[Exclusive] "Defending AI with AI": Government Loosens Network Separation for Security AI, Ushering in a Major Security Paradigm Shift
Concerns Mount That Even Complete Network Separation
Cannot Fully Block Sophisticated AI-Driven Cyberattacks
as the Disruptive Power of Anthropic’s Mythos Emerges
The government's decision to ease network separation regulations for financial companies—limited to generative artificial intelligence (AI) developed for security purposes—stems from the assessment that the disruptive potential of "Mythos," the next-generation security AI model from US-based AI company Anthropic, could upend existing security frameworks. As concerns intensify that physically isolating financial institutions' internal and external networks alone is no longer sufficient to block increasingly sophisticated AI-driven cyberattacks, the government is shifting the financial security paradigm from traditional "closed security" to an AI-based "active defense" system. Industry experts view this measure as the first step toward AI integration in the financial sector, and, in effect, a clear signal that the government's relaxation of network separation rules is now entering a substantive phase.
The primary reason behind financial authorities' swift response lies in the overwhelming performance of Mythos. Specialized in uncovering cybersecurity vulnerabilities, Mythos identified, during its performance testing, a bug in the highly secure OpenBSD operating system that had gone undetected for 27 years. It has also reportedly detected thousands of previously unknown "zero-day vulnerabilities."
Unlike Anthropic's Claude Opus 4.6 model, which demonstrated only limited attack success, Mythos has achieved significantly higher results in penetration and vulnerability detection. This has fueled global concerns that "an era is dawning in which even non-expert hackers can use AI to design attack pathways."
In response, major countries around the world are rapidly working to address the risks posed by Mythos. The US Department of the Treasury and the Federal Reserve recently convened emergency meetings with CEOs of leading Wall Street banks to discuss countermeasures. Some large banks, such as JPMorgan Chase and Bank of America, have begun securing access to Mythos and analyzing its security impact. The European Central Bank (ECB), as well as regulators in the UK and Canada, are also assessing how vulnerabilities related to Mythos could affect their financial systems.
This initiative, developed under the principle of "countering AI with AI," is significant not only as a regulatory exception but also as a meaningful step toward substantive relaxation of network separation. In particular, because the financial sector has long called for the ability to use external AI, the industry interprets this as "the first real signal of AI integration in the financial industry."
Previously, the government partially eased regulations last month to allow financial companies to use cloud-based work applications (SaaS). However, at that time, only work tools and certain service areas were permitted, with no actual connection to external online networks—meaning it could not be considered a genuine relaxation of network separation. In contrast, the current measure focuses on enabling financial institutions to directly utilize external AI engines within their secure internal networks, marking a clear distinction.
With the easing of network separation regulations for security-focused AI, the financial sector will be able to leverage external AI to build proprietary AI models, retrain existing generative AI with a focus on security, and share vulnerability information with overseas AI firms.
An information security official at a major commercial bank commented, "From a white-hat hacker's perspective, relaxing network separation is essential for proactively analyzing AI-based attack pathways and strengthening response systems, such as secure coding."
Jeon Deokjo, CEO of SecuVista, also noted, "If initial infiltration is not prevented, there is a high risk that threats will rapidly move within the network and expand their range of attack," adding, "It is difficult to fully respond to this with conventional security solutions alone."
However, there are also calls for a cautious, phased approach rather than a rapid relaxation of regulations. An information security expert at a commercial bank suggested, "From a risk management standpoint, it is important to gradually ease regulations through mechanisms such as the regulatory sandbox or other restricted approvals that require separate review by financial authorities, as is currently the case."
Some experts warn that connecting external AI services to the financial sector's internal networks could create new points of vulnerability. They point out that using external AI inevitably requires opening up networks to some extent, and that this process could introduce previously non-existent attack vectors.
On this point, Professor Yeom Heungyeol of Soonchunhyang University’s Department of Information Security emphasized, "As network separation is relaxed, new attack pathways may emerge, so it is necessary to implement controls based on a risk management framework (RMF)." He added, "It is essential to apply not only AI but also multilayered security systems such as Zero Trust."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.