
What To Know Before Agentic AI Starts Driving Security and Fraud Workflows

The essential guardrails for safe AI deployment in financial services.

Last year, financial services boardrooms were still parsing the difference between generative AI (which they’re actively piloting) and its more autonomous sibling, agentic AI, which remains a tougher sell. Generative models are already demonstrating their value, helping us redefine how we operate, not just in cybersecurity but also across information management, network operations, and business processes. GenAI has assisted us with everything from optimizing our workforce with targeted training (like the Splunk SPL Assistant) to streamlining governance, risk, and compliance (GRC) reporting. While it is widely used in cybersecurity investigations, it has also assisted us in hunts on our networks as we strive to automate the known from the unknown and be more proactive than reactive.

 

Although generative AI has been such a huge help, the industry never stops innovating. We are now starting to leverage GenAI’s little brother, agentic AI, to do more with less, speed up the workforce and cybersecurity outcomes, and drive even more value for our businesses. But with this drive, questions arise: Would I allow autonomous actions on my network without human involvement? How can we put autonomous, agentic AI to work without letting its autonomy outrun the rulebook? Underneath that lies the deeper issue of trust: At what level can I trust agentic AI in my organization, and how do I establish the right lines of defense before allowing autonomous systems to act on their own?

 

When I talk through these challenges and questions with industry leaders and the C-suite, I tend to use a family metaphor. Think of us as the adults in the room who have been there, done that, and gotten the t-shirt. Then, think of generative AI as a responsible teenager who is learning a lot and thinks it knows everything, but struggles with context. It reads fast, writes mostly clearly, and, once prompts and outputs are logged, follows the house rules to the best of its ability (until it gets the keys to the house for the first time while mom and dad go on vacation).

 

In this scenario, the first‑gen agentic model down the hall is the little brother who tries to do good, but sometimes shows his independence in ways we don’t anticipate. While his older sister is a rule follower, he is a rule maker and problem solver who can act without his parents’ approval. Both GenAI and agentic AI think they know more than us (because well, they’re teenagers), but they are still learning and adapting to the rules of this world.

 

In practice, generative and agentic AI are still young. They are full of knowledge, but they lack the context, judgment, and organizational awareness to act responsibly. Only life experience can bring them that age and wisdom. They may appear confident while missing the larger architecture, business ecosystem, or overall risk picture because they are still relatively new in the space, but they still want to be helpful.

 

So ask yourself: Do you trust your teenagers alone at home with the keys to the house, the brand-new car, and unsupervised access to your finances while you take a much-needed vacation? It’s a simple question every parent one day has to ask themselves, and it applies just as much to our business as it does to our family. This is especially true as we move more and more into the autonomy of technology like agentic AI. Often, we understand our kids and trust their behavior based on experience — but with generative and agentic, it's like suddenly having two fully formed teenagers we barely know. We're still figuring out how to integrate them into our home and whether we can trust them when we're not watching.

 


 

Technology is sprinting. Governance is jogging.

Splunk’s State of Security 2024 highlights a gap — 34% of financial services firms still have no formal GenAI policy, 45% name data leakage as their top AI risk, and 77% expect that risk to climb as GenAI spreads across business lines. Projects often begin in a single department while security, legal, and compliance teams are still reviewing the plan. As usual, technology advances while policy struggles to keep up.

 

Regulators are closing that distance. In the U.S., supervisors direct banks to the Federal Reserve and OCC’s SR 11‑7 model‑risk guidance, indicating that large‑language models fall squarely under its validation, documentation, and board‑oversight requirements. Across the Atlantic, the EU AI Act places credit‑scoring and fraud‑monitoring systems in its high‑risk tier, activating strict data‑governance controls, human oversight, transparency reports, and incident logging.

 

In practice, most financial institutions already have a generative model in production and an agentic roadmap and pilot (hopefully) in a safe zone. The real work now is giving those teenagers the supervision, telemetry, and least‑privilege access they need to become trusted helpers in our organization, without risking a potentially disastrous misstep along the way. One practical approach is to align agentic capabilities to a threat framework like MITRE ATT&CK, or a control framework like NIST CSF. This helps teams map specific Tier‑1 tasks and controls, such as initial triage or testing of controls, to techniques where AI can assist effectively. Which techniques and controls to prioritize depends on the specific vertical, business outcomes, or current threat landscape. For example, a retail bank might focus on fraud signal correlation, while a capital markets firm may emphasize identity and access anomalies. Matching agentic support to clearly defined outcomes, lower-risk techniques, and a solid control plane keeps the model useful while keeping guardrails up and parenting oversight in place.

 

Huntington Bank offers an example of how to leverage AI. In an American Banker interview, CFO Zach Wasserman described a generative co‑pilot that scans the entire policy library, flags outdated language, and routes revisions to the right owners, returning hours to staff and providing a clean audit trail for regulators. That success reveals the prize. In this case they have used a combination of generative and agentic AI to keep pace with GRC. They’ve kept the human in the loop by routing the outcome to the right data owners while streamlining the GRC requirements for the regulators. They trained their AI to act as responsible teenagers that have gained trust over time and learned the needs of the bank (family) first. Much of that early progress was shaped by former Huntington executive John Petty (one of the best AI guys around, and a friend of mine who taught me a lot about AI). His work helped define the bank’s AI trajectory. Huntington has since backed Petty’s new AI venture, an example of how leveraging AI the right way and having the right person in place can not only streamline business outcomes but evolve into an entirely new line of business.

 

Three guardrails that keep pace with AI

So, what keeps that bright-but-still-unpredictable teenager from becoming tomorrow’s incident report? In my work (not only with financial institutions but across all verticals, public and private), building a strong foundation is essential. Start with a clear vision of what you want to accomplish and the outcomes that you want to achieve. Then, develop an end-to-end data strategy that ties data to outcomes, maps data owners and business owners to those outcomes, incorporates the right stakeholders, and leverages a strong least-privilege model like the Zero Trust framework for every control and outcome. Finally, be tactical, selective, and demanding when choosing the right AI to meet those outcomes and requirements. Before deployment, ensure governance, risk, and compliance (GRC) requirements are fully integrated, covering people, process, and technology end-to-end. Remember: at all times, we are trying to reduce risk, not increase risk. AI is not an EDR solution. It is an end-to-end data framework with a crazy amount of access to your critical systems and ecosystem. Go back to the teenager analogy: Teenagers can be trusted, but we trust and verify over time to build that trust.

 

Once that foundation is established, the following three guardrails help keep AI deployments aligned and secure:

 

Policy before code

Start with a strong policy-first approach. Outline which outcomes you are seeking per business unit and organization chart (a helpful guide is NIST’s AI Risk‑Management Framework 1.0) and keep it in a sandbox before deployment. Remember — though engineers and analysts will use the AI in their daily lives, only the executives at the company can own the risk to the organization. When writing your policy, make sure you do the following:

 

  • Have a clear vision on what you want to accomplish with AI. One AI does not rule them all.
  • Document what data the model may access (privacy is a modern-day requirement) and ensure the appropriate authority signs off on it.
  • Define who gets to see what and when. Role-based permissions are foundational.
  • Specify who can change or retrain the model. Remember, AI is learning and evolving all the time. We don’t allow just anyone to raise our kids. Only those with proven trust are allowed that much influence, and we always trust but verify.
  • Establish clear guardrails for what AI can and cannot do without human supervision.
  • Know the ingress, egress, and lateral data movement, especially around your business-critical systems, IT operations, and production networks. (Segmentation is a baseline practice; we already do this with all data, or at least we should.)
  • Have a plan for how to shut it off in an emergency to enable rapid risk containment.

 

Contain data leakage early

Data leakage remains a top fear on CISO surveys, and for good reason. Some AI models have all-access to data that is not governed by RBA (role-based authentication). From day one, you should begin with a clear vision, defined goals, and robust policy enforcement. Ensure that as the model evolves to meet your requirements, role-based authentication is implemented at every step. Remember that data leakage can result from both malicious and non-malicious acts, and either can be catastrophic for an organization.

 

Practical containment starts with least privilege, whereby prompts are treated like high‑risk APIs, and models see only masked or tokenized columns. Retrieval‑augmented generation (RAG) adds a second layer. The LLM pulls sensitive facts from a private vector store at inference time, but the store never leaves your perimeter. Some banks go further and add row‑level encryption so that retrieval keys, not raw values, flow through memory. Every request and every response travels the same telemetry pipeline as firewall logs do. A prompt that includes account information should trigger the same high‑severity alert as a privileged login. Auto‑redaction and automatic PII detectors are worth the minor latency trade‑off. They turn “please don’t copy data” into “data physically cannot leave.” If we want AI to work at machine speed, we need to train it to do that very thing the right way. It will build on success.
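As an added illustration of the auto-redaction and alerting idea above (this is not code from Splunk or from the article), the Python sketch below screens a prompt or response, swaps detected card numbers and SSNs for keyed tokens, and builds a telemetry event whose severity rises to high when sensitive data is found. The detectors, the `screen_text` and `token_for` names, the demo key, and the event fields are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import re

# Assumed demo key; in practice load it from a secrets manager.
TOKEN_KEY = b"constructed-demo-key"
# Illustrative detectors only (payment card, US SSN); real deployments need broader coverage.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order or ticket numbers are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def token_for(kind: str, value: str) -> str:
    """Keyed, stable placeholder: correlatable in logs, not reversible without the key."""
    mac = hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]
    return f"<{kind}:{mac}>"


def screen_text(user: str, direction: str, text: str) -> tuple[str, dict]:
    """Redact PII from a prompt or response and build the telemetry event for it."""
    findings = []

    def card(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()  # long digit run, but not a valid card number
        findings.append("card_number")
        return token_for("CARD", digits)

    def ssn(m: re.Match) -> str:
        findings.append("ssn")
        return token_for("SSN", m.group())

    redacted = CARD_RE.sub(card, SSN_RE.sub(ssn, text))
    event = {"user": user, "direction": direction, "findings": findings,
             "severity": "high" if findings else "info"}
    return redacted, event


if __name__ == "__main__":
    # Constructed sample prompt using a well-known test card number.
    out, evt = screen_text("analyst1", "prompt",
                           "Why was card 4111 1111 1111 1111 declined?")
    print(out)
    print(json.dumps(evt))  # ship this event down the same pipeline as other security logs
```

Only the redacted text should be forwarded to the model, and the same function can be applied to model responses on the way back.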

 

End-to-end visibility

A friend once told me, “Tony, you will not catch everything. It is just not possible with the emerging threats. But we can see everything because we control the ingress, egress, and lateral movement. No matter the exploit, they have to go through these three pillars — so focus there and tie your controls to what is important.”

 

AI is no different. AI is evolving faster than we all anticipated, and that teenager has thought it was an adult since day one. As we build out AI to solve many of our problems at machine speed, we need to know at all times the who, what, where, when, and why of what it did. AI, whether generative or agentic, can be our best friend and a strong addition to any team. But we should never forget it is a learning machine, and just like any overachieving teenager, it will make mistakes along the way. Nothing is perfect, and like some of my DEFCON friends say, “if you can make it, we can break it.”

 

Understanding the 5 W’s of your data AI strategy is instrumental to a solid outcome. Look at Huntington Bank as an example: It had clear goals and objectives before the first implementation. Yes, as the priorities changed, they changed with them. But they continued to be motivated by the shared, agreed-upon vision and implementation from the beginning. That’s what led to their successful deployment.

 

The future is now

Generative AI is already delivering returns, and more autonomous agentic models are next in line. Pandora has opened the box. We are all now enjoying the fruits of her labor. But as we approach our AI goals, we should always trust but validate. My challenge to you all is to drive vendors to do more, but hold them accountable for the work they do. Challenge business leaders when they say “we need AI,” by asking, “What exactly do you need it to do?”

 

Demand that stakeholders become part of the program. They can’t be the bystanders in the neighborhood who watch your kids burn down your house, shake their heads and say, “I told them.” Drive accountability, keep to your vision of outcomes, know when to use automation, and use AI to address risk first — not last — after deployment. For the last 10 years, people have said they’re going to automate the SOC, but still haven’t done it. AI will help us, but like any teenager on their first day of work, we need to train it and make sure we know its left and right limits.

 

We should hold AI accountable just like we would hold our kids accountable if they burned down our house or wrecked our brand new car. AI, whether generative or agentic, is here to stay. But that does not mean we should give it the keys on day one.

 

 

 
