After Claude Mythos: How banks can ensure their AI resilience
AI-powered cyberattacks in a matter of seconds, AI-assisted phishing and highly fragmented attack vectors: the threat landscape for financial institutions has changed fundamentally. The question is not whether security controls are in place, but whether they are still effective in the face of these new dynamics.
Problem statement: The three drivers of loss of control
When sophisticated AI models and autonomous agents exploit vulnerabilities in the banking sector, traditional, manual security mechanisms fail. Banks thus face a threefold challenge that threatens the very core of their traditional Information Security Management System (ISMS):
- Time compression: AI automation shortens attack cycles from days to seconds. Whereas human attackers used to need hours to take the next step, the machine acts in milliseconds. Human response and weekly patch committees are therefore simply too slow.
- Fragmentation: Subtle steps, each of which is completely inconspicuous on its own, circumvent traditional thresholds and detection mechanisms. An attack bot breaks the attack down into tiny microsteps which, viewed in isolation, appear entirely legitimate. It is only when taken together that the system collapses.
- Automation: There is a massive scaling and personalisation of phishing attacks through Large Language Models (LLMs). The barrier to highly complex social engineering attacks has dropped to zero.
The consequence: Whilst many established security measures (controls) based on ISO 27001 exist on paper, they are gradually losing their protective effect in this new dynamic.
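The fragmentation driver above is first of all a detection problem: a static per-event threshold never fires, while a control that scores each actor's activity over a time window does. The following Python is an added illustration, not code from the article or from the MRIS framework; it contrasts the two approaches on a constructed log, and the event format, action weights and limits are assumptions.

```python
# Added example, not from the article or the MRIS framework. Event format,
# weights and limits are constructed assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: alice's small steps each stay under the static per-transfer limit.
SAMPLE_LOG = """\
2026-03-01T09:00:01 user=alice action=login
2026-03-01T09:00:40 user=alice action=export_statement amount=900
2026-03-01T09:01:05 user=alice action=add_payee
2026-03-01T09:01:30 user=alice action=transfer amount=950
2026-03-01T09:02:10 user=alice action=transfer amount=980
2026-03-01T09:02:45 user=alice action=change_contact
2026-03-01T09:03:20 user=bob action=transfer amount=400
"""

PER_EVENT_LIMIT = 1000.0   # classic static threshold on a single event
WEIGHTS = {"export_statement": 1, "add_payee": 2, "transfer": 2, "change_contact": 3}
WINDOW = timedelta(minutes=5)
SCORE_LIMIT = 6            # combined risk score per user and window
AMOUNT_LIMIT = 2500.0      # combined value moved per user and window

def parse(line):
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def per_event_alerts(events):
    """Static control: fires only when one event alone exceeds the limit."""
    return [e for e in events if float(e.get("amount", 0)) > PER_EVENT_LIMIT]

def windowed_alerts(events):
    """Behavioural control: sliding window per user; alerts on the aggregate."""
    windows, alerts = defaultdict(deque), []
    for e in sorted(events, key=lambda x: x["ts"]):
        w = windows[e["user"]]
        w.append(e)
        while e["ts"] - w[0]["ts"] > WINDOW:   # drop events older than the window
            w.popleft()
        score = sum(WEIGHTS.get(x["action"], 0) for x in w)
        amount = sum(float(x.get("amount", 0)) for x in w)
        if score >= SCORE_LIMIT or amount > AMOUNT_LIMIT:
            alerts.append((e["user"], e["ts"].isoformat(), score, amount))
            w.clear()                          # one alert per fragmented sequence
    return alerts

def analyse(log=SAMPLE_LOG):
    events = [parse(l) for l in log.splitlines() if l.strip()]
    return {"static": per_event_alerts(events), "behavioural": windowed_alerts(events)}
```

On the sample, the static control returns nothing, while the windowed control raises one alert for alice at the second transfer.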
Analysis: The MRIS Framework by Richard Peddi
To counter this loss of control, security expert Richard Peddi has developed the framework for ‘Mythos-Resistant Information Security (MRIS)’ [1]. The MRIS framework functions like a filter that is applied over the existing ISMS. It assesses the 93 Annex A controls of ISO 27001 for their actual resilience against Gen-AI-accelerated attacks and classifies them into four categories:
- Robust: Measures that form a strong barrier even at maximum attack speed (e.g. strict cryptographic procedures such as MFA).
- Partially degraded: Controls that lose a significant amount of their effectiveness due to AI-assisted phishing or automation and urgently require technological hardening.
- Friction: Controls that today merely generate administrative effort and documentation, but no longer offer any real protection. A striking example from the MRIS analysis is the purely manual initial triage of security alerts in the SOC (A.5.25). As the speed of the attacker systematically outpaces human reaction times, humans become a structural weak point at this stage.
- Unaffected: Controls that are neutral with regard to AI attacks; typically organisational, documentary, governance-oriented or physical controls.
Figure 1: Assessment of the 93 controls listed in Annex A of ISO 27001 in accordance with the findings of Richard Peddi (MRIS, 2026)
The uncomfortable truth: Many of the traditional ISO 27001 controls are gradually losing their effectiveness in the face of attacks fuelled by generative AI.
To make a bank AI-resistant, the focus must be placed on the 13 Mythos Hardened Controls (MHC) defined by Richard Peddi.
This means moving away from static passwords towards phishing-resistant MFA (MHC-03), and away from periodic audits towards continuous control monitoring (MHC-10). In short:
AI-powered functions should be used alongside human tasks (e.g. prioritisation, filtering or monitoring).
Solution: AI resilience through an AI Security Readiness Assessment
The theory behind the MRIS framework is brilliant, but how can it be successfully applied in the practical setting of a financial institution? msg for banking has translated this methodology into a pragmatic, management-friendly tool: the AI Security Readiness Assessment.
A structured, standardised questionnaire translates the 13 Mythos Hardened Controls into 6 strategic management clusters:
- AI Strategy & Governance (risk appetite, policies and management of shadow AI)
- Identity & Access (protection of critical access points against AI phishing and identity theft)
- SOC & Detection & Automation (behavioural detection and automated incident response speed)
- Secure Development (integration of automated security checks into the CI/CD pipeline)
- Supply Chain Security (continuous monitoring and transparency of third-party risks)
- Resilience & Recovery (recovery capability and RTO/RPO resilience in the event of serious incidents)
Our experts will analyse the current state of your IT security in a no-obligation consultation and define a bespoke roadmap to strengthen your AI resilience.
Figure 2: Results dashboard: Cyber resilience profile
Benefits for banks: investment protection, efficiency and compliance
Focus rather than a scattergun approach: The spider diagram generated immediately highlights ‘degraded’ controls. This enables banks to direct their security budgets precisely where they offer the greatest protection and to eliminate measures that merely create ‘friction’.
Auditability for DORA and NIS2: The assessment provides methodologically sound and verifiable evidence of digital resilience, which regulators mandatorily require under DORA (in particular Art. 17) and NIS2.