This week the European Central Bank (ECB), which supervises about 111 of the eurozone’s largest banks, convened an urgent meeting with major lenders to accelerate efforts around AI security and urge caution on the cyber risks of AI.
Officials have warned banks specifically about the risks linked to Anthropic’s Claude Mythos Preview and similar systems, amid growing concern that AI can now identify and exploit software flaws faster than institutions can patch them.
Sam Soares, CRO of CultureAI, said: “The ECB’s emergency meeting this week — where it plans to warn banks about risks tied to Anthropic’s Claude Mythos Preview and similar AI systems — is really just the latest sign of a problem that’s been building for a while. Financial institutions are adopting AI faster than they can actually track what’s running inside their own organisations, let alone secure it.”
CultureAI’s own recent findings, published as part of its report The State of Enterprise AI Usage: The Illusion of Control, back this up: 67% of financial services firms say AI adoption is moving rapidly, 93% list it as a top security priority going into 2026, and yet 72% have already found cases of unauthorised or “shadow” AI use within their own walls.
“I don’t think that’s purely a governance failure — it’s more a reflection of how AI spreads in practice. It’s decentralised, it moves fast, and it almost always gets ahead of the controls meant to contain it,” Soares continues.
On the regulatory climate surrounding this meeting, Darren Guccione, CEO and Co-Founder of Keeper Security, added: “This meeting is not happening within a regulatory vacuum. The EU’s Digital Operational Resilience Act (DORA) came into full effect in January 2025, placing binding obligations on financial entities to manage Information and Communication Technology (ICT) risk, govern third-party dependencies and demonstrate operational resilience. This ECB intervention sits squarely within that framework. Banks that have treated DORA as a compliance checklist up to this point, rather than a structural prompt to rethink their security posture, are now facing a second, harder signal from their regulator.”
Guccione continues: “Every AI agent, automated workflow and machine account introduced creates a Non-Human Identity (NHI) that requires privileged access to function. Those identities are often provisioned quickly, governed poorly and rarely revoked with the same rigour applied to human accounts. That is an unsustainable practice and a structural risk for any organisation operating in a highly regulated sector such as banking and finance.”
According to Keeper’s research, 43% of respondents identified AI-related NHI management and security as a top AI governance gap. Among finance sector security professionals, 75% reported finding the management of growing numbers of identities — human and non-human — at least moderately challenging.
Guccione continues: “That raises a pressing question: if financial institutions cannot effectively govern the identities already in their environment, how will they effectively handle the addition of AI-driven automation at the current scale of deployment?”
This is a question that many governments and sectors are asking, not just financial services. The UK government, for example, recently released an open letter to business leaders cautioning about a “new generation of AI models [that] are becoming capable of doing work that previously required rare expertise: finding weaknesses in software, writing the code to exploit them, and doing so at a speed and scale that would have been impossible even a year ago.”
To conclude, Soares says: “Governance policies alone are no longer enough to manage AI threats. Financial institutions need continuous visibility, contextual enforcement and the ability to identify risk as AI becomes embedded into core workflows. AI governance needs to be treated as an ongoing operational discipline.”

