Skip to main content
Cybersecurity

IMF Warns AI Exacerbates Cyber Risk to Financial Stability

Modern financial district with sleek skyscrapers and a laptop in the foreground.

"Cyber risk does not respect borders," the International Monetary Fund warned in a May 7 blog post — a line that frames the fund's central finding: artificial intelligence has transformed cyber risk into a potential financial‑stability threat for the global banking and payments system.

IMF: AI changes the contours of systemic cyber risk

The IMF told readers that AI lowers the barrier to entry for attackers, accelerates the pace of attacks, and amplifies the systemic implications because much of finance runs on shared digital infrastructure — software, cloud providers and payment networks. The fund highlighted a stark scenario: a single vulnerability discovered and exploited across dozens of institutions could be devastating for the global financial ecosystem.

Anthropic's Project Glasswing and Claude Mythos: defensive access, offensive power

Anthropic has given limited access to its Claude Mythos Preview model through Project Glasswing to a select group of organizations so they can find and patch zero‑day vulnerabilities before the model is released more widely. The preview model has uncovered thousands of previously unknown vulnerabilities, many of which had survived decades of code review. Anthropic's decision to gatekeep Mythos is deliberate: the offensive capabilities that make Mythos dangerous in the wild are the same capabilities that enable stronger defenses.

OpenAI Daybreak and commercial cooperation with enterprise defenders

Industry defenders are moving in parallel. OpenAI announced Daybreak, an AI vulnerability scanning initiative run on GPT 5.5 and GPT 5.5 cyber versions, and named enterprise partners including Cloudflare, Cisco, CrowdStrike, Oracle and Zscaler. Daybreak is presented as a tool to "accelerate cyber defenders and continuously secure software," reflecting a wave of new vendor efforts that embed AI across enterprise security stacks.

Forrester's Allie Mellen: uneven access, patching tempo, and a disagreement with the IMF

Allie Mellen, principal analyst at Forrester, told the source that financial services firms are "pretty much leading the charge" on addressing AI‑related vulnerabilities because of compliance requirements, the elevated cost of breaches, and direct executive attention. But she warned that access to cutting‑edge AI capabilities "is size‑dependent" — regional banks, credit unions and smaller firms face the same threat environment as JPMorgan with a fraction of security resources.

Mellen emphasized a practical shift: the tempo of vulnerability discovery will require more frequent patching and faster triage than the old rhythm of periodic Patch Tuesdays. Critically, she pushed back on one of the IMF's policy recommendations. While the IMF encourages policymakers to prioritize resilience — accepting that breaches will occur and focusing on containment and recovery to prevent local incidents from becoming systemic — Mellen argued institutions without growing security teams should prioritize detection and prevention now. "I would put as much as you can, especially now, into establishing appropriate prevention capabilities," she said, including better understanding of attack surfaces and more dynamic workflows that produce higher‑quality detections.

Geopolitics, regional AI models, and the uneven geography of access

The IMF and Mellen both connected AI risk to geopolitical fragmentation. Anthropic limited Mythos access in certain geographies; the source names emergent regional models such as China's DeepSeek, Mistral AI in Europe, ChatGPT and Claude in the United States. The IMF warned that as countries build regional models and as geopolitics shifts, boards and executives should factor geopolitical risk into operational decisions — for example, how a public statement or a government contract could make an enterprise a target.

What this means for regional banks, policymakers, and AI vendors

  • Regional banks and credit unions: Expect to face faster discovery of vulnerabilities and a need to accelerate patching and preventive controls despite smaller security staffs; access to cutting‑edge defensive AI is uneven.
  • Policymakers and regulators: The IMF frames policy toward resilience and systemic containment, but the industry debate includes calls to prioritize prevention and detection operationally where workforce limits exist.
  • AI vendors and enterprise defenders: Projects like Project Glasswing and Daybreak illustrate a dual track — tightly governed early access to powerful models for defenders, alongside commercial efforts to embed AI into continuous scanning and remediation workflows.

The IMF's hypothetical worst‑case — a single bug that can be exploited across many institutions — remains theoretical but consequential. The immediate, practical challenge is real: faster discovery of vulnerabilities, uneven access to defensive AI tools, and the need for either more resilient containment plans or stepped‑up prevention investments. Anthropic's Mythos previews and OpenAI's Daybreak offer defenders early levers; whether firms and policymakers use them to narrow the gap between large and small institutions will help determine whether the coming years are a period of weathered risk or systemic surprise.

Original story