On Thursday morning, before most New Yorkers had finished their first coffee, something unusual happened in Washington. Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell issued an urgent joint warning to the CEOs of America's largest banks. The subject: Anthropic's new AI model, codenamed Mythos, and the cybersecurity risks it poses to the financial system.

This isn't a theoretical warning. Anthropic itself has been so concerned about Mythos's capabilities that it refused a standard public release — instead granting early access only to a handful of major tech firms including Apple and Amazon, specifically to test for security vulnerabilities before the model goes wider.

That kind of caution from an AI company about its own product is rare. That kind of response from the Treasury and the Fed is rarer still.

Most AI models get released with some restrictions and a lot of hype. Mythos is different because Anthropic has openly acknowledged it represents a step-change in capability — particularly around tasks that matter to cybercriminals: code generation, vulnerability detection, and social engineering at scale.

In plain terms: Mythos can potentially identify weaknesses in systems faster and more effectively than any AI model before it. In the wrong hands, that capability becomes a sophisticated hacking tool — one that requires far less human expertise than traditional attacks.

Anthropic's decision to limit Mythos to vetted partners — rather than a broader release — reflects genuine concern that the model could be used to compromise critical infrastructure, including financial systems. They're not being modest. They're being careful.

Banks are always a target. But AI-enhanced attacks are different in scale and sophistication. Traditional cyberattacks require significant human expertise and time. AI models like Mythos can compress that effort dramatically — scanning for vulnerabilities, drafting convincing phishing content, or probing weak authentication points at machine speed.

The Treasury and Fed warning to bank CEOs is an early alert: your cybersecurity posture needs to be upgraded before this technology becomes widely accessible. For the largest institutions — JPMorgan, Citibank, Bank of America, Wells Fargo, all of which have major NYC operations — this means accelerated investment in AI-aware security infrastructure.

A federal appeals court also declined Anthropic's bid this week to pause the Pentagon's designation of the company as a supply-chain risk, adding another layer of complexity to the story. Washington is clearly watching AI capabilities with fresh urgency.

If you run a business in New York and you're thinking "that's a big bank problem, not mine" — reconsider.

Here's the chain of risk:

1. Business banking is your exposure point. Every NYC small business owner with a Chase, Capital One, TD Bank, or credit union account is downstream from whatever security posture that institution maintains. A breach at a major bank can expose business account credentials, payment processing data, and ACH routing information.

2. AI-powered phishing is already here. The Mythos warning accelerates a trend that's been building for two years. AI-generated phishing emails are now nearly indistinguishable from legitimate bank communications. If you receive an email from your "bank" asking you to verify account details, verify it independently — call the number on your debit card, not the number in the email.

3. Your vendors are also exposed. Most NYC small businesses rely on third-party payment processors, POS systems, and bookkeeping software. These vendors connect to your bank. A breach anywhere in that chain is a breach to your business.

4. Cyber insurance is no longer optional. If you run a business with employees, an online presence, or payment processing — and you don't have cyber insurance — this week's news is the clearest possible signal to get it. The risk of an AI-assisted attack is no longer remote for businesses your size.

5. Wire fraud is about to get smarter. NYC real estate transactions, contractor payments, and supplier invoicing all involve wire transfers. AI-powered impersonation of vendors or clients is already happening. Verbal confirmation before any wire transfer is now a basic operational standard, not a nice-to-have.

You don't have to be a business owner to be at risk. Here are five steps any New Yorker can take in the next 48 hours:

Enable two-factor authentication on every financial account. This is the single most effective defense against credential theft. Most major banks offer it; most people haven't turned it on. Do it now — not this weekend, today.

Audit your inbox for fake bank communications. Check recent emails from financial institutions. Verify the sending domain is exactly correct — not chase-secure.com, but chase.com. No subdomain tricks, no hyphenated variants.

Freeze your credit. Equifax, Experian, and TransUnion all offer free credit freezes. A freeze prevents new lines of credit from being opened in your name even if your Social Security number is stolen. Unfreeze only when you're actively applying for credit.

Review your bank's security settings. Log into your online banking dashboard and set transaction alerts, login notifications, and daily spending limits. These don't prevent breaches — but they shrink the window of damage from hours to minutes.

Talk to your accountant or IT person. If you're running a business and haven't had a conversation about cybersecurity in the past year, have it this week. Not because AI is magic — but because the threat environment has materially changed.

Beyond banking, the sectors most directly affected by Mythos-level AI capability include:

Healthcare. Patient records remain among the most valuable targets for cybercriminals. NYC's massive hospital network — NYU Langone, Mount Sinai, Northwell Health — is perpetually in the crosshairs. If you work in healthcare administration, flag this to your IT department now.

Real estate. Title companies and property transaction platforms handle enormous volumes of financial data. Wire fraud in real estate is already a major problem in New York; AI-enhanced impersonation makes it worse. If you're closing on a property in the next few months, verify every wire instruction by phone before sending.

Legal. NYC law firms hold client financial data and confidential communications. AI-powered attacks on email systems — what security professionals call "business email compromise" — are a direct and growing threat.

Retail and hospitality. POS systems and payment terminals remain common attack vectors for small businesses citywide. If your card reader hasn't had a firmware update in over a year, ask your provider.

Here's what the Treasury warning actually signals: AI capabilities are accelerating faster than the security infrastructure designed to contain their misuse.

Anthropic deserves credit for moving cautiously on Mythos. The company has limited release specifically because it assessed the model's potential for harm and decided the downside risk outweighed the commercial upside of a faster rollout. That's a real decision with real costs.

But caution at the developer level doesn't eliminate risk — it just delays the window before these capabilities are in wider circulation. The question isn't whether AI-enhanced cyberattacks become more common. The question is how prepared you are when they do.

For New Yorkers, the lesson is the same one the city teaches in every domain: stay informed, move fast when the signal is clear, and don't wait for the problem to arrive at your door.

The Treasury and the Fed just gave you the signal.

The Metro Intel covers the news that affects New Yorkers' money, homes, and businesses. If this was useful, forward it to a business owner you know.