Agentic AI demands an upgrade to financial system resilience, Bank of England warns

Central bank warns that "stronger defences are not enough" amid growing concerns about the weaponisation of autonomous security tools.

Share
Agentic AI demands an upgrade to financial system resilience, Bank of England warns
The Bank of England is preparing for a future in which autonomous AI agents reshape cyber risk across tightly interconnected financial systems (Photo: Francais a Londres on Unsplash)

The Bank of England has hinted at plans to upgrade resilience requirements to address the growing risk that agentic AI poses to the financial system.

Speaking at the European Central Bank's Sintra Forum, Deputy Governor Sarah Breeden said the BoE's most "proximate" concern is a "step change in agentic AI’s cyber capabilities”.

Although we are not quite there yet, it is highly likely that future AI systems will automate or at least dramatically accelerate the discovery and exploitation of software vulnerabilities.

Breeden said: "AI is reshaping finance at speed. And it’s on us to ensure that the next technology surprise does not become a test of financial stability."

The warning echoes growing concern among Western governments. In May, heads of the Five Eyes alliance ordered a "whole of society" response to the growing agentic AI security risk, which will transform the threat landscape on a timeline that is "not years" but "months."

The US temporarily restricted foreign access to Anthropic’s most advanced AI models over fears they could supercharge cyberattacks by making it dramatically easier to identify software vulnerabilities. That ban has now been lifted - prompting alarming warnings about the weaponisation of autonomous AI.

"Nothing is evil in the beginning..."

Agentic AI reminds us of the famous line from the Lord of the Rings in which Gandalf says: " I would use this ring from a desire to do good. But in me, it would wield a power too great and terrible to imagine."

In the hands of defenders, agentic AI could quickly solve lingering problems like alert fatigue - handling routine tasks automatically - and begin taking on more sophisticated jobs such as patching, incident response and proactive vulnerability discovery, identifying weaknesses before the bad guys (or friendly human bug hunters).

The Bank of England nodded to this duality. “In the hands of defenders, these tools strengthen cyber resilience,” Breeden said. “But, in malicious hands, they materially increase the chance of attacks that could harm financial stability.”

She warned that AI is uncovering vulnerabilities across banks, software suppliers and critical infrastructure at an unprecedented pace, creating an urgent race to patch systems before attackers can weaponise newly discovered weaknesses.

She added: “For financial stability, patching must happen quickly - across the financial sector, key third-party technology providers, and wider national infrastructure such as energy and telecoms. That is no small task.”

READ MORE: Stablecoins could become a systemic risk to global financial stability, central banks warn

She also noted that open-source AI models may now lag the most advanced proprietary systems by only four to eight months, while their safeguards can often be bypassed. Once security patches are released, attackers can reverse engineer them to identify the vulnerabilities they fix if organisations fail to install updates quickly.

The Bank argues that this changes the nature of operational resilience.

“Stronger firm defences are essential, but not enough,” Breeden said.

Instead of focusing solely on preventing attacks, regulators should assume that some attacks will succeed and prepare the financial system to continue functioning despite major disruption.

She said authorities should place greater emphasis on scenarios involving simultaneous disruption across multiple firms, expand stress testing for those events and strengthen coordination between regulators and industry before and after major incidents.

Rethinking resilience

The most striking part of the speech was the Bank’s suggestion that the financial sector may eventually require cyber recovery arrangements comparable to those already used during banking crises.

Today, deposit insurance allows customers to access their money if a bank fails, while bank resolution regimes keep critical banking services operating during insolvency. Breeden suggested central banks should now ask whether similar mechanisms are needed when cyber attacks disable essential financial infrastructure.

One possibility would be allowing one institution to temporarily perform another’s critical functions if it has been knocked offline by a cyber attack.

READ MORE: The Silicon Age Collapse: Systemic risks that could derail digital civilisation

Breeden pointed to Ukraine’s “Power Banking” programme, launched in 2022 after repeated Russian attacks on the country’s energy infrastructure. The initiative established hundreds of bank branches equipped with backup electricity and communications so customers could continue accessing cash and essential banking services even during prolonged blackouts.

She also suggested regulators should consider requiring systemically important firms to maintain completely separate fail-over environments or the capability to rebuild compromised core systems rapidly from “bare metal” - reinstalling servers, operating systems and applications from trusted, clean infrastructure rather than relying on software or backups that may themselves have been compromised.

“These are big questions,” Breeden said. “But they are the right ones.”

The speech signals a notable shift in the Bank’s thinking. Rather than treating cyber attacks as operational risks for individual firms, it is framing AI-enabled attacks as systemic risks capable of disrupting multiple institutions simultaneously - and questioning whether the financial system itself must be redesigned to withstand cascading risk.

The lifting of Anthropic's export ban

Unfortunately, the danger could be imminent - at least if the claims of AI marketing teams are to be believed.

Earlier this month, the U.S. government imposed export controls on Anthropic’s latest frontier AI models, forcing the company to suspend access for users worldwide while it complied with the restrictions. Those controls have now been lifted and global access will resume from July 1.

The restrictions followed Anthropic’s disclosure that its unreleased Mythos model had identified “thousands of high-severity vulnerabilities” across “every major operating system and web browser.” The company said the model could “reshape cybersecurity,” illustrating why governments are becoming increasingly nervous.

John Harms, Head of Government Solutions at Quantexa, told Machine “Government IT leaders regularly tell me that uncertainty is a significant concern this year. Anthropic’s Mythos and Fable models illustrate why, serving as a reminder that organisations can be exposed to risks outside their direct control.

READ MORE: Chinese IoT ‘kill switches’ could disable Britain’s critical systems and infrastructure, MPs warn

The dual-use nature of AI is not unique in the story of human technology. Just ask the Chinese inventors who used gunpowder to make fireworks.

Kev Breen, Senior Director Cyber Threat Research, Immersive, said: “Anything created for good can be misused. That’s not a flaw in Fable; it’s a characteristic of every useful tool ever made from a lockpick to a compiler. If 'it could be misused' were the standard, we wouldn’t produce anything."

As organisation await new and potentially burdensome regulation on agentic AI, leaders have been urged to shift their mindset to recognise the risks inherent in interconnected ecosystems in which failures can cascade through networks of businesses, organisations and institutions. This will involve close scrutiny of how and why AI models make decisions, as well as careful attention to the data driving those outputs.

Roey Eliyahu, CEO and Co-Founder of Salt Security, said: "AI security is becoming a governance issue, moving on from a pure model safety issue.

"Governments are rightly asking whether frontier models have appropriate safeguards, but enterprises should be asking a different question: what are those models connected to inside the business?

"Once an AI agent can access APIs, data and workflows, the security challenge becomes understanding and controlling its actions, not just its outputs."

Follow Machine on LinkedIn