
AI Security in Financial Services: Four Areas Where Control Gaps Are Emerging

By David Brauchler III

23 June 2026

Financial institutions are rapidly adopting AI across fraud detection, anti-money laundering (AML), underwriting, trade execution, customer service, and operational workflows. The technology is advancing quickly, but governance, assurance, and security controls are not always keeping pace.

For security leaders, risk teams, and regulators, the central question is no longer whether AI creates business value.
The question is whether organizations can demonstrate that AI-enabled decisions are secure, explainable, auditable, and operating within defined risk tolerances.

While much of the market discussion remains focused on model performance and prompt guardrails, the more significant risks often emerge from the surrounding architecture, permissions, data flows, and decision-making processes.

Across banks, insurers, and asset managers, NCC Group consistently observes four areas where control gaps are developing as AI adoption accelerates.

1. The “Sandbox” Assumption Often Breaks Down in Production

Many organizations assume that because an AI model operates within a sandbox or isolated environment, it cannot directly impact critical systems.

In practice, this assumption frequently breaks down.

During assessments, we regularly observe AI workloads that:

  • Share infrastructure with other business services
  • Retain credentials that provide access to internal applications, APIs, and data stores
  • Operate with permissions broader than those required for their intended purpose
  • Maintain persistent access to sensitive customer, transaction, or operational data

Under these conditions, a malicious prompt, compromised data source, or cleverly crafted attachment may influence the model to perform actions that affect financial systems directly.

Depending on the architecture, this could include:

  • Accessing customer records
  • Modifying account information
  • Triggering downstream workflows
  • Retrieving confidential business data
  • Initiating actions that appear legitimate to surrounding systems

Organizations that are successfully reducing exposure typically:

  • Deploy isolated execution environments
  • Apply least-privilege access controls
  • Restrict resource access to specific tasks
  • Validate all inputs regardless of source

If an AI-enabled application can influence a financial process, it should be treated as part of the organization’s control environment rather than as a standalone technology component.

2. Human Review Alone Is Not a Security Control

Many organizations continue to assume that human review provides an effective safety net for AI-enabled processes.

Historically, human reviewers have played an important role in functions such as fraud investigations, AML reviews, customer onboarding, underwriting assessments, and compliance monitoring.

However, AI introduces attack techniques that human review processes were never designed to detect.

Attackers are actively exploring methods to manipulate AI-enabled workflows through prompt injection, adversarial inputs, hidden instructions, data poisoning, and indirect influence techniques.

During testing and security reviews, we commonly observe:

  • Instructions concealed within whitespace, images, markdown, or Unicode characters
  • Interfaces that present one action to a reviewer while the underlying model performs another
  • Excessive trust in model-generated outputs
  • Reviewers who are unlikely to identify subtle AI-specific manipulation techniques during high-volume operations
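As an added example (not NCC Group's code), a Python input check of the kind the page recommends applying to every input regardless of source: it flags content a human reviewer would not see but a model would read, such as zero-width and Unicode format characters, bidirectional overrides, Unicode tag characters, HTML comments, and whitespace padding. The character sets and thresholds are assumptions, not an exhaustive list.

```python
import re
import unicodedata

# Assumed (non-exhaustive) sets of code points that hide text from a human reader.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
BIDI_OVERRIDES = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                  "\u2066", "\u2067", "\u2068", "\u2069"}
TAG_RANGE = range(0xE0000, 0xE007F + 1)   # Unicode "tag" block: invisible in most renderers


def scan_for_concealed_content(text: str) -> list:
    """Return (finding, detail) tuples describing hidden content; [] means nothing suspicious."""
    findings = []

    invisible = [c for c in text if c in ZERO_WIDTH or ord(c) in TAG_RANGE]
    if invisible:
        findings.append(("invisible_codepoints", len(invisible)))

    if any(c in BIDI_OVERRIDES for c in text):
        findings.append(("bidi_override", "rendered order may differ from processed order"))

    # HTML/markdown comments are stripped from rendered views but reach the model verbatim.
    for m in re.finditer(r"<!--(.*?)-->", text, re.S):
        findings.append(("html_comment", m.group(1).strip()[:60]))

    # Long whitespace runs can push further content out of a reviewer's viewport.
    if re.search(r"[ \t]{40,}|\n{10,}", text):
        findings.append(("whitespace_padding", "large gap before further content"))

    # Any remaining category-Cf (format) characters not already covered above.
    other_cf = {c for c in text
                if unicodedata.category(c) == "Cf"
                and c not in ZERO_WIDTH and c not in BIDI_OVERRIDES
                and ord(c) not in TAG_RANGE}
    if other_cf:
        findings.append(("format_chars", sorted(f"U+{ord(c):04X}" for c in other_cf)))

    return findings


if __name__ == "__main__":
    # Constructed sample: a short instruction with two zero-width spaces and an HTML comment.
    sample = "approve\u200b\u200b invoice 1042 <!-- reviewer note: hidden -->"
    for finding in scan_for_concealed_content(sample):
        print(finding)
```

A non-empty result is a reason to route the item to manual inspection rather than a verdict on its own; the point is that the reviewer sees what the model sees.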

This is particularly important in regulated environments where AI may influence customer outcomes, risk assessments, fraud investigations, or financial decisions.

Regulators including the FFIEC, OCC, Federal Reserve, CFPB, OSFI, FCA, and PRA increasingly expect firms to demonstrate effective governance, auditability, model risk management, and control effectiveness.

Organizations should evaluate where AI participates within a business process and determine which decisions require independent validation.

Business rules, approval requirements, and policy enforcement mechanisms should operate independently of model recommendations.

Threat modeling, adversarial testing, and AI-focused penetration testing should be performed regularly to verify that controls continue to function under realistic attack scenarios.

3. Agent-to-Agent Architectures Introduce New Systemic Risks

Many financial services companies are beginning to deploy agentic AI architectures that allow multiple AI systems to interact with internal applications, external services, data providers, and business workflows.

These architectures create powerful automation opportunities, but they also introduce new trust relationships that are often poorly understood.

For example, a customer-facing AI assistant may collect information from a user, pass that information to an underwriting model, retrieve external credit data, and trigger internal workflows used to support lending decisions.

If any component within that chain is manipulated, compromised, or operates with excessive permissions, downstream decisions may be affected.

Common issues include:

  • Trust relationships that are inherited without validation
  • Privileges that propagate across systems
  • Sensitive data crossing poorly governed boundaries
  • Dependencies introduced without clear ownership or accountability

A compromise affecting a seemingly low-risk component may have consequences far beyond the initial point of entry.

Organizations that manage these risks effectively typically:

  • Define explicit input and output requirements for every agent
  • Establish clear trust boundaries
  • Validate data provenance throughout workflows
  • Limit privilege inheritance
  • Introduce validation checkpoints between critical decision stages

Each agent interaction should be treated as a control point rather than an assumed trust relationship.

4. AI Is Increasingly Embedded in Financial Decision Paths

AI is no longer limited to research, productivity, or customer support use cases.

In many organizations, it now sits directly within business processes that influence customer outcomes and financial decisions.

Examples include:

  • Fraud investigations
  • Credit decisions
  • Underwriting recommendations
  • Payment approvals
  • Trade support workflows
  • Customer servicing activities

As AI becomes more influential in these processes, it effectively becomes part of the decision-making chain.

The challenge is that many organizations still lack independent enforcement mechanisms.

When a model misinterprets a request, receives poisoned data, or is manipulated through prompt-based attacks, downstream systems may continue operating as though the decision were valid.

Regulators increasingly expect firms to demonstrate accountability, explainability, governance, and traceability for decisions that affect customers, transactions, and market activity.

Organizations addressing these risks effectively typically:

  • Separate recommendation generation from policy enforcement
  • Apply deterministic business controls before actions are executed
  • Record complete decision histories
  • Maintain auditable evidence of inputs, outputs, approvals, and policy evaluations

The objective is not to remove AI from business processes.

The objective is to ensure that business controls remain authoritative regardless of how a recommendation was generated.
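As an added example (not NCC Group's code), a Python policy-enforcement gate for a payment-approval workflow illustrating the four practices listed above: the model's recommendation is one input among others, deterministic business rules run against the original request rather than against anything the model asserts, and each decision is recorded with its inputs, model output, policy evaluations, and outcome. The limits, allowlist, and record layout are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Assumed business rules; in practice these come from policy configuration, not from the model.
PER_TXN_LIMIT = 10_000        # hard limit, enforced regardless of the recommendation
AUTO_APPROVE_LIMIT = 2_500    # above this, an independent human approval is required
ALLOWED_CURRENCIES = {"USD", "EUR"}


@dataclass
class DecisionRecord:
    """Auditable evidence: inputs, model output, every policy check, and the final outcome."""
    inputs: dict
    model_output: dict
    policy_checks: list = field(default_factory=list)
    outcome: str = "blocked"
    timestamp: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())

    def digest(self) -> str:
        """Stable hash of the record so stored evidence can be checked for tampering later."""
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()


def enforce_policy(request: dict, recommendation: dict) -> DecisionRecord:
    """Apply deterministic controls to the original request; the model can only lower the outcome."""
    rec = DecisionRecord(inputs=request, model_output=recommendation)
    amount, currency = request["amount"], request["currency"]
    checks = [
        ("currency_allowed", currency in ALLOWED_CURRENCIES),
        ("within_hard_limit", 0 < amount <= PER_TXN_LIMIT),
        ("payee_in_allowlist", request["payee"] in request["known_payees"]),
    ]
    rec.policy_checks = [{"check": name, "passed": ok} for name, ok in checks]

    if not all(ok for _, ok in checks):
        rec.outcome = "blocked"                   # a failed control is final
    elif amount > AUTO_APPROVE_LIMIT:
        rec.outcome = "pending_human_approval"    # a model "approve" does not bypass this step
    elif recommendation.get("action") == "approve":
        rec.outcome = "approved"
    else:
        rec.outcome = "blocked"                   # anything else from the model is treated as a reject
    return rec


if __name__ == "__main__":
    # Constructed sample request and recommendation.
    req = {"amount": 500, "currency": "USD", "payee": "ACME", "known_payees": ["ACME"]}
    record = enforce_policy(req, {"action": "approve"})
    print(record.outcome, record.digest())
```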

Questions Boards and CISOs Should Be Asking

What happens if a malicious prompt reaches one of our AI systems?

Without appropriate isolation, access controls, and policy enforcement, an AI-enabled system may trigger actions that appear to be legitimate business activity while introducing operational, compliance, financial, or reputational risk.

Can we demonstrate to regulators how an AI-enabled decision was made?

Organizations should be able to provide evidence covering data inputs, model outputs, control validations, approvals, and final business actions.

If that evidence does not exist, governance and auditability become difficult to defend.

Where are the highest-risk control gaps?

The greatest risks often emerge where AI interacts with privileged systems, accesses sensitive data, or exchanges information with other agents without clear validation requirements.

How should we test AI security controls?

Begin with threat modeling to understand how AI is used across people, processes, and technology.

Use those findings to conduct targeted white-box AI penetration testing aligned to the OWASP Top 10 for LLM Applications and other applicable AI security frameworks.

Controls should be tested under realistic adversarial conditions to verify that unauthorized actions are blocked and that complete decision paths remain visible for audit, compliance, and forensic review.

Closing Thought

As regulators, boards, and customers place greater scrutiny on AI-enabled processes, organizations will need to demonstrate not only what their AI systems can do, but how those systems are governed, controlled, and assured.

For financial institutions, the challenge is no longer about deploying AI rapidly. The challenge is ensuring that AI-enabled decisions remain secure, explainable, auditable, and aligned with established risk management practices.

Organizations that treat AI as part of their broader control environment will be better positioned to manage emerging threats, satisfy regulatory expectations, and maintain trust with customers and stakeholders.

Security, governance, and resilience are increasingly becoming differentiators alongside innovation. The institutions that can demonstrate effective control over AI-enabled processes will be best positioned to scale adoption while managing operational, compliance, and reputational risk.

David Brauchler III


Technical Director, NCC Group NA

David Brauchler III is an NCC Group Technical Director based in Dallas, Texas. He is an adjunct professor for the Cyber Security graduate program at Southern Methodist University, holds a master's degree in Security Engineering, and is an Offensive Security Certified Professional (OSCP).

David published Analyzing AI Application Threat Models, which introduced the Models-As-Threat-Actors (MATA) methodology to the AI security industry and provided a new trust-flow-centric approach to evaluating risk in AI/ML-integrated environments. He has also released several new threat vector categories, AI/ML security controls, and recommendations for maximizing the effectiveness of AI penetration tests.
