Cybersecurity & Sovereignty  ·  20 May 2026

The Gatekeeper is in Washington; the Gates are in the City

The Bank of England has been briefing Britain’s financial sector on a threat they cannot defend against. The capability they need is real, verified, and available -- to American companies, under American political control. That is not a technology problem. That is a sovereignty problem.
By Alan Wright  ·  The Haunted Lighthouse Limited  ·  Peel, Isle of Man

The Bank of England has spent recent weeks assembling Britain’s major financial institutions to brief them on a specific threat: an AI system capable of independently discovering security vulnerabilities and planning attacks that would take a human professional days to execute. The briefings were thorough, the concern genuine, and the timing deliberate.

The institutions being warned cannot access the system being described. That access was revoked by the White House.

In April 2026, Anthropic had been preparing to expand access to Mythos Preview -- its most capable cybersecurity AI -- to a second cohort of organisations including British banks. The Trump administration intervened and ordered the company to restrict that expansion. The rollout was cancelled. The banks remained outside the access perimeter. The briefings continued anyway, because the threat did not pause for the politics.

Anthropic’s UK head Pip White, in comments reported this week, described the company as still in a “learning phase” with an initial group of US businesses. That initial group -- Microsoft, Apple, JP Morgan and a handful of others -- retained their access. Britain’s financial sector did not make the cut, and now cannot.

This is not a failure of UK institutions. The Bank of England acted correctly. The banks engaged through legitimate channels. Britain’s AI Security Institute, which sits adjacent to NCSC, evaluated Mythos and reported a “notable capability jump” over existing cyber tools -- meaning the government’s own AI security body has access, has assessed what it can do, and has presumably briefed accordingly. The sector being protected does not share that access.

The structural problem is simpler and more uncomfortable than regulatory failure: the defensive capability of British financial infrastructure has become a variable in American foreign policy.


The KYC illusion

Anthropic’s response to Mythos’s capabilities was to create a Cyber Verification Programme -- a know-your-customer gate intended to ensure the model reached only legitimate security practitioners. Any competent cybersecurity professional will have filed for approval. The programme filters for bureaucratic compliance; it does not and cannot filter for intent.

A nation-state actor or sophisticated criminal syndicate faces a straightforward engineering problem: establish a legitimate-looking defensive consultancy in an approved jurisdiction, with verifiable corporate history and certified practitioners, and apply. The gate opens. Meanwhile, a tier-one UK bank -- bound by strict corporate governance, unable to misrepresent its compliance position, and now locked out of the access tier it was promised -- remains outside.

The restriction acts as an asymmetric embargo: it is entirely porous to state-backed adversaries, yet absolute against regulated British compliance departments.


The latency gap

Mythos-class models are not faster search engines. They are reasoning systems capable of discovering novel exploit chains -- attack paths that do not yet exist in any defensive signature database -- and automating the kind of threat modelling that currently takes a skilled team days. The AISI finding of thousands of previously unknown vulnerabilities discovered autonomously is not a benchmark curiosity; it describes a qualitative shift in attacker capability.

A UK bank defending with pre-Mythos tooling against a Mythos-equipped adversary is operating with a structural time disadvantage. Detection latency, remediation latency, and threat-modelling depth all widen in the attacker’s favour. The gap is not bridgeable with additional headcount or faster legacy tools.

The Bank of England knows this. That is why it called the briefings.


The counterfactual

It is worth stating plainly what the reaction would be if the positions were reversed. A British or European government ordering a UK AI company to cut off American banks from a defensive security tool -- mid-rollout, after access had been promised, for domestic political reasons -- would produce an immediate and disproportionate response from Washington. Trade implications, diplomatic pressure, congressional attention. The asymmetry of that hypothetical reaction is itself an argument about the nature of the dependency.

The UK financial sector discovered, during active threat-preparation, that its defensive capability is not a technical or regulatory matter. It is a foreign policy variable, held in California, adjusted in Washington.


The governance incoherence

Geography-based access controls applied to cloud-native AI systems produce incoherence at the edges almost by design. The Isle of Man sits outside the UK regulatory perimeter and outside the EU entirely. A VCP-approved practitioner operating here occupies a genuinely ambiguous position relative to the institutional blocks that apply to a multinational bank headquartered in London -- not because the rules have been circumvented, but because the rules were written for a different map.

That ambiguity is not a loophole. It is an illustration of the underlying problem: the access control architecture was designed around corporate compliance frameworks and US jurisdiction assumptions. It does not map cleanly onto the actual geography of the practitioners, institutions, and adversaries involved.


The gate

The authority administering that restriction is itself in an extraordinary position. The Trump administration designated Anthropic a “supply chain risk” -- a label normally reserved for foreign adversaries -- after the company refused to build autonomous weapons and mass domestic surveillance tools for the Pentagon. Federal judges have called the designation a spectacular overreach. Multiple courts are actively contesting its legality. The government is six months into untangling Claude from federal agency infrastructure it cannot cleanly remove, with agencies still quietly investigating how to access Mythos for their own cybersecurity evaluation -- undermining the restriction they are simultaneously enforcing.

Washington is restricting allied access to a capability it is actively, messily, and unsuccessfully trying to divest from. The export control is being administered by an entity that cannot control its own imports.

Anthropic, for its part, built something it found genuinely alarming, restricted it, created a verification programme, and is now briefing regulators and financial stability bodies across the Western world about what it can do. That is not unreasonable corporate behaviour. The company is navigating a capability it did not fully anticipate with more transparency than most would manage.

The problem is not Anthropic. The problem is not the Bank of England. The problem is that the gate controlling access to the most significant defensive cybersecurity capability currently in existence is in Washington, operated according to American political priorities, and the institutions on the other side of it have no recourse.

Britain’s banks are being warned about a weapon by the people who have it. That is not a technology problem. That is a sovereignty problem.


Sources: The Daily Telegraph, 20 May 2026 (James Titcomb); NPR, 24--27 March 2026; CNBC, 9 March 2026; Center for Democracy and Technology, May 2026; Anthropic Project Glasswing announcement, April 2026.

The Sovereign Auditor covers digital sovereignty, cybersecurity governance, and data protection policy -- with a particular focus on Isle of Man jurisdiction and Crown Dependency issues.
