Once in a career, you get the chance to work on something that genuinely changes how an industry operates. I have had that chance twice. MiFID II was the first. Project Glasswing is the second. And if anything, the stakes are higher.
What MiFID II Taught Us, and What Mythos Is About to Demand
In 2018, MiFID II did not merely change how investment banks reported trades. It changed how they thought. It rewired compliance functions, restructured client relationship models, overhauled research monetisation, and forced an uncomfortable truth into boardrooms across the City: the regulation was not the problem. The operating model was.
Banks that treated MiFID II as a technology implementation project failed. Banks that treated it as a human and cultural transformation, backed by technology, adapted. The distinction sounds simple. At the time, it cost billions to learn.
We are standing at an identical inflection point. The release of Anthropic's Mythos, an AI system of a capability tier that has not been publicly deployed before, is not arriving as a product update. It is arriving as a systemic event. And the window between now and its release, likely summer 2026, is not a countdown. It is an opportunity.
What Makes Mythos Different
Previous generations of AI tools arrived gradually enough for institutions to absorb them incrementally. A new model here, a copilot feature there. Change management could trail behind adoption because the risk profile was manageable.
Mythos would change that calculus. A system of this capability level does not sit at the edge of banking operations. It will interact with the core: client data, internal communications, privileged access environments, decision-support chains, and the vast surface area of an institution's digital infrastructure. Its power is precisely what makes it dangerous if an institution has not done its internal work first.
The vulnerabilities Mythos will expose are not new. They are the ones that have been sitting quietly beneath years of technical debt, inconsistent access controls, undocumented processes, and the comfortable assumption that the threat model was manageable. Mythos does not create those vulnerabilities. It illuminates them, at speed, at scale.
The MiFID II Parallel Is Exact
MiFID II gave investment banks a deadline. More importantly, it gave them a mirror.
Before MiFID II, many banks could not accurately answer basic questions: Who is the client? What service are we actually providing them? What conflicts exist in this relationship? The regulation did not invent those questions. It simply made the cost of not answering them visible.
Mythos does the same for cybersecurity and operational resilience. Before its release, banks should be asking: Who has access to what, and do we actually know? Where are the gaps between our documented processes and how people actually work? Where does our ITIL framework describe a world that no longer exists on the ground?
The institutions that will navigate Mythos well are the ones asking those questions now, not in August.
It Is Not About the Technology
This is the central point, and it is the one most likely to be missed.
Every major technology disruption in financial services has been met with the same initial instinct: find the technical solution. Buy the platform. Implement the tool. Update the architecture. And every time, the institutions that survive and lead are the ones that recognise the technology is not the constraint.
People are the constraint. Culture is the constraint. The gap between what an ITIL process document says and what a service desk analyst actually does under pressure at 11pm on a Friday, that is the constraint.
Mythos prevention within banking is fundamentally a human change programme. It requires:
• Operational honesty. Where are the workarounds? Where are the informal processes that bypass access controls because the formal process is too slow to meet SLAs? Those informal processes are the attack surface.
• SLA renegotiation. Some existing SLAs were designed for a threat landscape that no longer exists. If the pressure to meet a four-hour resolution target is what drives analysts to take shortcuts with privileged access, then the SLA is contributing to the vulnerability. That is a leadership conversation, not an infrastructure one.
• ITIL alignment with reality. ITIL frameworks are only as strong as their relationship to how work actually happens. A Change Advisory Board process that is bypassed 30% of the time is not a process. It is a suggestion. Before Mythos, every bank needs to close the gap between the framework and the floor.
• Psychological safety for escalation. The single most underrated cyber control in any institution is whether the person who notices something wrong feels safe to say so before it becomes an incident. In high-pressure banking environments, that safety is rarely as robust as it appears on paper.
Responding to a Fast-Moving Landscape: The Mindset Shift
MiFID II gave banks roughly two years of known lead time. They still largely treated the first 18 months as someone else's problem.
The Mythos window is shorter, and the stakes are different. Regulatory non-compliance carries fines and reputational damage. An AI-enabled breach of a major institution's privileged environment carries systemic consequences that extend well beyond the institution itself.
The mindset shift required is this: stop waiting for the technology to arrive before deciding how to respond to it. The response must precede the release.
That means programme managers and change leads in financial services need to be driving this now, not as a cybersecurity workstream sitting in a technical team, but as a firmwide transformation programme with executive sponsorship, human-centred design, and the same rigour that MiFID II demanded of compliance and operations.
What Good Looks Like
An institution that handles the Mythos moment well will look like this:
• A completed access rights audit, not a scheduled one
• ITIL processes that have been stress-tested against real incident simulations, with gaps documented and remediated
• SLAs reviewed through the lens of what they incentivise behaviourally, not just operationally
• Change management that has moved cybersecurity from a technology conversation to a firm culture conversation
• Staff at every level who understand why this matters personally, not just procedurally
The last point is the hardest and the most important. MiFID II succeeded in the institutions where people understood that it was about integrity in how they served clients. Mythos prevention will succeed in the institutions where people understand that it is about integrity in how they serve each other, and how they protect the firm and its clients from threats that are now operating at a speed and intelligence level that humans cannot match reactively.
The Opportunity in the Window
There is a genuine gift in the fact that Mythos has not yet been released. That window is not a grace period. It is an invitation to do the work that should have been done anyway, with a clarity of urgency that rarely exists in transformation programmes.
MiFID II changed investment banking permanently. Not because of what it required, but because of what it revealed about how institutions had been operating and what needed to change.
Mythos will do the same for cybersecurity and operational resilience. The question is not whether your institution will be changed by it. The question is whether you will have changed yourselves first.
The institutions that lead through transformation are always the ones that understood, before anyone else, that the technology is never the transformation. The people are.
