Field Note — April 2026

Treasury and the Fed just convened bank CEOs over a single AI model.

Your board should be asking a different question this week.

On Tuesday, April 8, the Treasury Secretary and the Federal Reserve Chair pulled Wall Street leadership into a room in Washington to brief them on the risk posture raised by one frontier AI model. That meeting happened. What it reveals about the governance gap in regulated AI deployments is not hypothetical — it is operational, and it is being priced this quarter.

Financial Services AI Governance Regulatory Risk

The question most boards are still asking is "which AI vendor should we standardize on — OpenAI, Anthropic, Google, or someone else." The question regulators are now asking is a different one. It has to do with what happens when the AI system underneath a regulated workflow changes — quietly, unilaterally, or under stress — and whether the institution using it can reconstruct the decisions it has already made.

Those are not the same question. A vendor-selection answer will not satisfy a regulator-posed one.

01 — What Actually Happened

Three events, one pattern.

Consider what has happened in the last thirty days inside the AI industry. Not speculation, not forecasts — reported events, each independently verifiable.

Late March — Anthropic

Mythos restricted to a small partner program.

Anthropic determined that one of its own frontier models, internally named Mythos, was too capable for general public release. The model was restricted to a small partner program called Project Glasswing, with approximately a dozen participating organizations focused on critical-infrastructure cybersecurity. Anthropic's own red team concluded the model's vulnerability-discovery capabilities exceeded what should be broadly accessible.

April 8 — Treasury & Federal Reserve

Wall Street CEOs briefed on AI cyber-risk posture.

Treasury Secretary Scott Bessent and Fed Chair Jerome Powell convened Wall Street CEOs in Washington specifically to brief them on the cyber-risk posture raised by Mythos and other models with comparable capability profiles. The briefing was not a routine check-in. It was a signal that AI model capability has crossed into the territory where it registers as a financial-system concern at the central bank and Treasury levels.

Mid April — Anthropic (again)

Default model effort quietly reduced to conserve compute.

Separately, Anthropic was reported to have quietly reduced the default effort level of its production Claude models in order to conserve compute. Power users noticed the degradation before the company disclosed the change. A competitor's revenue chief publicly characterized Anthropic as "operating on a meaningfully smaller curve" than peers on the availability axis.

These are not equivalent events. The first is a safety-motivated withhold. The second is a regulatory signal. The third is an infrastructure constraint expressed as an undisclosed change in model behavior. What they share is a single, uncomfortable property: every one of them happened to a customer who had standardized on a vendor.

The governance question is no longer about which model you chose. It is about what your organization can actually prove — about the decisions AI has already made on your behalf, the humans who approved them, and the controls that would catch a change in model behavior before a regulator does.

02 — The Real Exposure

Why vendor selection misses the point.

A board that has "standardized on Anthropic" or "standardized on OpenAI" or "standardized on Gemini" has made an operational choice that feels like a governance posture but is not one. Consider what the decision actually covers: the vendor's capabilities today, the vendor's pricing today, the vendor's terms of service today.

What it does not cover: the vendor quietly changing model effort to manage cost. The vendor withholding a class of model capability that was previously in roadmap. The vendor's compute-capacity curve diverging from peers in a way that turns into availability risk. The vendor becoming the subject of an emergency briefing by the US Treasury Department. All four of those events happened in the last five weeks.

None of them are failures of the vendor. In fact, the safety withhold and the compute discipline are both arguably responsible choices. But they are choices the customer does not control, cannot anticipate, and in most current deployments cannot even detect in real time.

That is the governance gap. It is not a vendor-quality problem. It is an architecture problem.

03 — The Agenda Shift

Questions for a board that wants to be defensible.

If the March–April sequence were isolated, it would be noise. It is not isolated. The pattern describes the actual conditions under which regulated AI deployments now operate — and it is the pattern, not any single event, that boards need a posture on. Three questions are worth putting on the agenda before the next meeting.

Board Agenda — AI Governance Readiness

Three questions to answer before the next meeting.

Where does your organization currently rely on AI-assisted decisions that touch customers, counterparties, or regulated filings? Not "where are we experimenting." Where are AI outputs actually shaping outcomes that will show up in an audit, a compliance review, a customer dispute, or a regulator's inquiry.

If model behavior changed tomorrow — lower effort, different outputs, different refusals — how would you detect it, and how long would the gap be before you did? A month of customer-facing decisions made against a silently modified model is a month of decisions your audit trail cannot explain.

If a regulator asked you to reconstruct a specific AI-assisted decision from ninety days ago — including the inputs, the model state, and the human authority that approved it — could you? "We trust the vendor" is not a defensible answer. It is a dependency.

If the honest answer to any of these is "not cleanly," the governance gap is not theoretical. It is already priced into the risk posture of the institution, whether leadership has acknowledged it or not.

04 — What Defensible Looks Like

Infrastructure, not policy.

The temptation when governance gaps surface is to write a policy. Policies are useful and insufficient. The shift that regulators are signaling — and that serious operators inside banks, insurers, and critical-infrastructure operators are already moving toward — is from documentation to continuous execution-time assurance.

Practically, that means three things the organization must be able to do at the moment a decision is made, not after the fact. Bind the provenance of every AI-assisted decision to the inputs, the model state, the retrieval context, and the human authority that approved it — as a structured artifact, not a log line. Gate the authority so that decisions which exceed defined risk thresholds cannot be executed by an automated path without a named human in the loop. Detect the drift so that changes in model behavior — whether announced or silent — surface as operational signals before they surface as regulatory problems.

None of that replaces the model. The model is the reasoning engine. The governance layer is the infrastructure that makes what the model produces defensible inside a regulated environment. The two are separable by design, which is precisely the property that survives a compute-constrained vendor, a safety-withheld model, or a Treasury briefing.

That is the conversation worth having this quarter. Not which vendor. The layer above the vendors.

Michael Lawrence — Founder & Chief Systems Architect, Calyx Intelligence

Calyx Intelligence is a governance-first decision infrastructure platform for regulated environments — financial services, legal, healthcare, insurance, and critical infrastructure. Model-agnostic by design.

← Back to all insights