AI Just Crossed a Line. Here’s What Advisors Need to Know

Apr 15, 2026 / By Sean Bailey, Horsesmouth Editor in Chief
Print AAA
Add to My Archive
My Folder

My Notes
Save
AI for Advisors: Anthropic’s newest AI broke out of its security guardrails, hacked systems thought to be unhackable, and emailed engineers to brag about it. The cybersecurity implications are profound. What you and your clients need to know—and the security steps to tighten now.

AI for Advisors newsletter

Something shifted in the world of AI over the past 10 days—and advisors should pay close attention.

Anthropic, the company behind the AI model Claude, didn’t release a product announcement. It released a public warning. The focus wasn’t productivity, efficiency, better writing or faster analysis. It was cybersecurity.

Specifically, Anthropic warned about unprecedented leaps in reasoning and coding capabilities tied to its new, unreleased Claude Mythos model. During testing, the model demonstrated an alarming ability to autonomously identify and exploit critical cybersecurity vulnerabilities in the very systems the world’s digital infrastructure is built on.

That’s the big news. For the last 36 months, the conversation around AI has centered on tasks such as writing emails, summarizing documents, and generating ideas, the kinds of activities that define much of what knowledge workers do every day.

But this is different. AI may be approaching a point where its effects begin landing not just on tasks, but on the underlying systems those tasks depend on—financial systems, communication networks, and software platforms.

The threat environment has changed faster than most advisory firms—and your clients—have adapted.

Since 2023, I’ve spent most of my time translating AI into practical meaning for financial advisors. I don’t usually focus on what the AI labs are doing upstream. But when the companies closest to the bleeding edge of AI start sounding alarm bells about the superpowers of their own creation, it’s worth slowing down and listening.

And this is not just “inside baseball.” If a super-capable version of AI begins to expose weaknesses in the computer systems that underpin all digital workplaces—and the companies, clients, and capital that flow through them—it doesn’t stay confined to Silicon Valley. It starts to touch the assumptions underneath financial planning and investment management itself:

  • The security of client accounts
  • The reliability of communication
  • The integrity of transactions
  • And ultimately, the trust that advisory relationships are built on

What happened at Anthropic?

To understand why this moment feels different, it helps to step back and look at what Anthropic actually reported, not just in headlines, but in the details of how Claude Mythos behaved during testing. The concern wasn’t just what the model could do but what it chose to do on its own. On internal benchmarks, Mythos reportedly scored dramatically higher than any prior AI model, particularly in:

  • Complex reasoning
  • Multi-step problem solving
  • Code generation and execution

Industry observers have said the model is devastatingly effective at autonomous security research. That combination matters because when reasoning and coding ability scale together, the system can suddenly plan, test, adapt, and execute anything any person could do with a computer, and in a vastly superior way.

Mythos emailed IT engineers

Unlike earlier AI models that simply awaited user commands, Mythos exhibited a new kind of initiative. During controlled tests, Anthropic noticed the model acting on its own, independently identifying objectives, exploring different approaches, and choosing strategies to accomplish specific outcomes.

This shift meant the AI was not just reacting but proactively planning and executing complex tasks. One particularly striking scenario demonstrated how Mythos broke out of its secured environment—called a “sandbox” by the industry—and gained Internet access beyond its original restrictions.

The AI model managed to execute a series of security exploits, ultimately announcing its success by posting results to public websites and sending emails about those posts to Anthropic engineers!

The discovery of what we didn’t know was broken

Anthropic also reported that Mythos identified and exploited thousands of previously unknown vulnerabilities across every major operating system and web browser. These included long-standing flaws in various operating systems and vulnerabilities in widely used software that powers video and audio across the Internet. Mythos even cracked the core code that runs most of the world’s servers and Internet routers, systems specifically designed to be unhackable.

Some of these vulnerabilities had gone undetected for years—even decades—despite ongoing security testing. In one case, Mythos found security holes in a system had been scanned five million times and declared safe.

This Mythos model behaved like the most powerful hacker in history, systematically identifying serious weaknesses at a scale and speed never before possible. That directly challenges a long-standing assumption: If a security vulnerability is serious, someone would have found it by now. That assumption no longer looks safe.

The collapse of the skill barrier

The technical barriers to hackers launching attacks have been getting lower for years. But now Anthropic has demonstrated that individuals with little or no formal cybersecurity training can write a simple prompt and direct AI model to:

  • Generate exploit strategies
  • Produce fully functional attack code
  • Execute complex actions

In some cases, this happened within hours. This represents a worrisome, structural shift: Hacking skills are no longer limited by expertise—it is increasingly determined by who has access to a powerful AI model.

The industry response: Project Glasswing

What happened next may be even more important than what Mythos did. According to Reuters, the news of Mythos’s cyber-attack skills hit so hard that it triggered an emergency meeting that included Treasury Secretary Scott Bessent, Federal Reserve Chair Jerome Powell, and CEOs of America’s biggest banks.

Anthropic did not treat this as a normal product release to the public. Instead, it made Claude Mythos available through a defensive initiative called Project Glasswing, bringing together major global firms including Amazon (AWS), Apple, Cisco, Google, Microsoft, and JPMorganChase, among others.

Project Glasswing’s objective is to leverage the Mythos model for defensive patching—uncovering software and network vulnerabilities, fixing them, and reinforcing security infrastructure before these advanced AI hacking powers become broadly accessible by nefarious players.

Anthropic reportedly has committed substantial resources to this project to accelerate this effort. This is not routine. It is a coordinated response to a rapidly emerging risk. And at this time, it seems clear that even the world’s most advanced cybersecurity defenses may struggle to keep pace with any systems that can discover vulnerabilities this quickly.

Why this feels different

Every major technology shift comes with warnings. But this moment stands out for a different reason. By mobilizing global infrastructure players to defend against the risks of AI supermodels like Mythos, Anthropic is signaling that the implications may be difficult to contain—and are acting accordingly.

That is the opposite of a typical product launch, and it carries an uncomfortable implication: We may be entering a phase where the systems we depend on are more vulnerable, and the tools capable of exploiting those vulnerabilities are improving faster than our ability to defend them.

And that brings us back to the question financial advisors should be asking: If systems can now identify and exploit weaknesses this quickly, “Are we as prepared as we think we are?”

What advisors should do next

If there’s one takeaway from what Anthropic revealed, it’s this: The threat environment has changed faster than most advisory firms—and your clients—have adapted.

This isn’t just a technology story. It’s a behavior story because in many of the most common client fraud scenarios today, nothing is “hacked” in the traditional sense. Instead, a client is persuaded, an advisor is impersonated, a request feels urgent and legitimate—and the money moves to later dismay of everyone.

That was already happening. What Claude Mythos signals is that these attacks are about to become more convincing, more scalable, and harder to detect. Which leads to an increase in responsibility. Cybersecurity is no longer something advisors manage in the background. It is something advisors must actively teach and reinforce with both their teams and their clients.

And this is where many firms are still behind. They’ve invested in technology, vendors, and basic safeguards. But they have not fully addressed the most important variable: how people behave under pressure. Because in an AI-driven threat environment, the weakest link is the moment when someone trusts what they see, reacts to urgency, or skips a verification step. That’s where losses occur.

The shift advisors need to make

The most effective firms going forward will do three things differently:

  1. They will enforce non-negotiable security behaviors internally.
  2. They will pressure-test their vendors and technology stack.
  3. They will actively train and guide clients on how to avoid being defrauded.

That third point is the one that often gets overlooked.

Cybersecurity action checklist for advisors and clients

While this story unfolds, now is the time for you, your firm, and your clients to reinforce your cybersecurity practices.

For years, Horsesmouth has helped advisors protect their clients through our Savvy Cybersecurity program, the award-winning book Hack-Proof Your Life Now!, and our latest client education presentation, “Scams, Frauds and Deep Fakes: Smart Rules Every Family Needs to Know Now.”

Below are key guidelines drawn from these programs. Review them, discuss with your team, and share with your clients. This story is just beginning, so expect ongoing guidance as new risks emerge.

Immediate protection steps (Do these first)

  • Enable two-factor authentication (2FA) on all financial, email, and primary accounts.
  • Use a password manager to create and store strong, unique passwords.
  • Replace any reused passwords across accounts—especially email and banking.
  • Set up account alerts for all bank, credit card, and investment accounts.
  • Freeze your credit with all three bureaus (Equifax, Experian, TransUnion).
  • Install software updates regularly on phones, tablets, and computers.

Email & communication security

  • Treat your email account as your most valuable digital asset—protect it first.
  • Never click links or download attachments from unknown or unexpected senders.
  • Be cautious of messages that create urgency, fear, or secrecy.
  • Verify any financial request using a known, trusted contact method.
  • Avoid using public Wi-Fi for accessing sensitive accounts.

Scam awareness (PROOF Framework)

Scammers rely on emotion and urgency, so having a simple decision-making process can stop most attacks.

  • Pause: Don’t act immediately, no matter how urgent it seems.
  • Research: Look up the request, company, or situation independently.
  • Outreach: Contact the person or institution using a trusted number.
  • Observe: Watch for red flags like pressure, unusual payment requests, or emotional manipulation.
  • Freeze: Stop the transaction if anything feels off.

Family & trusted contact safeguards

  • Create a “family password” or phrase for verifying urgent requests.
  • Discuss common scams with family members, especially older relatives.
  • Establish a trusted contact person for financial accounts when possible.
  • Agree on a rule: No money moves without verification.

Financial account protection

  • Review bank and investment accounts at least weekly.
  • Set transaction limits and alerts where available.
  • Avoid linking unnecessary third-party apps to financial accounts.
  • Use credit cards instead of debit cards when possible for better fraud protection.
  • Immediately report any suspicious activity. Speed matters.

Device & technology safety

  • Lock all devices with a PIN, password, or biometric security.
  • Avoid downloading apps from unknown or unverified sources.
  • Turn off Bluetooth and Wi-Fi auto-connect features.
  • Regularly back up important data.
  • Log out of accounts when using shared or public devices.

Identity protection and monitoring

  • Monitor your credit reports regularly (AnnualCreditReport.com).
  • Consider an identity theft monitoring service.
  • Watch for unexpected mail, bills, or account notifications.
  • Shred sensitive documents before discarding them.

High-risk situations to watch closely

  • Requests for wire transfers, gift cards, or cryptocurrency payments.
  • Messages claiming to be from the IRS, Social Security, or law enforcement.
  • “Emergency” requests from family members that feel unusual or rushed.
  • Notifications that your account is locked and requires immediate action.

If you suspect fraud

  • Stop all activity immediately—do not send money or information.
  • Contact your financial institution using a verified phone number.
  • Change passwords on affected accounts right away.
  • Report the incident to IdentityTheft.gov.
  • Notify your advisor and other trusted contacts.

Sean Bailey is the creator of The AI-Powered Financial Advisor training program and AI for Advisors Pro, where he teaches financial advisors how to apply artificial intelligence in their practices. He has spent thousands of hours studying generative AI and has trained hundreds of advisors.

Join the free AI for Advisors newsletter and podcast for weekly insights and practical AI use cases.

IMPORTANT NOTICE
This material is provided exclusively for use by Horsesmouth members and is subject to Horsesmouth Terms & Conditions and applicable copyright laws. Unauthorized use, reproduction or distribution of this material is a violation of federal law and punishable by civil and criminal penalty. This material is furnished “as is” without warranty of any kind. Its accuracy and completeness is not guaranteed and all warranties express or implied are hereby excluded.

© 2026 Horsesmouth, LLC. All Rights Reserved.