
Identity to underpin the next wave of AI in financial services
By Johan Fantenberg, Product and Solution Director, Ping Identity
The financial services sector is on the cusp of a structural transformation that could rival the digitisation boom of the past two decades.
After years of deploying Artificial Intelligence (AI) to improve analytics and streamline operations, banks, insurers, and wealth managers are now confronting a more profound shift: the rise of agentic AI.
Unlike earlier forms of AI, which rely on human prompts and oversight to act, agentic systems can operate with a degree of autonomy. They are capable of setting objectives, initiating actions, and coordinating workflows across complex ecosystems.
For an industry built on trust, accountability, and regulation, this evolution raises both significant opportunity and equally significant risk. At the centre of this transformation lies a deceptively simple concept: identity.
From insight to autonomy
The financial sector has historically embraced successive waves of AI innovation. Rules-based engines improved consistency and machine learning enhanced predictive capabilities. More recently, large language models (LLMs) have boosted productivity through copilots that assist employees and customers alike.
Agentic AI represents a significant evolution of this pattern. Instead of supporting human decisions, these systems can make and execute decisions independently. They can break down complex tasks, determine what data or tools are required, and complete processes at scale and speed.
The potential upside is considerable. Institutions could deliver hyper-personalised customer experiences, respond to risks in real time, and automate operational processes in ways that significantly reduce costs and improve margins.
However, the shift to autonomy also expands the attack surface and introduces new forms of vulnerability. Unlike humans, AI systems do not experience consequences for their actions, which increases the risk of persistent privilege: access that remains in place long after the task that justified it.
Questions that were once peripheral now become central. Who is taking action within a system? Under what authority? What data is being accessed, and why? And crucially, who is accountable when something goes wrong?
These are not theoretical concerns but go directly to the heart of regulatory compliance, operational resilience, and customer trust.
Identity at the moment of action
As autonomous systems begin to execute financial decisions, identity emerges as the organising principle that can bring order to complexity. In an agentic environment, identity extends beyond human users to encompass machines, software agents and digital counterparts acting on behalf of customers or institutions.
In practical terms, session-based trust was built for static systems. Identity embeds guardrails such as dynamic least-privilege access, consent management, policy enforcement and continuous monitoring directly into agent behaviour. Governance is no longer treated as an afterthought; it becomes a core part of how systems operate.
This builds on established identity and zero trust principles, extending them to meet the demands of continuously operating AI systems.
This approach also enables interoperability across ecosystems. As financial institutions increasingly collaborate with partners, fintechs, and third-party service providers, identity frameworks allow autonomous agents to operate using explicit delegation, defining precisely what an agent can do, when it can do it, and under what constraints. This replaces the traditional model of authenticating, exchanging credentials, and operating within static boundaries of authority.
Regulation drives convergence
Regulators globally are already signalling that autonomy must not come at the expense of accountability. Across major jurisdictions, there is growing alignment around the need for transparency, explainability and human oversight in AI-driven systems.
Identity and access management systems are uniquely positioned to support these requirements. By enforcing strict controls over who or what can act within a system, and by maintaining detailed records of every interaction, they provide a common language through which institutions can demonstrate compliance in real time.
This is a notable shift from traditional approaches, where compliance was often retrospective. In an agentic world, governance must be continuous and embedded.
Use cases begin to emerge
While the concept of agentic AI may still appear abstract, practical applications are already taking shape across the financial sector.
In banking, autonomous fraud detection systems can monitor transactions, initiate authentication requests, and halt suspicious activity before losses occur. These systems can document every step taken, creating a comprehensive audit trail for regulators and internal review.
Personalised financial advice can also be delivered through networks of cooperating agents. Customer personal agents gather preferences and goals under explicit consent, while institutional agents apply risk and compliance frameworks. In high-risk scenarios, identity controls can trigger a human-in-the-loop requirement before a sensitive financial action is executed.
In insurance, agentic AI is reshaping claims management. Autonomous systems can validate evidence, assess coverage, and coordinate with third parties to resolve routine claims efficiently. More complex or disputed cases are escalated with full transparency, enabling faster and more informed human intervention.
Across these use cases, a consistent theme emerges: autonomy delivers value only when it is bounded by clear rules, verifiable actions and accountable oversight.
Securing the agentic enterprise with runtime identity
For financial institutions, the challenge now is to move beyond legacy identity architectures that assume trust persists after login without continuous evaluation. In a world of autonomous systems, the login is no longer the security boundary; the decision itself becomes the control point.
This is the shift to Runtime Identity. When identity lives at runtime, every action becomes verifiable, governed, and attributable.
This ensures that as institutions adopt more advanced forms of AI, they do not compromise on the principles that underpin their licence to operate.
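As an added illustration (not code from the article or from Ping Identity), the sketch below evaluates each agent action against an explicit delegation at the moment of action: what the agent may do, when, and under what constraints, with a human-in-the-loop step-up and an audit record for every decision. The `Delegation` fields, the `authorize` function, the thresholds and the sample grant are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Delegation:
    """Hypothetical grant: what an agent may do, when, and under what constraints."""
    agent_id: str
    on_behalf_of: str
    actions: frozenset      # what the agent can do
    not_before: datetime    # when it can do it
    expires: datetime
    max_amount: float       # hard ceiling per action
    review_above: float     # human approval required above this amount

AUDIT = []  # in-memory stand-in for an append-only audit store

def authorize(grant, agent_id, action, amount, now, human_approved=False):
    """Decide one action at the moment it is attempted; an earlier login grants nothing."""
    if agent_id != grant.agent_id:
        decision = "deny:not_the_delegate"
    elif not (grant.not_before <= now < grant.expires):
        decision = "deny:outside_time_window"
    elif action not in grant.actions:
        decision = "deny:action_not_delegated"
    elif amount > grant.max_amount:
        decision = "deny:over_limit"
    elif amount > grant.review_above and not human_approved:
        decision = "step_up:human_review"
    else:
        decision = "permit"
    # Every decision, including denials, is attributable to agent and principal.
    AUDIT.append({"at": now.isoformat(), "agent": agent_id,
                  "for": grant.on_behalf_of, "action": action,
                  "amount": amount, "decision": decision})
    return decision

# Constructed sample data (not from the article).
T0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
GRANT = Delegation("agent-7", "customer-42", frozenset({"pay_bill"}),
                   T0, T0 + timedelta(hours=8), max_amount=5000.0,
                   review_above=1000.0)

if __name__ == "__main__":
    for args in [("agent-7", "pay_bill", 120.0, T0 + timedelta(hours=1)),
                 ("agent-7", "pay_bill", 2500.0, T0 + timedelta(hours=2)),
                 ("agent-7", "open_account", 0.0, T0 + timedelta(hours=3)),
                 ("agent-7", "pay_bill", 120.0, T0 + timedelta(hours=9))]:
        print(args[1], args[2], "->", authorize(GRANT, *args))
```

The last sample call is identical to the first except for the time: the same agent and action are permitted inside the delegation window and denied after it, which a login-time check alone would not catch.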
The stakes are high. Institutions that fail to establish continuous, contextual authorisation risk falling foul of regulators, exposing themselves to new forms of cyber threat, and eroding customer confidence.
Conversely, those that invest early in runtime identity controls stand to benefit from faster innovation, improved efficiency, and stronger differentiation in an increasingly competitive market.
