
ECB Urges Banks to Tackle AI Security Threats
Key Takeaways
- ECB warns 111 eurozone banks on AI‑driven cyber risks
- 67% of financial firms report rapid AI adoption, 72% see shadow AI
- DORA obliges banks to manage ICT risk, including AI identities
- 43% cite AI‑related non‑human identity management as top gap
- Continuous visibility and contextual enforcement needed beyond static governance
Pulse Analysis
The ECB’s urgent summons underscores a growing regulatory focus on artificial‑intelligence security within finance. By highlighting Anthropic’s Claude Mythos Preview, the central bank signals that advanced language models can be weaponised to discover and exploit software vulnerabilities faster than traditional threat actors. This aligns with the EU’s Digital Operational Resilience Act, which now obliges banks to embed robust ICT risk controls—including the management of machine‑generated identities—into their core operations, shifting AI security from a compliance checkbox to a strategic imperative.
Recent research from CultureAI and Keeper Security paints a stark picture of the current landscape. While 67% of financial services firms report rapid AI rollout, a staggering 72% have already identified unauthorised or “shadow” AI deployments, indicating that governance is lagging behind adoption. Moreover, 43% of security professionals flag AI‑related non‑human identity (NHI) management as a top governance gap, and 75% admit that handling the surge of both human and machine accounts is at least moderately challenging. These findings reveal a systemic blind spot: as AI agents proliferate, they create privileged identities that are often provisioned hastily and revoked inconsistently, opening a vector for sophisticated attacks.
For banks, the message is clear: traditional security policies must evolve into continuous, context‑aware controls. Continuous visibility into AI workloads, automated risk scoring, and real‑time enforcement can mitigate the speed at which AI exploits emerge. Investing in AI‑specific governance frameworks, integrating NHI lifecycle management, and aligning with DORA’s resilience standards will not only satisfy regulators but also protect the integrity of financial markets against a new generation of AI‑powered threats. The industry’s ability to adapt now will define its resilience in the AI‑driven future.