An AI model capable of identifying tens of thousands of software vulnerabilities - and exploiting them - has prompted one of India's most senior economic policymakers to convene emergency consultations with regulators, banks, and foreign governments. India is now in active bilateral talks with the United States to secure access to Anthropic's Mythos model, a system that Anthropic itself has described as a watershed moment for cybersecurity. The discussions, reported by The Economic Times, are unfolding against a backdrop of genuine anxiety about what happens when AI can outpace institutional defences.
What Mythos Actually Does - and Why It Has Regulators Worried
Mythos is part of Anthropic's Claude family of models, purpose-built for complex reasoning and coding. What separates it from prior generations is its operational range across the cybersecurity spectrum: it can identify vulnerabilities, understand how they connect, and actively exploit them - at speeds and scales that human security professionals cannot match.
In an April 7 note, Anthropic stated that Mythos had already identified thousands of high-severity vulnerabilities across major operating systems and web browsers, and that it could outperform humans in certain offensive hacking tasks. Companies that participated in early trials reported Mythos detecting tens of thousands of vulnerabilities, compared with roughly 500 found by Anthropic's preceding model, Opus 4.6 - a nearly twentyfold increase within a single model generation.
Officials cited by the Financial Times described the model as representing a fundamental change in the threat environment, warning that it could chain together multiple vulnerabilities at a speed beyond human capability. For financial regulators, the concern is specific: banking systems in many countries, including India, still run on legacy infrastructure built decades before modern cybersecurity standards existed. Anthropic has acknowledged that Mythos has uncovered vulnerabilities that had persisted for decades. As Reuters noted, cyber incidents in finance can rapidly spill into market disruptions and erode broader institutional confidence.
India's Response: Diplomatic Access and Defensive Urgency
Finance Minister Nirmala Sitharaman has led the government's response since a high-level review that brought together ministries, regulators, and sector bodies. She flagged publicly that the cybersecurity challenges linked to Mythos require close and urgent attention, and directed the Ministry of Electronics and IT to engage directly with the US government, Anthropic, and the companies involved in early testing of the model.
Sitharaman has also asked the Indian Banks' Association to develop a coordinated rapid-response mechanism for threats linked to the model, and directed banks to strengthen their cybersecurity posture in partnership with specialised agencies and technical experts. Simultaneously, the government has instructed CERT-In and the National Critical Information Infrastructure Protection Centre to accelerate protective measures across power grids, telecom networks, and banking channels - the infrastructure categories most exposed to the kind of chained vulnerability exploitation Mythos can perform.
The government's approach to access is notably cautious on competitive grounds. It does not want to enable access for some companies while excluding others, and is considering a broader policy framework to govern how high-capability AI models from multiple developers could be made available to Indian industry going forward.
Indian Companies Shut Out of Early Trials
Under its Project Glasswing initiative, Anthropic extended early access to approximately 40 companies, the majority of them based in the United States, to test Mythos's ability to detect and remediate security flaws. No Indian company was included. Industry body Nasscom subsequently wrote to Anthropic requesting inclusion of Indian firms in the programme, arguing that Indian companies support software systems worldwide and that their exclusion from such tools weakens global cybersecurity resilience - not just India's.
The exclusion has added urgency to the bilateral diplomatic track. India's software services sector has deep integration with critical infrastructure operators globally, particularly in financial services, healthcare administration, and public systems. A model that identifies vulnerabilities at this scale could expose clients of Indian technology firms as much as the firms themselves.
A Policy Question That Extends Beyond One Model
The Mythos episode reflects a structural tension that governments are only beginning to grapple with: advanced AI systems with dual-use capabilities - beneficial for defence, dangerous in the wrong hands or when inadequately controlled - are now arriving faster than regulatory frameworks can accommodate them.
India's approach appears to combine near-term pragmatism with longer-term caution. The immediate priority is securing access so that Indian security professionals and institutions can use the model defensively. The parallel priority is ensuring that the same capabilities do not outrun the ability of critical systems to protect themselves. Both objectives require coordination that crosses ministerial silos, national borders, and the boundary between public and private sectors. The bilateral discussions with Washington will test how well that coordination can actually function under pressure.
