Thursday, April 23, 2026

RBI warns of cybersecurity risks posed by Anthropic’s “Mythos”

The Reserve Bank of India (RBI) has entered high-level talks with global regulators and Indian lenders to assess the significant cybersecurity risks posed by Anthropic’s “Mythos” AI model.

Released in a limited preview on April 7, 2026, Mythos is reportedly the most powerful “agentic” AI model to date, specifically optimized for defensive security but possessing a high dual-use risk for offensive exploitation.


1. The RBI’s Core Concern: “Zero-Day” Acceleration

The primary alarm raised by the RBI is that Mythos can identify and exploit software vulnerabilities at a speed that traditional defensive patching cannot match.

  • Collapsing the “Patch Window”: Traditionally, when a bug is found, companies have weeks or months to fix it before it is widely exploited. Mythos can reportedly discover thousands of vulnerabilities across “every major operating system” in hours, allowing attackers to strike before a patch is even developed.
  • Legacy Systems: The RBI is particularly concerned about India’s Public Sector Banks (PSBs). While their digital front-ends are modern, their core back-end architecture often relies on decades-old code that Mythos could easily “shred” through autonomous reconnaissance.
  • Malware Generation: Preliminary assessments suggest the model can assist even novice actors in creating “no-code” malware that can bypass standard antivirus detection by constantly rewriting its own signature.

2. Regulatory Response & NPCI Involvement

The RBI is not acting in isolation; it has joined a global “cyber-alert” group to manage the fallout.

  • Consultations with the Fed & BoE: RBI officials have held multiple meetings with the U.S. Federal Reserve and the Bank of England over the past fortnight to coordinate a unified banking response.
  • NPCI Access Denied: The National Payments Corporation of India (NPCI) reportedly sought early access to Mythos to “stress-test” the UPI and Aadhaar infrastructure. However, access was denied because the systems are hosted on strictly controlled servers in the U.S., raising concerns about data localization and foreign jurisdictional control.
  • New Guidelines: The RBI is currently drafting a fresh set of guidelines for Indian banks that partner with frontier AI models (like Claude and Mythos), insisting on strict local data processing and real-time anomaly detection.

3. The “Mythos” Threat vs. Defense Balance

Experts are debating whether Mythos is a “firefighter” or an “arsonist.”

| Feature | Defensive Potential | Offensive Risk |
|---|---|---|
| Vulnerability Scanning | Can patch thousands of bugs in minutes. | Can find “unpatchable” holes in minutes. |
| Autonomous Action | Can actively block incoming “agentic” attacks. | Can launch multi-step, self-correcting attacks. |
| Accessibility | Limited to 40 “Project Glasswing” companies. | Fears of a “leak” or a “jailbreak” by state actors. |

4. Advice for Indian Financial Entities (2026)

Following the RBI’s warning, banks and NBFCs are being urged to:

  • Reduce Patch SLAs: Move from a 30-day patching cycle to a 24-hour cycle for critical internet-facing systems.
  • Adopt “Project Glasswing” Standards: Align internal security with the global consortium (including Google and Microsoft) specifically designed to defend against Mythos-class threats.
  • AI Red-Teaming: Conduct mandatory “AI-on-AI” red-teaming exercises to identify how an autonomous agent might navigate their internal network.
