The European Central Bank's Single Supervisory Mechanism has begun gathering information from euro-zone banks about their exposure to Anthropic's Mythos — the cybersecurity-oriented model whose release Anthropic has deferred on the grounds that it can identify and exploit vulnerabilities across every major software family, and whose current iteration, Claude Mythos Preview, is being privately evaluated through a program called Project Glasswing. [1] The ECB's approach is not an ad-hoc data call. It is being conducted via the regular supervisory dialogue with bank staff, one source familiar with the matter told Reuters on April 15. [1]

What is running through Brussels-adjacent Frankfurt this week is separate from the rate-limits file the paper covered at the weekend. The paper's continuing coverage of the Opus 4.7 token revolt concerns a different model, a different complaint, and a different constituency — users, not supervisors. Mythos is not rate-limited because Anthropic is not releasing Mythos generally. Anthropic announced Project Glasswing in April, inviting JPMorgan Chase, several cybersecurity vendors and dozens of other organizations to privately test the model and prepare defenses. [2] The U.S. Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened bank chief executives for an urgent meeting on the same file on April 10. [3]

The three-bloc sequence is the story. Britain's Technology Secretary Liz Kendall and Security Minister Dan Jarvis sounded a similar warning to businesses in early April. Bank of England Governor Andrew Bailey said last week that central banks and financial regulators "must quickly adapt" to a generation of AI models "becoming capable of doing work that previously required rare expertise: finding and exploiting vulnerabilities." [1] The U.S. Treasury move was explicit, convened, and calendared. The Bank of England intervention was public and framed as governor-level guidance. The ECB's version is the quietest — carried through the mechanism its supervisors use for bank governance reviews and internal-model assessments, without a separate announcement.

Which is what makes it durable. The U.S. convocation produces a press cycle and fades. The Bank of England statement produces a headline. The ECB's absorption of Mythos-risk into routine supervisory dialogue produces, over months, a set of bank-by-bank governance expectations that sit inside the Single Supervisory Mechanism alongside capital and cyber-resilience reviews. It becomes part of how euro-area banks are supervised on AI exposure. [4]

The framework is converging with the EU AI Act's classification of certain financial-AI uses as high-risk, which takes full effect in 2026. Bank executives are receiving detailed questionnaires from national supervisors, coordinated by the ECB, covering Mythos-related deployments. [4] Anthropic declined Reuters' comment request beyond its April 7 Project Glasswing announcement. [3]

What the ECB has not done is treat Mythos's non-release as a bounded constraint. The supervisory dialogue treats it as present but potentially impermanent — a working assumption that the model's capabilities, once evaluated through Project Glasswing, may leak or be replicated. European banks are being asked, in effect, to describe what they will do when such a model becomes generally available, and from whom.

-- HENDRIK VAN DER BERG, Brussels