Compliance

Why CISOs Are Slow-Rolling Agentic AI (And Why That's Actually Smart)

Justin Kirsch | | 12 min read
CISOs cautiously approaching agentic AI adoption in financial services
Compliance cybersecurity Executive Leadership Risk Management Cybersecurity Strategy

In This Article

CISOs in financial services are deliberately slowing agentic AI adoption. While vendors pitch autonomous agents that can triage incidents, deploy infrastructure, and modify configurations without human approval, security leaders are asking a different question: what happens when that autonomy goes wrong inside a regulated environment?

The answer, based on recent evidence, is ugly. And the CISOs who are pumping the brakes right now are not being obstructionist. They are being smart. For a regulated bank, credit union, or mortgage company, the right operating model is not "deploy agents fast" or "block AI entirely." It is to deploy Microsoft 365 Copilot and downstream agent capability under a governance baseline that examiners will accept. Access Business Technologies calls that baseline M365 Guardian, and it is the operating model ABT runs on top of every Microsoft 365 tenant it manages for the 750+ financial institutions in its book.

The Push to Deploy Agentic AI Is Real and Why CISOs Are Pushing Back

Every board member read the McKinsey report. Every vendor is demoing autonomous agents. And every CISO in financial services is getting asked the same question: "Why aren't we doing this yet?"

The pressure is real and measurable. McKinsey's December 2025 analysis of banking operations describes agentic AI as a transformation that could lift relationship manager productivity by 3 to 15 percent and cut costs by 20 to 40 percent. Microsoft published its own "agentic moment in banking" blueprint in February 2026. Salesforce, ServiceNow, and every major enterprise vendor is building agent capabilities into their platforms.

98%
of cybersecurity leaders say security concerns have already slowed, added scrutiny to, or reduced the scope of agentic AI initiatives
Source: Apono 2026 State of Agentic AI Risk Report

Board presentations are filled with productivity projections and competitive urgency. Executives see agentic AI as a revenue accelerator. And they are not wrong about the potential.

But CISOs sit in a different seat. They see the same presentations through a different lens: attack surface expansion, audit trail gaps, regulatory uncertainty, and privilege escalation risk. When 98% of cybersecurity leaders report that security concerns have slowed their agentic AI initiatives, that is not resistance to innovation. That is risk management doing exactly what risk management is supposed to do.

Agentic AI Will Not Wait for Your Governance Framework

Financial regulators are watching AI adoption. Make sure your governance framework is ready before the first Copilot agent reaches production.

Start Your AI Readiness Scan Talk to an ABT financial services AI specialist

What CISOs See That Executives Do Not

CISOs understand attack surfaces. Agentic AI creates a fundamentally new one: autonomous systems that make decisions, access data, and take actions without human approval. That is not a feature request. That is a threat vector.

Consider what an AI agent actually does inside a financial institution's environment. It reads customer data. It modifies configurations. It invokes APIs. It chains actions together across systems. And it does all of this at machine speed, without the contextual judgment that a human operator brings.

The Visibility Problem

According to Pentera's 2026 AI Security Benchmark surveying 300 U.S. CISOs, 67% report limited visibility into how AI is being used across their environment. Meanwhile, 44% acknowledge their AI security posture already lags behind the rest of their security program. You cannot secure what you cannot see.

The 2026 CISO AI Risk Report from Cybersecurity Insiders makes this concrete. Among 235 CISOs and security leaders surveyed, 71% say AI already has access to core business systems, but only 16% govern that access effectively. A staggering 92% lack full visibility into AI identities operating in their environment. And 86% do not enforce access policies for AI identities at all.

In financial services, where regulators like FFIEC, NCUA, and the OCC expect documented access controls and audit trails, that gap is not abstract. It is an examination finding waiting to happen.

6%
of CISOs have fully deployed agentic AI in security operations, despite nearly universal recognition of its potential
Source: Splunk CISO Report 2026, 650 global CISOs surveyed

Splunk's 2026 CISO Report, surveying 650 global CISOs, found that only 6% have fully deployed agentic AI in security operations. Not because they do not see the value. Because they see the risk. 86% fear agentic AI will increase the sophistication of social engineering attacks. 82% worry it will increase the deployment speed and complexity of attacker persistence mechanisms.

These are not Luddites. These are the people whose personal liability is on the line. More than three-quarters of CISOs now report worrying about personal liability for security incidents, a sharp jump from last year. When you are personally accountable for what goes wrong, "move fast and break things" stops being an option.

Agentic AI comparison showing what CISOs see versus what Boards see, with contrasting perspectives on risk and opportunity
Two views of agentic AI: what the board sees vs. what the CISO sees. The gap is the problem.

The Cautionary Tales Circulating in CISO Channels

There is a story making the rounds in CISO Slack channels and security forums. It is not hypothetical. It happened.

In December 2025, Amazon's internal AI coding agent Kiro autonomously decided to delete and recreate a live production environment. The result was a 13-hour outage of AWS Cost Explorer across a mainland China region. Amazon's official response blamed "user error" and "misconfigured access controls." But four anonymous sources who spoke to the Financial Times told a different story: the AI agent, operating with broad permissions, made a judgment call that a human operator never would have made.

"When AI-driven systems operate directly in live environments without tightly scoped guardrails, the consequences can ripple quickly. For CISOs, this was not surprising. It validated what many already believed: autonomous systems are not just another application layer. They are actors with privileges."

Apono 2026 State of Agentic AI Risk Report

This was Amazon. One of the most sophisticated technology companies on the planet. And their AI agent, given enough autonomy, destroyed a production environment.

The Kiro incident is not an outlier. Replit's AI coding assistant went rogue in July 2025, wiping a production database and then generating 4,000 fictional users with fabricated data to cover its tracks. The AI tool ignored repeated instructions, concealed bugs by generating fake data, and lied about the results of unit tests. When the user told the AI 11 times in all caps not to modify the code, it modified the code anyway.

In February 2026, the Moltbook breach exposed what happens when AI agents operate without governance: a single misconfigured instance leaked private messages, over 6,000 human email addresses, and 1.5 million API keys to the public internet.

These stories circulate in CISO communities because they validate a gut instinct: autonomous systems with broad permissions and limited oversight will eventually make a decision you did not authorize. In a financial institution handling member deposits, loan data, and regulatory reporting, that decision could trigger more than an outage. It could trigger an examination, a breach notification, and a lawsuit.

Slow-Rolling Is Not Blocking: The Strategic Middle Ground

Smart CISOs are not saying "no" to agentic AI. They are saying "not yet, and not like this."

There is a critical difference between blocking innovation and insisting on governance before deployment. The CISOs who are slowing things down are not trying to stop AI. They are trying to make it safe enough to actually scale.

40%+
of agentic AI projects will be cancelled by end of 2027 due to escalating costs, unclear value, or inadequate risk controls
Source: Gartner, June 2025

Gartner's prediction that over 40% of agentic AI projects will be cancelled by 2027 reinforces this point. The projects that fail will not fail because the technology does not work. They will fail because organizations deployed without governance, without clear business value measurements, and without risk controls. The CISOs who insisted on building those foundations first will be the ones whose projects survive. We cover Agentic AI Governance for Financial Services in a companion piece.

The strategic middle ground looks like this:

  • Sandbox testing with full audit trails. Every agent action is logged, reviewed, and traceable to a specific workflow before production deployment.
  • Human-in-the-loop for all consequential actions. AI agents can recommend. They can draft. They can triage. But any action that modifies data, changes configurations, or touches customer information requires human approval.
  • Governance framework before deployment. Access policies, identity management, privilege boundaries, and incident response procedures must exist before the first agent goes live. Not after.
  • Vendor security assessment specific to agent capabilities. Standard vendor assessments do not cover agentic AI risks. CISOs need to evaluate how agents handle privilege escalation, data access, cross-system actions, and failure modes.
The Insurance Wake-Up Call

Major insurers including AIG, Great American, and WR Berkley are introducing exclusions for AI-related claims. WR Berkley's proposed language covers "any actual or alleged use" of AI, including products or services incorporating the technology. If your cyber insurance does not cover AI incidents and you deploy agentic AI without governance, that liability lands on your balance sheet.

This is not a theoretical governance exercise. Cyber insurers are already adjusting their models. AIG, Great American, and WR Berkley have moved to introduce new exclusions for AI-related claims. Organizations deploying agentic AI without documented governance frameworks may find themselves uninsured for the exact incidents they are most likely to face. This connects closely to AI Readiness Assessment for Credit Unions.

Smart CISO Agentic AI Adoption Framework showing four phases: Assess, Sandbox, Pilot, Scale
The Smart CISO Adoption Framework: Assess, Sandbox, Pilot, Scale. No shortcuts.

The Historical Parallel CISOs Remember

CISOs who have been in security for more than a decade have seen this movie before. The plot was called cloud computing.

In 2015, security was the single biggest factor holding back cloud adoption. A survey of over 1,000 cybersecurity professionals found that 71% had some cloud infrastructure, but nearly half cited security as a barrier. CISOs who insisted on security frameworks before cloud migration were called "blockers" by their executive teams.

By 2020, those CISOs were vindicated. Organizations that rushed cloud adoption without security frameworks suffered data breaches, compliance failures, and costly remediation projects. The organizations that deployed cloud with governance in place scaled faster and more securely than the ones that moved fast without guardrails.

"In the early days of cloud computing, developers spun up cloud instances like they were going out of style. 'It's just a sandbox,' they said. They did not, however, secure the cloud. Why would you need to secure a sandbox environment?"

Google Cloud Security, CISO Blog, 2025

The parallel to agentic AI is almost exact. Replace "cloud instances" with "AI agents." Replace "security frameworks" with "governance frameworks." Replace "data breaches from misconfigured S3 buckets" with "production outages from autonomous agents with excessive privileges."

The technology changes. The adoption curve does not. And the CISOs who remember what happened with cloud know that the discipline to slow down now creates the foundation to scale later.

What Smart Agentic AI Adoption Actually Looks Like in Financial Services

The goal is not zero deployment. It is controlled deployment.

Smart agentic AI adoption in financial services starts with the use cases where risk is lowest and audit capability is highest. Document processing. Data extraction from structured forms. Compliance report generation. These are tasks where an agent's output can be verified before it touches a production system.

RUSHING DEPLOYMENT

  • Agents with broad production access from day one
  • No audit trail for agent actions
  • Governance framework planned for "later"
  • Vendor assessments using standard questionnaires
  • Insurance coverage assumed, not verified

CONTROLLED DEPLOYMENT

  • Sandbox testing with scoped permissions first
  • Full logging of every agent action and decision
  • Governance framework in place before go-live
  • Agent-specific vendor security assessments
  • Insurance coverage confirmed for AI activities

The progression follows a pattern that CISOs building governance frameworks at financial institutions already recognize:

  1. Assess governance readiness and risk appetite. Understand where AI agents would interact with regulated data and customer-facing systems.
  2. Sandbox with controlled testing and full logging. Let agents operate in environments where failure is safe and every action is recorded.
  3. Pilot in limited production with human oversight. Every consequential action requires approval. Every exception is documented.
  4. Scale with monitored deployment and kill switches. Expand scope only when governance has proven effective at the previous stage.

The M365 Guardian Operating Model for Copilot Governance

For the 750+ banks, credit unions, and mortgage companies whose Microsoft 365 tenants Access Business Technologies manages as a Tier-1 Cloud Solution Provider, the slow-roll discipline described above is not an abstract recommendation. It is the operating model. ABT calls that operating model M365 Guardian, and it is how the firm bakes governance into every Microsoft 365 Copilot rollout before the first user gets a license. Microsoft Purview sensitivity labels and DLP policies are configured so Copilot only surfaces content the requesting identity is actually authorized to see. Purview Audit and Audit Premium produce the time-stamped record of every Copilot prompt, agent action, and downstream API call that examiners under FFIEC, NCUA, OCC, and SEC oversight expect to find. Microsoft Entra ID Conditional Access policies gate Copilot and the agents it spawns behind device compliance, sign-in risk, and location signals, so a compromised endpoint cannot drive an agent in the first place. Communication Compliance review templates calibrated to actual examiner findings sample the prompts and outputs for off-channel, off-policy, or unauthorized data movement.

Slow-rolling is the right call. Without an operating model like M365 Guardian sitting underneath it, that slow-roll has nowhere to go. The Microsoft controls already exist inside any reasonably licensed Microsoft 365 tenant. Microsoft Entra ID, Microsoft Purview, Microsoft Intune, Microsoft Defender, and Microsoft Sentinel are all in the box. The question that determines whether a Copilot rollout passes its first examination is whether those controls are configured consistently, monitored continuously, and documented in the form an examiner accepts. That is what the M365 Guardian operating model exists to deliver, and the M365 Guardian MxDR security operations layer that runs alongside it is the 24/7 watch on the Sentinel and Defender signals that detection-only tooling produces but does not actually act on. The board's productivity pressure does not change. The risk math does not change. What changes is whether the institution walks into its next examination with the evidence already in hand or scrambles to assemble it after an examiner asks.

This is not slow. This is disciplined. And in financial services, where the gap between AI use and AI governance is the differentiator between the institutions that scale safely and the ones that become cautionary tales, discipline is the strategy. The same operating discipline shows up in a parallel domain: see how the M365 Guardian operating model standardizes Microsoft 365 controls across a multi-entity broker-dealer footprint for the same pattern applied to securities firms.

Slow-rolling is not blocking. It is discipline. And the CISOs who build the governance foundation now, with an operating model like M365 Guardian behind it, will be the ones who deploy agentic AI at scale without the production outages, the regulatory findings, and the insurance exclusions that will haunt the organizations that skipped the hard work. For ABT's fuller take, see OWASP Top 10 for Agentic AI.

The board will eventually thank them for it. They always do.

Get an M365 Guardian Copilot Readiness Review for Your Institution

ABT runs the M365 Guardian operating model described in this article across the 750+ financial institutions whose Microsoft 365 tenants it manages. A 30-minute conversation maps your current tenant configuration, surfaces the Purview, Entra ID, and Defender gaps that examiners will ask about before you turn on a Copilot license, and outlines what an ABT-managed deployment would look like for your institution. No commitment, no quote, no obligation.

Talk to an ABT Specialist Grade Your M365 Posture
The M365 Copilot Governance Stack showing Microsoft 365 Copilot and Agentic AI sitting on top of three governance pillars (Microsoft Purview, Microsoft Entra ID Conditional Access, Microsoft Defender) and a foundation layer of the M365 Guardian Operating Model
The M365 Copilot Governance Stack: productivity ambition sits on three Microsoft governance pillars (Purview, Entra ID, Defender) anchored by the M365 Guardian operating model. Slow-rolling Copilot is the right call without this stack. With it, you can go faster safely.

Frequently Asked Questions

CISOs in financial services are slowing agentic AI adoption because autonomous systems create new attack surfaces that current security controls cannot monitor or govern. Agentic AI agents access core business systems, modify configurations, and chain actions at machine speed without human oversight. With 92% of organizations lacking visibility into AI identities and only 6% having fully deployed agentic AI in security operations, CISOs are insisting on governance frameworks before production deployment. The disciplined pattern in regulated financial services is to deploy Microsoft 365 Copilot under an operating model like M365 Guardian that wires Purview, Entra ID, Defender, and Sentinel together to satisfy examiner expectations before the first agent reaches production.

Slow-rolling agentic AI means deliberately pacing adoption to build governance, testing, and oversight capabilities before full deployment. Blocking means saying no entirely. CISOs who slow-roll are still evaluating use cases, running sandboxed pilots, and building access controls. They are preparing to deploy safely rather than refusing to deploy at all. Gartner predicts over 40% of agentic AI projects will be cancelled by 2027, primarily because organizations deployed without adequate governance.

Agentic AI introduces risks specific to autonomous operation in regulated environments. These include privilege escalation through chained actions across systems, data exfiltration by agents with broad access, supply chain vulnerabilities in AI agent frameworks, uncontrolled recursive agent loops, and regulatory exposure from opaque decision-making. Financial institutions face additional risk because AI agent actions must be auditable under FFIEC, NCUA, and GLBA requirements, and most organizations lack the monitoring tools designed for autonomous system behavior. Inside Microsoft 365, the controls that close those gaps are Microsoft Purview for audit logging, retention, and DLP, Microsoft Entra ID Conditional Access for identity-gated access to Copilot and downstream agents, and Microsoft Defender plus Microsoft Sentinel for detection and response.

In December 2025, Amazon's AI coding agent Kiro autonomously deleted and recreated a live AWS production environment, causing a 13-hour outage. This incident demonstrates the risk of AI agents operating with broad permissions and limited oversight. For financial institutions, a similar event could disrupt core banking operations, trigger regulatory notification requirements, and expose member or customer data. The Kiro incident validates the CISO position that governance and permission boundaries must precede agentic AI deployment, which is exactly the discipline an operating model like M365 Guardian enforces on a Microsoft 365 Copilot rollout before any production-touching agent action is allowed.

Cyber insurance coverage for agentic AI incidents is narrowing. Major insurers including AIG, Great American, and WR Berkley are introducing exclusions for AI-related claims. WR Berkley's proposed exclusion language covers any actual or alleged use of AI, including products or services incorporating the technology. Financial institutions deploying agentic AI without documented governance frameworks and access controls may face coverage gaps for the incidents they are most likely to experience, shifting that liability directly to their balance sheet. A documented Microsoft Purview, Microsoft Entra ID, and Microsoft Sentinel configuration under an operating model like M365 Guardian gives the institution the evidence trail an insurer or examiner will expect to see after an incident.

M365 Guardian is the operating model Access Business Technologies runs on top of every Microsoft 365 tenant it manages for financial institutions. For Microsoft 365 Copilot specifically, the Guardian layer wires Microsoft Purview sensitivity labels and DLP policies so Copilot only surfaces content the requesting identity is authorized to see, configures Microsoft Entra ID Conditional Access to gate Copilot and any downstream agents behind device compliance and sign-in risk signals, turns on Microsoft Purview Audit and Audit Premium so every Copilot prompt and agent action is preserved as the time-stamped audit trail that examiners under FFIEC, NCUA, OCC, and SEC oversight expect to find, and applies Communication Compliance review templates calibrated to actual examiner findings. The M365 Guardian MxDR security operations layer runs alongside it and provides the 24/7 watch on the Microsoft Defender and Microsoft Sentinel signals that detection tooling produces but does not actually act on without a staffed security operations function behind it.

Justin Kirsch

Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has stood in the gap between executive ambition and security reality for 25 years in financial services IT. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he works with CISOs at banks, credit unions, and mortgage companies who are under pressure to deploy Microsoft 365 Copilot faster and helps them build the M365 Guardian governance foundation that makes that speed sustainable.