Bank of Canada Governor Tiff Macklem in Ottawa in September, 2025.Blair Gable/Reuters
Bank of Canada Governor Tiff Macklem said governments and regulators need to move quickly to get a handle on the cybersecurity risks posed by powerful new artificial intelligence tools such as Anthropic’s Claude Mythos model.
The emergence of new AI models adept at hacking into secure systems was widely discussed at the spring meetings of the International Monetary Fund and World Bank in Washington over the past week, Mr. Macklem said.
San Francisco-based Anthropic announced the Mythos model earlier this month, but opted not to make it widely available because of the risks it presents. The model has shown unprecedented skill at finding and exploiting vulnerabilities in software, according to Anthropic.
“This isn’t a one-off. Mythos has arrived, it’s a lot more powerful than what came before. But something else will come that’s even more powerful than that,” Mr. Macklem told reporters on a call from Washington.
“As a [financial] system, both within Canada, but internationally, we’re going to need to come to grips with how we’re going to manage this on an ongoing basis.”
Artificial Intelligence Minister says Anthropic taking ‘responsible’ approach with Mythos
Mr. Macklem said he discussed Mythos with U.S. Federal Reserve Chair Jerome Powell this week, while Finance Minister François-Philippe Champagne talked to his counterpart U.S. Treasury Secretary Scott Bessent.
He also said the Canadian Financial Sector Resiliency Group (CFRG), which is chaired by the Bank of Canada and includes representatives from other regulators and Canada’s big banks, met a second time this week to discuss the financial system security implications of Mythos.
Questions about the potential impact of Mythos on the financial system emerged last week after Mr. Powell and Mr. Bessent convened a meeting of top U.S. bank CEOs to discuss the issue.
News of the meeting sent central banks and regulators around the world scrambling to understand the nature of the threat. It has also prompted deeper reflection on cybersecurity in the age of AI, said Mr. Macklem, who also chairs the vulnerability assessment committee of the Financial Stability Board, a global institution that helps manage financial sector risks.
“At the moment, there is no actual live cyber incident,” Mr. Macklem said. “But the potential for Mythos, and just new AI large language models in general, is that they can expose the vulnerabilities much faster and exploit them much faster. And that really puts a premium on having a mature cybersecurity posture.”
Speaking to reporters from Washington earlier in the day, Mr. Champagne said addressing cybersecurity risks in the rapidly changing technological environment will require international co-operation.
“This has been something that has been talked about by many in terms of the measures that we need to take, not just in North America, but in G7 countries and beyond, to maintain the integrity of our financial institutions,” Mr. Champagne said.
He said the emergence of Mythos is a “test case” for how quickly governments, companies and regulators can respond to fast-evolving technology.
“I’m also mindful of the next wave, which could be when you couple AI, quantum [computing] and cyber together,” he said.
Anthropic has made a preview version of Mythos available to a select group of companies involved in maintaining critical digital infrastructure, including Amazon, Microsoft, Apple, Google, CrowdStrike, Palo Alto Networks and JPMorganChase.
Dubbed Project Glasswing, the initiative is intended to help companies bolster their defences before AI-enabled cyberattacks are able to exploit what one expert described as infinite zero-day vulnerabilities. (A zero-day vulnerability is an undiscovered flaw in an application or operating system for which no patch or fix is yet available.)
Anthropic said Mythos has already found thousands of vulnerabilities, including in “every major operating system and web browser.”
Federal AI Minister Evan Solomon met with Anthropic officials on Tuesday and discussed Mythos, following a separate meeting between the company and representatives from Innovation, Science and Economic Development on Monday.
Mr. Solomon said afterward that Anthropic’s decision to limit the release of a preview version of Mythos was the “responsible” approach. His office did not answer follow-up questions about whether he pressed Anthropic to also provide access to Canadian companies and institutions.
Opinion: Canadian companies need access to Anthropic’s Mythos before hackers arrive
The AI Security Institute in Britain published an assessment of Mythos on Monday and found that it was more capable than other models at autonomously – that is, without being guided by humans at every step – exploiting software vulnerabilities, particularly in weakly defended systems. Researchers could not say for certain whether Mythos would be able to attack more robust systems, however.
Adam Evans, chief information security officer at Royal Bank of Canada, said Mythos attacks systems using the same pathways that human attackers do. What’s different is the speed and scale of those attacks, Mr. Evans said Friday during an event hosted by the Rogers Cybersecure Catalyst at Toronto Metropolitan University.
“It can attack, simultaneously, multiple weaknesses that it detects in the environments that it targets,” Mr. Evans said.
“There is a shift coming for everybody in that we have to be able to detect and respond in near-real time, at machine speeds, at an enterprise scale, which creates a tremendous amount of operational risk for an organization, because we are not prioritizing, testing, piloting, rolling out. This is about the mass deployment of fixes into the enterprise in very short time windows,” he added.