EU in Talks With Anthropic to Test European Banks for Claude Mythos Vulnerabilities

What Happened

The European Union is in talks with Anthropic to deploy Claude Mythos for testing European banks for security vulnerabilities, according to Bloomberg reporting on May 4, 2026. Bloomberg’s article is behind its paywall, so specific details — which banks, the regulatory framework hosting the program, the specific Mythos access tier offered, and the exact EU body leading the talks — should be confirmed against the original Bloomberg report.

Why It Matters

Anthropic has restricted Mythos access tightly throughout 2026, citing concerns about its cyber-attack capability documented in evaluations from the UK AI Security Institute. The EU’s interest in flipping that posture — using the same model defensively to find vulnerabilities at regulated banks — recasts Mythos as cybersecurity infrastructure rather than research curiosity. The timing matters: AISI reported May 1 that OpenAI’s GPT-5.5 matches Mythos on multi-stage cyber-attack simulations, which means the capability is no longer single-vendor and the policy question shifts from “should this exist” to “who gets to use it.”

Technical Details

The Bloomberg report does not specify the exact technical scope of the proposed program. Based on UK AISI’s published Mythos evaluation methodology — and parallel red-teaming arrangements between AI labs and government cybersecurity bodies — the likely program shape includes Mythos running against simulated bank environments (cyber ranges) rather than live production systems, with Anthropic engineers and EU regulators jointly reviewing findings. AISI’s “The Last Ones” benchmark, which Mythos solved in 3 of 10 attempts, models a 32-step attack across four subnets and roughly 20 hosts; a banking-focused equivalent would adapt those primitives to financial-services architectures including SWIFT, payment-processing systems, and regulator-facing reporting infrastructure.

Open questions for confirmation against the original Bloomberg article: whether the program is run under the European Banking Authority, the European Central Bank, ENISA (the EU’s cybersecurity agency), or a new joint body; whether participating banks volunteer or are designated; whether the findings are kept confidential or published in summary form; and how the program intersects with the EU AI Act’s high-risk-AI provisions for financial services.

Who’s Affected

European banks are the most directly affected: the largest tier — including BNP Paribas, Deutsche Bank, ING, UniCredit, Santander, and HSBC’s European operations — face the prospect of EU-mandated red-teaming using a model with documented frontier cyber-attack capability. Anthropic gains a significant policy and revenue position: positioning Mythos as defensive cybersecurity infrastructure for regulated industries is the strongest argument the company can make for continued restricted access in the face of capability parity from competitors. ENISA, ECB, and EBA gain a new technology basis for ongoing cyber-resilience programs. OpenAI faces parallel pressure: with GPT-5.5 at comparable capability, similar EU programs using OpenAI models could follow.

What’s Next

Confirmation of the program’s structure from EU and Anthropic official channels is the next material step. Watch for whether other regulators — UK PRA/FCA, Singapore MAS, Hong Kong HKMA, U.S. OCC and Fed — pursue similar arrangements with Anthropic or other frontier labs. The program also tests whether Mythos restricted access remains tenable: if Anthropic provides Mythos to EU red-teaming work, the case for continued restrictions on commercial use becomes harder to maintain.