ECB Urges Banks to Address AI Security Threats

This week, the European Central Bank (ECB) convened an urgent meeting with major financial institutions in the eurozone, highlighting the critical issue of artificial intelligence (AI) security. As the ECB oversees approximately 111 of the largest banks in the eurozone, the call to action reflects mounting concerns regarding the cyber risks posed by advanced AI systems.

The ECB has specifically raised alarms about the vulnerabilities associated with Anthropic’s Claude Mythos Preview and similar AI technologies. With the rapid evolution of AI capabilities, there is a growing fear that these systems can identify and exploit software vulnerabilities more quickly than banks can address them. This situation presents a perilous landscape for financial institutions, which are grappling with the integration of these powerful technologies while attempting to maintain robust security measures.

Sam Soares, Chief Risk Officer at CultureAI, emphasized the gravity of the situation. He articulated that the ECB’s emergency assembly serves as a stark reminder of a long-standing dilemma: financial institutions are adopting AI technologies at a pace that surpasses their ability to monitor and secure these innovations within their operations. Soares stated, “The ECB’s emergency meeting this week — where it plans to warn banks about risks tied to Anthropic’s Claude Mythos Preview and similar AI systems — is really just the latest sign of a problem that’s been building for a while.” He pointed out that the rapid adoption of AI technology has resulted in oversights regarding both awareness and governance within banks.

Recent findings from CultureAI, as detailed in their report titled “The State of Enterprise AI Usage: The Illusion of Control,” reinforce this cautionary stance. Their survey revealed that while 67% of financial service firms recognize the swift pace of AI adoption, an astounding 93% regard it as a top security concern leading into 2026. Moreover, a staggering 72% of these firms have already encountered instances of unauthorized or “shadow” AI usage within their organizations.

Soares elaborated on the issues of governance, remarking that the shortcomings seen in managing AI security are not exclusively due to governance failures. He noted, “It’s more a reflection of how AI spreads in practice. It’s decentralized, it moves fast, and it almost always gets ahead of the controls meant to contain it.” This rapid advancement of AI technologies creates unique challenges for financial institutions that are struggling to implement effective monitoring and security protocols.

The regulatory environment surrounding AI in the financial sector adds another layer of complexity to this issue. Darren Guccione, CEO and Co-Founder of Keeper Security, emphasized that the ECB’s meeting does not exist in isolation. He pointed out that the European Union’s Digital Operational Resilience Act (DORA), which came into effect in January 2025, imposes mandatory obligations on financial entities to manage Information and Communication Technology (ICT) risks, oversee third-party dependencies, and demonstrate operational resilience. Guccione stated, “This ECB intervention sits squarely within that framework.”

He further criticized banks that have treated DORA merely as a compliance task rather than a crucial opportunity to re-evaluate their security strategies. According to Guccione, every new AI implementation creates a Non-Human Identity (NHI) that necessitates privileged access. These non-human identities are often provisioned hastily, poorly governed, and seldom revoked with the same thoroughness as human accounts. “That is an unsustainable practice and a structural risk for any organization operating in a highly regulated sector such as banking and finance,” he warned.

Research from Keeper Security points to a pressing concern within the industry: 43% of respondents reported that managing AI-related NHI security constitutes a significant gap in AI governance. Among security professionals in the finance sector, 75% acknowledged the increasing difficulty of managing both human and non-human identities effectively.

Guccione raised an imperative question for the financial sector: if institutions struggle to manage existing identities within their environments, how can they adequately address the challenges posed by the incorporation of AI-driven automation at such vast scales?

This concern is echoed across various sectors and governments globally, not only in the financial services industry. For instance, the UK government recently issued a cautionary open letter to business leaders regarding a “new generation of AI models” that can rapidly discover software weaknesses, write code to exploit them, and execute such actions at speeds previously deemed impossible.

In conclusion, Soares asserted that mere governance policies are insufficient to mitigate AI-related risks. He called for financial institutions to establish continuous visibility and contextual enforcement to identify risks as AI technologies are woven into their core operational workflows. He declared, “AI governance needs to be treated as an ongoing operational discipline,” underscoring the need for a shift in approach toward integrating AI technologies securely and sustainably within the financial sector.
