Japan’s three megabanks set to access Anthropic’s Mythos within two weeks
TL;DR:
- Mitsubishi UFJ Financial Group, Mizuho Financial Group and Sumitomo Mitsui Financial Group are expected to gain access to Anthropic’s Mythos cybersecurity model in around two weeks, a source with direct knowledge told Reuters.
- Japanese Finance Minister Satsuki Katayama met US Treasury Secretary Scott Bessent on Tuesday and confirmed a public-private working group will start meeting this week to address cyber risks Mythos poses to the Japanese financial system.
- Anthropic has stated it aims to expand Mythos access to European and UK banks among other organisations — putting UK regulators in a near-identical sequence to BaFin and Japan’s Financial Services Agency.
The Tokyo move follows the deployment of Mythos to US banks including JPMorgan, Goldman Sachs, Citi, Bank of America and Morgan Stanley, and parallel rollout at the Pentagon — all part of Anthropic’s “Project Glasswing” controlled-release programme for defensive cybersecurity. Cybersecurity experts see Mythos as posing significant challenges to bank legacy IT, prompting a series of warnings from regulators and policymakers.
Why Tokyo moved first on a working group
Japan establishing a public-private working group in the same week megabanks gain access is institutional speed seldom seen outside of an active incident. Katayama’s intervention, coordinated with US Treasury at ministerial level, reflects the seriousness Tokyo attaches to the Mythos rollout: the threat is not the model itself but the gap between model capability and bank patching cadence. The working group’s first meeting on Thursday is timed to start before the megabanks actually have hands-on access — a pre-emptive rather than reactive posture.
UK position and the next step
The UK is conspicuously absent from named Mythos-access tranches so far. Anthropic’s stated intent to extend access to UK banks means the Bank of England’s Prudential Regulation Authority and the FCA have a narrow window to settle whether they want to mirror Japan’s public-private working group model, BaFin’s “IT spotlight” inspection regime, or develop something specific. Sam Woods at the PRA has already warned of “significant disruption”, and the absence so far of named UK banks in Project Glasswing tranches is itself a signal — UK lenders are likely waiting on regulator-coordinated access rather than going first.
Cross-source context
The Japanese rollout fits a pattern: in roughly six weeks, Mythos has progressed from US-only restricted access to US Defense Department deployment, to top US banks, to Japan, with European companies (via OpenAI’s rival Trusted Access for Cyber programme) and presumably UK banks next. Each tranche has triggered regulator action — Pentagon dual-track procurement, BaFin inspections, Japan working group. The UK’s turn to choose a model is approaching.
Looking forward
Expect the FCA, Bank of England and HM Treasury to publish a joint position on AI-driven cyber vulnerability discovery in the financial sector before the end of the summer — Tokyo’s speed creates regulatory pressure to not be visibly slower. For UK banks not yet running Mythos-equivalent testing, the time to model the patching-cadence cost is now, before regulators ask for evidence that the work is under way.