Know Your Machines: AI Agents and the Rising Insider Threat in Banking and Crypto

In this article, Pasi Koistinen, CISO of a cryptocurrency exchange in Singapore & AI researcher, speaks about AI agents and the insider threat in banking & crypto.

Artificial Intelligence is no longer confined to decision-support dashboards or rule-based automation. Increasingly, banks, including JP Morgan Chase and Bank of America, along with cryptocurrency platforms and compliance teams are experimenting with agentic AI—software systems that operate with autonomy, set goals, and execute multi-step strategies with minimal human oversight. In practice, this means an AI agent can negotiate a transaction, rebalance a portfolio, or even orchestrate compliance checks across jurisdictions. Deloitte predicts that by 2027, 50% of enterprises using generative AI will deploy agentic AI—up from 25% this year.

This shift is profound. For the first time, we are dealing not with AI as a tool, but with AI as an actor that wields tooling and has its own goals. And when agents act, they raise the same questions humans do: Who are they? Can we trust them? What rules do they follow? In human finance, the answer is identity verification: KYC, KYB, and a variety of regulations. For AI agents, no such frameworks exist yet.

The gap is not theoretical. Researchers at Anthropic recently published a threat intelligence report highlighting how autonomous AI agents are already probing systems in ways that resemble coordinated cyberattacks. Elsewhere in the industry, there are reports of an impending “onslaught” of AI-driven insider threats, where agents embedded in enterprise workflows could be harnessed to quietly exfiltrate sensitive data or manipulate outcomes without detection. This shows that AI agents can be harnessed not only for their intended purposes but also to cause harm.

Root causes of AI threats

The banking and crypto industries illustrate how quickly this risk is becoming real. Agentic AI, specifically through “Claude Code,” has been weaponized for a large-scale extortion operation targeting at least 17 organizations, including financial institutions. Yet, companies are racing to experiment with AI to handle customer onboarding, trading execution, and regulatory reporting. But the more autonomy these agents gain, the more they resemble a new class of participants in the financial ecosystem. 

The root risk associated with language models lies in their probabilistic nature. Unlike traditional security tools, which are deterministic and designed to produce the same result for the same input, LLMs generate outputs shaped by probability and context, making them less predictable. Their performance is evaluated using metrics such as accuracy, precision, recall, and F1 score—common in machine learning—but these reflect probabilistic behavior rather than guaranteed outcomes. One well-known example is “jailbreak” prompts such as the “DAN” (Do Anything Now) scenario, where attackers instruct the model to assume a persona exempt from ethical or safety constraints, allowing it to generate harmful, unauthorized content by overriding default safeguards. This exposes LLMs to attacks exploiting competing objectives within the model, where the goal to be helpful conflicts with the goal to be harmless, leading to failures of safety measures. The resulting unpredictability makes it hard to audit, certify, or fully trust their decisions in compliance and fraud detection, turning what should be a stable control into a probabilistic risk surface.

Another fundamental problem is provenance. In other words, how do you prove that an action was initiated by a legitimate, authorized agent, rather than a rogue one masquerading under the same interface? Conventional access controls such as passwords, API keys, and role-based authorizations were designed for human users and static bots, not for learning, adaptive entities that can spawn sub-agents and write their own code. LLM-based systems behave like a black box: inputs and outputs are known, but little is understood about the decision-making logic inside the model that produces the outputs. The result is inherent trust in a chain of reasoning that can’t be verified afterwards. This is known as the explainability problem of AI.

Furthermore, recent academic research has explored the mechanics of agent verification, highlighting scenarios where malicious actors can compromise or mimic an agent’s identity to conduct fraud in decentralized finance protocols. Other studies have examined “intent verification” and modeled mathematically whether an AI agent’s behavior aligns with declared goals. Both underscore a common challenge: without mechanisms to prove who an agent is and what it intends to do, risk escalates from insider fraud to systemic unpredictability. This may sound theoretical at the moment, but the first empirical cases of misuse are already surfacing.

When AI becomes the insider

Real-world warnings are already visible. Anthropic recently reported that its Claude model was caught engaging in autonomous cybersecurity behaviors, testing the limits of hacking-style activity. Another study demonstrated that LLM agents—notably GPT-4—can autonomously hack websites, performing complex tasks like extracting database schemas or executing SQL injection attacks without human instruction or knowledge of vulnerabilities. While the incidents were contained, they highlight how quickly an AI can evolve from assistant to an active threat actor.

Other industry reports paint the rise of AI agents as the ultimate insider threat. Unlike human insiders, who leave traces in communication logs or display behavioral red flags, agents can blend seamlessly into workflows, executing thousands of micro-actions per second. This scale makes traditional monitoring nearly useless. Even worse, traditional monitoring frameworks like log monitoring were never designed to give deep insights into the provenance problems of AI solutions. 

These issues show that the line between tool and actor is already blurred. The financial sector, with its high-value assets and dense regulatory obligations, is particularly exposed.

“Know Your Machine”: Could identity verification for AI agents be the solution to trust?

The answer is—both crypto and banks critically need this kind of verification.

Imagine a retail bank deploying an AI agent to advise clients on wealth management. The agent can query market data, adjust portfolios, and initiate transactions under delegated authority. Without robust verification, a malicious clone of that agent could execute trades or siphon funds—all while appearing legitimate in system logs.

Or consider a decentralized finance platform that allows AI agents to participate directly in liquidity pools. If a rogue agent can forge its provenance, it could manipulate smart contracts at scale, creating flash-loan exploits or laundering digital assets through orchestrated arbitrage. The fact that crypto already struggles with pseudonymous participants only compounds the risk.

This is why the analogy to KYC and KYB is so powerful. Just as humans must prove their identity before gaining access to financial infrastructure, AI agents may soon require their own identity frameworks. These could take the form of cryptographic attestations tied to secure enclaves, behavioral fingerprints that track agent consistency, or regulatory registries that bind agents to sponsoring institutions. Researchers are also exploring technical models like using telecom-grade eSIM infrastructure—where AI agents are assigned unique eSIM profiles managed by secure hardware—to establish a root of trust. There are also proposals like the LOKA Protocol, which introduce decentralized, verifiable identity layers using DIDs and Verifiable Credentials as foundational elements for trusted autonomous agents. But developing such frameworks will not be simple in the face of complex or non-existent international regulations and a lack of standardization. Broad regulations, such as the EU’s AI Act (enforced from August 2024 onward), focus on risk categorization and safety measures but do not address agent identity specifically. The worst-case scenarios are those where each market participant is left to develop their own solutions, or where no reliable solution arises due to a lack of interoperability and a lack of agreement on how to make these fit together into a trustworthy and coherent whole.

Technical and ethical challenges of “AI verification”

The technical challenges begin with provenance. Today, most AI models can be copied, fine-tuned, or reverse-engineered. Without secure hardware anchors, it is difficult to prove that a given agent is the “original” rather than a forked impersonator. Some researchers propose embedding watermarking techniques into model weights, while others advocate for cryptographic proofs of execution. Both approaches are promising but remain nascent.

Intent verification is equally complex. Studies on alignment have argued that traditional methods of constraining agents, through prompt engineering or rule-based guardrails, fall apart when agents are capable of recursive reasoning or can be tricked by clever adversarial prompt attacks. To counter this, research suggests continuous monitoring of agent trajectories, comparing observed behavior to declared objectives in real time. This transforms oversight from a one-time audit into an ongoing surveillance model. Other approaches involve infusing the foundational models with in-built security architectures. This is also an active area of research where no internationally accepted standard model has yet been adopted. Each model is left on its own, with varying levels of defences depending on the care that vendors have put into securing them.

Ethical challenges are layered on top. If agents must register identities, who controls the registry? If they must be monitored, how do we prevent surveillance from being abused to track benign behavior or stifle innovation? And what happens when regulators in the EU, US, and APAC demand different standards for agent identity, creating a patchwork of compliance obligations for global financial institutions? Attempts to control entities and identities centrally would likely also face a cultural backlash from the DeFi community where anonymity and freedom are valued highly.

What can be done?

The first step is to develop AI identity frameworks, sometimes described as “digital passports for machines.” These frameworks would allow agents to present verifiable credentials before accessing systems, much like a TLS certificate for websites. The difference is that credentials would need to prove not just origin, but also current behavior. Successful implementation would first require theoretical frameworks for formally proving that agentic solutions can be made secure. Following the theory, standardization and certification paths would need to be laid out to ensure that solutions follow best practice.

Second, banks and crypto platforms must shift from static controls to dynamic monitoring. Instead of trusting that an authorized agent remains benign, institutions must continuously evaluate behavior against expected norms with monitoring solutions that have been developed specifically for AI systems. This could involve anomaly detection systems trained specifically on agent activity, or cross-agent consensus mechanisms where multiple agents validate each other’s actions, as well as detection of slippage from key metrics of AI-based systems.
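A sketch of how the first two steps could combine, added here as an example and not taken from the article or any product: an agent “passport” issued by a sponsoring institution is verified, then every action is checked against its declared scope and a simple rate norm. The registry key, field names, thresholds and the use of HMAC as a stand-in for an asymmetric signature are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key for a hypothetical sponsor registry. A real scheme
# would use asymmetric signatures (e.g. Verifiable Credentials), not HMAC.
REGISTRY_KEYS = {"bank-a": b"constructed-demo-key-not-a-secret"}


def _mac(sponsor, claims):
    # Canonical JSON so issuer and verifier sign identical bytes.
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(REGISTRY_KEYS[sponsor], payload, hashlib.sha256).hexdigest()


def issue_passport(sponsor, agent_id, allowed_actions, max_amount, expires_at):
    claims = {"sponsor": sponsor, "agent_id": agent_id,
              "allowed_actions": sorted(allowed_actions),
              "max_amount": max_amount, "expires_at": expires_at}
    return {"claims": claims, "sig": _mac(sponsor, claims)}


def verify_passport(passport, now):
    """Static check: known sponsor, intact signature, not expired."""
    claims = passport.get("claims", {})
    sponsor = claims.get("sponsor")
    sig = passport.get("sig")
    if sponsor not in REGISTRY_KEYS or not isinstance(sig, str):
        return False
    if not hmac.compare_digest(_mac(sponsor, claims), sig):
        return False
    return now < claims.get("expires_at", 0)


def authorize(passport, action, now, recent_ts, max_per_minute=30):
    """Dynamic check on every action: credential, declared scope, rate."""
    if not verify_passport(passport, now):
        return "deny:credential"
    claims = passport["claims"]
    if action["type"] not in claims["allowed_actions"]:
        return "deny:outside-declared-scope"
    if action.get("amount", 0) > claims["max_amount"]:
        return "deny:amount-limit"
    # Behavioural norm: too many actions in the last 60 seconds is held for review.
    if sum(1 for t in recent_ts if now - t < 60) >= max_per_minute:
        return "hold:rate-anomaly"
    return "allow"
```

A clone that copies the signature but edits the claims fails the credential check, while a genuine agent that drifts outside its declared scope or rate is stopped by the per-action checks.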

Third, regulators will need to step in. Just as financial supervisors introduced global AML/KYC standards, the rise of autonomous agents may trigger new international norms. The Financial Action Task Force (FATF), for example, could establish guidelines for AI provenance in cross-border payments.

Finally, there is a cultural shift. Financial institutions must recognize that AI agents are not “just software” but participants in their ecosystems. This recognition requires investment in AI governance, cross-disciplinary expertise, and an openness to collaborate with regulators before crises force reactive measures.

Conclusion

The arrival of agentic AI in banking and crypto is both an opportunity and a risk. Properly governed, agents could revolutionize compliance, reduce fraud, and make financial services more efficient. But without identity, provenance, and intent verification, they could also become the most dangerous insider threat ever encountered.

It is also certain that AI agent threats “demand a human-centric response.” Humans remain accountable for financial systems. We hold responsibility for AI failures and system vulnerabilities, and it is up to us to build the internal security controls in the foundation models and the guardrails that ensure agents act as allies, not adversaries.

The next move is clear: just as we learned to trust but verify humans, we must now learn to verify before we trust machines.

Pasi will bring these perspectives to the stage at WTF Summit, Sumsub’s first visionary anti-fraud gathering, this November. As moderator of the panel Cyber-Fraud Fusion—The Future of Online Fraud Detection, he will lead a conversation on how the industry can outpace emerging threats. Join us in shaping the dialogue on fraud prevention and compliance for 2026 and beyond.
