Major U.S. banks are moving quickly to address multiple vulnerabilities identified through Anthropic’s artificial intelligence (AI) security tool Mythos.

A Reuters report cited by fintech outlet Finextra on May 14 said some major U.S. banks with access to Mythos have identified dozens of security vulnerabilities and are bringing forward patch and software upgrade schedules.

Banks say Mythos is finding hundreds to thousands of vulnerabilities classified as low to medium. They see some of them as potentially leading to greater damage when combined. As vulnerabilities that appeared low priority on their own were found to be exploitable in a chain, a view has emerged that the existing gradual approach to security fixes is hard to sustain.

These banks are also sharing related information with smaller lending institutions that do not have access to Mythos. The aim is to help other financial firms check and respond to the same types of vulnerabilities.

A similar warning has been issued to euro zone banks. European Central Bank Executive Board member Frank Elderson urged banks in the euro area to prepare quickly for possible cyberattacks aided by Mythos or similar tools.

Elderson said a lack of access cannot be a reason for delayed action. "Not having access cannot be an excuse," he said. "Rather, banks should be more proactive," he added. Even if they cannot use Mythos directly, the message is that banks cannot leave existing security systems unchanged as the threat structure is already shifting.

Pressure on banks is also tied to aging technology environments. Mythos is seen as strong at finding vulnerabilities in both in-house code and open-source code. As a result, banks are under pressure to replace or upgrade old technology stacks and software more quickly. As the scope of checks expands beyond closed internal systems to external open-source components, the breadth of security responses has widened.

Other risks are also being raised as banks speed up security measures. Warnings have emerged that if banks move faster than usual with patches and upgrades, the heavier workload could lead to service disruptions. They cannot leave vulnerabilities unaddressed, but they also need to carry out fixes without undermining the stability of financial services in operation.

In this situation, the U.S. banking sector’s response is increasingly likely to go beyond simple security checks and lead to a broader overhaul of operating systems. With confirmation that even low-risk vulnerabilities can be combined to create bigger attack paths, banks are reprioritising based on actual exploitability rather than individual severity ratings. Attention is expected to focus on how quickly fixes at major banks spread to regional banks and whether upgrades to aging systems can proceed while maintaining service stability.