Every bank deploying generative or agentic AI just lost its regulatory rulebook. The Fed, OCC, and FDIC amended model risk management guidance to clarify it doesn’t apply to those categories of AI. Anthropic’s Mythos put that gap under a spotlight: on April 7, Treasury Secretary Scott Bessent and Fed Chair Jerome Powell convened an emergency meeting with big-bank CEOs over the model’s cybersecurity implications.
Mythos was built to identify and eventually patch software vulnerabilities. Anthropic CEO Dario Amodei acknowledged Tuesday it creates “a moment of danger” by exposing those vulnerabilities in the process. JPMorgan Chase CEO Jamie Dimon, who missed the Bessent-Powell session, said cyber risk has been JPMorgan’s biggest risk “for years” and that AI made it worse.
Fed Vice Chair for Supervision Michelle Bowman put the regulatory gap plainly at a Financial Stability Oversight Council roundtable: the existing risk-management framework “may not be the right fit to assess AI.” She’s calling for industry feedback to help shape what comes next. Banks of all sizes have flagged concern about Mythos access, and regulators are actively refining their cybersecurity approach.
Dimon wants Amodei to publish more technical detail so institutions can build real mitigation plans. He hasn’t gotten it.
Audit your model inventory this week. Anything classified as generative or agentic falls outside the amended guidance. Your legal and compliance team needs to know which framework they’re actually using, because it’s not the one the Fed just updated.
— Nathan Zakhary