A single model that never sleeps, never tires, and never hesitates—Mythos—has reportedly demonstrated the capacity to find fresh zero-day bugs, weaponize them across Windows and Linux, and route attacks through mainstream browsers before defenders can even triage alerts, and that changes the cyber math for global finance overnight. Banks run intertwined systems that clear payments, settle trades, and manage liquidity under unforgiving timelines, where minutes matter and mistakes echo. Regulators across Asia, Europe, and the United States have urged urgent hardening, acknowledging that AI is compressing the time between discovery and exploitation. India offered one of the clearest signals of escalating risk by convening an expert panel led by State Bank of India chairman C S Setty to map exposures, set priorities, and test whether AI can defend as quickly as AI can attack.
The Threat Landscape: AI and Systemic Finance
Unlike earlier waves of malware written by small teams, advanced models can autonomously scan code bases, synthesize fuzzing strategies, and chain vulnerabilities into reliable exploits against heterogeneous stacks. Mythos has been cited as an example that can coordinate attacks across browsers, automate privilege escalation, and pivot laterally using living-off-the-land techniques, shrinking incident response windows from days to hours. In finance, where core banking, real-time gross settlement, and securities clearing intersect, this acceleration matters. A breach at a major payment processor or a clearing member could ripple through liquidity corridors, amplify market volatility, and trigger protective halts. Legacy middleware and aging mainframes complicate hot patching, while third-party connectors expose back doors that adversarial AI can probe at scale.
The sector faces a stark dual-use dilemma. AI has been embedded in fraud analytics, sanctions screening, and customer service, improving speed and lowering cost. Yet those same integrations widen the attack surface with new APIs, model endpoints, and data flows. Defensive AI has made strides—behavioral analytics in identity platforms, autonomous endpoint response, and SOAR playbooks reduce mean time to contain—but adversarial models may still outpace patch cadences and change-control gates. Basic weaknesses persist: weak multi-factor enrollment, stale service accounts, and unsegmented flat networks give AI-driven intrusions easy wins. Supply chain risk adds pressure, as routine browser and kernel updates can lag across fleets, leaving exploitable deltas that automated tools identify and weaponize faster than human teams can coordinate.
India’s Move: SBI-Led Panel and Defensive Playbook
Building on this mounting urgency, India constituted a panel chaired by SBI’s C S Setty, who also heads the Indian Banks’ Association, tasking it with stress-testing the sector against Mythos-class threats. The group’s remit spans cataloging high-value assets, ranking legacy choke points, and proposing targeted investments that actually lower blast radius—microsegmentation at payment gateways, just-in-time credentials for administrators, and immutable vaulting for backups. Coordination with the Reserve Bank of India, CERT-In, and the National Payments Corporation of India is expected to align guidance across core banking, UPI rails, and market infrastructure. Tabletop exercises, red-team operations driven by AI agents, and runbook rehearsals for clearing outages will translate strategy into muscle memory.
The initiative pointed beyond surveillance to concrete action. Banks were urged to ring-fence mainframe cores, enforce hardware-backed phishing-resistant authentication, and deploy decoy assets to siphon automated reconnaissance away from production. Migration of net-new services to memory-safe languages, rigorous software bills of materials, and continuous validation of browser and OS baselines formed a pragmatic path to narrow the gap from 2026 to 2028. Sector-wide simulations, with telemetry-sharing that preserves privacy but accelerates detection, would raise the floor for smaller lenders. Procurement rules that favor AI-resilient architectures, plus funding incentives for retiring brittle middleware, were positioned as near-term levers. Taken together, these steps recognized that resilience depended on matching offensive speed with automated, policy-driven response—before the next Mythos learned new tricks.
