Canada’s federal banking regulator warned the country’s largest financial institutions that frontier artificial intelligence models are heightening cyber threats [1].

The warning signals a shift in the risk landscape for the financial sector. As AI tools become more sophisticated, the speed at which attackers can exploit system weaknesses may outpace the ability of banks to defend them.

The Office of the Superintendent of Financial Institutions (OSFI) sent an email warning to banks in April 2026 [1]. In that communication, the regulator said Anthropic’s Claude Mythos is an example of a frontier AI model that could increase the attack surface for cyber threats [1].

An OSFI spokesperson said frontier AI models could increase cyber threats and compress the time banks have to identify and fix vulnerabilities [1]. To counter these risks, OSFI issued sound-practice guidance for managing generative and agentic AI [2]. This guidance aims to ensure that banks maintain strong oversight, and risk-management practices as they integrate these technologies into their operations.

Other financial leaders have echoed the need for urgency. Tiff Macklem, Governor of the Bank of Canada, said governments and regulators need to move quickly to get a handle on the cybersecurity risks posed by powerful new artificial intelligence tools such as Claude Mythos [3].

Grant Vingoe, Chief Executive of the Ontario Securities Commission, said the technology is so transformative that a different approach to regulation may be required [3]. The current focus remains on whether existing frameworks can handle the speed of AI-driven attacks, or if new, specialized oversight is necessary to protect the national economy.

OSFI's guidance focuses on both generative AI, which creates content, and agentic AI, which can take autonomous actions to achieve goals [2]. Both categories present unique challenges for traditional cybersecurity protocols used by Canada's largest banks.

Frontier AI models could increase cyber‑threats and compress the time banks have to identify and fix vulnerabilities.

The warning from OSFI highlights a critical transition in cybersecurity where the 'window of remediation' — the time between a vulnerability's discovery and its exploitation — is shrinking due to AI. By specifically naming a frontier model like Claude Mythos, the regulator is moving from theoretical warnings to concrete examples of risk. This suggests that Canadian financial regulators view AI not just as a tool for efficiency, but as a systemic risk that could potentially destabilize the banking sector if defenses are not modernized as quickly as the threats.