Canada's OSFI Warns Banks That Claude Mythos Could Shrink Cyber Response Windows
Canada's banking regulator has privately warned major banks that Claude Mythos and similar frontier AI models are shrinking the time institutions have to detect and patch vulnerabilities, a signal GCC compliance teams should expect regulators closer to home to echo soon.

Illustration of a bank security operations centre representing AI driven cyber risk to financial institutions, referencing Canada's OSFI warning on Claude Mythos.
Canada's federal banking regulator has become the latest financial watchdog to formally flag the cybersecurity risks posed by Anthropic's Claude Mythos, warning the country's largest banks and insurers that advanced AI models are compressing the window defenders have to patch vulnerabilities before attackers exploit them.
According to documents obtained through an access to information request, the Office of the Superintendent of Financial Institutions (OSFI) sent an email in April to chief technology officers, chief information security officers and chief risk officers across Canada's banking and insurance sectors. The email named Claude Mythos specifically as an example of a model capable of eroding the traditional patch cycle that security teams rely on.
OSFI told executives that such systems "significantly compress the timeframe for effective risk mitigation," and said its forthcoming guidance was designed to help institutions speed up how quickly they identify, contain and respond to emerging threats. The regulator has since followed up with a public bulletin on generative and agentic AI, describing its approach as technology neutral and focused on how institutions govern the risk rather than on any single vendor or model.
The warning lands as regulators globally race to work out what frontier AI models capable of autonomous vulnerability discovery mean for critical infrastructure. The shrinking gap between vulnerability discovery and exploitation has already been flagged as one of the defining cyber risks of 2026, a concern the IMF has separately tied to systemic financial stability, warning that AI accelerated attacks on shared banking infrastructure could cascade into liquidity and solvency problems well beyond a single institution.
Canadian bank executives met with regulators in early April to discuss the risk, shortly after senior US officials held a similar urgent meeting with major American bank chief executives. Three of Canada's largest lenders, Royal Bank of Canada, TD Bank and BMO, have all outlined plans to expand their own AI investment, while Scotiabank, CIBC and National Bank have disclosed separate AI initiatives of their own.
Ottawa has said it holds access to Anthropic's Project Glasswing, the controlled access programme through which a limited number of organisations can use Mythos class models, though it remains unclear whether any Canadian bank is using it directly. Banks approached for comment deferred to the Canadian Bankers Association, which said the sector continues to invest heavily in cyber defence and complies with OSFI's existing requirements on risk management and incident reporting.
The episode reflects a broader pattern security vendors have been racing to address all year, as the contest to build the defining AI native security platform intensifies alongside the threat itself. Speaking in June, one Canadian bank's AI lead said the shift in the attack landscape meant organisations had to build their own AI defences at the same pace attackers are building offensive tools.
For GCC financial institutions watching from outside Canada's regulatory perimeter, the OSFI bulletin is a useful early signal of where prudential supervisors elsewhere are likely to land. Gulf regulators have already begun reflecting AI accelerated cyber risk in their own supervisory expectations, and a Canadian regulator formally naming a specific frontier model in guidance to its banks suggests the conversation is moving from abstract risk framing to concrete, vendor level scrutiny, a shift GCC compliance teams should expect to see mirrored locally before long.
Layla Haddad
Cyber Policy & Digital Risk CorrespondentLayla Haddad covers cybersecurity regulations, data protection laws, and digital transformation initiatives across GCC and North Africa. She has worked closely with compliance teams, fintech startups, and government advisory groups. Her articles explore how cyber policy, AI governance, and privacy frameworks shape the region’s digital future.