Banks Must Limit AI to Read-Only Tasks in Cyber Operations, Security Teams Warn
Banks deploying artificial intelligence to fight cyberattacks are facing a critical choice: treat AI as a junior analyst that summarizes and gathers evidence, or risk creating new security incidents by giving it too much autonomy.
Security engineers at Exeter Finance and Tyson Foods presented their findings at the 2026 RSAC Conference, revealing that the gap between vendor promises and actual production results is substantial. They built an AI assistant for their security operations centers and learned quickly that autonomous decision-making breaks things.
The two engineers found that AI delivered measurable value in specific, constrained roles. When deployed to summarize alerts, stitch together evidence from multiple sources, and draft initial communications, the technology reduced mean time to detect threats by 36% and mean time to respond by 22%. False positives dropped 16 points, and analyst satisfaction improved over time.
The results came from using AI as a friction-removing tool, not as an autonomous responder. "If we asked the model to summarize, draft and link evidence, it made analysts faster," the engineers said. "If we asked it to make decisions or act on security alerts, it would create new incidents."
The Autonomy Problem
Evidence stitching (pulling together IP addresses, logs, browsing sessions and other artifacts from five to seven different tools) normally consumes hours of analyst time copying and pasting between systems. AI can compile this data automatically and suggest the next queries to run, freeing analysts to focus on actual threat analysis.
But when security teams grant AI systems the ability to execute actions without human approval, prompt injection attacks become a critical vulnerability. Attackers can hide malicious commands in support tickets, system logs, or pasted text. If the AI model ingests this untrusted data, an attacker can manipulate its output or force it to take unauthorized actions.
The New York State Department of Financial Services warned in October 2024 that attackers can use AI to "conduct reconnaissance to determine how best to deploy malware and access and exfiltrate" sensitive information. The G7 Cyber Expert Group similarly cautioned in September 2025 that prompt injection could allow attackers to "manipulate outputs or retrieve sensitive information."
How to Contain the Risk
The Exeter and Tyson security teams operated under a "no gate, no action" policy. Systems remained read-only by default. Any responsive action required human analysts to approve it first, a human-in-the-loop control that prevents the AI from creating new incidents.
They also required the model to support every claim with specific evidence, enforcing a "no citations, no trust" mandate. This ensures auditability and builds analyst confidence in the system's output.
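A sketch of how the two rules above could be enforced in code, added here as an illustration and not taken from the engineers' system. The tool names, evidence IDs and model output are constructed assumptions; approvals are bound to a hash of the exact action so that an approval for one target cannot be reused for another.

```python
import hashlib
import json

READ_ONLY_ACTIONS = {"query_logs", "lookup_ip", "fetch_ticket"}  # assumed tool names

def action_digest(action: dict) -> str:
    """Stable hash of an action so an approval binds to exactly one request."""
    return hashlib.sha256(json.dumps(action, sort_keys=True).encode()).hexdigest()

def review(model_output: dict, evidence_ids: set, approvals: dict) -> dict:
    """Split untrusted model output into what may be shown or run and what is held.

    approvals maps action_digest -> analyst name, recorded outside the model.
    """
    result = {"trusted_claims": [], "rejected_claims": [], "run": [], "held": []}
    for claim in model_output.get("claims", []):
        cited = claim.get("evidence", [])
        # No citations, no trust: every cited id must exist in collected evidence.
        if cited and all(e in evidence_ids for e in cited):
            result["trusted_claims"].append(claim["text"])
        else:
            result["rejected_claims"].append(claim["text"])
    for action in model_output.get("actions", []):
        # No gate, no action: anything not read-only needs a matching approval.
        if action.get("name") in READ_ONLY_ACTIONS or action_digest(action) in approvals:
            result["run"].append(action)
        else:
            result["held"].append(action)
    return result

# Constructed sample: evidence gathered by read-only tools, and a model reply.
EVIDENCE = {"fw-1041", "edr-88", "proxy-7"}
MODEL_OUTPUT = {
    "claims": [
        {"text": "Host contacted a flagged IP", "evidence": ["fw-1041", "proxy-7"]},
        {"text": "Account is compromised", "evidence": []},
        {"text": "Malware was executed", "evidence": ["edr-999"]},
    ],
    "actions": [
        {"name": "query_logs", "target": "host-22"},
        {"name": "disable_account", "target": "jdoe"},
    ],
}

if __name__ == "__main__":
    disable = MODEL_OUTPUT["actions"][1]
    print(review(MODEL_OUTPUT, EVIDENCE, approvals={}))
    print(review(MODEL_OUTPUT, EVIDENCE, {action_digest(disable): "analyst-a"}))
```

Without an approval record the account-disable request is held while the log query runs; the uncited claim and the claim citing an evidence ID that was never collected are both rejected.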
Beyond these operational controls, the engineers ran continuous adversarial testing and simulated attacks (red-teaming) to validate the system's access boundaries. The Open Worldwide Application Security Project recommends this approach: organizations should regularly conduct simulated attacks that treat the model as an untrusted user.
Gupta also suggested operating AI systems like production software, using continuous evaluations and version controls to prevent degradation over time.
The Bottom Line
Financial institutions already use AI for back-office optimization and phishing detection through natural language processing. The difference is scope: these applications automate data-heavy processes so human investigators can focus on higher-risk activities.
The same principle applies to security operations centers. AI works when it removes repetitive work and surfaces evidence for human judgment. It fails when it makes decisions or executes actions without oversight.
"Make the model prove its work, and make humans own the decision," the engineers concluded.