Synthesis


The Fed pulled five bank CEOs into a room over one model

Powell and Bessent ran an emergency session on Anthropic's Mythos. The same week, Claude built a working exploit for a 13-year-old ActiveMQ bug in minutes. The asymmetry is the story.

On April 7, Jerome Powell and Scott Bessent convened the CEOs of Citigroup, Bank of America, Goldman Sachs, Morgan Stanley, and Wells Fargo in an unscheduled meeting. The subject wasn't a bank failure or a market dislocation. It was an AI model.

That is the load-bearing fact of this week. The two senior-most stewards of the U.S. financial system treated a single frontier model release as a coordination-grade threat to financial stability. They have done this before for collapsing institutions. They have not done it for a piece of software.

The model is Anthropic's Mythos. Reporting puts its zero-day discovery throughput at thousands per year against an elite human baseline of roughly a hundred. Project Glasswing has restricted access to about forty organizations — AWS, Apple, Google, Microsoft, NVIDIA, and a short list of partners. JPMorgan's response was a $1.5 trillion Security and Resiliency Initiative. That is what the inside of the circle looks like.

If you are reading this, you are almost certainly outside it.

The proof was on the same desk

Mythos is the strategic story. The operational story landed in parallel and is harder to wave away. Claude — the generally available model, not the restricted one — discovered a roughly thirteen-year-old remote code execution bug in Apache ActiveMQ and built a working exploit in minutes. No CVE assigned at time of writing. Apache's advisory queue is the place to watch.

In the same news cycle, a ten-year-old Docker Engine authorization bypass resurfaced as a regression. Patched once, silently undone in a later release, scanners reporting clean on version number alone. Impact is root on the host. Container escape, secrets, orchestrator plane, lateral movement to anything the host can reach.

Both bugs share a property your zero-trust diagram does not handle. They sit below the identity layer. Your IdP never sees the request. Your conditional-access policies are irrelevant. The exploit chain starts in plumbing most security programs have spent a decade declaring out of scope because mTLS or a service mesh was supposed to be enough.

It isn't.

What actually changed this week

The capability jump from research demo to operational tool is what triggered the Fed meeting, but it isn't the only thing that shifted.

The Frontier Model Forum — OpenAI, Anthropic, Google — is now sharing intelligence to block Chinese model distillation. Cohere and Aleph Alpha are in merger talks, which is what Tier 2 consolidation looks like in real time. France announced a full government migration off Windows to Linux, framed explicitly as digital sovereignty. Samsung's Q1 operating profit hit 57.2 trillion won, an 8x year-over-year jump on HBM demand. Cisco is paying somewhere between $250M and $350M for Astrix Security because nobody can inventory their own machine credentials.

And three separate physical attacks against AI-linked targets happened in Q1: a Molotov cocktail at Sam Altman's home, thirteen rounds fired into an Indianapolis councilman's house with a "NO DATA CENTERS" note, and the IRGC publishing satellite targeting imagery of OpenAI's Stargate campus in Abu Dhabi. Datacenters have hardened. Humans haven't. The threat actors noticed.

These aren't six stories. They're one. The cost of finding exploits collapsed, the gatekeeping of the tools that found them tightened, the geopolitics around where compute lives sharpened, and the social license to build any of it cracked — all in the same week.

The two-tier security world is the real headline

The forty Glasswing organizations now hold a vulnerability map of common infrastructure that nobody else has. They will patch their own stacks first. Their acquired companies, their portfolio companies, and their largest enterprise customers will benefit second. Everyone else is defending blind against adversaries who, on a twelve-to-eighteen-month timeline, will have equivalent or competing offensive capability without equivalent gatekeeping.

This is not a regulated capability yet. It will be. The Fed proposal from March to ease cyber-related capital reserves is dead on arrival now. Mandatory AI risk assessments for regulated industries are coming. The companies that document their AI governance framework before the rule drops will spend less than the ones that retrofit under a deadline.

What to do this week

If you operate infrastructure, three things, in order.

First, manually verify your Docker Engine version against the AuthZ regression advisory. Do not trust your scanner. SSH in, check the binary, document the result. This is a same-day task. While you're there, inventory every Apache ActiveMQ instance — production, staging, the dev box someone stood up in 2019 — and segment ports 61616 and 8161 off the workstation VLAN and the public internet. There is no patch yet. Network containment is your only control.
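As an added example (not part of the original article), the host-side half of this step can be scripted: `record_docker_engine` captures the daemon's reported version and a hash of the `dockerd` binary for manual comparison against the advisory, and `exposed_activemq_listeners` flags listeners on 61616 or 8161 that are bound beyond loopback. The function names and the sample `ss` output are constructed for illustration, and no affected version range is assumed because the article gives none.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Defensive host-side checks.

# Record what the Docker daemon actually is, not what a scanner inferred:
# the server version the daemon reports plus a hash of the dockerd binary.
# Compare the output against the advisory by hand; no version range is assumed.
record_docker_engine() {
  local bin
  bin=$(command -v dockerd) || { echo "dockerd not found in PATH" >&2; return 1; }
  printf '%s host=%s server_version=%s dockerd_sha256=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hostname)" \
    "$(docker version --format '{{.Server.Version}}')" \
    "$(sha256sum "$bin" | cut -d' ' -f1)"
}

# Read `ss -H -ltn` output on stdin and print "port address" for every
# listener on 61616 or 8161 that is bound to something other than loopback.
exposed_activemq_listeners() {
  awk '
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
      if (port != "61616" && port != "8161") next
      if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
      print port, addr
    }'
}

# Constructed sample input, shaped like `ss -H -ltn` output.
sample_ss_output() {
  cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 *:61616 *:*
LISTEN 0 50 127.0.0.1:8161 0.0.0.0:*
LISTEN 0 128 10.0.4.12:8161 0.0.0.0:*
LISTEN 0 128 [::1]:61616 [::]:*
EOF
}

# Demo on the sample; on a real host run: ss -H -ltn | exposed_activemq_listeners
sample_ss_output | exposed_activemq_listeners
```

A wildcard or routable bind address only shows the broker is listening beyond loopback; whether the workstation VLAN or the internet can reach it still depends on the firewall and segmentation rules in front of the host.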

Second, point a frontier model at your three oldest, least-maintained internal services and compare its findings against your existing SAST output. If Claude can find a thirteen-year-old RCE in minutes, your legacy code is not safe by obscurity. It is safe by nobody having looked yet. Be the one who looks first.

Third, write a one-page board memo this month. Not next quarter. The Fed treated this as systemic. Your board needs to hear that framing from you before they hear it from a regulator, an auditor, or a journalist. Name the capability gap, name your patching SLA, name what compensating controls cover the unpatchable window, and name whether you have any path — partnership, vendor, acquisition target — to defensive parity with the forty.

If you don't have an answer to that last one, that is the answer.

◆ Behind the synthesis

Six specialist takes that fed this piece.

The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.

  1. Claude discovered and weaponized a 13-year-old ActiveMQ RCE in minutes, while Anthropic's Mythos is finding thousands of critical zero-days per year where human teams find ~100 — alarming enough to trigger an emergency Treasury/Fed meeting with CEOs of Citi, BofA, Morgan Stanley, Wells Fargo, and Goldman Sachs.

    AI just compressed exploit discovery from weeks to minutes — Claude weaponized a 13-year-old ActiveMQ RCE, Mythos finds thousands of zero-days per year versus ~100 human-discovered…

  2. The Fed Chair and Treasury Secretary just pulled the CEOs of America's five largest banks into an emergency meeting over Anthropic's Mythos model — not a routine briefing, but an unscheduled crisis coordination session on AI-driven cyberattack risk to the financial system.

    Anthropic's Mythos model triggered an emergency meeting between the Fed Chair, Treasury Secretary, and America's five largest bank CEOs — the first time a single AI model has been…

  3. A new study shows LLMs recommend sponsored products 83% of the time despite nearly 2x cost to users — if you have any LLM in a recommendation, comparison, or decision-support pipeline, you likely have an undetected commercial bias your eval suite doesn't test for.

    LLMs recommend sponsored products 83% of the time — a commercial bias axis that virtually no ML team evaluates — while a 13-year-old ActiveMQ RCE and a regressed Docker root-access…

  4. New research quantifies that LLMs recommend sponsored products 83% of the time — even when those products cost nearly 2x more than alternatives.

    LLMs recommend sponsored products 83% of the time at nearly double the price — your AI features have a measurable, quantified trust liability that regulators can cite. Meanwhile, M…

  5. The Federal Reserve Chair and Treasury Secretary just convened an emergency meeting with the CEOs of America's five largest banks — Citigroup, Bank of America, Goldman Sachs, Morgan Stanley, and Wells Fargo — over Anthropic's Mythos model.

    Frontier AI became a systemic financial risk this week — not in theory, but in the judgment of the Fed Chair, Treasury Secretary, and the CEOs of America's five largest banks, who…

  6. The Fed and Treasury just convened the first-ever joint emergency meeting with CEOs of all five major Wall Street banks — not over a bank failure or market crash, but because Anthropic's Claude Mythos can discover thousands of critical zero-day vulnerabilities per year versus ~100 by elite human teams.

    The Fed Chair and Treasury Secretary just emergency-convened five bank CEOs because a single AI model finds thousands of zero-days per year at 10-30x human speed — while simultaneo…
