Financial Services Just Became the Test Case for Whether AI Governance Is Real
Key Takeaways
- High Breach Costs in Finance. The average cost of a financial-sector data breach reached $5.56 million per incident in 2025, second-highest among industries.
- Financial Motives Dominate Incidents. Roughly 90% of breaches against banks and insurers carried a financial motive, split between data theft and ransomware.
- Shadow AI Drives Data Loss. Unsanctioned AI tools accounted for 20% of AI-related breaches, fueled by a wide gap between employee adoption and governance controls.
- Deepfakes and Third-Party Risks Rise. Deepfake attacks hit 59% of organizations while supply-chain compromises create long disclosure lags and new attack paths.
Every industry will eventually be forced to answer for its AI governance posture. Financial services is answering now. The sector handles the data attackers want most, operates under the tightest regulatory stack, and has been the fastest to deploy AI across customer-facing and back-office operations.
The Financial Sector Is Where AI Governance Succeeds or Fails First
A new financial-sector threat report quantifies where that combination is currently landing. Financially motivated attacks continued to drive the bulk of cyber incidents against banks, insurers, and payment processors in 2025. Roughly 90% of breaches carried a financial motive — data breaches accounted for about 64% and ransomware for 36%. The average cost of a financial-sector data breach reached $5.56 million per incident, placing finance second-highest among industries.
Personal data appeared in 54% of compromised records. Internal organizational data accounted for 35%. Credentials made up 22%. None of this is new. What’s new is the role AI now plays in how attacks reach regulated data — and how the data leaves when defenses fail.
5 Key Takeaways
1. Financial services is now the second-most expensive breach category in the economy.
The average cost of a financial-sector data breach hit $5.56 million per incident in 2025. Personal data appeared in 54% of compromised records, credentials in 22%, and internal business data in 35%. The sector handles the data attackers want most, operates under the tightest regulatory stack, and has been fastest to deploy AI — making it the test case where AI governance succeeds or fails first.
2. Financial motives drive 90% of incidents.
Approximately 90% of breaches affecting banks, insurers, and payment processors carried a financial motive — 64% data breaches and 36% ransomware. The sector’s concentration of financial records (90% of organizations), payment card data (83%), and credentials (79%) makes it structurally overrepresented in attacker targeting. The IBM Cost of a Data Breach Report 2025 puts the per-incident cost at $5.56 million — second highest of any industry.
3. Shadow AI is now a primary risk driver.
Roughly 20% of AI-related breaches in 2025 traced back to shadow AI — unsanctioned AI tools used outside governance programs. 92% of organizations say GenAI changed how employees share information, yet only 13% have integrated AI into their security strategy. That 92-to-13 ratio is the data loss gap shadow AI creates: behavior has changed at the employee level; AI governance has not changed at the institutional level.
4. Deepfake-driven fraud is the new wire transfer scam.
59% of organizations have seen deepfake attacks, and 97% report some form of harm from AI-generated false information. The 2026 Thales Data Threat Report documents 77% of respondents seeing increased cyber-enabled fraud. Voice authentication, video-based KYC, and document authentication were built on assumptions deepfakes have invalidated — and financial services is the sector where deepfake fraud delivers the highest per-attack payoff.
5. Third-party risk is the unpaid bill.
Supply chain compromises through vendors touching transactional data are rising alongside shadow AI and deepfake fraud. The Black Kite 2026 Third-Party Breach Report documented a 73-day median disclosure lag and 26,000 unnamed affected companies in 2025. Every third-party integration — analytics SaaS, fraud detection partner, outsourced processor — is now a candidate for vendor governance review, not just a contracting exercise.
Shadow AI Is the Financial Sector’s Fastest-Growing Blind Spot
Shadow AI is behaving in financial services exactly as shadow IT did a decade ago. It starts as productivity experimentation, scales through peer adoption, and becomes a data exfiltration channel before security teams know it’s there.
The sector’s exposure is structural. Fraud detection teams use AI to correlate transaction patterns. Customer service teams use AI to draft responses. Analytics teams use AI to generate summaries. Each use case is defensible in isolation. Aggregated across thousands of employees and dozens of workflows, the result is an unmonitored flow of sensitive financial data into third-party AI services.
According to the DTEX 2026 Insider Threat Report, shadow AI is now the top driver of negligent insider incidents — named ahead of unmonitored file sharing and personal webmail. 92% of organizations say generative AI has fundamentally changed how employees access and share information, yet only 13% have formally integrated AI into their business strategies. That gap — 92% to 13% — is the shadow AI problem in one ratio. Behavior has changed at the employee level. Governance has not changed at the institutional level.
The financial impact is measurable. The IBM Cost of a Data Breach Report 2025 found that shadow AI adds approximately $670,000 to the average breach cost, and 97% of organizations reporting an AI-related breach lacked proper AI access controls. The financial-sector report pegs shadow AI as roughly 20% of AI-related breaches overall — and financial services is consistently above the aggregate on AI adoption.
Deepfakes Are Defeating the Controls Banks Built Decades Ago
Voice cloning, synthetic video, and AI-forged documents are now operational tools in attacker arsenals — not research demonstrations.
The 2026 Thales Data Threat Report reports that 59% of organizations have seen deepfake attacks, and 97% have experienced some form of organizational harm from AI-generated false information, including business email compromise and brand impersonation. The WEF Global Cybersecurity Outlook 2026 documents 77% of respondents reporting an increase in cyber-enabled fraud, with phishing, payment fraud, and identity theft as the top three categories.
The sector’s high-value transaction controls — voice verification, video-based KYC, document authentication — were built on assumptions that deepfakes have invalidated. Voice authentication assumed the attacker couldn’t produce the customer’s voice on demand. Video-based identity verification assumed visual inspection could catch forgeries. Document authentication assumed synthetic documents would have detectable artifacts. AI is making those artifacts disappear — and financial services is the target set where deepfake fraud delivers the highest per-attack payoff.
Supply Chain Compromise Is the Quiet Third Vector
The Black Kite 2026 Third-Party Breach Report documented 136 verified third-party breach events, 719 named victims, and approximately 26,000 unnamed affected companies in 2025. The median disclosure lag was 73 days — meaning by the time the primary organization learns a vendor was breached, attackers have had over two months inside the data supply chain.
The Vercel incident disclosed on April 21, 2026 illustrates the pattern precisely. An employee used a third-party AI productivity tool that was compromised. The attacker pivoted from the tool into Vercel’s internal systems through the access the employee had granted. Financial services is full of these integration paths — every analytics SaaS, every fraud detection partner, every outsourced service provider is a potential attack pivot in the bank’s environment.
The CrowdStrike 2026 Global Threat Report documented that adversaries are systematically compromising software vendors, update pipelines, and SaaS-side integrations to reach customer data through trusted channels. For financial services, the implication is that third-party risk management is now a data governance discipline — not just a contracting exercise.
Why Financial Services’ Regulatory Stack Is Both a Burden and an Advantage
The Kiteworks 2025 Data Forms Report found that financial services organizations operate under one of the most stringent compliance stacks: 98% must comply with GDPR, 90% with PCI DSS, 62% with CCPA/CPRA, 52% with SOX, and 41% with state-level privacy laws.
The regulatory density is a burden — it drives compliance costs and audit overhead. But it’s also an advantage in the AI governance conversation, because every existing financial-services regulation already specifies requirements for data access controls, audit trails, encryption, and minimum-necessary access. None contain an exemption for AI agents, shadow AI, or deepfake-enabled fraud.
The compliance framework is already written. What’s missing is the control architecture that operationalizes it for AI-era data exchange. According to the Kiteworks 2026 Forecast Report, 63% of organizations can’t enforce purpose limitations on AI agents and 60% can’t terminate a misbehaving agent. In the financial sector, that gap translates directly to regulatory exposure under GDPR Article 32, PCI DSS Requirement 7, and SOX internal controls.
The Kiteworks Approach: Governed Data Exchange for Financial Services
The Kiteworks Private Data Network addresses the three vectors reshaping financial cyber risk through a data-layer governance architecture that maps to existing financial-services regulatory obligations.
Shadow AI containment through governed access. AI interactions with regulated financial data flow through the Kiteworks AI Data Gateway, which enforces attribute-based access policy at the point of data retrieval. Employees using unsanctioned AI tools face a structural choice: work with data the organization has classified as approved for AI use, or work without it. Data egress to arbitrary AI services is architecturally prevented rather than policy-prohibited.
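The paragraph above describes enforcing an attribute-based access policy at the point of retrieval, so that data reaches only sanctioned AI consumers for declared purposes. The block below is an added illustration of that pattern, not Kiteworks code and not a description of the AI Data Gateway's implementation: the policy tables, classification labels, consumer names and asset identifiers are all constructed for the example, and a real deployment would load them from the organization's data catalog and policy store. It shows the deny-by-default decision, the four attribute checks (sanctioned consumer, permitted purpose, asset cleared for AI use, role cleared for the classification), and an audit record written for every decision, allowed or denied.

```python
"""Attribute-based gate on data retrieval for AI consumers (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataAsset:
    asset_id: str
    classification: str   # constructed labels: "public", "internal", "confidential", "pci"
    ai_approved: bool     # set by the data owner when the asset is cleared for AI processing
    content: str


@dataclass(frozen=True)
class RetrievalRequest:
    user: str
    role: str
    consumer: str         # the AI service that will receive the data
    purpose: str          # purpose declared by the caller for this retrieval


# Constructed policy tables (hypothetical names, not any product's configuration).
# Which AI consumers are sanctioned, and for which purposes each may receive data.
SANCTIONED_CONSUMERS = {
    "fraud-triage-llm": {"fraud_triage"},
    "support-draft-assistant": {"customer_reply"},
}
# Which classifications each role may feed to a sanctioned consumer.
ROLE_CLEARANCE = {
    "fraud_analyst": {"public", "internal", "confidential", "pci"},
    "support_agent": {"public", "internal"},
}


def decide(asset, request):
    """Deny by default; return (allowed, reason) after checking every attribute."""
    purposes = SANCTIONED_CONSUMERS.get(request.consumer)
    if purposes is None:
        return False, "consumer is not a sanctioned AI service"
    if request.purpose not in purposes:
        return False, "purpose not permitted for this consumer"
    if not asset.ai_approved:
        return False, "asset not approved for AI processing"
    if asset.classification not in ROLE_CLEARANCE.get(request.role, set()):
        return False, "role not cleared for this classification"
    return True, "all attribute checks passed"


def retrieve(asset, request, audit_log):
    """Gate the retrieval and record the decision either way; return content or None."""
    allowed, reason = decide(asset, request)
    audit_log.append({
        "user": request.user,
        "asset": asset.asset_id,
        "consumer": request.consumer,
        "purpose": request.purpose,
        "allowed": allowed,
        "reason": reason,
    })
    return asset.content if allowed else None


# Constructed assets for a stand-alone run.
CARD_BATCH = DataAsset("txn-batch-0422", "pci", True, "<tokenized transaction rows>")
DRAFT_MEMO = DataAsset("memo-17", "internal", False, "<unreleased pricing memo>")


def demo():
    """Run four retrievals; only the first satisfies every attribute check."""
    audit = []
    results = [
        # fraud analyst, sanctioned consumer, permitted purpose, cleared asset -> allowed
        retrieve(CARD_BATCH, RetrievalRequest("alice", "fraud_analyst", "fraud-triage-llm", "fraud_triage"), audit),
        # support agent is not cleared for "pci" -> denied
        retrieve(CARD_BATCH, RetrievalRequest("bob", "support_agent", "support-draft-assistant", "customer_reply"), audit),
        # asset owner has not approved the memo for AI processing -> denied
        retrieve(DRAFT_MEMO, RetrievalRequest("alice", "fraud_analyst", "fraud-triage-llm", "fraud_triage"), audit),
        # unsanctioned consumer, regardless of role or asset -> denied
        retrieve(CARD_BATCH, RetrievalRequest("alice", "fraud_analyst", "public-chatbot", "fraud_triage"), audit),
    ]
    return results, audit


if __name__ == "__main__":
    for record in demo()[1]:
        print(record)
```

The design point is that the decision lives with the data retrieval, not with the endpoint: an employee who opens an unsanctioned tool gets no data through this path because the consumer name never appears in the sanctioned table, which is what the paragraph means by egress being prevented architecturally rather than prohibited by policy text.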
Third-party data exchange under single policy. Every vendor, partner, and customer communication — file sharing, SFTP, MFT, email, web forms, or API — is governed under a unified policy engine with tamper-evident audit trails. When the next supply chain incident occurs, financial institutions can determine scope in minutes. This closes the 73-day median disclosure lag the Black Kite report identified.
Evidence-quality audit trails for regulatory defense. Every data exchange event produces immutable logs suitable for SOX Section 404 internal controls, PCI DSS Requirement 10 logging, and GDPR Article 30 records of processing. Pre-built compliance dashboards for GDPR, HIPAA, and PCI DSS transform audit preparation from weeks into hours.
Deepfake-resistant high-value transaction workflows. Secure data exchange for high-value transactions — contract signatures, wire authorization, customer document delivery — operates through authenticated, encrypted, governed channels. The deepfake that bypasses voice verification still has to defeat channel authentication, which is significantly harder.
What Financial Services Organizations Need to Do Now
First, run a shadow AI discovery program. Network-level scans, SaaS spend analysis, expense report review, and email metadata analysis will surface unsanctioned AI tools. The DTEX 2026 report finds that blocking popular AI tools alone doesn’t work — users shift to alternatives. Inventory is step one; governed replacement is step two.
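The first step above, shadow AI discovery, lists network-level analysis among its sources. The block below is an added example of that analysis, not code from the page or from Kiteworks: it walks proxy log lines, matches destination hosts against a catalog of AI-service domains, skips the sanctioned ones, and produces a per-service inventory of users, request counts and outbound bytes, flagging large POSTs as probable document uploads. The log format, the domain catalog (all under the reserved `.example` TLD), the sanctioned list and the upload threshold are constructed for the example; a real program would load the catalog from a CASB or threat-intelligence feed and the allowlist from the organization's approved-tool inventory.

```python
"""Shadow AI discovery from proxy logs (constructed example, not a vendor's code)."""
import re
from collections import defaultdict

# Constructed catalog: AI-service host suffixes mapped to a reporting label.
AI_SERVICE_SUFFIXES = {
    "chat.ai-vendor-a.example": "Vendor A chat UI",
    "api.ai-vendor-a.example": "Vendor A API",
    "assistant.ai-vendor-b.example": "Vendor B assistant",
    "llm.corp.example": "Internal sanctioned LLM",
}
# Constructed allowlist: services the organization has approved and governs.
SANCTIONED = {"llm.corp.example"}
# Heuristic threshold: a POST body this large likely carries a pasted or uploaded document.
UPLOAD_BYTES = 100_000

# Constructed log format: "<timestamp> <user> <method> <host> <bytes_out>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>[A-Za-z0-9.-]+) (?P<bytes_out>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped, not fatal."""
    match = LOG_RE.match(line.strip())
    if match is None:
        return None
    record = match.groupdict()
    record["bytes_out"] = int(record["bytes_out"])
    return record


def classify_host(host):
    """Map a host to its catalog suffix and label; subdomains of a catalog entry also match."""
    host = host.lower()
    for suffix, label in AI_SERVICE_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return suffix, label
    return None, None


def discover(lines):
    """Build the unsanctioned-AI inventory: per service, who used it, how often, how much went out."""
    report = defaultdict(lambda: {"label": "", "requests": 0, "bytes_out": 0,
                                  "uploads": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        suffix, label = classify_host(rec["host"])
        if suffix is None or suffix in SANCTIONED:
            continue  # not an AI service, or one that is already governed
        entry = report[suffix]
        entry["label"] = label
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes_out"]
        entry["users"].add(rec["user"])
        if rec["method"] == "POST" and rec["bytes_out"] >= UPLOAD_BYTES:
            entry["uploads"] += 1
    # Freeze the user sets into sorted lists so the result is stable and serializable.
    return {k: {**v, "users": sorted(v["users"])} for k, v in report.items()}


def users_with_unsanctioned_use(report):
    """Flat list of employees seen using any unsanctioned AI service."""
    return sorted({u for entry in report.values() for u in entry["users"]})


# Constructed sample log, including a sanctioned service, a non-AI host and a malformed line.
SAMPLE_LOG = """2026-04-22T09:01:10Z alice POST chat.ai-vendor-a.example 2048
2026-04-22T09:02:33Z alice POST chat.ai-vendor-a.example 250000
2026-04-22T09:05:01Z bob GET assistant.ai-vendor-b.example 512
2026-04-22T09:06:44Z carol POST llm.corp.example 300000
2026-04-22T09:07:12Z bob POST api.ai-vendor-a.example 4096
2026-04-22T09:08:00Z dave GET intranet.corp.example 128
this line is malformed and is skipped"""


if __name__ == "__main__":
    inventory = discover(SAMPLE_LOG.splitlines())
    for service, entry in inventory.items():
        print(service, entry)
    print("users to follow up:", users_with_unsanctioned_use(inventory))
```

The output of this pass is an inventory, which matches the sequencing in the paragraph: the users and services it surfaces are the input to a governed replacement, not a block list, since the DTEX finding quoted above is that blocking alone pushes users to alternatives the catalog does not yet contain.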
Second, integrate AI access into existing third-party risk management and model risk management frameworks. Every AI tool the organization uses or allows is now a third party under vendor risk standards. The frameworks exist — apply them to AI.
Third, modernize high-value transaction authentication against deepfake threats. Voice verification, video KYC, and document authentication all require assumption updates. The 2026 Thales report documents widespread deepfake encounters — deepfake-resistant authentication is a current-quarter obligation.
Fourth, consolidate third-party data exchange under a single governance platform with unified audit trails. Every vendor integration is a potential supply chain attack path. Unified audit trails compress detection time and support regulatory reporting obligations simultaneously.
Fifth, map AI governance gaps to specific regulatory obligations to create executive urgency. Each gap corresponds to a specific finding risk under GDPR, PCI DSS, SOX, or state privacy law. Executive attention follows regulatory exposure faster than it follows threat briefings.
Sixth, treat the AI governance program as a competitive advantage, not just a compliance obligation. Financial institutions that can demonstrate governed AI to clients, counterparties, and regulators will win business from those that cannot. McKinsey research cited in industry analysis shows enterprises with mature AI governance experience 45% fewer security incidents — that’s a performance outcome, not just a compliance outcome.
The financial sector didn’t choose to be the test case for AI governance. It became the test case because it handles the data, operates under the regulations, and moves fastest on adoption. The sector that answers the test successfully will define what governed AI looks like for the rest of the economy.
Frequently Asked Questions
The $5.56 million average breach cost reflects the sector’s concentration of high-value targets: 90% of financial services organizations collect financial records, 83% handle payment card information, and 79% store credentials — all data that commands premium prices and triggers heavy regulatory penalties. The IBM Cost of a Data Breach Report 2025 confirms finance as second-highest among all industries, with regulatory fines under GDPR, PCI DSS, and state privacy laws compounding direct theft costs.
Shadow AI includes any AI tool used without formal governance approval: public LLM chatbots used to summarize documents, AI browser extensions retaining context, third-party AI productivity tools granted corporate system access, and AI features embedded in SaaS applications that weren’t evaluated during procurement. The DTEX 2026 Insider Threat Report identifies shadow AI as the top driver of negligent insider incidents — making it a primary data loss vector in regulated environments.
Attackers use AI-generated voice cloning to defeat voice verification on high-value transactions, synthetic video to bypass video-based KYC processes, and AI-forged documents to support fraudulent wire transfer authorizations. The 2026 Thales report found 59% of organizations have seen deepfake attacks. Financial services is disproportionately targeted because the per-attack payoff — fraudulent wire transfers, unauthorized loan disbursements — is highest in this sector.
All existing financial-services regulations apply to AI systems accessing regulated data. 98% of financial services organizations are GDPR-bound, 90% are PCI DSS-bound, and 52% are SOX-bound per the Kiteworks 2025 Data Forms Report. None contain AI exemptions. Governance gaps — 63% cannot enforce purpose limitations on agents — translate directly to Article 32, Requirement 7, and SOX internal control findings.
Phase one — shadow AI discovery, inventory, and classification of AI tools as non-human insiders — typically completes in four to eight weeks. Phase two — implementing governed AI data access through a data-layer governance platform like the Kiteworks AI Data Gateway — typically requires three to six months. Organizations with mature AI governance resolve breaches approximately 70 days faster per the 2026 Forecast Report, making the investment both a risk mitigation and a breach-cost reduction measure.
Frequently Asked Questions
The sector handles the data attackers want most, operates under the tightest regulatory stack, and has been the fastest to deploy AI across customer-facing and back-office operations, making it the proving ground where AI governance succeeds or fails first.
Shadow AI refers to unsanctioned AI tools used outside governance programs. It accounts for roughly 20% of AI-related breaches and adds approximately $670,000 to the average breach cost, with 97% of organizations reporting an AI-related breach lacking proper AI access controls.
Voice cloning bypasses voice verification, synthetic video defeats video-based KYC, and AI-forged documents undermine document authentication. 59% of organizations have seen deepfake attacks, and financial services faces the highest per-attack payoff from these threats.
Run a shadow AI discovery program, integrate AI access into third-party and model risk management frameworks, modernize high-value transaction authentication, consolidate third-party data exchange under unified governance, and map AI governance gaps to specific regulatory obligations such as GDPR, PCI DSS, and SOX.