AI Advisory

NY Department of Financial Services Issues Guidance on Preparation for Heightened Cybersecurity Threats

NY DFS is telling regulated financial firms to prepare now for cyber threats accelerated by frontier AI. Readiness, not new rules, is the ask.

Ahead of any federal response to the cybersecurity threats posed by the capabilities of Frontier AI, the New York State Department of Financial Services (NY DFS) issued two “Industry Letters” on May 21, 2026 advising its regulated entities to prepare for a “heightened cybersecurity threat environment,” in which cyber threats are significantly higher than normal, including the malicious use of Frontier AI models, such as Anthropic’s Claude Mythos Preview.

NY DFS’s new guidance does not impose additional regulatory obligations under its Cybersecurity Regulation, but suggests enhanced cybersecurity measures that regulated entities (banks, insurance companies, and other financial providers) should consider implementing in the event of a “heightened threat environment.”

“NY DFS moved quickly on the Frontier AI cyber threat, warning its regulated entities of the significance of the threat and strongly suggesting they rapidly implement countermeasures,” said Patrick Burke, a former Deputy Superintendent at NY DFS responsible for examinations of regulated entities for compliance with the Cybersecurity Regulation.

“It also introduced the concept of a ‘heightened threat environment,’ which applies beyond Frontier AI to other foreseeable technological or cyberwarfare events.”

Preparing for Frontier AI and a ‘heightened threat environment’

The NY DFS letters closely follow Anthropic’s announcement of its Claude Mythos Preview AI model in early April, which it revealed was “strikingly capable at computer security tasks.” Anthropic chose not to broadly release these capabilities; it instead opted to launch Project Glasswing, an initiative involving approximately 50 infrastructure partners. However, Anthropic’s May 28 press release mentioned Mythos would be available to the public in “the coming weeks.”

Anthropic’s Mythos is just one Frontier AI model, and others exist, so while the immediate impact for companies and regulated industries might be delayed, the underlying implications still exist and must be addressed.

One of the two NY DFS letters, “Heightened Cybersecurity Risks Associated with Frontier AI Models,” specifically addresses suggested measures to implement in anticipation of the threats posed by the new Frontier AI models. The department advises that the “best preparation for Frontier AI Models” is a “robust cybersecurity program” that includes timely and comprehensive vulnerability identification and remediation. In other words, regulated entities should find and fix cyber vulnerabilities in their own systems and those of third-party service providers before threat actors use Frontier AI to find and exploit them first.

NY DFS also recommends strengthening programming practices, including validating and restricting the type of data fed into the program before any scripts or processes run, and applying secure coding standards throughout development. Finally, it recommends that regulated entities evaluate whether existing logging and security event alerting capabilities are sufficient to address heightened threats.

Regulated industries should take ‘additional steps’

The second industry letter, “Guidance on Measures Regulated Entities Should Consider in a Heightened Cybersecurity Threat Environment,” applies more generally to heightened threat environments when cybersecurity risks are significantly elevated and therefore have a high likelihood of impacting information systems, nonpublic information, or operations. The letter recommends regulated entities consider taking additional steps beyond what is required under the Cybersecurity Regulation “when they become aware of a heightened threat environment that warrants stronger defensive measures and increased vigilance.” It identifies a non-exhaustive list of 20 best practices regulated entities should consider incorporating into their existing cybersecurity program to reduce their attack surface, upgrade threat detection and readiness, and improve resilience and response.

“Regulated entities face a dual challenge in reducing their cyber-attack surface when it comes to internal AI risks,” said Burke. “First, recently deployed AI systems present vulnerabilities for which they lack the proper tools to properly assess, and so those risks are essentially ‘known unknowns.’ Second, Shadow AI proliferation creates ‘unknown unknowns’ from unauthorized tools operating invisibly within organizations.

“NY DFS addresses both through recommended measures: ‘Enhance monitoring and validation of expected behaviors of third-party code, applications, permissions, and practices,’ guidance applying equally to approved and Shadow AI.”

Practical tips for preparing for Frontier AI

Continued model advancement raises the stakes on two fronts. Attackers gain access to more tools that find and assist in the development of functional exploits, and AI tools are allowing for faster development, which increases the attack surface.

So, what can organizations do to mitigate the heightened risk that comes with this continued advancement? We suggest considering the following:

  1. Use AI to help find previously undiscovered issues in software before release. Just as you would use AI to validate decisions made by AI systems, it can also be used by defenders.
  2. Prioritize findings based on attack paths. Prioritize systems that are externally accessible (e.g., routable over the Internet or through peer-to-peer business partner connections), or those that house or process sensitive data.
  3. Focus on gateway systems that allow traffic to route from one network segment to another. This approach should include access control devices, authentication sources, and admin management systems (such as jump boxes). This includes both hardware and software systems.
  4. Assume attackers will get in, and watch for their endgame moves: the decisive, late-stage actions right before real damage. That means real-time monitoring and response for privileged account creation, group membership changes to sensitive groups, service account manipulation, sensitive data access, and exfiltration attempts.
  5. Ensure visibility and monitoring of agentic workflows. With the increase of “citizen developers,” it’s becoming common for organizations to deploy agents developed entirely in AI-assisted development environments (e.g., Copilot, Claude Code, Cowork). This means workflows are being used with limited to no understanding of what is actually happening inside them. Pay close attention to what data these workflows can access and where they send it. In citizen-built workflows, these are usually the least understood parts, and they’re where the most serious problems hide.
  6. Strive to execute vulnerability management programs around the clock. The days of quarterly or monthly scanning and patching are over. With Frontier AI model advancements, performing these functions continuously is critical. As you execute sweeps, continue to find ways to streamline existing vulnerability management processes and practices. Consider using tools and platforms that can protect against unpatched exploits without traditional software patching.
  7. Ensure you have a real-time inventory of AI components such as agentic workflows, Model Context Protocol servers, etc. These continue to offer an expanding attack surface for threat actors.
  8. Implement observability and logging to support faster and more accurate investigation, triage, and response. Knowing the prompts and responses is highly valuable when considering legal situations, incident response, and anomaly detection.
  9. Ensure agentic design control and detection of drift from the intended workflow design. This lets you understand what a workflow is doing, accessing, and sharing, and automatically detect changes to the workflow. This can indicate an unapproved change or a threat actor manipulating an existing workflow.
  10. Enforce high-fidelity guardrails to protect against attacks like prompt injection and jailbreaking. Screen inputs before they reach the model, filter and validate outputs before they leave the system, and apply runtime controls wherever the model can call tools or act. Pair these with least-privilege, scoped credentials so that even a successful attack stays contained and can’t reach sensitive systems or data. Guardrails are not deterministic and can fail, so layer them. No single control is enough. Prompt injection is an attack against AI systems (large language models) in which an attacker embeds instructions in text the model processes to trick it into ignoring its original instructions and doing something unintended. Jailbreaking is the practice of crafting inputs that get an AI model to bypass its safety guardrails and produce content it was trained to refuse.
  11. Be realistic about what you can and cannot do. For most organizations, it may not be possible to identify and patch all potential vulnerabilities. Focus your efforts where they reduce the most risk. Partial mitigation is better than none.
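As an added illustration of tip 4 (not part of the original advisory), the sketch below flags additions to sensitive groups in Windows Security events and escalates when the added account was itself created minutes earlier. The sample events, the flat field layout, the group list and the 30-minute window are assumptions made for the example.

```python
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720                # Windows Security: a user account was created
GROUP_ADD_IDS = {4728, 4732, 4756}    # member added to a global / local / universal security group
SENSITIVE_GROUPS = {"domain admins", "enterprise admins", "administrators"}  # assumption: tune per environment
FRESH_WINDOW = timedelta(minutes=30)  # assumption: "created, then promoted" correlation window

# Constructed sample events, already normalized to flat dicts (not real logs).
EVENTS = [
    {"TimeCreated": "2026-06-01T02:14:05", "EventID": 4720,
     "SubjectUserName": "jdoe", "TargetUserName": "svc-backup2"},
    {"TimeCreated": "2026-06-01T02:16:40", "EventID": 4728,
     "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins", "MemberName": "svc-backup2"},
    {"TimeCreated": "2026-06-01T09:00:00", "EventID": 4732,
     "SubjectUserName": "admin1", "TargetUserName": "Helpdesk", "MemberName": "bwong"},
    {"TimeCreated": "2026-06-01T11:30:00", "EventID": 4756,
     "SubjectUserName": "admin1", "TargetUserName": "Enterprise Admins", "MemberName": "asmith"},
]

def find_endgame_moves(events):
    """Flag additions to sensitive groups; escalate when the member was just created."""
    alerts, created_at = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["TimeCreated"])):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == ACCOUNT_CREATED:
            created_at[ev["TargetUserName"].lower()] = ts
        elif ev["EventID"] in GROUP_ADD_IDS:
            group = ev["TargetUserName"]  # for group events this field holds the group name
            if group.lower() not in SENSITIVE_GROUPS:
                continue
            member = ev["MemberName"].lower()
            fresh = member in created_at and ts - created_at[member] <= FRESH_WINDOW
            alerts.append({
                "time": ev["TimeCreated"], "actor": ev["SubjectUserName"],
                "member": ev["MemberName"], "group": group,
                "severity": "critical" if fresh else "high",
            })
    return alerts

if __name__ == "__main__":
    for alert in find_endgame_moves(EVENTS):
        print(alert)
```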
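As an added illustration of tips 5, 7 and 9 (not part of the original advisory), the sketch below compares an agentic workflow's observed definition against its approved baseline and reports new tools, data sources and destinations. The workflow schema, field names and sample values are assumptions constructed for the example.

```python
import hashlib
import json

SET_FIELDS = ("tools", "data_sources", "destinations")  # order-insensitive lists (assumed schema)

# Constructed sample: the approved baseline and what is currently deployed.
APPROVED = {
    "name": "invoice-triage",
    "system_prompt": "Classify incoming invoices and open a ticket for exceptions.",
    "tools": ["read_invoice", "create_ticket"],
    "data_sources": ["s3://example-invoices"],
    "destinations": ["https://tickets.example.internal"],
}
OBSERVED = dict(
    APPROVED,
    system_prompt="Classify incoming invoices and forward a copy of each one.",
    tools=APPROVED["tools"] + ["send_email"],
    destinations=APPROVED["destinations"] + ["https://hooks.example.net/collect"],
)

def fingerprint(workflow):
    """SHA-256 over a canonical form, so key order and list order do not matter."""
    norm = dict(workflow)
    for field in SET_FIELDS:
        norm[field] = sorted(set(workflow.get(field, [])))
    canonical = json.dumps(norm, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def detect_drift(approved, observed):
    """Report how the observed workflow differs from its approved design."""
    report = {"drifted": fingerprint(approved) != fingerprint(observed)}
    for field in SET_FIELDS:
        before = set(approved.get(field, []))
        after = set(observed.get(field, []))
        report[field] = {"added": sorted(after - before), "removed": sorted(before - after)}
    other = (set(approved) | set(observed)) - set(SET_FIELDS)
    report["other_changed"] = sorted(k for k in other if approved.get(k) != observed.get(k))
    # Anything added widens what the agent can reach or where data can go.
    report["expanded_access"] = any(report[f]["added"] for f in SET_FIELDS)
    return report

if __name__ == "__main__":
    print(json.dumps(detect_drift(APPROVED, OBSERVED), indent=2))
```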
