The Asymmetry the Advisory Does Not Address
An earlier note in this series examined the April 30 CISA/NSA/Five Eyes joint advisory "Careful Adoption of Agentic AI Services" - five risk categories for organizations deploying agentic AI systems, covering privilege escalation, design and configuration exposure, behavioral unpredictability, structural dependencies, and accountability gaps. The advisory is a careful document. It addresses the risks that accrue to any organization that deploys an agentic system. It does not address what happens when a small subset of organizations gains access to a capability that materially changes the security posture of every organization that does not.
That gap is now a live regulatory question.
Access as a Structural Variable
On April 7, 2026, Anthropic announced Claude Mythos Preview via its research blog at red.anthropic.com. The model sits above the Opus tier in Anthropic's frontier lineup. Its documented capabilities include autonomous identification and exploitation of zero-day vulnerabilities across major operating systems and web browsers. Access is restricted to approximately fifty partner organizations through a program Anthropic calls Project Glasswing. The model is listed on Anthropic's system cards and Transparency Hub as of April 2026.
Among the Glasswing partners: JPMorgan Chase (the only named bank in the initial launch), later joined by Goldman Sachs, Citigroup, Bank of America, Morgan Stanley, and BNY Mellon, confirmed through a Reuters wire report on May 12, 2026 by Azhar, Bautzer, Price, and Canepa, and via earnings-call disclosures as reported by S&P Global Market Intelligence on May 15, 2026. The Reuters story describes banks running Mythos against their own infrastructure and patching, in days, vulnerabilities that had previously required weeks to address.
The April 30 advisory's five risk categories are organized around the deploying organization as the unit of analysis. Each category asks: what risk does this organization face by running an agentic system? That framing is correct for the world in which AI capabilities are broadly and evenly distributed. It is incomplete for the world that Glasswing created: one in which the capability to autonomously discover unknown vulnerabilities in production systems is available to a named list of organizations, and not to the rest.
When access to a capability of that kind is unevenly distributed, the regulatory question does not disappear. It migrates. It shifts from "is your AI safe to operate" to "is your access to AI sufficient for the supervisory standard that regulators will eventually set."
What Glasswing Does and Does Not Solve
The restricted-access model reflects a considered judgment. Anthropic's own classification of Mythos under RSP v3.0 CB-1 risk controls - documented on its system cards page - signals that the company treated this capability as qualitatively different from prior releases. Limiting access to a vetted partner set is a defensible approach to a system that produces working exploits for unknown vulnerabilities. The alternative - broad API release - carries obvious systemic risk.
But Glasswing's defensive value is bounded by its membership list.
Banks inside Glasswing can identify vulnerabilities in their own systems before adversaries do - or at least faster than they could before. The Reuters reporting is specific: remediation timelines compressed from weeks to days. That is a material security improvement for the institutions on the list. The Federal Reserve speech delivered by Vice Chair Bowman on May 1, 2026 confirms that Treasury Secretary Bessent and Fed Chair Powell convened the largest U.S. banks specifically to discuss Mythos and its cybersecurity implications. The meeting's occurrence - at that level, with that urgency - is itself a data point about how regulators read the capability gap.
Banks outside Glasswing patch vulnerabilities on the old timeline: waiting for disclosure, then waiting for vendor remediation, then scheduling the work. That timeline has not changed. What has changed is that the adversary population now includes at least some state actors and well-resourced criminal organizations who may possess parallel capabilities - systems that can find the same zero-days Glasswing banks are finding. The BBC's April 17, 2026 coverage of the IMF meetings noted Bank of England Governor Bailey's public warnings about Mythos alongside Barclays CEO CS Venkatakrishnan's and the Canadian Finance Minister's statements - a cross-border regulatory chorus that underscores that the asymmetry is not perceived as a U.S.-only problem.
The perimeter of the defensive advantage is now defined by a list. Everything outside the list patches on the old schedule.
The Regulatory Gap the OCC Did Not Close
On April 17, 2026 - the same day the BBC ran its Mythos coverage - the OCC published revised model risk management guidance co-issued with the Federal Reserve and FDIC. The revised guidance explicitly excludes generative and agentic AI systems from its scope and announces that AI-specific guidance is forthcoming.
That announcement is notable for what it defers. The OCC's existing model risk framework was designed for statistical models: scoring models, pricing models, stress-testing models. The validation and documentation requirements assume a model that produces determinate, auditable outputs from defined inputs. An agentic system that autonomously traverses infrastructure, identifies vulnerabilities, and triggers remediation workflows does not fit that frame. The OCC's decision to exclude agentic AI from the current guidance while promising new guidance is a candid acknowledgment that the supervisory tools do not yet match the operational reality.
What the OCC guidance does not address - and what the April 30 advisory also does not address - is the question of access disparity. Neither document provides a framework for evaluating whether an institution's security posture is adequate given the existence of asymmetrically distributed adversarial and defensive capabilities. Neither document tells a non-Glasswing institution what standard it must meet if some of its counterparties and competitors are patching on a fundamentally different timeline.
The congressional letter sent to ONCD on May 13, 2026 makes the coordination gap explicit. Signed members requested that ONCD convene a federal-industry process specifically for AI-discovered vulnerability coordination, citing systems of the Mythos capability class and the lack of any existing mechanism for ensuring that findings made by frontier AI systems reach the institutions that cannot make the same findings themselves.
The letter frames this as a gap in disclosure infrastructure. It is also a gap in supervisory infrastructure.
The Attestation Problem
The April 30 advisory's fifth risk category - Accountability - addresses the challenge of attributing actions taken by an agentic system. The advisory asks: when an agent acts, who is responsible, and how is that established?
In the banking context, that question surfaces a specific problem that the Reuters story illustrates without fully naming. The wire report describes banks running Mythos against their own systems and finding vulnerabilities. It does not describe how a bank's examiner distinguishes a Mythos-attributed finding from a finding produced by a conventional red-team engagement, a third-party penetration test, or a different AI tool. It does not describe what documentation standards apply to a Mythos-generated vulnerability report submitted to a supervisor during an examination.
This is not a hypothetical concern. Model risk management in banking has for decades required that institutions document what a model does, validate that it does it correctly, and explain why its outputs were accepted or rejected. When the same model class can both discover a vulnerability and generate the code to remediate it - a capability Anthropic's system card materials gesture at - the documentation requirement becomes more complex, not less. Which version of the model produced the finding? With what context window? Under what operator configuration? Against which system state?
The S&P Global Market Intelligence reporting from May 15, 2026 notes that ENISA has been engaged on these questions at the European level. The engagement signals that supervisory bodies recognize the problem. It does not signal that they have resolved it.
The accountability category in the April 30 advisory names the structural issue. It does not address the specific form that accountability must take when an agentic system is operating inside supervised financial infrastructure - let alone the form that accountability takes when the regulator cannot verify the finding's provenance because it lacks access to the system that produced it.
The Coordination Problem Underneath
The Deloitte Insights guidance published May 14, 2026 addresses accelerating remediation for banks - how to compress timelines, prioritize findings, and integrate AI-driven vulnerability outputs into existing patch management workflows. It is a practical document aimed at institutions that already have the access. It does not address the institutions that do not.
The congressional letter's request for a federal-industry coordination process - and the ONCD's silence on the mechanism so far - points at a structural gap that neither the advisory nor the OCC's placeholder guidance fills: there is no defined process for ensuring that AI-discovered vulnerabilities of systemic relevance reach institutions that cannot discover them independently. The information sharing infrastructure for traditional vulnerability disclosure - CVEs, ISACs, CISA advisories - was built around a world in which vulnerability discovery was a slow, human-intensive process. A system that discovers vulnerabilities in production infrastructure autonomously, at machine speed, does not fit that process without modification.
The CNBC coverage from May 8, 2026, which documented expert pushback on what it characterized as "Mythos cybersecurity hysteria," is worth noting for what the pushback was not: the expert skeptics did not dispute that the access asymmetry existed. They disputed the severity of the near-term risk. The structural question - whether the regulatory and coordination infrastructure is adequate for a world in which a model of this capability class exists and is unevenly distributed - was not engaged by either side of that debate.
The Open Question
The April 30 advisory is a framework for the deploying organization. The OCC guidance defers the agentic AI question to future guidance. The congressional letter requests a process that does not yet exist. The Federal Reserve speech confirms that the largest institutions and their regulators are aware of the capability and have engaged on it at the highest level. ENISA is engaged at the European level.
What none of these documents address is the threshold question: at what point does the gap between Glasswing institutions and non-Glasswing institutions become a supervisory variable? At what point does a regulator ask a non-Glasswing bank not just "how did you manage your AI risk" but "how did you manage your exposure to AI-discovered vulnerabilities in systems you cannot autonomously audit?"
That question is not in any current guidance. It is not foreclosed by any current guidance either.
The deeper structural issue - the one that neither accelerated patching programs nor disclosure coordination mechanisms fully address - is one of decision-making speed. When machine-speed systems operate on both sides of a security posture, the supervisory frameworks that were designed around human-speed disclosure cycles and examination schedules face a timing problem. Whether instrumented oversight can operate at the speed of the loops it is meant to oversee remains the unanswered question underneath every document cited above.