Banking AI Security Evolves Beyond Data Leakage

The security landscape for banking AI is undergoing a significant shift. Early concerns focused on data leakage from generative models, but the emergence of agentic AI has introduced new operational risks that traditional controls aren’t designed to address.

The Agentic Risk Shift

As banks increasingly deploy AI agents capable of initiating transactions and making decisions without human intervention, the focus is moving beyond what data the model can access to what actions it’s authorized to take. While early systems primarily read and summarized information, today’s agents can:

  • Access full customer transaction histories
  • Invoke fraud-scoring services
  • Adjust account limits
  • Initiate payment workflows

This expanded capability creates a new attack surface where malicious inputs could trigger consequential actions.

Privilege Creep and the Five Eyes Warning

The risk of “overprivileged agents” has caught the attention of international cybersecurity agencies. In April 2026, the cyber agencies of the Five Eyes nations issued joint guidance calling for strict least privilege controls on agentic AI systems. This signals that secure AI deployment is transitioning from recommended practice to expected standard.

Failure Modes in Banking Context

The OWASP framework identifies three key failure modes with particular relevance to banking:

  • Excessive functionality: Agents accessing tools beyond their task requirements (e.g., a servicing agent reaching the payments API)
  • Excessive permissions: Granting broader access than needed for specific operations (e.g., a reconciliation agent that can both read and write data)
  • Excessive autonomy: Allowing consequential actions without human oversight

These failures often compound, creating more complex risk scenarios.

Real-World Illustration from Developer Tooling

A recent incident with the Amazon Q Developer extension for VS Code highlights the potential impact. An attacker used an over-scoped build token to inject malicious code that would have wiped customer environments had it not been caught by a syntax error (CVE-2025-8217).

What’s particularly concerning is that this wasn’t a credential theft scenario—the attack succeeded through a trusted channel. This demonstrates how agents with broad capabilities can be exploited when they process inputs from untrusted sources.

The Indirect Prompt Injection Challenge

In banking, these reachable inputs exist in various forms: customer emails, wire memo lines, uploaded documents, and free-text fields across systems. Addressing this requires limiting what agents can do rather than simply instructing them how to behave—a fundamental shift in security approach.