After Mythos: Rethinking Banking and Security for an AI‑Exposed World
Everybody is trying to remotely dissect Mythos from every technical angle. What matters now is what Mythos has revealed about both the global banking system and the security industry that protects it and what that means for how institutions are designed, how security is run and how the wider ecosystem responds.
For the first time, an AI system has been able to map vulnerabilities across interconnected financial infrastructures at a speed and scale that human adversaries could never match. It has shown that vulnerabilities, once treated as a low priority, isolated or theoretical, can be connected into feasible attack paths across banks, vendors and critical infrastructure. That does not just raise the threat level; it exposes a structural mismatch between how organizations and security functions are built, and the kind of risk environment they now inhabit.
Addressing that mismatch requires three major shifts: how we run and measure day‑to‑day operations, how we use AI and talent in defense, and how we govern cyber risk at a system level.
When KPIs meet Mythos: an operating model built for the wrong world
One of the clearest implications from Mythos is not just the list of vulnerabilities it surfaced, but the pressure it has placed on already stretched security teams. In many institutions, teams no longer believe they can meet their normal operational targets because such a large share of their capacity is being pulled into Mythos‑related work.
This looks less like a temporary spike and more like evidence that the current operating model and performance framework were built for a different world. Most large banks have grown through successive waves of strategy, regulation and technology, each adding systems, interfaces and obligations. KPIs were designed for that accumulated environment: keep availability high, keep incidents low, process volumes up, costs down. Security was expected to protect this machine while also enabling digital programs and regulatory change.
Mythos upends those assumptions. It shows that the number of plausible attack paths through an organization is far greater than previously assumed, and that the effort required to analyse, prioritize and mitigate those paths at scale is beyond what existing teams and processes were ever designed to handle.
If the same people are expected to maintain the same KPIs while absorbing the additional work Mythos has exposed, the organization is, in effect, raising its risk tolerance without acknowledging it. Something will give: perhaps hygiene tasks slip, monitoring slows, or recovery work is delayed.
The response cannot simply be to request more budget or another tool. It requires a redesign of how work, accountability and measurement are structured. That means re‑examining KPIs so they reflect realistic trade‑offs between ‘business as usual’ and continuous hardening; treating cyber resilience as a core element of operational design rather than a specialist overlay; and bringing technology, security, risk and operations together to prioritize based on critical services instead of organizational silos.
In short, Mythos forces a difficult but necessary question: are current organizational structures and KPIs still appropriate for an environment of connected, AI‑amplified risk – and if not, what are leaders willing to change?
AI, talent and the case for a new cross‑sector taskforce
Mythos also exposes a second uncomfortable truth: human‑only defense cannot keep pace with AI‑enabled discovery of vulnerabilities, yet poorly governed use of AI in defense can create new problems faster than it solves old ones.
Early experiments show that automated remediation can introduce fresh weaknesses the underlying model does not understand. These tools are powerful pattern recognizers, not flawless engineers. They do not naturally ask the right questions about business context, architectural dependencies or long‑term resilience. To navigate this, banks and their security partners need a new blend of capabilities and mindset, and, at sector level, a new kind of taskforce.
First, there must be a deeper, end‑to‑end understanding of how the organization actually works. Very few people genuinely grasp a bank’s processes, systems and dependencies from front to back. Yet that understanding is precisely what is needed to decide where AI can be safely applied, where manual control must be retained, and where deliberate break‑points or ‘kill switches’ should be built into critical processes. Without it, AI – or isolated teams – is being asked to manage risk in a system it only partially sees.
Second, there is a need for multidisciplinary teams that combine banking, security and AI expertise. This cannot be left to traditional functional silos. It requires people who can connect regulatory obligations, business services, threat models and AI capabilities into a coherent picture, and then redesign value streams and controls accordingly. Simply optimizing existing structures will not be enough; there has to be room for people who are prepared to challenge the assumptions those structures were built on.
Third, these capabilities need formal structures and real authority. Inside firms, that means elevating cross‑functional resilience and AI‑for‑security groups so they can shape investment and prioritization, rather than offering advice from the margins. Across the ecosystem, it points towards a permanent, cross‑sector taskforce: bringing together leading practitioners from banking, cybersecurity and AI, alongside offensive specialists who understand how determined attackers think and operate.
The objective is not another committee that produces reports, but a body with the mandate to experiment, test and recommend concrete changes to how organizations are designed and how AI is deployed in defense.
Beneath this sits a simple question: who will take responsibility for assembling this taskforce, giving its members license to think differently, and protecting them from being dragged back into the familiar patterns of firefighting and incremental change?
From static rulebooks to a living, collaborative defense of the system
Finally, by surfacing weaknesses across multiple institutions, Mythos has underlined that cyber risk in financial services has become a question of systemic stability and, potentially, geopolitical leverage. It is no longer just an internal governance issue.
The traditional regulatory model – where authorities analyse a development, consult for months, issue static rules and expect firms to comply – struggles in the face of a threat that evolves continuously and ignores institutional and jurisdictional boundaries.
Neither regulators nor individual banks can manage this alone. What is needed is a more agile, collaborative and continuous approach to governing cyber risk and AI in finance.
That implies ongoing collaboration rather than episodic consultation: permanent, cross‑ecosystem structures that include banks, regulators, central banks, critical infrastructure providers and leading security and AI experts. Their role would be to share intelligence, run joint exercises, and feed live insight into priorities and expectations, not just in the aftermath of a crisis but as part of day‑to‑day oversight.
It also implies ‘living’ guidance rather than one‑off rulebooks. Instead of relying solely on large, infrequent regulatory packages, supervisors would update expectations more like software releases – incremental, responsive and clearly versioned – so that the system can adapt as new information emerges from tools like Mythos.
Finally, there will need to be shared principles for controlling offensive‑grade AI. As Mythos‑class capabilities become more widespread, questions about who can develop, operate and distribute them will only become more pressing. The technology is clearly dual‑use: powerful for defense but potentially devastating in the wrong hands.
The underlying leadership challenge is straightforward to state and hard to answer: who will convene and sustain this new form of collective governance, and how quickly can we move from reacting to Mythos to anticipating whatever comes next?