Cybersecurity has settled into a mostly manageable cycle of attack-fix-repeat. With system builders patching exposed weaknesses as fast as they can, it has become a game of Whack-A-Mole. So far, it’s been a contest between humans—hackers versus engineers—but the introduction of AI systems such as Mythos fundamentally changes the nature of cyber risk.

AI’s ability to analyse relationships across APIs, cloud infrastructure, authentication layers, messaging platforms, and identity frameworks means we’re heading towards a scenario where vulnerabilities that previously required significant manual effort to identify will be exploited faster than they can be fixed by humans.

For businesses that rely on mobile trust, the issue is no longer simply cybersecurity resilience. It is operational continuity, customer trust, regulatory exposure, and systemic stability.

A serious threat

A chief worry for financial institutions, regulators, and infrastructure providers is that cyber risk is becoming systemic rather than episodic. During the recent IMF–World Bank Spring Meetings in Washington, Barclays chief executive C.S. Venkatakrishnan warned: “Mythos is a serious threat… more will follow.”

Legacy infrastructure, cloud services, and third-party platforms are increasingly connected through APIs and authentication systems. Each layer may function as intended on its own, but the greatest risk lies in the interaction between layers.

Financial institutions are particularly sensitive to this as their infrastructure is deeply layered and heavily reliant on integration between systems. Regulators—including the Bank of England—have warned that advanced AI could increase cyber risk by exposing structural dependencies that are not visible in traditional ways.

The mobile ecosystem illustrates this challenge particularly clearly.

When strength becomes weakness

Modern mobile infrastructure operates through three tightly connected layers: communications platforms, messaging systems, and identity infrastructure.

At the centre of digital communications sit CPaaS providers – they manage authentication flows, transactional messaging, notifications, and customer engagement across enterprises, banks, platforms, and telecom networks. These services require APIs linking cloud environments, enterprise systems, and carrier infrastructure.

Messaging systems form the operational layer above that infrastructure. SMS continues to underpin authentication across much of the global economy through one-time passcodes and verification workflows, while RCS and OTT messaging platforms increasingly support richer business and consumer interactions.

Beneath both sits identity. Mobile numbers, SIM credentials, device intelligence, behavioural signals, and network data now underpin access to financial services, digital commerce, enterprise systems, and consumer applications.

Individually, each layer may function securely; challenges arise when AI systems analyse those layers collectively across large, fragmented environments. A vulnerability inside an API may appear manageable in isolation, but when analysed alongside messaging workflows, authentication systems, and behavioural data, it may expose broader weaknesses in how trust is established across the entire chain.

This is why the discussion around AI and cybersecurity is increasingly moving beyond traditional breach scenarios. The issue is not simply whether attackers can penetrate systems. It is whether trust models built for a slower, more predictable threat environment remain viable.

Traditional security approaches rely on static checks, including passwords, one-time codes, and fixed authentication rules. They assume system behaviour is stable and that threats can be defined in advance, but the old security model of authenticate once and trust thereafter is beginning to fail.

The response is to shift toward continuous verification models.

Adapt or die

Each interaction can be evaluated in real time using a combination of identity signals, behavioural patterns, device context, and network information. Trust will no longer be treated as a fixed condition but as a constantly updated assessment.

CPaaS providers are central to this shift. Their role changes from message delivery infrastructure to continuous monitoring systems for communication integrity.

Messaging platforms will have to adapt by moving away from reliance on known attack signatures and toward identification of emerging behavioural patterns within live traffic.

Identity systems must move away from a single signal being sufficient to verify a user. Multiple signals need to be combined and reassessed continuously, particularly in environments where device and network behaviour can change rapidly.

As large-scale distributed systems cannot be made fully immune to compromise, the goal is not complete prevention of risk. The objective is containment. And this is achieved through rapid detection, isolation of affected components, and controlled impact across connected systems. That requires changes in system design, including segmentation of services, reduction of dependency chains, and faster recovery mechanisms when failures occur.

Trust is the foundation of communication and identity systems. Although an AI system such as Mythos does not alter the role of trust in mobile infrastructure, it does highlight the level of structural exposure that can now be identified through AI-driven analysis, exposing how dependent modern economies have become on invisible chains of digital trust.

In a world of machine-speed analysis, trust can no longer be assumed. It must be continuously tested, verified, and defended in real time.

Dario Betti is CEO of Mobile Ecosystem Forum.