The Architectural Answer to the Mythos AI Security Vulnerability: GRIDS
Commercial Brief for Tier 1 Financial Institutions
QPQ AG, Switzerland – 7 May 2026
Every link in this briefing leads to a primary source. QPQ is contactable for verification of any claim not covered by an embedded link.
What has happened
On 7 April 2026, Anthropic announced an AI model called Mythos that breaks into other people’s computer systems on its own, at machine speed, without a human at the keyboard. In Anthropic’s own words, the model can perform “account login bypasses that allow unauthenticated users to log in without knowledge of their password or two-factor authentication code” and “multiple complete authentication bypasses that allow unauthenticated users to grant themselves administrator privileges.”
In banking terms: the model can sign in as your customer without their password, defeat the two-factor code your systems text to their phone, authorise payments out of their account, send messages between your institution and counterparties as if from an authorised internal user, and act as any party your systems have been built to verify. It can do this against any institution whose authentication runs on the same architecture every regulated bank uses today. Anthropic has held the model back. On Anthropic’s own assessment, equivalent capability will be in less responsible hands within six to eighteen months.
Within days, the US Treasury Secretary and the Chair of the Federal Reserve convened Wall Street’s largest bank chief executives in the first joint emergency meeting of its kind since the financial crisis of October 2008. The Bank of Canada convened its Financial Sector Resiliency Group. The Bank of England is convening its Cross Market Operational Resilience Group.
On 13th April the Cloud Security Alliance, SANS, and OWASP jointly published an emergency framework: eleven priority actions, with the report’s own caveat that “long-term goals should be considered a quarter away at most.” Two days later, the UK government’s open letter to business leaders recorded the UK AI Security Institute’s assessment that frontier AI capabilities are now doubling every four months, against the previous estimate of every eight.
Subsequently, on 24 April, the Swiss Financial Market Supervisory Authority told Bloomberg that “the uncontrolled and immediate availability of AI models such as Mythos would be classified as a systemic risk” because “virtually all existing software systems could simultaneously be affected by a multitude of previously unknown zero-day vulnerabilities, which would be exploited immediately and via AI.” FINMA confirmed it is in contact with banks and “critical service providers” on the matter. On 4 May, the Eurogroup convened in Brussels to discuss Mythos access for European institutions; the Bundesbank President said all relevant institutions should have access to the technology to avoid competitive distortions.
This did not start with Mythos
The same architectural weakness has been costing financial institutions and the inter-institution counterparties they depend on for two decades:
- November 2023, the Industrial and Commercial Bank of China – the world’s largest bank by assets – was locked out of its own US systems by a ransomware attack, forcing its New York office to physically carry that day’s US Treasury trades on a USB stick between buildings.
- December 2024, hackers working for the Chinese government broke into the part of the US Treasury that imposes financial sanctions on foreign governments and individuals – including the same Chinese hackers who had broken in.
- Salt Typhoon, an operation linked to China that has been running since at least 2019, broke into every major US telephone company – AT&T, Verizon, T-Mobile and others – giving the attackers access to call records, text messages, and the systems US law enforcement uses to lawfully tap suspects’ phones. The FBI told more than 600 organisations across 80 countries they had been affected. Senator Mark Warner, chairman of the US Senate Intelligence Committee, called it “the worst telecom hack in our nation’s history.”
These were the most-defended, most-regulated systems in the world. They were broken into anyway. All of it happened before Mythos, all of it happened under the rules supervisors are enforcing today, and all of it took thousands of hours of hostile state-actor effort. Mythos can do the same kind of work in seconds, on its own.
The asymmetry that has been dominating recent news flow is instructive: $5,000 drones against a $2 billion navy destroyer that fires $2 million missiles to stop it – and only one drone in the swarm has to get through. Mythos is a step beyond that. The drone is single-use and the swarm is finite, as is the missile supply on the defending ship. The framework being put in front of supervisors asks regulated institutions to keep firing $2 million missiles. One drone gets through and the $2 billion destroyer is gone. Mythos and those AI models that will follow, can attack every system in the world, in parallel, indefinitely, at a marginal cost per attack approaching zero.
Why the defensive response cannot be enough
The dynamics are now permanently in the attacker’s favour. An attacker needs one route to one credential. A defender has to stop every route, every time, forever. An attacker failing a thousand times costs nothing; one success compromises everything. A defender catching 99.9999% of attempts still lets 0.0001% through, and at machine speed that fraction is all that is needed. Defensive AI cannot close the gap; the asymmetry runs the wrong way. Even the best-performing models hallucinate at rates between 0.7% and 2% on the easiest tasks. Mythos is the first of its kind, not the last; the defender is up against a category of capability that will proliferate.
The financial services industry has been the most aggressive adopter of every patch this category of threat has produced – tokenisation, encryption in transit, zero-trust, multi-factor authentication, hardware-backed credentials, biometrics, behavioural analytics, transaction monitoring. It spends more on cybersecurity per dollar of revenue than any other sector. It is more comprehensively regulated on cybersecurity than any other sector. PCI-DSS, GLBA, SOX, FFIEC, OCC heightened standards, NYDFS Part 500, FCA operational resilience, the EU’s DORA – three decades of escalating regulatory cybersecurity programme, all of it built on the assumption that adequate defence of credentials on connected systems is achievable. The capabilities that Mythos is merely the first of has rendered that assumption an error.
The disclosure problem at the heart of the cybersecurity policy response
The framework lists its authors and reviewers on its title page: most are CISOs, vendors, investors in security firms, training organisations, and conference operators whose commercial position is served by an answer that is more of what they sell. Lead author Gadi Evron is chief executive of Knostic, whose tools appear among the recommended options in the framework’s first priority action; the framework’s publishing bodies are themselves named in its adoption pathways. The affiliations are disclosed on the title page; the conflict at the points where the affiliations bear on specific recommendations is not flagged. This is the framework that will shape what supervisors expect of every regulated institution across the major democracies in the coming months. Its own disclosure practice does not meet the standard it will require of those it regulates.
The architectural alternative described in the next section was published in full on 14 April with the framework’s named contributors tagged directly on LinkedIn. Evron’s only public response was to post a link to promote his own paper. No other named contributor on the framework engaged at all. The architecture is operational, free, open-sourced. The engagement record is on the public record.
The architectural answer
The correct response is to remove sensitive credentials and economic data from the connected attack surface entirely. Not to defend them better in place. That separation now exists, is operational, and is open sourced, ready for immediate deployment.
A Swiss company, QPQ AG, has been running this alternative architecture since 22 October 2024: the Internet of Economics, an open economic resource layer designed for value rather than information. The first commercial tool of the Internet of Economics directly relevant to the financial sector is GRIDS – Gajumaru Remote Instruction Dispatch and Serialisation – a free open protocol released under GPL3 at Main Net on 26 April 2026. Self Sovereign Single Sign On in operation.
Today, when a customer signs in to your systems, when an institutional client authorises a payment, when a trader logs in to a desk system, when a SWIFT message is sent between your institution and a counterparty, your systems hold something that proves the originator is who they claim to be – a password, a session token, a two-factor code, a stored fingerprint template, a SWIFT key, an HSM-protected credential. That proof has to sit somewhere, and wherever it sits, an attacker who reaches it can act as the legitimate party. Everything you hold about the relationship – account balances, transaction history, beneficial ownership records, KYC attestations – sits alongside it.
Under GRIDS, the proof does not sit on your systems. The originating party holds a cryptographic key inside the hardware-backed keystore of their own device. When they sign in or authorise an action, the key produces a one-off digital signature that binds to that specific action and nothing else. Your server verifies the signature against the public key on file – the mathematical counterpart that is useless to an attacker – and acts on it. Nothing on your systems can sign in or authorise as that party. An attacker who reaches your database can read the data, but cannot use it to act anywhere. The originating party is sovereign over their own identity. Your institution is freed of the burden of managing other people’s credentials. One key, one identity, every relationship.
Anthropic has confirmed that Mythos can defeat passwords and two-factor authentication. A GRIDS flow contains neither. There is no password. There is no second factor. There is a one-off digital signature, produced by the originator’s device, verifiable by you, useless to anyone else, gone the moment it is consumed.
A five-minute live demonstration is available at https://youtu.be/WkzNErEg51o – login, transfer action, and QR code login.
The architecture extends across every credential surface
The same architectural primitive serves every credential surface a Tier 1 institution operates. Retail customer authentication. High-net-worth and private banking, where Stage 2 hardware is the natural fit for the value at stake. Corporate and institutional client authentication, with delegated authority and multi-signatory approval as signed attestations rather than role databases. Inter-institution authentication for SWIFT, correspondent banking, and clearing relationships. Internal authentication for elevated-privilege functions: trading desks, treasury, payment authorisation, settlement, compliance overrides. Service-to-service authentication for internal systems.
Once the originator’s key is the anchor, anything you currently hold on the originator’s behalf can be tied to that key: account balances, payment authorisations, KYC attestations, beneficial-ownership records, credit and debit cards. Each of these is currently held by the institution because there has been no other way to make it available when needed. With the key as anchor, the originator presents what is needed at the moment of need, signed for that specific use. The fraud and operational-risk categories that exist because the institution holds this data on behalf of millions of parties reduce as the institution holds less of it. Customer-service social engineering reduces because authority must be signed by the same key that holds the relationship. Inter-institution credential compromise reduces because there is no shared secret to compromise. Internal credential compromise reduces because elevated-privilege users sign each consequential action rather than holding standing access through a session.
Our commercial position
The GRIDS protocol is open source and free under GPL3; QPQ does not charge for the protocol or for the reference applications, GajuDesk and GajuMobile.
The commercial offer is engineering integration through QPQ IaaS AG, the Swiss operating subsidiary in Einsiedeln: institutions that want GRIDS built into their existing systems by the team that built it engage QPQ IaaS AG on a project basis. We make that point explicitly because the cybersecurity industry’s framework does not.
The cost of defending what cannot be defended
Global information-security spending reached $213 billion in 2025 and is forecast at $240 billion in 2026 – 12.5% growth in a single year. Financial services is the largest single contributor by sector. None of this expenditure is solving the underlying problem. It is the cost of defending an architecture that was not built to carry the economic activity financial institutions place on it, and that Mythos has now rendered indefensible at scale.
The institution’s share of this is the visible tip of a much larger cost picture. Beneath it sit the costs that exist because credentials and sensitive data sit on the institution’s systems: IAM tooling across multiple customer and employee populations, MFA infrastructure, fraud prevention platforms, breach insurance, breach response capability, third-party assessment, the regulatory technology stack required to evidence compliance with PCI-DSS, GLBA, SOX, FFIEC, OCC heightened standards, NYDFS Part 500, FCA operational resilience, DORA, and equivalent regimes in every jurisdiction the institution operates. The portion of the customer-service operation handling identity and fraud disputes. The portion of the marketing and communications spend that exists to maintain customer trust through every industry incident that erodes it.
The breach event itself has become a specific commercial and regulatory risk with a known shape. The IBM Cost of a Data Breach Report places the average breach cost at $4.88 million; for financial services, the figure is materially higher. For a Tier 1 institution, this is the floor, not the ceiling. Beyond the direct cost: regulatory enforcement (OCC, NYDFS, FCA, FINRA, the European Central Bank under DORA), supervisory consent orders, capital surcharges, and personal accountability findings against named executives.
Solving the security problem through architecture removes the credentials these costs exist to defend. When nothing on the institution’s systems can sign in as a customer or counterparty, and when bonded data points are presented at the moment of need rather than held continuously, the attack surface that the institution has been paying to defend reduces with every step. The IAM spend that scales with customer and employee populations reduces. The breach risk that haunts every board review falls because the data left on the institution’s systems is no longer dangerous in the wrong hands – without the credential to act, it is information rather than access. The supervisory and Board exposure changes because the architecture has changed.
Three stages of implementation
Stage 1: operational today, open sourced under GPL3. GajuDesk on desktop platforms today; GajuMobile on iOS and Android from end Q2 2026. Private keys held in the device’s hardware-backed keystore (Apple Secure Enclave on macOS and iOS, Android hardware-backed keystore, TPM on Windows and Linux). Zero external software dependencies; no NPM packages, no frameworks, no anonymous dependency chains of the kind exploited in the September 2025 NPM supply-chain attack that compromised 18 packages with more than 2 billion combined weekly downloads. The honest limitation: the device holding the key is itself network-connected. The keystore is strong but the device sits on the internet. That is a smaller attack surface than the current architecture by orders of magnitude, but it is not zero. For retail customer authentication, internal staff authentication, and the actions that sit within an authenticated session, Stage 1 is a categorical change from anything currently deployed. For relationships above a value threshold the institution chooses, Stage 2 is the right answer.
Stage 2: dedicated air-gapped hardware, on the protocol roadmap. Dedicated signing device with no network connection of any kind – no Wi-Fi, no Bluetooth, no NFC, no cellular radio. The only communication channel is optical, via QR codes. For the populations a Tier 1 institution serves and employs at the upper end of the value spectrum – private banking clients, institutional clients, sovereign customers, employees with elevated trading or settlement authority, inter-institution counterparty interfaces – Stage 2 is the definitive answer.
Stage 3: sovereign-provenance hardware, partnership programme. Signing devices manufactured in auditable facilities with verified component-to-assembly manufacturing chains. For institutions with strategic exposures – sovereign relationships, central-bank linkages, critical-infrastructure dependencies – Stage 3 adds hardware provenance to the architecture.
What we are proposing
Immediate: A ten-to-fifteen-minute live demonstration, on your machine or ours. Download GajuDesk from gajumining.com/downloads; we will send installation instructions and a mining licence so your team can authenticate themselves during the session. If local installation is precluded by policy, we screen-share our own live operations.
Near term: QPQ IaaS AG works with your team to implement Stage 1 GRIDS across the credential surfaces you choose – retail customer authentication, internal elevated-privilege authentication, institutional-client authentication, or a defined subset. The protocol is open source. The cost is implementation time and any specific customisation, not licensing.
Bonding extensions: Specific data classes the institution currently holds on behalf of customers, counterparties, and authorised users – account balances, payment authorisations, KYC attestations, beneficial-ownership records, regulatory reporting attestations, audit trails – can be bonded to the originator’s key(s) as discrete engineering projects. Each is a defined piece of work that QPQ IaaS AG undertakes with institutions wishing to extend SSSO into the data they currently store. Data the institution no longer has to store has lost its value as a target, and the operational and regulatory cost categories that exist because the institution holds it reduce as the bonding extends.
Medium term: Stage 2 hardware deployment for the populations where the value at stake warrants air-gapped signing – private banking clients, institutional clients, sovereign customers, employees with elevated authority, inter-institution counterparty interfaces. Structured as a commercial relationship with deployment commitments that accelerate the manufacturing timeline.
The Series A opportunity. The architecture that removes credentials from the institution’s systems is operational. The extension that removes payment credentials from the whole issuer-acquirer-network chain requires co-operation from the card networks. QPQ is raising a Series A in part to deliver that extension. For a Tier 1 financial institution, three engagement vectors are open at this stage:
- Investment. The card-bonding extension is in the institution’s direct commercial interest as an issuer. PCI scope reduction, card-not-present fraud reduction, chargeback reduction, and compliance burden reduction translate directly into cost recovery and risk reduction. Participation in the Series A places the institution at the centre of the commercial arrangement.
- Co-development. QPQ is engaging issuer-side technical teams on the integration design for key-bonded payment credentials. Institutions that engage at this stage shape the integration to fit their own infrastructure and operational model.
- Demand signal to the networks. A Tier 1 institution signalling to Visa or Mastercard that it would deploy key-bonded payment credentials when available materially changes the commercial gravity of the network conversation. The institution is on both sides of the card-network relationship; its signal carries weight on the issuance side that the retailer’s signal cannot.
Beyond authentication. The Internet of Economics that GRIDS is the first commercial tool of has further implications for the financial sector that are out of scope for this brief but available for further discussion. The Gajumaru base layer (Groot) provides settlement and inter-institution messaging properties that bear directly on SWIFT and correspondent-banking economics. The RIPA model – Resource, Infrastructure, Platform, Application – permits sovereign and institutional Associate Chains, where regulated financial institutions can participate in governance directly rather than through intermediated networks. These are conversations we are happy to open once the immediate Mythos question is resolved.
Technical summary
| Property | GRIDS Stage 1 | GRIDS Stage 2 | GRIDS Stage 3 |
|---|---|---|---|
| Status | Operational (desktop today, mobile end Q2 2026) | On protocol roadmap | Partnership programme |
| Cost | Open sourced under GPL3 | To be announced | Partnership |
| Key location | Device hardware-backed keystore | Air-gapped hardware | Verified-provenance hardware |
| Network connection | Device connects to internet; signing context isolated | No network at all | No network; verified hardware throughout |
| Attack surface | Software attack surface eliminated | Hardware attack surface eliminated | Supply-chain attack surface eliminated |
The full architectural argument: Un-White Paper
qpq.swiss · gajumaru.io · gajumining.com
Engineering credit: Ulf Wiger (CTO, formerly chief designer of Ericsson’s AXD 301), Craig Everett (CPO and GRIDS architect), Dimitar Ivanov (CDO, co-architect FATE virtual machine and Sophia smart-contract language).
QPQ AG (Industriestrasse 47, Zug) built the Internet of Economics architecture and holds the intellectual property. QPQ IaaS AG (Allmeindstrasse 17, 8840 Einsiedeln) is the integration counterparty for institutions deploying GRIDS. Gajumaru and GRIDS operational since 22 October 2024. Main Net: 26 April 2026.