For most of fintech security history, the dangerous actor was a human: an attacker outside the perimeter, or occasionally a malicious insider with credentials. The defences assumed an adversary who was either clearly external or clearly a person. In 2026 a third category went mainstream, and it does not fit either box: an autonomous agent, inside your systems, acting with real authority, that can be manipulated by input you did not control.
Agentic AI in finance is no longer a thought experiment. Systems now plan, call tools, approve workflows, trigger payments, rebalance portfolios, and interact with smart contracts. Each of those verbs is a capability that, in the wrong sequence, moves money. And the year's incident record is not reassuring: a major fintech breach exposed close to a million customer records, and DeFi losses crossed several hundred million dollars, with bridges, flash-loan manipulation, and contract bugs leading the way. Now add an actor that holds legitimate authority and can be talked into using it.
An agent with payment authority is an insider that never sleeps, follows instructions literally, and can be socially engineered by a string of text it reads in the course of doing its job.
What changed, concretely
The shift is from systems that recommend to systems that act. A model that drafts a payment for a human to approve is a productivity tool with a human circuit breaker. A model that initiates the payment because a workflow told it to is a financial actor. The distance between those two is a single design decision, and it is being crossed quietly, often without the security review a new financial actor would normally trigger.
The second change is the input. Traditional software acts on structured, validated data. An agent acts on language: a support ticket, an email, a document, a web page, the output of another model. That language is an instruction channel, and anything in it can attempt to steer the agent. The boundary between data and command, which decades of security work went into hardening, is soft again by default.
The new attack classes
Three attack classes are specific to agents that hold authority, and they do not map onto the old threat model cleanly.
Prompt injection with consequences. The classic prompt-injection demonstration was making a chatbot say something embarrassing. The financial version is making an agent take an action: a crafted invoice, ticket, or document that, when the agent reads it, instructs it to change a payee, raise a limit, or approve a transfer. When the agent has tools, injection stops being a content problem and becomes a transaction problem.
Confused-deputy escalation. The agent has more authority than the user or data source talking to it. An attacker who cannot move money directly persuades the agent, which can, to do it on their behalf. The agent is not compromised in the traditional sense; it is used as designed, pointed at the wrong end.
Tool-chain exploitation. Agents act by calling tools, and each tool is an edge. An over-broad integration, a tool that returns attacker-influenced data, or a chain where one tool's output becomes another's command, turns the agent into a delivery mechanism for an exploit it does not understand it is running.
The old threats did not leave
None of this replaces the existing fintech attack surface. The breaches of 2026 were still, overwhelmingly, the familiar patterns: stolen credentials, weak APIs, third-party exposure, unpatched dependencies, and the misconfigurations that automated tools find at scale. We mapped that ground in security is not a feature, and every word of it still holds. The agent layer is a new floor added to the building, not a replacement for the foundations. A team that gets excited about agent security while leaving an unauthenticated endpoint open has simply added a new way to lose on top of the old ones.
How we design agents that touch money
When we build an agent that can affect anything financial, we design it as if it will be manipulated, because eventually something in its input will try. Five principles do most of the work.
Least authority, always. The agent gets the narrowest capability that lets it do its job, scoped to specific actions, amounts, and accounts. An agent that drafts payments does not need authority to send them. Most of the danger is removed by simply not granting the capability in the first place.
A human gate on irreversible value. Anything that moves real money, changes a payee, or raises a limit crosses a human approval step. The agent prepares; a person commits. This single boundary defeats most injection attacks, because the consequence requires an action the agent cannot take alone.
Treat all input as hostile instructions. Data the agent reads is never trusted as command. Tool outputs, documents, and messages are sandboxed and constrained, and the agent's authority does not expand because something it read told it to.
Hard limits in code, not in the prompt. Amount caps, rate limits, and allowlists are enforced by the system around the agent, not by asking the model nicely to behave. A guardrail that lives only in the prompt is a suggestion, and suggestions can be argued with.
Full audit trail. Every action, every input that led to it, every tool call, recorded. When an agent does something wrong with money, you need to reconstruct exactly what happened and prove what did not. An agent action with no trace is an unauditable financial transaction, which in fintech is its own kind of failure.
Where to start this week
If you have shipped, or are about to ship, an agent that can affect anything financial, start with one question: what is the worst single action it is technically able to take, and who or what can influence it to take that action. If the answer to the first is "move money" and the answer to the second includes "text it reads from outside," you have an unguarded financial actor, and you should put a human gate and a hard cap in front of the irreversible actions before anything else.
Agentic finance is genuinely useful, and we are building in it, not warning people off it. But the convenience that makes an agent valuable, that it can act, is the exact property that makes it dangerous. The teams that will be fine are the ones who treated their first money-moving agent as a new insider with real authority and designed its constraints before its capabilities. The teams that will end up in an incident report treated it as a feature.