In November 2025 Anthropic disclosed that it had detected and disrupted what is now widely treated as the first documented AI-orchestrated cyber espionage campaign at scale. A state-sponsored actor — designated GTG-1002 — used the model's agentic capabilities to run an estimated 80–90% of the work in a multi-target campaign against roughly thirty global organisations, including financial institutions, with human operators intervening at only a handful of decision points per attack. Six months later, in May 2026, the FCA, Bank of England and HM Treasury issued a joint statement warning regulated firms that frontier AI is reshaping the cyber threat environment faster than industry practice has kept pace.
For a regulated bank or insurer, the question is no longer whether to update the cyber threat model for AI. It is which assumptions in the existing model are now obsolete, and how quickly the operating response can be re-engineered.
What actually changed in 2025
Three things, in our reading of the public disclosures:
- Autonomy crossed an operational threshold. Earlier AI-assisted attacks treated the model as an advisor — a faster Stack Overflow. The GTG-1002 campaign used the model as an operator, decomposing the attack into small tasks and running them with minimal human oversight. The economics of attack shifted with it.
- Jailbreaking became contextual, not prompt-level. The actor did not bypass safety filters with a clever prompt. They withheld the broader mission from the model and fed it a sequence of innocuous-looking subtasks. Generic refusal training does not catch this pattern.
- The skill barrier collapsed. Capabilities that previously required a senior offensive-security team — reconnaissance, vulnerability identification, exploit development, credential harvesting and exfiltration — are now reachable by less-resourced actors orchestrating frontier models.
How the regulator's framing maps to your control environment
The joint UK statement does not announce new rules. It signals what the supervisor expects firms to be able to evidence at the next operational resilience review. Read carefully, three areas dominate:
- Protective controls under AI-paced attack timelines. Vulnerability management cycles calibrated to human attacker tempo — weeks to months — are now mismatched to an attacker who can probe, weaponise and pivot inside a single working day. Patch SLAs, asset-inventory completeness and exposure-management coverage all need re-baselining.
- Detection against agentic attack signatures. A campaign that issues thousands of small, plausible-looking actions over a long horizon will not trip the playbooks built for noisier, human-driven intrusions. Detection engineering has to add behavioural baselines for sustained, low-and-slow automated reconnaissance.
- Recovery under correlated outage. The regulator's specific concern is not a single firm being compromised. It is the systemic case — multiple firms simultaneously, through a shared vendor, cloud provider or open-source dependency. Recovery plans built on the assumption of an idiosyncratic incident need stress-testing against a correlated one.
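To make the detection point above concrete, here is an added sketch (not from the joint statement or any vendor product) that runs a conventional burst rule and a long-horizon behavioural baseline over the same log. The thresholds, host names and events are constructed assumptions; tune them against your own telemetry.

```python
from collections import defaultdict
from statistics import mean, pstdev

BURST_WINDOW_S, BURST_LIMIT = 300, 50  # conventional rule: >50 events per 5 min
HORIZON_MIN_TARGETS = 40   # assumed baseline: distinct hosts per source per day
MAX_JITTER_CV = 0.25       # assumed: machine-paced gaps vary little

def burst_rule(events):
    """Sources exceeding BURST_LIMIT events in any fixed 5-minute bucket."""
    buckets = defaultdict(int)
    for ts, src, _dst in events:
        buckets[(src, ts // BURST_WINDOW_S)] += 1
    return {src for (src, _), n in buckets.items() if n > BURST_LIMIT}

def low_and_slow(events):
    """Sources touching many distinct hosts at a steady, machine-like pace."""
    per_src = defaultdict(list)
    for ts, src, dst in events:
        per_src[src].append((ts, dst))
    flagged = {}
    for src, rows in per_src.items():
        rows.sort()
        targets = {dst for _, dst in rows}
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        if len(targets) < HORIZON_MIN_TARGETS or not gaps or mean(gaps) == 0:
            continue
        cv = pstdev(gaps) / mean(gaps)  # coefficient of variation of the gaps
        if cv <= MAX_JITTER_CV:
            flagged[src] = (len(targets), round(cv, 3))
    return flagged

def sample_events():
    """Constructed one-day log: (epoch_seconds, source, destination)."""
    # svc-batch: 60 events inside one minute against a single host (noisy).
    ev = [(1000 + i, "svc-batch", "db01") for i in range(60)]
    # wk-114: one touch roughly every 90 s, each to a new host, for 3 hours.
    ev += [(2000 + 90 * i + i % 3, "wk-114", f"host{i:03d}") for i in range(120)]
    # wk-007: ordinary user, irregular gaps, three hosts.
    ev += [(t, "wk-007", d) for t, d in ((500, "app1"), (4100, "app2"),
           (4160, "app1"), (20000, "app3"), (61000, "app2"))]
    return ev

if __name__ == "__main__":
    ev = sample_events()
    print("burst rule:", burst_rule(ev))
    print("low-and-slow baseline:", low_and_slow(ev))
```

The burst rule fires only on the noisy batch job, while the steady source that walks 120 hosts at about one touch per 90 seconds is caught only by the long-horizon baseline.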
What good looks like in 2026
The institutions that will land cleanly through the next supervisory cycle are doing four things in parallel. None of them are exotic; all of them are operational.
- AI-aware threat modelling. The threat library has been refreshed to include autonomous reconnaissance, model-orchestrated exploitation and agent-assisted lateral movement. Each is mapped to specific detective and protective controls, and the gaps are owned with dates.
- Defensive AI in the SOC, governed properly. AI-driven triage, alert enrichment and containment recommendations are deployed in the security operations centre — and treated as models, with inventory, validation, monitoring and challenger review under the same model-risk regime applied to credit scorecards. This is the operating-model question, not the technology question.
- Third-party and concentration-risk re-scoring. Vendor risk assessments now ask explicitly what the vendor's exposure is to frontier-AI-enabled attack tooling, what their defensive posture is, and how they would coordinate during a correlated incident. Concentration on a single cloud or SaaS provider gets re-weighted accordingly.
- Rehearsed response for correlated, AI-paced incidents. Cyber exercises move from single-firm tabletops to scenarios involving simultaneous compromise across a peer group, with playbooks for shared-intelligence handling, vendor coordination and supervisor reporting that have been run end-to-end, not just signed off in a board paper.
The November 2025 disclosure was not a one-off. It was a calibration point. The institutions that internalise it now and re-engineer the response will not be the ones running the next supervisory exercise from behind.