Bank of England Governor Andrew Bailey delivered a blunt message in Reykjavík. British banks still cannot access Anthropic’s advanced AI model designed to hunt software vulnerabilities. The tool, known as Mythos, promises to uncover bugs faster than human experts. Yet concerns over its power have delayed rollout. Bailey made the comments during an interview with Bloomberg Television on the sidelines of a conference. He noted that banks continue testing defenses with other models while access to this one remains blocked.
The delay stems partly from Glasswing phase two. That initiative has been in development for about six weeks. Bailey suggested it has become entangled with processes under the current U.S. administration. “Given our concerns about the risks involved in this it is really important there is access,” he said. The remark highlights tension between innovation and control. One side sees potential for stronger defenses. The other fears what happens when such capability lands in the wrong hands.
But Bailey did not stop at access issues. He called for something broader. “What I would say is that the spillovers from this sort of cyber risk are so big that we can’t just have a single sort of national approach towards dealing with the consequences and mitigating it,” Bailey told Bloomberg’s Stephanie Flanders. “There’s got to be an international approach to this.” Short sentence. Direct. And it captures the shift now underway among regulators who once focused on domestic rules.
This stance aligns with work already in motion at the Bank of England. Its CBEST program, updated in the 2025 thematic review, explicitly supports cross-jurisdictional testing. The framework allows assessments to run alongside those of regulators in other countries. It draws on threat-led penetration testing that mirrors real adversarial behavior. “In line with the growth of threat-led penetration testing (TLPT) frameworks around the world, CBEST remains a highly effective regulatory assessment tool that can be used on a cross-jurisdictional basis with other international regulators and frameworks,” the Bank of England report states (Bank of England, January 2026).
Internationally, similar approaches are spreading. Regulators look to the G7 Fundamental Elements for guidance. That alignment promotes consistent standards and easier cooperation across borders. The Bank works jointly with the Prudential Regulation Authority, the Financial Conduct Authority and the National Cyber Security Centre. Their combined efforts produce anonymized reports shared across the industry. Lessons from one test strengthen many firms. No single institution can shoulder the load alone. Not when attacks target interconnected payment systems, cloud providers and supply chains that ignore national lines.
Recent developments have sharpened the urgency. In April, Bailey warned that Mythos could “crack the whole cyber risk world open.” He made the comment at Columbia University in New York. The model’s ability to discover unknown vulnerabilities at speed and scale changes the threat picture. Banks using legacy systems appear especially exposed. Anthropic has declined to release the model publicly. It has instead agreed to brief the Financial Stability Board, which Bailey chairs. The session will cover capabilities and risks (Reuters, May 2026).
UK authorities responded with joint guidance. On May 15 the Financial Conduct Authority, Bank of England and HM Treasury issued a statement on frontier AI models and cyber resilience. They warned that these systems can exceed skilled human capabilities in speed, scale and cost. Firms that underinvest in basic security face greater danger. Boards must understand the risks. Strategies need to reflect them in budgets, insurance and priorities. Identification of vulnerabilities must happen faster and more often, often through automation. Third-party dependencies require close monitoring, especially when models pull from external libraries. Protection layers should include stronger access controls, network segmentation and AI-driven defenses of their own. Response and recovery plans must allow quick restoration. The statement points firms to effective practices published by the Bank, PRA and FCA in October 2025 (FCA, May 2026).
These steps build on years of quieter preparation. The Bank has long run cyber stress tests and sector-wide exercises through the Cross Market Operational Resilience Group. SIMEX simulations test collective recovery. CBEST assessments use real threat intelligence from accredited providers. Results feed into supervisory priorities. Yet the arrival of frontier AI forces a rethink. What worked against conventional attacks may prove insufficient against tools that generate novel exploits in minutes.
Global bodies are taking notice. The Financial Stability Board, G7 cyber expert groups and BIS initiatives all emphasize coordination. Central banks share intelligence on tactics, techniques and procedures. They map them to frameworks like MITRE ATT&CK. Consistency matters. A vulnerability patched in London but ignored in another jurisdiction can become the entry point for systemic disruption. Spillovers do not respect borders. Neither should the response.
Industry observers see the pattern. Cyber incidents have climbed in frequency and sophistication. Ransomware gangs operate as businesses. State actors blend espionage with disruption. Third-party failures cascade quickly. The Investing.com report that first highlighted Bailey’s latest comments captured the core tension. National efforts continue. They cannot suffice (Investing.com, May 2026).
So regulators push forward on two tracks. They tighten domestic expectations. Firms must demonstrate resilience under operational rules. At the same time they expand international dialogue. Cross-border CBEST tests represent one practical step. Briefings to the FSB on tools like Mythos represent another. Both aim to close gaps before attackers exploit them.
Bailey’s message carries weight because he chairs the FSB. His words signal direction for global financial oversight. They also reflect realism. No regulator controls every variable. Technology moves faster than rules. Cooperation offers the best chance to keep pace. Banks, for their part, cannot wait. They test what they can access today. They prepare for what arrives tomorrow. The question is whether governments and supervisors can align quickly enough to match the pace of both innovation and threat.
Recent reports reinforce the point. The World Economic Forum’s Global Cybersecurity Outlook 2026 examined AI adoption and readiness gaps. Disparities widen. Those who invest pull ahead. Those who lag become targets. Central banks and supervisors increasingly view cyber risk as a stability issue, not merely an operational one. That framing demands the multinational approach Bailey advocates. Anything less leaves the system exposed at its weakest link.
Bank of England Governor Bailey Pushes Global Coordination as AI Cyber Tools Like Mythos Expose Financial System Gaps first appeared on Web and IT News.