Barclays CEO warns Anthropic's Mythos AI model poses a serious systemic threat to global banking as Anthropic enters EU regulatory dialogue on cyber security models
Barclays Chief Executive C. S. Venkatakrishnan has publicly described Anthropic's frontier AI model Mythos as a serious threat to the global banking system, adding that it is likely to be followed by even more powerful cyber threats. The statement, made in Washington, marks a significant escalation in senior banking leadership's public engagement with AI-specific systemic risk — framing an AI model not merely as a tool but as an active threat vector. Separately, the European Commission confirmed that Anthropic is in active discussions with Brussels on its range of AI models, including its cyber security models, which are not yet available in the EU. Anthropic has already committed to respect the EU's General Purpose AI (GPAI) code of practice, a voluntary framework under the EU AI Act that applies to developers of large-scale foundation models. The convergence of these two stories creates a clear legal architecture: Barclays's concerns map directly onto the EU AI Act's systemic risk provisions, which require GPAI model developers to conduct adversarial testing, report serious incidents, and maintain cybersecurity protections specifically designed to prevent their models from being used to destabilise critical infrastructure — including financial services. For UK lawyers, the UK AI Safety Institute and the FCA's own model risk guidance become directly relevant as the question of AI-generated cyber threats to banks moves from theoretical to board-level concern.
Why this matters
The Barclays CEO's statement transforms AI cyber risk from a compliance checkbox into a boardroom priority, generating immediate demand for legal advice on AI governance frameworks, incident reporting obligations under the EU AI Act, and the intersection of AI risk with existing PRA (Prudential Regulation Authority) operational resilience requirements. Anthropic's EU engagement on its cyber security models signals that the GPAI code of practice is becoming a live regulatory instrument rather than a theoretical framework — law firms advising AI developers and financial services clients will need to build expertise in both. The 'why now' is the deployment of genuinely frontier models with documented capability for cyber offence: Mythos represents the first time a specific named AI model has been identified by a major bank CEO as a systemic risk.
On the Ground
A trainee working on an AI governance matter for a financial services client would assist with AI governance policy drafting — mapping the client's internal AI use cases against EU AI Act classification requirements — and prepare regulatory impact assessment memos on how the GPAI systemic risk provisions apply to models the client is procuring or deploying. They would also mark up data processing agreements with AI vendors to ensure contractual protections against adversarial model misuse.
Interview prep
Soundbite
When a FTSE 100 bank CEO names a specific AI model as a systemic financial threat, the EU AI Act's incident reporting regime becomes urgent — not theoretical.
Question you might get
“Under the EU AI Act, what obligations apply to a company like Anthropic as a developer of a general-purpose AI model with systemic risk classification, and how would those obligations be enforced against a US-headquartered company?”
Full answer
Barclays CEO C. S. Venkatakrishnan has named Anthropic's Mythos model as a serious systemic threat to global banking, while Anthropic is simultaneously in dialogue with the European Commission on its cyber security AI models under the EU AI Act's GPAI framework. This matters because it collapses the distance between AI regulation theory and banking operational resilience practice: the EU AI Act's systemic risk provisions — requiring adversarial testing and incident reporting for frontier models — were designed precisely for scenarios where AI capabilities could destabilise critical financial infrastructure. The wider picture is that the GPAI code of practice, which Anthropic has committed to, will now be stress-tested by real-world concerns from major financial institutions. This suggests that the intersection of AI regulation and financial services risk will be one of the most active areas of legal advisory work in 2026 and 2027.
Sources
My notes
saved