The Architectural Answer to the Mythos AI Security Vulnerability: GRIDS

Press Briefing for Financial Press

QPQ AG, Switzerland – 7 May 2026
Every link in this briefing leads to a primary source. QPQ is contactable for verification of any claim not covered by an embedded link.


The story

On 7 April, the first AI built to break into other people’s systems autonomously – the first of its kind, not the last – defeated the password-and-two-factor authentication on which every regulated institution your readers cover depends.

The cybersecurity industry is pushing for significant increases in budgets. A Swiss company, QPQ AG, has been quietly running the architectural answer for eighteen months, and it is free.

What has happened

On 7 April 2026, Anthropic announced an AI model called Mythos that finds and exploits vulnerabilities in connected computer systems autonomously, at machine speed. To prove the point, it identified a 27-year-old flaw in OpenBSD – one of the most secure operating systems in production – and used it to take complete control. In Anthropic’s own words, the model can perform “account login bypasses that allow unauthenticated users to log in without knowledge of their password or two-factor authentication code.” In financial-services terms, an attacker can act as a customer or as an authorised internal user without having either the password or the text-message code that two-factor authentication relies on. The two pillars of how regulated institutions verify the identity of every party they deal with, defeated by a single AI model, autonomously. Anthropic’s own estimate is six to eighteen months before equivalent capability reaches actors who will not behave as responsibly.

Within days, the US Treasury Secretary and the Chair of the Federal Reserve convened Wall Street’s largest bank chief executives in the first joint emergency meeting of its kind since the financial crisis of October 2008. The Bank of Canada convened its Financial Sector Resiliency Group. The Bank of England is convening its Cross Market Operational Resilience Group.

On 13 April the Cloud Security Alliance, SANS, and OWASP jointly published an emergency framework: eleven priority actions, with the report’s own caveat that “long-term goals should be considered a quarter away at most.” Two days later, the UK government’s open letter to business leaders recorded the UK AI Security Institute’s assessment that frontier AI capabilities are now doubling every four months, against the previous estimate of every eight.

Subsequently, on 24 April, the Swiss Financial Market Supervisory Authority told Bloomberg that “the uncontrolled and immediate availability of AI models such as Mythos would be classified as a systemic risk” because “virtually all existing software systems could simultaneously be affected by a multitude of previously unknown zero-day vulnerabilities, which would be exploited immediately and via AI.” FINMA confirmed it is in contact with banks and “critical service providers” on the matter. On 4 May, the Eurogroup convened in Brussels to discuss Mythos access for European institutions; the Bundesbank President said all relevant institutions should have access to the technology to avoid competitive distortions. Switzerland is not in the Eurogroup process.

The supervisory community has understood the import of this immediately. The last meeting of the scale of Bessent and Powell’s convening produced front-page financial-press coverage for months. This one has not, yet.

This did not start with Mythos

The same kind of weakness has been costing the institutions your readers cover for two decades:

These were the most-defended, most-regulated, most-monitored systems in the world. They were broken into anyway. All of it happened before Mythos, all of it happened under the rules supervisors are enforcing today, and all of it took thousands of hours of hostile state-actor effort. Mythos can do the same kind of work in seconds, on its own.

The asymmetry that has been dominating recent news flow is instructive: $5,000 drones against a $2 billion navy destroyer that fires $2 million missiles to stop it – and only one drone in the swarm has to get through. Mythos is a step beyond that. The drone is single-use and the swarm is finite, as is the missile supply on the defending ship. The framework being put in front of supervisors asks regulated institutions to keep firing $2 million missiles. One drone gets through and the $2 billion destroyer is gone. Mythos, and the AI models that will follow it, can attack every system in the world, in parallel, indefinitely, at a marginal cost per attack approaching zero.

What this means for your readers

The cybersecurity rules every regulated institution operates under – the EU’s Digital Operational Resilience Act, the UK FCA’s operational-resilience rules, NYDFS Part 500, the federal banking agencies’ heightened standards, and equivalent regimes in every jurisdiction – were written on the assumption that adequate defence of credentials on connected systems is achievable. Mythos has just rendered that assumption an error. The financial industry already spends more on cybersecurity per dollar of revenue than any other sector and is more comprehensively regulated on cybersecurity than any other sector. Global information-security spending reached $213 billion in 2025 and is forecast at $240 billion in 2026 – 12.5% growth in a single year against a threat that has just rendered the underlying assumption obsolete. None of that money is solving the underlying problem.

The dynamics are now permanently against the defender. An attacker needs one route to one credential. The defender has to stop every route, every time, forever. An attacker failing a thousand times costs nothing; one success compromises everything. A defender catching 99.9999% of attempts still lets 0.0001% through, and at machine speed that fraction is all that is needed. Defensive AI cannot close the gap; the asymmetry runs the wrong way. Even the best-performing models hallucinate at rates between 0.7% and 2% on the easiest tasks. The attacker needs the defender to be wrong once and can run millions of probes in parallel.

The disclosure problem at the heart of the cybersecurity policy response

The CSA / SANS / OWASP framework gives institutions a quarter at most to act on eleven priority steps. Each step assumes the same software stack the regulated industry already runs and calls for it to be defended harder. None addresses why the stack is vulnerable in the first place.

The framework lists its authors and reviewers on its title page: most are CISOs, vendors, investors in security firms, training organisations, and conference operators whose commercial position is served by an answer that is more of what they sell. Lead author Gadi Evron is chief executive of Knostic, whose tools appear among the recommended options in the framework’s first priority action; the framework’s publishing bodies are themselves named in its adoption pathways. The affiliations are disclosed on the title page; the conflict at the points where the affiliations bear on specific recommendations is not flagged. This is the framework that will shape what supervisors expect of every regulated institution across the major democracies in the coming months. Its own disclosure practice does not meet the standard it will require of those it regulates.

The architectural alternative described in the next section was published in full on 14 April with the framework’s named contributors tagged directly on LinkedIn. Evron’s only public response was to post a link to promote his own paper. No other named contributor on the framework engaged at all. The institutions your readers cover are about to be told, on the framework’s authority, to spend more on the products its authors sell.

The architectural alternative

A Swiss company, QPQ AG, has been running an alternative architecture since 22 October 2024. The architecture is called the Internet of Economics. The component that addresses Mythos directly is GRIDS – Gajumaru Remote Instruction Dispatch and Serialisation – a free open protocol released under the GPL3 open-source licence at Main Net on 26 April 2026.

The principle is simple. The bank’s systems should not hold anything that an attacker can use to act as a customer. Not a password, not a stored fingerprint template, not a session token, not a server-side credential of any kind. The proof that a customer is who they say they are – the signing key – sits in a sealed part of the customer’s own device that even the device’s own software cannot read. When the bank needs to verify the customer or authorise an action, it sends the specific instruction to the customer’s device. The device displays the instruction in plain language: “approve transfer of £500 to John Smith”; “approve change of address”. The customer approves. The device produces a one-off cryptographic signature bound to that specific instruction. The bank’s system verifies the signature against a public counterpart on file – useless to anyone else – and acts on it. There is no password to steal, no two-factor code to intercept, no session token left over for an attacker to hijack.
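The flow just described, in the form of a small worked example added to this briefing. It is illustrative code written for this page, not QPQ’s GRIDS implementation, and it makes assumptions the briefing does not state: Ed25519 is used as a stand-in signature scheme, the bank’s side is modelled as a map of public keys plus a store of instructions it has issued and not yet consumed, and each instruction carries a bank-issued single-use nonce so that a captured signature cannot be replayed. The names (`Device`, `Bank`, `Instruction`) are invented for the example. What it demonstrates is the property the paragraph claims: the bank’s store contains nothing that lets its holder act as the customer, and an approval is only valid for the exact instruction the customer saw.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Instruction is the specific action the bank asks the customer to approve.
// The nonce is issued by the bank and accepted once, so a signature captured
// in transit cannot be replayed. (Structure is an assumption for this example.)
type Instruction struct {
	Customer string // who the instruction was issued to
	Nonce    string // bank-issued, single use
	Text     string // shown to the customer in plain language
}

// signingBytes is the exact byte string the device signs and the bank verifies.
func (i Instruction) signingBytes() []byte {
	return []byte(i.Customer + "\n" + i.Nonce + "\n" + i.Text)
}

// Device models the customer's device: the only place the private key exists.
type Device struct {
	priv ed25519.PrivateKey
}

// NewDevice generates a key pair and returns the public half for enrolment.
func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

// Approve is what happens after the customer reads i.Text and approves it:
// the device signs exactly that instruction and nothing else.
func (d *Device) Approve(i Instruction) []byte {
	return ed25519.Sign(d.priv, i.signingBytes())
}

// Bank holds public keys and the instructions it has issued but not yet
// consumed. A copy of this struct does not let anyone act as a customer.
type Bank struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string]Instruction // keyed by nonce
}

func NewBank() *Bank {
	return &Bank{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string]Instruction{}}
}

// Enrol records the customer's public key; the private half never leaves the device.
func (b *Bank) Enrol(customer string, pub ed25519.PublicKey) {
	b.pubKeys[customer] = pub
}

// Issue creates a one-off instruction for the customer to approve.
func (b *Bank) Issue(customer, text string) (Instruction, error) {
	if _, ok := b.pubKeys[customer]; !ok {
		return Instruction{}, errors.New("unknown customer")
	}
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return Instruction{}, err
	}
	inst := Instruction{Customer: customer, Nonce: hex.EncodeToString(n[:]), Text: text}
	b.pending[inst.Nonce] = inst
	return inst, nil
}

// Verify accepts an approval only if the nonce is outstanding, the instruction
// is exactly what the bank issued (same customer, same text), and the signature
// checks against that customer's public key. The nonce is consumed on success.
func (b *Bank) Verify(inst Instruction, sig []byte) bool {
	issued, ok := b.pending[inst.Nonce]
	if !ok || issued != inst { // unknown, already used, or altered in transit
		return false
	}
	pub, ok := b.pubKeys[inst.Customer]
	if !ok || !ed25519.Verify(pub, inst.signingBytes(), sig) {
		return false
	}
	delete(b.pending, inst.Nonce)
	return true
}

func main() {
	dev, pub, err := NewDevice()
	if err != nil {
		panic(err)
	}
	bank := NewBank()
	bank.Enrol("alice", pub)
	inst, _ := bank.Issue("alice", "approve transfer of £500 to John Smith")
	sig := dev.Approve(inst)
	fmt.Println("genuine approval accepted:", bank.Verify(inst, sig))
	fmt.Println("same signature replayed:", bank.Verify(inst, sig))
}
```

The checks a reader should notice in `Verify`: the instruction is compared against the stored copy before the signature is even examined, so changing the amount or payee after the customer approved is rejected; the nonce is deleted on success, so the same approval cannot be presented twice; and a signature from any key other than the enrolled one fails. The example does not model transport, the “dead-drop” flow mentioned later in the briefing, or hardware key storage, which is where a real deployment carries its weight.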

The same primitive serves every credential surface a bank operates. Retail customer authentication. Private banking. Corporate and institutional client authentication, with delegated authority and multi-signatory approval as signed attestations rather than role databases. Inter-institution authentication for SWIFT, correspondent banking, and clearing. Internal authentication for trading desks, treasury, payment authorisation, settlement, compliance overrides. Once the customer’s key is the anchor of the relationship, anything the bank holds on the customer’s behalf can be tied to that key and presented at the moment of need. The IBM Cost of a Data Breach Report places the average breach cost at $4.88 million; for financial services, the figure is materially higher. Without the credential to act, what the attacker reaches is data they cannot use.

A five-minute live demonstration is available at https://youtu.be/WkzNErEg51o – login, transfer action, and QR code login. It works today on a laptop or desktop; the mobile reference application follows in July 2026. The first sovereign user is the Liechtenstein Trust Integrity Network, with Telecom Liechtenstein as majority owner, deploying national infrastructure on this architecture in the second half of 2026.

Our commercial position

The GRIDS protocol is open source and free under GPL3; QPQ does not charge for the protocol or for the reference applications, GajuDesk and GajuMobile.

The commercial offer is engineering integration through QPQ IaaS AG, the Swiss operating subsidiary in Einsiedeln: institutions that want GRIDS built into their existing systems by the team that built it engage QPQ IaaS AG on a project basis. We make that point explicitly because the cybersecurity industry’s framework does not.

Story angles

The disclosure problem at the heart of the cybersecurity policy response. The framework that supervisors and examiners will be citing over the coming months is being authored by parties whose commercial position is served by the answer being more of what they sell. The work to verify the conflict takes a financial reporter five minutes from the framework’s own title page. The framework’s lead author was given the architectural alternative directly and used his only public response to promote his own paper.

FINMA, the Eurogroup, and the silence outside Switzerland. FINMA’s 24 April statement to Bloomberg is the most consequential supervisory statement on Mythos to date. The Eurogroup has convened on it. Switzerland is not in the Eurogroup process. The institutions your readers cover are spread across both jurisdictions and others. None of the major financial titles has reported the architectural alternative against this regulatory backdrop.

The architecture, not the model, is the story. Every major publication has covered Mythos as a cybersecurity event. None has covered the architectural error Mythos has made undeniable. The institutions paying $240 billion a year are paying to defend an architecture that was never built to do what it is being asked to do.

The card-network implications. The same primitive that authenticates a customer to a bank can bond card credentials to the customer’s device, removing card credentials from the entire issuer-acquirer-network chain. Banks sit on both sides of the card-network relationship. What banks ask for shifts what gets built. The conversation with Visa and Mastercard about who carries the credential surface is one that follows from this architecture, not a feature of the brief.

What is available to journalists

On-record interview with Greg Chew, CEO. Live, recorded, or written. Topics: the architectural error, the disclosure asymmetry in the framework, what your readers’ institutions would do with this, why this matters now.

Live demonstration of GRIDS. Ten to fifteen minutes, remote. Greg Chew or Craig Everett (Chief Product Officer and the engineer who built the protocol) walking through what an attacker cannot do once GRIDS is in place.

Hands-on access for your reporter. Download GajuDesk at gajumining.com/downloads. The team will get your reporter signed in and using it within minutes, with no password.

Background technical briefing. Craig Everett (CPO and GRIDS architect), Ulf Wiger (CTO), Dimitar Ivanov (CDO). Topics: the protocol, the dead-drop signature flow, the comparison with FIDO2/WebAuthn, the Stage 2 air-gapped hardware design.

The full architectural argument: Un-White Paper

qpq.swiss · gajumaru.io · gajumining.com

Engineering credit: Ulf Wiger (CTO, formerly chief designer of Ericsson’s AXD 301), Craig Everett (CPO and GRIDS architect), Dimitar Ivanov (CDO).


QPQ AG (Industriestrasse 47, Zug) built the Internet of Economics architecture and holds the intellectual property. QPQ IaaS AG (Allmeindstrasse 17, 8840 Einsiedeln) is the integration counterparty for institutions deploying GRIDS. Gajumaru and GRIDS operational since 22 October 2024. Main Net: 26 April 2026.