The Future of Payments: How AI & LLMs Will Transform Gateway Technology

Guest Editorial by Azimkhon Askarov, Co-CEO and Partner at CONCRYT

The news that Anthropic's new Claude Mythos model has demonstrated the ability to find and exploit vulnerabilities in core software systems, including every major operating system and browser, is not a routine product launch. It marks a shift in the balance between attackers and defenders of the digital infrastructure on which modern finance runs. Anthropic itself has been candid about the stakes, restricting access through its Project Glasswing initiative precisely because the same capability that can fortify infrastructure could, in the wrong hands, cause serious damage to economies and public safety.

The reaction from policymakers has been unusually rapid. At this month's IMF and World Bank spring meetings in Washington, finance ministers, central bankers and regulators treated the subject as an active financial stability issue rather than a theoretical one. IMF managing director Kristalina Georgieva warned that the world does not currently have the tools to protect the international monetary system against cyber risks at this scale. When concerns are raised at that level, it is worth paying close attention to what they actually mean for the plumbing of global finance: payment rails, core banking platforms, settlement networks, and the cloud and software stacks that sit beneath them.

The problem is structural, not just technical

Financial infrastructure is not one system. It is a layered stack of modern cloud platforms, older core banking engines, and the standards and software components that connect them. Decades of accumulated code, much of it quietly relied on by institutions that did not write it, create a large ‘surface area’ of possible weaknesses. A model that can scan, reason about, and chain together those weaknesses changes what is economically feasible for a determined adversary. The concern voiced by senior officials, including ECB president Christine Lagarde and Bank of England governor Andrew Bailey, is precisely about this compression of time between discovery and exploitation, and the way a single capable model can cascade through shared cloud and software dependencies.

It would be easy -and we would argue, wrong- to read this as pure bad news. The same capability that makes Mythos alarming is what makes it valuable. Partners inside Project Glasswing are already using the model to find and patch long-standing flaws in widely deployed software before attackers can get to them. Treated as an instrument of defence, AI offers the security community its first real chance in years to get ahead of adversaries rather than constantly react to them. The question is therefore not whether powerful AI belongs in financial services. It is how firms build the governance, testing and disclosure practices that allow defensive use to outweigh offensive risk.

AI is not the only systemic risk in the queue

Focusing on worst-case AI scenarios alone risks missing another threat that has been building for years. Quantum computing is widely expected to reach the point at which it can break the public-key cryptography that secures almost every financial transaction made today. The World Economic Forum has argued that the real danger is not a sudden "quantum break" tomorrow but the uneven pace at which institutions prepare for it, leaving slower adopters exposed.

That threat is not remote. Analysis from EY points to so-called "harvest now, decrypt later" attacks, where adversaries store encrypted data today with the intention of decrypting it once quantum hardware matures. Migration to post-quantum cryptography takes years of testing and redeployment, which is why US federal agencies have been given a 2035 deadline to become quantum-resistant. While the possibility that somewhere in a world an organization -likely a nation-state- will make a quantum breakthrough and render all existing encryption moot is a legitimate worry, the fact that the financial and tech ecosystem has already begun the work to secure against quantum threats is a good sign - especially when it comes to AI threats.

From ambition to accountability

Regulation will catch up. It always does, and it should, but legislative timelines are measured in years while AI model capability is measured in months, if it can be measured at all. In the intervening period, responsibility sits squarely with the firms deploying these technologies. That means being clear about where AI is used in customer-facing and money-moving processes, what human oversight looks like in practice, how models are tested for adversarial use, and who is answerable when something goes wrong. It also means treating cybersecurity, cryptographic agility and AI governance as a single portfolio of obligations rather than three separate compliance workstreams, with decision-makers at the very top of any financial company kept informed of the risks. AI security is not another box to be ticked.

For payments and financial infrastructure providers specifically, the operational implications are immediate and important. Model access controls, vendor due diligence and red-team testing need to reflect a world in which a bad actor can deploy a system with the reasoning capacity of a senior security researcher at a fraction of the cost. The internal culture around AI adoption needs to shift from counting the capabilities unlocked to accounting for the obligations incurred. It’s not (only) a fun way to get to inbox-zero or save some time on a presentation, it could be the reason that your data is breached and your customers lose confidence in you.

The opportunity here is real. Financial systems built with AI in the loop can be faster, safer and more intelligent than the ones they replace. That outcome depends on an honest reckoning with the risks, not a quiet hope that they will sort themselves out. The Mythos moment is a useful prompt to do that work while there is still time to do it well.

Azimkhon Askarov is Co-CEO and Partner at CONCRYT, a company that he helped to build from scratch in just over two years. With extensive expertise across payment processing, payment technology, compliance and risk, card acquiring, alternative payment methods, payment gateways, and e-commerce platforms, Azimkhon combines strong technical and commercial insight with a passion for innovation in financial technology.