27/06/2026
On Mythos, the IMF, and the difference between a villain and a leak

I read the IMF’s actual blog post on this so you don’t have to, and somewhere around the third paragraph I started laughing for entirely the wrong reasons. Not because it’s funny… it categorically isn’t… but because of the gulf between what they’re describing and how they’ve chosen to describe it. Extreme cyber-incident losses could trigger funding strains, raise solvency concerns, and disrupt broader markets. Said with the same flat, unbothered tone you’d use to report a delayed train.

That’s the line every headline writer has been working from since, dressed up in significantly more breathless clothing. No robots. No Skynet. Just an institution whose entire professional personality is “calm, so you don’t have to be,” very quietly telling you the plumbing might be about to fail.

I want to sit with this one a while, because it’s a genuinely good example of the gap between what’s frightening and what’s reported as frightening, and those two things have less overlap than the algorithm would like you to believe.

What the IMF Is Actually Saying

Strip away the framing and the IMF’s argument is structural, not cinematic. The financial system relies on shared digital infrastructure that’s highly interconnected, including software, cloud services, and networks for payments and other data. Everyone’s using the same handful of cloud providers, the same handful of payment rails, increasingly the same handful of AI models. That’s not a flaw exactly… it’s how you build anything at scale… but it does mean a single weak point doesn’t stay single for long. AI may further concentrate risk and failures with one vulnerability rippling across many institutions. Reliance on a small number of software platforms, cloud providers, or AI models increases the impact of any single exploited weakness.

So the nightmare isn’t a hacker breaking into your bank. It’s a hacker breaking into the thing your bank, my bank, and forty other banks all quietly outsourced the same job to. These features elevate cyber risk to a potential macro-financial shock. Confidence effects, payment disruptions, liquidity strains, and fire-sale dynamics could follow if multiple institutions are affected simultaneously.

And here’s the bit that actually made me sit up… not the breach itself, but the maths behind how fast a breach now becomes a breach-shaped hole in everyone’s defences at once. Advanced AI models can dramatically reduce the time and cost needed to identify and exploit vulnerabilities, raising the likelihood of simultaneously discovering and targeting weaknesses in widely used systems. The word doing the damage there is “simultaneously.” We’ve spent decades building a financial system that assumes attacks happen one at a time, in sequence, with enough gap between them that someone, somewhere, can patch the hole before the next one comes. The IMF’s quiet point is that this assumption might be ageing badly.

Enter the Model Nobody Was Allowed to Use

You can’t write about this moment without writing about Mythos, even though I’d rather not give a product launch the dignity of a section header. In April, Anthropic announced it had built a model with such startling ability to find software vulnerabilities that they weren’t releasing it. According to Anthropic, the Claude Mythos model can find and exploit zero-day bugs in “every major operating system and every major Web browser.” To prove the point, the company said the model was quickly able to identify a 27-year-old flaw in OpenBSD.

Twenty-seven years. Sat there the whole time. Nobody noticed, including, presumably, several generations of extremely competent security researchers who had better things to worry about than a flaw that had survived since before some of them were born. That’s the detail that should unsettle you more than any of the “machine speed” language, because it’s not really a story about new vulnerabilities appearing. It’s a story about how much of our digital plumbing was always full of holes we simply hadn’t found yet, and now something has arrived that’s very good at finding them, fast, and at scale.

The response was, by tech-industry standards, almost graceful. Rather than release it into the wild, Anthropic built what they’re calling Project Glasswing: a consortium of some of the biggest software providers in the world who will endeavor to use the model for cybersecurity defense first, putting it to work on their software before adversaries can get a hold of the tool. Apple, Amazon, the big banks, all quietly given early access so they could find their own wounds before someone else did. There’s something almost monastic about that… a small group, sworn to a narrow purpose, working in private on something too dangerous for the rest of us to touch yet. I don’t know whether to find that reassuring or to find it the most 2026 sentence I’ve written all year. Possibly both.

The official assessment, when Anthropic eventually published it, leaned hard into caveats: Mythos Preview was not able to produce a functional exploit. Just the vulnerability, not the weapon built from it. A small mercy, and one that depends entirely on nobody downstream doing the second half of the job themselves.

The Bit Nobody Wants to Hear

Now here’s where I get contrarian, because that’s the entire point of having a blog rather than a press release.

A handful of cybersecurity researchers, once the dust settled, started asking an inconvenient question: was any of this actually new? Another cybersecurity firm, Aisle, found that many of Mythos’s headline results could be reproduced using cheaper models working in parallel, suggesting that scale and coordination were more important than having the latest model. Their founder put it rather beautifully: “A thousand adequate detectives searching everywhere will find more bugs than one brilliant detective who has to guess where to look.”

And Anthropic themselves, to their credit, didn’t really argue the point. In comments to CNBC, Anthropic didn’t dispute that earlier models were capable of finding software vulnerabilities. In fact, a company spokesperson said, Anthropic has been warning for months that AI’s cyber capabilities were advancing rapidly, pointing to a February blog post showing that Claude Opus 4.6, a widely available model, found more than 500 “high severity” vulnerabilities in open-source software.

Read that again. Five hundred high-severity vulnerabilities. Found by a model anyone could buy access to. Months before Mythos became the story everyone was telling at dinner parties.

So the “unprecedented threat” wasn’t unprecedented. It was just the first time it got a press conference. The capability was already loose, already accessible, already doing this work in the background while everyone was busy being alarmed about the sequel. That’s not a comforting correction, by the way… it’s a worse one. It means the moment of maximum public attention arrived roughly a year after the moment that actually mattered, which is precisely the kind of timing failure that makes financial regulators lie awake at night.

Theatre vs Plumbing

This is the distinction I keep circling, and it’s the one the IMF, buried under several layers of careful institutional language, is also circling: there’s the cinematic version of this threat and there’s the actual one, and they point in almost opposite directions.

The cinematic version has a villain. A single brilliant model, kept in a vault, occasionally let out to do something terrifying for the cameras. It has a release date and a press cycle and a man from NBC asking an Anthropic researcher how worried we should be, to which the answer was admirably blunt: Logan Graham, who leads offensive cyber research at Anthropic, said that even if Mythos were never to become public, he expects the company’s competitors, including those in China, to release models with comparable hacking ability in the coming months and years. Not a threat that goes away if you ban one company’s product. A threat that’s already distributed across an industry that doesn’t share a single command structure, a single ethics board, or a single set of incentives.

The plumbing version has no villain at all, which is exactly why it’s harder to write a headline about. It’s a payment network and a cloud provider and forty banks that all use the same third-party software for something boring like fraud detection, and a vulnerability that doesn’t care which logo is printed on the dashboard. Risks cut across sectors. The financial sector shares digital foundations with energy, telecommunications, and public services. That means AI-assisted attacks can propagate across sectors that rely on the same infrastructure. Nobody’s going to make a documentary about shared digital foundations. But that’s the bit that actually decides whether your wages clear on a Friday.

Where the IMF Lands, and Why It Matters That They Landed There

To their enormous credit, the Fund didn’t just wave its arms and leave. As AI reshapes the cyber landscape, the central question for authorities is whether the financial system can continue to function under severe stress. Answering that question requires putting systemic risk and the tools to manage it at the center of the AI-cyber conversation. Translation, for anyone who hasn’t spent a career reading institutional prose: stop treating this as an IT problem, and start treating it as the kind of problem that gets its own line in a stress test.

There’s also, buried further in, a genuinely useful bit of realism about who carries the cost of all this. Emerging and developing economies, which often have more severe resource constraints, may be disproportionately exposed to attackers targeting regions with weaker defenses. The countries with the least capacity to build elaborate AI-powered cyber defences of their own are the countries most likely to get used as the soft entry point into everyone else’s system. It’s the same shape as every other global crisis I’ve written about this year… the people with the fewest resources absorb the most risk, while the institutions with the resources to actually fix it spend their energy issuing careful blog posts about it instead.

I don’t say that to be glib. I say it because it’s the bit that gets left out when the story is “AI might crash the banks,” and it’s the bit that should probably be the headline instead.

So What Do You Actually Do With This

Nothing dramatic, which is rather the point of the whole essay. You don’t need to pull your savings out of the bank. You don’t need to learn what a zero-day is in granular technical detail. What you might want to do is notice the pattern, because it’s going to recur: a genuinely frightening structural risk gets translated, somewhere between the source document and your newsfeed, into a story about a single scary product, and the structural risk quietly survives the news cycle that was supposedly about it.

The IMF’s actual ask is almost boringly sensible: better international coordination, better information sharing, more investment in the unglamorous stuff like cyber stress testing, scenario analysis, and board-level oversight of cyber risk becoming, in their words, indispensable components of financial stability frameworks. Nobody’s going to put that on a magazine cover. But it’s the actual answer, in the way that most actual answers to actual problems are: slow, institutional, and devoid of a single dramatic villain you can point a camera at.

The robots aren’t coming for your bank account. They’re already in the walls, and they’ve been there longer than the headlines let on. The question was never whether the plumbing could fail. It’s whether anyone’s checking it before the water comes through the ceiling.

Until Next Time

Dominus Owen Markham

