Jamie Dimon says Anthropic’s Mythos reveals ‘a lot more vulnerabilities’ for cyberattacks

Jamie Dimon, the influential chief executive officer of JPMorgan Chase & Co., delivered a stark warning on Tuesday, indicating that while artificial intelligence (AI) tools hold immense promise for bolstering defenses against cyberattacks in the long run, they are currently exacerbating vulnerabilities within the financial sector. His remarks, made during the bank’s quarterly earnings call, underscored a growing apprehension among industry leaders regarding the immediate challenges posed by rapidly advancing AI technologies. Dimon’s comments arrive amidst a heightened period of concern regarding cyber resilience, particularly after Treasury Secretary Scott Bessent convened a meeting with leading bank CEOs just last week to discuss these very risks, prominently featuring a powerful new AI model from Anthropic.

The discourse around AI’s dual nature in cybersecurity has been intensifying across industries, but its implications for the financial sector are uniquely profound due to the critical infrastructure it represents and the vast sums of capital it manages. Financial institutions are consistently among the most targeted entities by cybercriminals, nation-state actors, and hacktivist groups, with the average cost of a data breach in the financial sector significantly exceeding the cross-industry average. According to IBM’s 2023 Cost of a Data Breach Report, the financial industry faced an average breach cost of $5.9 million, a testament to the high stakes involved. The introduction of sophisticated AI tools into this already volatile landscape presents both an opportunity for innovation and a formidable new layer of risk.

The Immediate Threat: AI as an Offensive Weapon

Dimon articulated the immediate challenge with unreserved clarity. "AI’s made it worse, it’s made it harder," he told analysts, adding, "It does create additional vulnerabilities." This perspective aligns with analyses from cybersecurity experts who have observed a rapid evolution in offensive cyber capabilities, partly fueled by accessible generative AI models. These models can be leveraged by malicious actors to create highly convincing phishing emails, generate sophisticated malware variants that evade traditional detection, and even automate parts of the reconnaissance and exploitation phases of an attack. The ability of AI to rapidly analyze vast datasets to identify weaknesses, craft tailored social engineering schemes, and produce polymorphic code represents a paradigm shift in the attacker’s toolkit.

JPMorgan Chase, as one of the world’s largest financial institutions, is at the forefront of grappling with these emerging threats. Dimon confirmed that the bank is actively testing Anthropic’s latest model, known as the Mythos preview, which was announced by the AI firm just the previous week. This engagement is part of JPMorgan’s broader strategy to harness the benefits of AI while simultaneously developing robust defenses against its misuse. When pressed by a reporter about Mythos, Dimon alluded to Anthropic’s own findings regarding the model’s capabilities. Anthropic had warned that Mythos, in its testing phase, had already uncovered thousands of previously undetected vulnerabilities in corporate software. "I think you read exactly what is it," Dimon stated, underscoring the gravity of the findings. "It shows a lot more vulnerabilities need to be fixed."

This revelation from Anthropic, a leading AI research company, serves as a significant wake-up call for the industry. While the primary intent of such models is often to aid in defensive "red-teaming" – simulating attacks to find weaknesses before adversaries do – the very existence and capability of Mythos demonstrate the powerful offensive potential of advanced AI. It confirms that the technological gap between defenders and attackers is dynamic, with AI providing new avenues for both.

A Proactive Regulatory Stance: The Treasury Meeting

The urgency surrounding AI’s cybersecurity implications was further underscored by the meeting convened by Treasury Secretary Scott Bessent last week. This high-level gathering brought together CEOs from major U.S. banks to specifically address the risks posed by advanced AI, with particular focus on models like Mythos. Such proactive engagement from a key government body like the Treasury Department highlights the recognition at the highest levels of government that AI-driven cyber threats are not merely a corporate IT issue but a matter of national financial stability.

The chronology of events reveals a rapid escalation of concern:

• Early 2020s: Growing adoption of AI across various industries, including finance, for efficiency and data analysis. Simultaneously, cybersecurity experts begin to theorize and demonstrate AI’s potential for offensive cyber operations.
• Late 2025/Early 2026: Advanced generative AI models demonstrate unprecedented capabilities in language, code generation, and vulnerability discovery, making headlines.
• Week of April 7, 2026: Anthropic publicly announces its Mythos preview model, detailing its ability to uncover thousands of software vulnerabilities, signaling a new era of AI-powered cyber tools.
• April 10, 2026: Treasury Secretary Scott Bessent summons U.S. bank CEOs to discuss AI-related cybersecurity risks, directly mentioning Mythos, indicating deep government concern.
• April 14, 2026: JPMorgan Chase CEO Jamie Dimon publicly confirms the bank’s testing of Mythos and warns of AI’s current exacerbation of cyber vulnerabilities during the bank’s Q1 earnings call.
• April 15, 2026: Goldman Sachs CEO David Solomon also confirms his bank’s testing of Mythos during their earnings call, echoing the industry’s cautious engagement with the technology.

This rapid sequence of events indicates that the financial sector and its regulators are acutely aware of the immediate threat landscape. The Treasury’s intervention signals a potential push for greater inter-agency collaboration, industry-wide standards, and perhaps even new regulatory frameworks to manage AI-specific cyber risks. It underscores the "too big to fail" principle applied to cybersecurity – a systemic breach could ripple through the global financial system, causing widespread economic disruption.

JPMorgan’s Multi-faceted Defense Strategy

For years, JPMorgan Chase has been renowned for its substantial investments in technology and cybersecurity. Dimon reiterated this commitment, stating, "We spend a lot of money. We’ve got top experts. We’re in constant contact with the government. It’s a full-time job, and we’re doing it all the time." The bank’s approach involves a multi-layered defense strategy, encompassing cutting-edge technological solutions, a highly skilled workforce, and continuous engagement with government agencies and intelligence communities to share threat intelligence and coordinate responses.

However, Dimon also highlighted that the risks extend beyond the perimeter of any single institution, given the intricate and interconnected nature of the global financial system. "That doesn’t mean everything that banks rely on is that well protected," he warned. "Banks are attached to exchanges and all these other things that create other layers of risk." This speaks to the concept of systemic risk, where a vulnerability or breach in one part of the ecosystem – a third-party vendor, a payment processor, or a critical financial market utility – could cascade, impacting numerous institutions and ultimately the broader economy. This interconnectedness makes collaborative defense and shared intelligence paramount.

Jeremy Barnum, JPMorgan’s Chief Financial Officer, further elaborated on the industry’s long-standing awareness of AI’s dual utility in cybersecurity. "These tools can make it easier to find vulnerabilities, but then also potentially be deployed by bad actors in attack mode," Barnum explained on the earnings call. He clarified that recent advancements from companies like Anthropic have not fundamentally changed this understanding but have rather intensified an existing trend, pushing the boundaries of both offensive and defensive capabilities.

Beyond AI: The Enduring Importance of Cybersecurity Hygiene

Amidst the discussions of advanced AI models and sophisticated threats, Dimon also brought the conversation back to fundamental cybersecurity practices, emphasizing that "old-school" hygiene remains critically important. "A lot of it is hygiene… how do you protect your data? How do you protect your networks, your routers, your hardware, changing your passcode?" he queried. "Doing all those things right dramatically reduces the risk."

This perspective underscores a crucial point: while AI introduces novel threats and offers powerful new defensive tools, many successful cyberattacks still exploit basic security weaknesses, human error, or a lack of adherence to best practices. Strong authentication, regular software updates, network segmentation, employee training, and incident response planning are foundational elements that, when neglected, can render even the most advanced AI-powered defenses less effective. The human element, both as a potential vulnerability and a critical line of defense, remains indispensable.

Industry Reactions and Broader Implications

JPMorgan is not alone in its cautious embrace of AI. Goldman Sachs CEO David Solomon confirmed on Monday during his bank’s earnings call that they too were testing Mythos, though he declined to elaborate further. This shared sentiment across major financial institutions indicates a collective recognition of the transformative, yet perilous, phase the industry is entering. The cautious but active engagement with tools like Mythos suggests a proactive approach to understanding and mitigating risks rather than simply reacting to them.

The implications of AI’s role in cybersecurity extend far beyond individual banks. Regulators globally are grappling with how to effectively supervise AI adoption while mitigating its inherent risks. Frameworks like the NIST AI Risk Management Framework, and emerging regulations in the EU and other jurisdictions, aim to provide guidelines for responsible AI development and deployment. However, the rapid pace of AI innovation often outstrips the ability of traditional regulatory processes to keep pace.

Furthermore, the rise of AI-powered cyber threats necessitates greater collaboration between the private sector, government agencies, and academic researchers. Sharing threat intelligence, developing common standards, and investing in advanced cybersecurity research become even more critical. The financial sector, by virtue of its importance, often serves as a testing ground for both advanced cyber threats and innovative defensive strategies. The lessons learned here will inevitably inform cybersecurity practices across other critical infrastructure sectors.

In conclusion, Jamie Dimon’s recent remarks serve as a potent reminder that the age of artificial intelligence, while promising unprecedented advancements, also ushers in a new era of complex and rapidly evolving cyber threats. For the financial sector, a prime target for malicious actors, navigating this dual-edged sword requires colossal investment, relentless vigilance, strong foundational security, and unparalleled collaboration across the industry and with government partners. While AI holds the potential to build more robust cyber defenses in the future, the immediate challenge lies in addressing the vulnerabilities it currently creates, demanding a strategic, comprehensive, and adaptive response from all stakeholders to safeguard the integrity and stability of the global financial system.