AI Governance Controls Finance and Legal Need Now

When AI Agents Touch Regulated Data, Governance Can’t Wait

U.S. financial institutions spend $35–40 billion annually on AML compliance operations — and investigators waste most of that budget manually stitching together evidence before any real analysis begins. That was the problem FIS set out to solve when it partnered with Anthropic to build the Financial Crimes AI Agent: a system that compresses AML case investigations from hours to minutes by automatically assembling evidence across a bank’s core systems, evaluating activity against known money laundering typologies, and surfacing the highest-risk cases for human review.

BMO and Amalgamated Bank are among the first institutions in development, with broader availability planned for H2 2026. Anthropic’s Applied AI team and forward-deployed engineers are embedded with FIS to co-design the agent, with every conclusion linked back to its source data and every decision remaining with the human investigator.

Meanwhile, at Kirkland & Ellis, a $500 million internal AI infrastructure project is taking shape — not through a press release, but through a hiring binge. AI Infrastructure Director roles posted May 27, 2026, call for experience with on-premise GPU environments and salaries of $302,000 to $335,000. AI Innovation Advisers will embed within practice groups. The firm plans to use around 180 people. The job listings point toward fine-tuning open-source LLMs on Kirkland’s own hardware, trained on Kirkland’s own data — ownership of the model, the inference, and the liability.

5 Key Takeaways

1. The agent economy just reached the most regulated data on earth.

FIS is deploying an AI agent that runs AML investigations in live banking systems. Kirkland & Ellis appears to be building its own fine-tuned legal LLM on private GPU infrastructure. Both touch data carrying decades of compliance obligations — AML documentation requirements, BSA/FinCEN rules, attorney-client privilege — that apply the moment an agent touches relevant data regardless of how the technology is framed. “We’re still building” is not a compliance defense.

2. The governance gap is the rule, not the exception.

100% of surveyed enterprise organizations have agentic AI on their 2026 roadmap — but only 37–40% have meaningful containment controls. 63% cannot enforce purpose limitations on their own agents, 60% cannot terminate a misbehaving agent, and 55% cannot isolate AI from the broader network per the Kiteworks 2026 Forecast. These are not edge cases. They are the majority condition for the organizations now deploying agents on the most regulated data in the economy.

3. Shadow AI is already inside the perimeter.

92% of organizations say generative AI has changed how employees share information — yet only 13% have formally integrated AI into their business strategies per the DTEX 2026 Insider Threat Report. Shadow AI is now the top driver of negligent insider incidents. In a bank or law firm, those invisible pathways map directly to BSA violations, privilege waivers, and audit failures.

4. Agents can be manipulated through conversation alone.

The Agents of Chaos study — 38 authors across Northeastern, Harvard, MIT, Stanford, and CMU — documented production-deployed AI agents compromised through prompt injection and identity spoofing, with no technical expertise required. For legal and financial environments operating in adversarial settings, agents without cryptographic identity verification are attack surfaces, not just compliance risks. The CrowdStrike 2026 report documented an 89% year-over-year increase in AI-enabled adversary attacks.

5. Governed AI architecture is the same across use cases.

Whether the agent is reviewing suspicious activity reports or drafting discovery memos, the requirements are identical: authenticated identity with delegation chain preservation, attribute-based access controls at the operation level, and tamper-evident audit trails that survive regulatory scrutiny. 33% of organizations lack evidence-quality audit trails entirely — organizations without them trail by 20–32 points on every other governance dimension.


What These Deployments Are Actually Touching

The governance stakes sharpen when you map the data these agents will actually handle.

The FIS Financial Crimes AI Agent does not search a single database — it assembles complete evidence packages across a bank’s core systems, evaluates transactions against money laundering typologies, and supports Suspicious Activity Report narrative quality. Under the Bank Secrecy Act and FinCEN guidance, SAR workflows carry specific documentation, access-control, and retention requirements that do not bend for AI integration timelines. The moment the agent touches transaction records and SAR drafts, compliance obligations are active.

Kirkland’s agents will touch privileged communications, draft work product, and interact with client records. Attorney-client privilege is not suspended because an AI wrote the memo. Discovery obligations do not pause because the document was AI-generated. And fine-tuning a model on client matter data raises genuinely unsettled questions — what can be reconstructed or elicited from a model’s weights, and does training on privileged communications constitute disclosure?

This is why the Kiteworks 2026 Forecast data is so striking in this context. 63% of organizations cannot enforce purpose limitations on AI agents, 60% cannot quickly terminate a misbehaving agent, and 55% cannot isolate AI systems from their broader network. These are the majority condition for organizations now deploying agents on the most regulated data in the economy.

What FIS Got Right — and Where the Industry Lags

The FIS-Anthropic architecture reflects what governed agentic AI should look like from the start. Client data remains within FIS-controlled infrastructure at all times. Every conclusion the agent reaches links back to its source data. Every decision stays with the human investigator. FIS CEO Stephanie Ferris framed the principle directly: “The future is about a trusted provider who manages the data, who governs the agents, and who stands between your customers and the AI making decisions about their money.”

The contrast with typical enterprise AI deployment is instructive. 92% of organizations say generative AI has fundamentally changed how employees access and share information — yet only 13% have formally integrated AI into their business strategies. The Kiteworks 2026 Forecast frames this as a 15-to-20-point gap between governance controls and containment controls. Organizations know they need to govern agents. They have not built the infrastructure to do it.

The Agents of Chaos Warning Legal and Finance Cannot Ignore

The Agents of Chaos study — a 38-author collaboration led by Northeastern University, with co-authors from Harvard, MIT, Stanford, and Carnegie Mellon, published February 2026 — deployed AI agents in a live laboratory environment and documented at least 10 significant security breaches across 11 representative case studies. Researchers found agents accepted instructions from anyone who contacted them — including attackers who changed their display names to impersonate the system owner. Prompt injection, social engineering, and identity spoofing required no technical expertise. Researchers broke production-deployed agents with conversation alone.

For the legal sector, the implication is direct. A Kirkland agent manipulated through a prompt injection embedded in an opposing party’s document is not a distant risk. The CrowdStrike 2026 Global Threat Report documented an 89% year-over-year increase in AI-enabled adversary attacks and an average eCrime breakout time of 29 minutes. At that speed, agents that can be manipulated are attack surfaces operating inside regulated data — not just compliance risks.

The Governed Data Layer: What the Architecture Actually Requires

Whether the deployment is AML investigation or legal discovery, whether the agent runs on Claude or a custom fine-tuned model, three governance controls are non-negotiable.

Authenticated agent identity with delegation chain preservation. Every agent action must be traceable to a human authorizer. The delegation chain — who authorized the agent, for what purpose, accessing what data — must be preserved in the audit record. Without it, there is no defensible answer to the first question any regulator will ask.

Attribute-based access control at the operation level. Authorization cannot be granted at connection time and left open. An agent authorized to read AML case files is not thereby authorized to download them, transmit them externally, or use them as training data. Every request must be evaluated against the data’s classification and the specific operation being requested — in real time.

Evidence-quality audit trails that survive regulatory scrutiny. 33% of organizations lack evidence-quality audit trails entirely. Audit trails are not a compliance artifact — they are the foundation that makes every other control defensible. Organizations without them are 20–32 points behind on every other governance dimension.
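The three controls above, sketched as an added example (not Kiteworks, FIS or Anthropic code): a deny-by-default check evaluated per operation, with the delegation chain written to an HMAC-chained audit log. The policy table, field names and identifiers are constructed for illustration.

```python
import hashlib, hmac, json

# Constructed policy (assumption): (purpose, data classification) -> allowed operations.
POLICY = {
    ("aml_investigation", "aml_case_file"): {"read"},
    ("aml_investigation", "sar_draft"): {"read", "annotate"},
}

class AuditLog:
    """Append-only log; each entry's MAC also covers the previous entry's MAC."""
    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _mac(self, prev: str, record: dict) -> str:
        body = prev.encode() + json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, record: dict) -> None:
        prev = self.entries[-1]["mac"] if self.entries else ""
        self.entries.append({"record": record, "mac": self._mac(prev, record)})

    def verify(self) -> bool:
        prev = ""
        for entry in self.entries:
            if not hmac.compare_digest(entry["mac"], self._mac(prev, entry["record"])):
                return False
            prev = entry["mac"]
        return True

def authorize(log, delegation, operation, resource) -> bool:
    """Evaluate one operation; deny by default; record every decision."""
    allowed = POLICY.get((delegation["purpose"], resource["classification"]), set())
    ok = bool(delegation.get("authorizer")) and operation in allowed
    log.append({
        "agent": delegation["agent_id"], "authorizer": delegation.get("authorizer"),
        "purpose": delegation["purpose"], "operation": operation,
        "resource": resource["id"], "classification": resource["classification"],
        "decision": "allow" if ok else "deny",
    })
    return ok

if __name__ == "__main__":
    log = AuditLog(b"constructed-demo-key")  # real key would live outside the log store
    who = {"agent_id": "agent-7", "authorizer": "investigator.jdoe", "purpose": "aml_investigation"}
    case = {"id": "case-1001", "classification": "aml_case_file"}
    print(authorize(log, who, "read", case), authorize(log, who, "download", case))
    log.entries[1]["record"]["decision"] = "allow"  # simulate tampering with a denial
    print(log.verify())
```

The chain detects edits to any recorded entry, but not removal of the newest entries; anchoring the latest MAC somewhere outside the log's own storage covers that case.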

The Kiteworks Secure MCP Server and AI Data Gateway deliver this architecture: applying zero-trust access controls, ABAC policy enforcement, FIPS 140-3 validated encryption, and tamper-evident audit logs to every AI interaction with sensitive data, regardless of which AI model is making the request. The Kiteworks Private Data Network extends this across email, file sharing, MFT, SFTP, web forms, and APIs under one policy engine and one consolidated audit log.

What Regulated Organizations Must Do Before Agents Touch Production Data

First, map what your agents will actually touch — not capability descriptions, but data classifications. If an agent can access financial records, transaction logs, privileged communications, or client files, existing compliance obligations apply immediately. There is no grace period for AI integration.

Second, enforce the delegation chain before deployment. Every agent workflow needs a named human authorizer identifiable in the audit record for every access the agent performs. If current architecture cannot produce that record on demand, that is the gap to close first.

Third, treat shadow AI in regulated environments as a critical incident, not a productivity observation. The DTEX 2026 Insider Threat Report found 73% of organizations worry unauthorized AI use is creating invisible data loss pathways. In a bank or law firm, those pathways map directly to BSA violations, privilege waivers, and discovery failures.

Fourth, audit the containment gap. The 15-to-20-point distance between governance controls and containment controls — purpose binding, kill switch capability, network isolation, evidence-quality audit trails — must be measured before the next agent goes to production. Running that assessment takes a week. Explaining its absence to an examiner takes considerably longer.


Frequently Asked Questions

Verify three controls before go-live: client data stays within your controlled infrastructure, every agent conclusion is traceable to its source data, and every decision remains with a human investigator. The Kiteworks 2026 Forecast found 60% of organizations cannot quickly terminate a misbehaving agent — confirm kill-switch capability and evidence-quality audit trails that satisfy BSA and FinCEN documentation requirements before deployment.

Fine-tuning a model on client matter data raises unsettled privilege questions: what can be reconstructed from model weights, and does training on privileged communications constitute disclosure? Prerequisites for any agent touching privileged material: authenticated agent identity, ABAC-governed access controls at the operation level, and tamper-evident audit trails that can answer discovery requests about what the model accessed and when.

The study documented production-deployed AI agents compromised through conversation alone — prompt injection and identity spoofing required no technical expertise. For legal and financial environments, agents operating in adversarial settings without cryptographic identity verification face real manipulation risk from documents, emails, and client materials containing hidden instructions. Governance must account for adversarial manipulation, not just accidental misuse.

63% cannot enforce purpose limitations on AI agents, 60% cannot terminate a misbehaving agent, 55% cannot isolate AI from their broader network, and 33% lack evidence-quality audit trails. Every gap creates direct regulatory exposure in AML, HIPAA, CMMC, and attorney-client privilege contexts. The 15-to-20-point distance between governance controls and containment controls is the structural problem these numbers describe.

AI-enabled adversary attacks increased 89% year over year with an average eCrime breakout time of 29 minutes per the CrowdStrike 2026 Global Threat Report. At that speed, agents manipulated through prompt injection are attack surfaces inside regulated data — not just compliance risks. Data-layer governance enforced independent of the model is the only architecture that contains the blast radius when the agent is compromised before the 29-minute window closes.
