- Key insight: Anthropic's NDA carve-out lets JPMorganChase, the only bank among Project Glasswing's named launch partners, formally share Mythos-surfaced vulnerabilities with community and regional banks for the first time.
- What's at stake: Smaller banks outside Glasswing depend on partners like JPMorgan to surface Mythos-found vulnerabilities in shared software systems; the carve-out determines whether and how that intelligence now reaches them.
- Expert quote: Rep. Josh Gottheimer, co-chair of the House Democratic Commission on AI and the Innovation Economy: "No entity should be contractually restricted from warning others, coordinating mitigations, or informing relevant and trusted stakeholders about urgent cyber risks."
Overview bullets generated by AI with editorial review.
Anthropic has reportedly freed partners in its
The carve-out drops a nondisclosure agreement that had kept the findings inside the program since its April 7 launch, according to reporting from
The change came the same day Rep. Josh Gottheimer, D-N.J., and co-chair of the House Democratic Commission on AI and the Innovation Economy,
In a related development, the Bank of England, the Financial Conduct Authority (the U.K.'s main financial-services regulator) and HM Treasury (the British government's finance ministry) had told U.K. financial firms three days earlier, in a
What Anthropic changed, and what Gottheimer asked for
Gottheimer praised Anthropic for the carve-out.
"No entity should be contractually restricted from warning others, coordinating mitigations, or informing relevant and trusted stakeholders about urgent cyber risks," he wrote.
The letter offered a hospital-and-utility example: A large entity with Mythos access should be free to warn smaller peers running the same systems, he said.
Gottheimer also urged OpenAI to make the same change to its Trusted Access for Cyber program, an invite-only initiative that gives vetted cybersecurity researchers expanded access to OpenAI's most cyber-capable models for defensive work.
UK regulators put expectations on paper
The May 15 statement from U.K. regulators said the "cyber capabilities of current frontier AI models are already exceeding what a skilled practitioner could achieve, and at a significantly higher speed, greater scale and lower cost."
"Firms that have underinvested in core cyber security fundamentals are likely to become progressively more exposed," it warned.
It listed five domains for action: governance and strategy, vulnerability identification and risk management, third-party risk, protection, and response and recovery.
A footnote stresses that the statement does not impose new rules. It pulls together existing operational-resilience guidance.
The authorities pointed firms to a May 1
No U.S. financial regulator has put comparable expectations on the record.
What Mythos has surfaced
Mythos has identified thousands of previously unknown security flaws (known as zero-days) across major operating systems and browsers, and produces working exploits on the first attempt in more than 83% of cases, according to
Anthropic's Glasswing launch page committed to "report publicly on what we've learned" from the program within 90 days. The program launched April 7, so that report is due by July 6.












