Canada’s federal banking regulator warned the country’s largest financial institutions that Anthropic’s Claude Mythos and comparable advanced artificial intelligence models may intensify cyber threats and compress the window for discovering and fixing security weaknesses, according to documents obtained through an access-to-information request.
The Office of the Superintendent of Financial Institutions (OSFI) circulated the advisory by email to chief technology officers, chief information security officers and chief risk officers across Canada’s banking and insurance sectors. The communication, dated April 29, flagged the potential for frontier AI models to accelerate the pace at which vulnerabilities can be discovered and exploited.
In its message, OSFI said: "Advanced artificial intelligence models, such as Anthropic Claude Mythos, significantly compress the timeframe for effective risk mitigation." The regulator added that the bulletin was grounded in existing guidance and detailed practices institutions could adopt to speed and improve risk identification, mitigation and response. Portions of the email were redacted under sections of the Access to Information Act.
OSFI later posted a public bulletin on generative and agentic artificial intelligence after it received questions about the topic. In an emailed reply accompanying that bulletin, the regulator emphasized a technology-neutral, risk-focused stance: "Our focus is not the technology itself, but how federally regulated financial institutions govern and manage the risks associated with its use."
The April advisory and subsequent bulletin reflect a broader effort by regulators to understand and address cybersecurity implications posed by frontier AI systems. Cybersecurity specialists cited in the materials view Mythos as an especially capable model at identifying and exploiting cybersecurity weaknesses, raising particular concerns for banks that still operate significant legacy systems.
Industry engagement on the subject intensified in early April, when Canadian bank executives met with regulators to discuss the risks presented by Mythos. That round of talks came shortly after U.S. Treasury Secretary Scott Bessent and then-Federal Reserve Chair Jerome Powell called an urgent meeting with bank chief executives to warn about cyber risks linked to Anthropic’s latest model.
OSFI’s remit covers the regulation and stability of Canada’s financial sector, including banks and pension funds, and it is charged with identifying risks emerging from foreign interference, geopolitics and new technologies. The regulator’s April communication underlines the speed of change in the cyber threat landscape and the need for financial firms to accelerate defensive measures.
Access to some frontier AI systems has already been limited in parts of the financial world. The material notes that euro zone banks are currently excluded from Mythos, highlighting the sensitivity of the model’s cyber capabilities. The documents also reference Anthropic’s complicated interactions with the U.S. government: an initial blacklisting by the Pentagon in March was legally blocked by a judge, and tensions eased after the private release of Mythos.
Canadian banks themselves are advancing AI programs even as regulators issue warnings. Three of Canada’s big six banks - Royal Bank of Canada, TD Bank and BMO - have disclosed plans to monetize their AI investments, moving from pilot projects to production applications such as chatbots, internal tools and a reduced dependence on third-party solutions. Bank of Nova Scotia, CIBC and National Bank have likewise announced multiple AI initiatives.
The Canadian government has said it maintains access to Anthropic’s Project Glasswing, a conduit for authorized use of Mythos, although the documents stress it is unclear which, if any, Canadian banks are currently using that channel.
Some institutions deferred comment to the Canadian Bankers Association, which told regulators and stakeholders that banks have made substantial investments to secure the financial system and are complying with OSFI’s stringent cyber risk management and incident reporting requirements.
In a June interview, RBC’s chief technology officer Bruce Ross described Mythos as emblematic of a shift in the cyberattack environment, arguing that rapid response capabilities are now essential because attack methods can appear as soon as new vulnerabilities are identified. "The way we’re (the industry) dealing with it is, building our own AI defenses... we’ll continue to do that," Ross said.
While OSFI’s April advisory and the public bulletin are intended to guide federally regulated institutions toward better governance and faster mitigation, parts of the original communication remain redacted. The redactions leave some specifics of the regulator’s recommendations and internal assessments unavailable to public review.
Context and implications
The regulator’s caution underscores the tension facing financial firms: they are racing to deploy AI for efficiency and revenue, while also confronting models that can be repurposed to uncover and exploit system weaknesses. OSFI is urging institutions to focus on governance, incident readiness and the speed of detection and response rather than on singling out specific technologies.
Given the redactions in the correspondence and the ongoing evolution of AI capabilities, the full scale and nature of recommended measures remain partly opaque. OSFI’s public guidance and industry statements indicate, however, that banks are investing in in-house AI defenses and adapting cyber risk frameworks to account for a rapidly changing threat landscape.