Financial Firms Are Deploying AI Agents Faster Than They Can Govern Them

The headline finding in the Cloud Security Alliance's 2026 financial services survey is how far AI agents have already spread. Sixty-two percent of the 340 institutions surveyed said they're running them. Only 27 percent said they aren't, and 11 percent didn't know, which is its own kind of answer. An agent you can't account for is an agent operating outside governance.

The survey defined agents broadly, so that 62 percent covers everything from simple task bots to systems that act with real independence. Even so, the direction is clear. Agents have moved from pilots into the daily operation of banks, and the controls for them are running behind.

Agents are already acting

Where are they? Customer service leads at 63 percent. Cybersecurity and IT operations follow at 47 percent, internal coding and analytics tools at 46 percent, back-office automation at 44 percent, and fraud detection and AML monitoring at 41 percent. These aren't science projects. They sit in the parts of the bank that touch money and customer data.

How much rope do they get? The survey maps a spectrum. Seven percent keep a human in every decision. The largest group, 55 percent, runs limited autonomy with active human oversight, the familiar human-in-the-loop model. Conditional autonomy, where the agent acts on its own inside set guardrails, covers 33 percent. And 5 percent have granted high autonomy for critical actions. That last number is small, but it marks a line some institutions have already crossed, from AI that advises to AI that acts.

The identity problem underneath

Every one of those agents needs an identity to do its job: a service account, an API key, a token, a set of credentials. And those machine identities have been multiplying for years, well before agents arrived. The survey points to estimates that non-human identities outnumber human ones by roughly 96 to 1 in financial services, while noting the exact ratio shifts by source. Agents widen the gap further.

This matters because identity is where attacks land. The survey cites research that 82 percent of organizations had at least one identity-driven cyberattack in the past year, with financial services running higher. Each service account and agent credential is a door, and most banks have far more doors than they're watching. That's why improving identity and access security came in as the single biggest next-year priority at 48 percent, ahead of every other line on the list.

The survey is candid that the sector may be underrating this. Respondents ranked insecure non-human identities at 24 percent among their top cloud risks, which the analysts read as low given how fast the machine-identity population is growing. The risk is moving faster than the perception of it.

The payments headline, and the part you actually control

The most attention-grabbing finding sits one step further out. Eighty-five percent of respondents expect consumers to use AI agents to initiate and execute payments, and 65 percent believe that will require a new authorization model, because today's payment and authentication methods assume a human is present to confirm the transaction. The survey notes the rails are already being laid: Visa's Trusted Agent Protocol, Mastercard's Agent Pay, Stripe's machine payments work, and Google's agent payments protocol.

That consumer frontier is real, but it's largely being built by the card networks and the platforms. The part a bank controls today is narrower and more immediate: the agents it runs inside its own walls, against its own data and systems. That's where agent governance is a present-tense problem, not a future one.

What the survey says to do

The recommendations are specific, and they center on treating agents like first-class actors in the security model rather than features bolted onto an app.

• Make agent identity a real IAM object. Verifiable credentials, scoped and time-bounded permissions, audit logs that tie every action back to the human or organizational owner, and credentials that rotate. An agent's identity should be as governed as an employee's, with a clear principal behind it.
• Review what agents can reach. Least-privilege review of every tool an agent can call, so a connector built for one task can't be turned to another.
• Watch them in production. Monitor for drift, anomalous output, and extraction attempts. The survey's other finding, that 20 percent of firms had a confirmed AI incident and another 21 percent couldn't say, shows how thin agent-level monitoring still is.
• Threat-model the agents specifically, using resources like the OWASP Top 10 for LLM Applications, MITRE ATLAS, and CSA's MAESTRO framework, and keep an inventory of material AI agents, shadow ones included.

The common thread runs through all four: you can only govern an agent you can see, scope, and trace. That gets much harder when the agent, its credentials, and the data it touches live across a platform you don't fully control.

Where Cognetryx fits

We build private AI for regulated institutions, and agent governance is built into the architecture rather than added on top.

• Agents run with scoped identity. Every agent acts under a bounded, logged identity tied to a real owner, with permissions limited to the task. That's the survey's first recommendation, in the product. See secure on-premises agents.
• Agents can't see what the user can't. Retrieval enforces permissions, so an agent acting for someone can't surface a record that person isn't cleared for. More on permission-aware RAG.
• Every action is auditable. Immutable logs of what an agent did, on whose behalf, and against which data, which is what examiners ask for and what the survey calls a baseline control.
• It runs in your environment. Credentials and data don't transit a shared public service, so the agent's identity and the data it touches stay inside your boundary.

Autonomy is coming to finance whether or not the controls are ready. The institutions that do well with it will be the ones that can answer, for any agent, a short list of questions: who is it acting for, what can it reach, and can you prove what it did. We built the platform so those answers are easy. For the language around what "agent" should and shouldn't mean, see agentic AI, defined.

Keith Kennedy, CISSP

Founder, Cognetryx

Keith is an IT thought leader with nearly 20 years of experience architecting secure technology solutions for regulated industries. He holds a CISSP certification and has advised enterprise companies on HIPAA, SEC/FINRA, and GDPR compliance.