Unsupervised machine learning (UML), which identifies patterns of abnormal behavior without needing a label or a history, can catch an autonomous agent in the act.
Real-time is the only time.
In a world of instant payments (FedNow, RTP), "near real-time" is just another way of saying "too late." Our defensive AI must be as autonomous and as fast as the offensive AI it's fighting.
The Mythos moment is your latest reality check
For every CISO and CEO in the banking sector, the democratization of elite offensive capabilities means that the sophisticated attacker is now everyone, everywhere, all at once.
Some of the biggest U.S. banks are already testing Mythos for self-auditing, but that's only the first step. It's time to move beyond using AI as a tool for documentation and start using it as the primary engine of our defense. The window for human-led triage is closing. In 2026, stopping a malicious AI will involve a faster, smarter and more unified defensive one.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
