The Architectural Answer to the Mythos AI Security Vulnerability: GRIDS

Briefing for Central Banks and Regulators

QPQ AG, Switzerland – 7 May 2026
Every link in this briefing leads to a primary source. QPQ is contactable for verification of any claim not covered by an embedded link.

What has happened

On 7 April 2026, Anthropic announced an AI model called Mythos that breaks into other people’s computer systems on its own, at machine speed, without a human at the keyboard. In Anthropic’s own words, the model can perform “account login bypasses that allow unauthenticated users to log in without knowledge of their password or two-factor authentication code” and “multiple complete authentication bypasses that allow unauthenticated users to grant themselves administrator privileges.”

In supervisory terms: the model can act as any party your supervised population has been built to verify – retail customer, institutional client, internal authorised user, counterparty across SWIFT and clearing – against any institution whose authentication runs on the same architecture every regulated bank uses today. It can do this at machine speed and without human direction after the initial instruction. Anthropic has held the model back. On Anthropic’s own assessment, equivalent capability will be in less responsible hands within six to eighteen months.

Within days, the US Treasury Secretary and the Chair of the Federal Reserve convened Wall Street’s largest bank chief executives in the first joint emergency meeting of its kind since the financial crisis of October 2008. The Bank of Canada convened its Financial Sector Resiliency Group. The Bank of England is convening its Cross Market Operational Resilience Group.

On 13th April the Cloud Security Alliance, SANS, and OWASP jointly published an emergency framework: eleven priority actions, with the report’s own caveat that “long-term goals should be considered a quarter away at most.” Two days later, the UK government’s open letter to business leaders recorded the UK AI Security Institute’s assessment that frontier AI capabilities are now doubling every four months, against the previous estimate of every eight.

Subsequently, on 24 April, the Swiss Financial Market Supervisory Authority told Bloomberg that “the uncontrolled and immediate availability of AI models such as Mythos would be classified as a systemic risk” because “virtually all existing software systems could simultaneously be affected by a multitude of previously unknown zero-day vulnerabilities, which would be exploited immediately and via AI.” FINMA confirmed it is in contact with banks and “critical service providers” on the matter. On 4 May, the Eurogroup convened in Brussels to discuss Mythos access for European institutions; the Bundesbank President said all relevant institutions should have access to the technology to avoid competitive distortions.

This did not start with Mythos

The same architectural weakness has been costing the regulated population and the inter-institution counterparties they depend on for two decades:

These were the most-defended, most-regulated systems in the world. They were broken into anyway. All of it happened before Mythos, all of it happened under the rules supervisors are enforcing today, and all of it took thousands of hours of hostile state-actor effort. Mythos can do the same kind of work in seconds, on its own.

The asymmetry that has been dominating recent news flow is instructive: $5,000 drones against a $2 billion navy destroyer that fires $2 million missiles to stop it – and only one drone in the swarm has to get through. Mythos is a step beyond that. The drone is single-use and the swarm is finite, as is the missile supply on the defending ship. The framework being put in front of supervisors asks regulated institutions to keep firing $2 million missiles. One drone gets through and the $2 billion destroyer is gone. Mythos and those AI models that will follow, can attack every system in the world, in parallel, indefinitely, at a marginal cost per attack approaching zero.

Why the defensive response cannot close the gap

The dynamics are now permanently in the attacker’s favour. An attacker needs one route to one credential. The defender has to stop every route, every time, forever. An attacker failing a thousand times costs nothing; one success compromises everything. A defender catching 99.9999% of attempts still lets 0.0001% through, and at machine speed that fraction is all that is needed. Defensive AI cannot close the gap; the asymmetry runs the wrong way. Even the best-performing models hallucinate at rates between 0.7% and 2% on the easiest tasks. The attacker needs the defender to be wrong once and can run millions of probes in parallel. Mythos is the first of its kind, not the last; the supervised population is not facing a single model but a category of capability that will proliferate.

The regulated population has been the most aggressive adopter of every patch this category of threat has produced – tokenisation, encryption in transit, zero-trust, multi-factor authentication, hardware-backed credentials, biometrics, behavioural analytics, transaction monitoring. PCI-DSS, GLBA, SOX, FFIEC, OCC heightened standards, NYDFS Part 500, FCA operational resilience, the EU’s DORA, FINMA outsourcing circulars, equivalent regimes in every jurisdiction – three decades of escalating regulatory cybersecurity programme, all of it built on the assumption that adequate defence of credentials on connected systems is achievable. The capabilities Mythos is merely the first of has rendered that assumption an error.

The disclosure problem at the heart of the cybersecurity policy response

The framework lists its authors and reviewers on its title page: most are CISOs, vendors, investors in security firms, training organisations, and conference operators whose commercial position is served by an answer that is more of what they sell. Lead author Gadi Evron is chief executive of Knostic, whose tools appear among the recommended options in the framework’s first priority action; the framework’s publishing bodies are themselves named in its adoption pathways. The affiliations are disclosed on the title page; the conflict at the points where the affiliations bear on specific recommendations is not flagged. The supervisory practice the framework will inform requires interest disclosure at the point of decision; the framework’s own disclosure practice does not. We raise this because the supervisory community is the ultimate audience for the framework, and the supervisory community’s standard-setting power is what gives the framework its weight.

The architectural alternative described in the next section was published in full on 14 April with the framework’s named contributors tagged directly on LinkedIn. Evron’s only public response was to post a link to promote his own paper. No other named contributor on the framework engaged at all.

The architectural answer

The correct response is to remove sensitive credentials and economic data from the connected attack surface entirely. Not to defend it better in place. That separation now exists, is operational, and is open sourced, ready for immediate deployment.

A Swiss company, QPQ AG, has been running this alternative architecture since 22 October 2024: the Internet of Economics, an open economic resource layer designed for value rather than information. The first commercial tool of the Internet of Economics directly relevant to the regulated population is GRIDS – Gajumaru Remote Instruction Dispatch and Serialisation – a free open protocol released under GPL3 at Main Net on 26 April 2026.

In the current architecture, customer authentication requires credentials and authentication material – passwords, session tokens, two-factor codes, signed cookies – to transit or sit on connected systems, where they can be harvested by an attacker who reaches those systems. Under GRIDS, the credential does not sit on any connected system. A cryptographic key, held inside the hardware-backed keystore of the originator’s own device, produces a mathematical proof that the originator has authorised this specific instruction. The institution receives the proof, verifies it against the originator’s public key – the mathematical counterpart, which is useless to an attacker – and acts on it. Nothing capable of authenticating anyone is ever present on a connected system.

GRIDS is a dead-drop signature protocol: the execution context (the connected device) and the signature context (the device holding keys) never share a direct connection. The connected device generates a transaction or authentication request and encodes it as a GRIDS URL or QR code. The signing device retrieves the unsigned payload, decodes it, displays exactly what is being asked in plain language on its own screen, and awaits user approval. The user approves. The device produces a signature over the specific instruction payload and returns it. The institution’s system verifies the signature against the public key on file and acts on it.

At no point do private keys exist on the connected device. The signature is bound to the specific instruction. It cannot be replayed against a different instruction, harvested for use elsewhere, or used to establish a session that can subsequently be hijacked. There is no session state, no token, no credential to retrieve in a subsequent breach. Anthropic has confirmed that Mythos can bypass two-factor authentication. A GRIDS flow has no two-factor authentication to bypass. The entire category of harvestable credentials is absent.

The same architecture applies to retail customer authentication, payment authorisation, staff authentication into internal systems, inter-institution messaging across SWIFT and correspondent banking, and any interaction that currently depends on credentials being transmitted or stored. The institution’s connected systems hold public keys, delivery records, audit trails – none of which can authenticate anyone. They hold nothing Mythos is looking for.

A five-minute live demonstration is available at https://youtu.be/WkzNErEg51o – login, transfer action, and QR code login. It works today on a laptop or desktop; the mobile reference application follows in July 2026. The first sovereign user is the Liechtenstein Trust Integrity Network, with Telecom Liechtenstein as majority owner, deploying national infrastructure on this architecture in the second half of 2026.

Our commercial position

The GRIDS protocol is open source and free under GPL3; QPQ does not charge for the protocol or for the reference applications, GajuDesk and GajuMobile.

The commercial offer is engineering integration through QPQ IaaS AG, the Swiss operating subsidiary in Einsiedeln: institutions, supervisors, and sovereign actors that want GRIDS built into their systems by the team that built it engage QPQ IaaS AG on a project basis. We make that point explicitly because the cybersecurity industry’s framework does not.

Three stages of implementation

GRIDS is not a single product. It is an architectural protocol with a staged implementation path. Each stage addresses the remaining trust assumption of the stage before it.

Stage 1: operational today, open sourced under GPL3. GajuDesk on desktop platforms today; GajuMobile on iOS and Android from end Q2 2026. Private keys held in the device’s hardware-backed keystore (Apple Secure Enclave on macOS and iOS, Android hardware-backed keystore, TPM on Windows and Linux). Zero external software dependencies – no NPM packages, no frameworks, no anonymous dependency chains of the kind exploited in the September 2025 NPM supply-chain attack that compromised 18 packages with more than 2 billion combined weekly downloads. The honest limitation: the device holding the key is itself network-connected. The keystore is strong but the device sits on the internet. That is a smaller attack surface than the current architecture by orders of magnitude, but it is not zero. Stage 1 is the right answer for everyday transactions; Stages 2 and 3 add coverage for the flows the supervised population most cares about – high-value transactions, institutional treasury, inter-bank messaging, sovereign payment infrastructure.

Stage 2: dedicated air-gapped hardware, on the protocol roadmap. Dedicated signing device with no network connection of any kind – no Wi-Fi, no Bluetooth, no NFC, no cellular radio. The only communication channel is optical, via QR codes. Every category of attack that depends on keys being present on a networked device is structurally eliminated. There is nothing to find because the keys are not there.

Stage 3: sovereign-provenance hardware – the stage most directly relevant to central banks and sovereign supervisors. Stage 3 eliminates the remaining trust assumption of Stage 2: hardware provenance. QPQ plans to establish global GRIDS device fabrication facilities in jurisdictions chosen for regulatory stability, manufacturing capability, and audit access. These facilities will be open to audit and inspection by any sovereign partner. The signing devices produced will have fully verified component-to-assembly manufacturing chains. No black-box components. No unverifiable supply chains. For sovereign partners who want the capability in their own hands rather than purchased from ours, QPQ is open to establishing fabrication facilities within partner jurisdictions, including full technology transfer. For a central bank seeking to protect national payment infrastructure, the full stack means: signing devices manufactured in a facility you can audit, in a jurisdiction you trust; a GRIDS protocol you can inspect, verify, and deploy on your terms; connected devices whose manufacturing chain is verified to the same standard.

The supervisory question

“Adequate” security under every major prudential framework has meant adequate defence of credentials on connected systems, because there was nowhere else to put them. There is now. The question that follows is whether the standard should continue to mean what it has meant, or whether architectural removal of credentials from the connected attack surface should become part of what adequate protection requires.

The regulated population has been moving in this direction for a decade – tokenisation, data minimisation, zero-trust, hardware-backed credentials – and GRIDS is the completion of that direction rather than a deviation from it. The consequence for supervised firms would be significant. Cybersecurity budgets that have risen indefinitely to defend data on connected systems would reduce, because the attack surface those budgets defend would no longer exist in GRIDS flows. The security posture of the regulated estate would transform, because compromise would no longer depend on the next patch cycle outpacing the next exploit. Global information-security spending reached $213 billion in 2025 and is forecast at $240 billion in 2026; financial services is the largest single contributor by sector. The trajectory is not new spending on something better. It is dramatically less spending, because the problem has been removed.

The data the regulated population holds about its customers, counterparties, and citizens can be returned to those parties. Once the originator’s key is the anchor of the relationship, anything the institution currently holds on the originator’s behalf can be tied to that key and presented at the moment of need. The data-minimisation principle that has been a regulatory aspiration under GDPR and equivalents for fifteen years becomes an architectural property rather than a compliance overlay.

It is a question for the supervisory community, not for us. We have set out the diagnosis and the architecture as honestly as we can. The standard-setting is yours.

What we are proposing

Immediate: A ten-to-fifteen-minute live demonstration, on your machine or ours. Download GajuDesk from gajumining.com/downloads; we will send installation instructions and a mining licence so you can sign in yourself during the session. If local installation is precluded by policy, we screen-share our own live operations.

Near term: QPQ IaaS AG works with any central bank, government agency, supervisory body, and the regulated firms within their remit to implement Stage 1 GRIDS across institutional interfaces – authentication, payment authorisation, inter-institutional communication. The protocol is open source. The cost is implementation time and any specific customisation, not licensing.

Medium term: QPQ will accelerate Stage 2 hardware development in partnership with institutions and supervisors that commit to the programme. A sovereign commitment to deploy GRIDS hardware across a defined user base changes the manufacturing economics and accelerates the timeline.

Long term: QPQ is seeking sovereign partners for Stage 3 fabrication. This is the Internet of Economics at sovereign scale: national economic infrastructure in which sensitive financial and economic data never touches the internet-connected layer, manufactured in a jurisdiction whose integrity can be assured.

Technical summary

PropertyGRIDS Stage 1GRIDS Stage 2GRIDS Stage 3
StatusOperational (desktop today, mobile end Q2 2026)On protocol roadmapSovereign partnership programme
CostOpen sourced under GPL3To be announcedPartnership
Key locationDevice hardware-backed keystoreAir-gapped hardwareVerified-provenance hardware
Network connectionDevice connects to internet; signing context isolatedNo network at allNo network; verified hardware throughout
Attack surfaceSoftware attack surface eliminatedHardware attack surface eliminatedSupply-chain attack surface eliminated

The full architectural argument: Un-White Paper

qpq.swiss · gajumaru.io · gajumining.com

Engineering credit: Ulf Wiger (CTO, formerly chief designer of Ericsson’s AXD 301), Craig Everett (CPO and GRIDS architect), Dimitar Ivanov (CDO, co-architect FATE virtual machine and Sophia smart-contract language).

QPQ AG (Industriestrasse 47, Zug) built the Internet of Economics architecture and holds the intellectual property. QPQ IaaS AG (Allmeindstrasse 17, 8840 Einsiedeln) is the integration counterparty for institutions, supervisors, and sovereign actors deploying GRIDS. Gajumaru and GRIDS operational since 22 October 2024. Main Net: 26 April 2026.