Aller au contenu
NeoXamAgents

Are AI agents safe for banks and asset managers?

AI agents are safe in finance only when the platform constrains what they can see and do: identity, tool policies, tenant isolation, vaults, audit. A CISO's guide.

7 min read

The short answer

AI agents are safe for banks and asset managers only when they run on infrastructure that strictly constrains what they can see and do — declared tools, scoped credentials, isolated tenants, bounded execution, recorded approvals and complete audit. The model is the least controllable component in the stack, so a securable design assumes the model can be wrong or manipulated and makes the blast radius small and observable.

Framed that way, the question shifts from "is the AI safe?" to "is the platform around the AI securable?" — a question security teams already know how to evaluate. Agents are privileged automation: software acting on systems with credentials. Financial institutions have run privileged automation for decades; what is new is non-determinism in the middle, and the controls that answer it.

The actual risk surface

Security reviews of agentic systems converge on a handful of concrete risks — most of them about the surroundings, not the model weights:

  • Ungoverned tool access — an agent wired directly to databases or APIs with broad permissions; one bad reasoning step becomes a data exfiltration or an unwanted write.
  • Prompt injection — malicious instructions hidden in content the agent reads (documents, emails, web pages, even data fields) that redirect its behavior.
  • Credential sprawl — API keys embedded in prompts, code or configuration, visible to the model and to logs.
  • Data leakage into telemetry — prompts and completions containing client data landing in logging and monitoring systems with weaker access controls.
  • Shadow agents — undeclared scripts and bots built by enthusiastic teams, invisible to security until an incident surfaces them.
  • Tenant bleed — in multi-client platforms, insufficient isolation letting one tenant's agent touch another's data.
  • Unbounded execution — runaway loops consuming budget, hammering internal systems, or retrying destructive actions.

The security model that answers it

Each risk has a structural countermeasure, and together they describe what a securable agent platform looks like. Capabilities are explicit: every agent is declared in a versioned registry with its tools, permissions and schemas, and nothing undeclared can run — which converts shadow AI from a discovery problem into an impossibility. Tools are least-privilege: agents call narrow, schema-typed interfaces (increasingly MCP-based) rather than raw systems, each gated by allow/ask/deny policy, with consequential actions pausing for recorded human approval.

Identity and secrets follow enterprise practice: agent invocations authenticate with verified tokens under the institution's identity provider; credentials live only in scoped vaults, injected at call time, never present in prompts, descriptors, code or traces — a property that should be contract-tested, not asserted. Isolation is layered: per-tenant separation enforced in the data layer (row-level security or stronger), per-workspace credential scopes, per-tenant rate limits and quotas. Execution is bounded: hard ceilings on duration, tool calls and tokens per run, with cancellation. And everything is observable: per-step traces and an append-only audit log make any run reconstructible — with redaction guarantees so the observability itself does not become the leak.

Design assumption worth writing down: the model will occasionally be wrong, and may occasionally be manipulated. Security comes from what a wrong or manipulated agent is physically able to do — which should be: little, slowly, observably, and reversibly.

Prompt injection deserves its own paragraph

Prompt injection — adversarial instructions embedded in content the agent processes — is the attack class most specific to LLM systems, and no current technique eliminates it at the model layer. Mature deployments therefore manage it architecturally: agents read from curated, declared sources rather than the open web; retrieved content is treated as data, not instructions, wherever the harness allows; tool permissions are scoped so a hijacked agent still cannot reach beyond its narrow declared surface; consequential actions sit behind approval gates; and output schemas reject results that do not match the expected shape.

The honest posture for financial institutions: assume injection attempts will eventually reach any agent that reads externally influenced content, and design so the worst realistic outcome is a wasted, fully logged run — not a data exfiltration or an unauthorized action.

Questions CISOs should ask any agent vendor

A practical diligence list, usable in RFPs and security reviews:

  • Can you enumerate every agent, tool and permission from one source of truth — and prove nothing outside it can execute?
  • How are credentials stored and injected? Show the control that keeps secrets out of prompts, logs and traces — is it contract-tested?
  • What exactly does the LLM provider receive, where is it processed, and is client data used for training? (The answer should be a documented data flow, and no.)
  • How is tenant isolation enforced — at the database layer or in application code? What did your last isolation test find?
  • Which actions can agents take without human approval, and is that grading a policy we control?
  • What are the per-run execution bounds, and what happens when they are hit?
  • Can we replay any historical run — version, tool calls, data touched — and what is the audit retention?
  • Which third-party tools can agents reach, and what review gates an addition to that registry?
  • What is your model-failure and injection incident-response playbook?

The verdict

Whether agents are safe is a property of the deployment, not the technology — and both answers exist in the market today. Ungoverned agents wired broadly into financial systems are an incident in waiting. Governed agents on a constrained, observable, approval-gated runtime are arguably easier to secure than the human-driven swivel-chair processes they assist, because every step is typed, policy-checked and logged at a granularity manual work never was. The security organization's job is to make sure only the second kind exists in the building.

FAQ

Frequently asked questions

Can an AI agent leak our data to the model provider?

Data sent for inference necessarily reaches the model endpoint, so the controls are contractual and architectural: enterprise terms excluding training on your data, regional processing commitments, minimal context assembly (the agent retrieves only what the task needs), and deployment options that keep inference within approved boundaries. Ask vendors for the documented data flow.

Is prompt injection a solved problem?

No. It is mitigated, not eliminated — through curated input sources, least-privilege tools, approval gates on consequential actions, schema-validated outputs and full tracing. Treat any vendor claiming immunity as a red flag; ask instead what a successfully injected agent could actually do in their architecture.

Do AI agents increase or reduce audit risk?

Well-governed agents typically reduce it: every run carries a version, ordered tool calls, inputs, outputs and approvals in an append-only log — evidence at a granularity manual processes never produced. The risk concentrates in ungoverned deployments, where none of that record exists.

Should agents run in our tenant or the vendor's cloud?

It depends on your residency and sovereignty constraints. The questions that matter: where inference, traces and audit data live; whether observability can be self-hosted; whether the platform can deploy into your environment; and what jurisdiction governs each component. Stronger platforms make these deployment choices configuration, not re-architecture.

How do agents interact with our existing IAM?

Production-grade platforms authenticate every invocation against your identity provider (OIDC SSO), apply per-agent role gating, and use dedicated rotated service accounts for system-to-system calls — so agent access reviews fold into the access-governance process you already run.

In NeoXam Agents

The NeoXam Agents security posture

NeoXam Agents is built to pass the review this article describes. Nothing undeclared can run: every agent, tool and permission lives in a Git-governed catalog. Tenant isolation is enforced as row-level security in the database; every API call carries a verified JWT; per-run signed tokens gate each tool call; credentials live in workspace-scoped vaults and never appear in prompts, logs or traces — guaranteed by automated contract tests. Runs carry hard budgets and are cancellable, and an append-only audit log designed for 7-year retention makes every run reconstructible. Enterprise OIDC SSO and human-in-the-loop approvals arrive in Beta.