Goldman Sachs CEO ‘Hyper-Aware’ of Anthropic Mythos Cyber Risk as UK Regulators Convene

TL;DR: Goldman Sachs chief executive David Solomon told analysts the bank is working “closely” with Anthropic on defences against its new Mythos model, which the UK’s AI Security Institute has flagged as a step-change in autonomous cyber-attack capability. UK regulators are convening a Cross Market Operational Resilience Group (CMorg) meeting within the fortnight.

Solomon made the comments on a Monday earnings call, saying the bank already has the model and is “accelerating” cyber investment. The statement follows a US Treasury summit last week at which secretary Scott Bessent convened the CEOs of systemically important US banks to discuss Mythos.

Context and Background

The UK side of the response is now visible. On Monday AISI published findings that Mythos is the first AI model to complete its 32-step simulated cyber-attack challenge, succeeding on three of ten attempts. AISI said the model can perform multi-step attacks autonomously and “discover weaknesses in IT systems without human intervention” — tasks that normally take human professionals days. AISI could not confirm whether Mythos can breach well-defended systems, noting its test environments lack full defensive tooling.

CMorg — whose members include bank chief executives plus officials from the Treasury, Bank of England, FCA and National Cyber Security Centre — is expected to meet within the next fortnight. The composition matters: it puts the Mythos risk squarely on the operational-resilience agenda that already governs how systemically important UK banks must withstand severe-but-plausible cyber scenarios.

For UK financial services firms outside the G-SIB perimeter, Solomon’s “working closely with Anthropic” framing sets an implicit benchmark. Access to the Mythos model itself appears restricted to the 40-odd organisations Anthropic has disclosed as holders of a limited version — including JP Morgan, Google and Nvidia — so mid-tier UK banks and building societies will likely be briefed through regulator-led channels rather than direct vendor access.

Looking Forward

The practical question for UK boards is now timeline. If CMorg’s meeting produces supervisory expectations — rather than just awareness — on how banks should demonstrate readiness against autonomous-agent cyber attacks, that will feed into the FCA and Bank of England’s operational-resilience assessment cycle. Firms running tabletop cyber exercises this spring should revisit assumptions about attacker patience and multi-step reconnaissance.