Thought Leaders

AI Agents Are Racing Ahead of Financial Security. Is the Industry Ready?

mm

I’d like to buy some British Airways

When I started on a City trading desk in the 1980s, the phone was the interface. A client would call, usually a man who had made his money in something boring and wanted a little of it in shares, and he would say he fancied some British Airways. Someone on the desk took the order, and that was the trade. Two people, a handset, and a fair amount of trust in both directions.

The industry then spent forty years getting rid of the phone call. First the dealing screens. Then the electronic terminals. Then the APIs that let a fund fire thousands of orders a second without anyone saying a word. We called it progress, and for the most part it was.

Now the loop is closing. The newest idea in the business is to let the client talk to the machine again, except this time the machine answers. You tell an AI agent, in more or less plain English, to run a pairs trade across two asset classes, or to keep an options position optimised against a handful of conditions you reel off, and it goes and does it. We spent a generation replacing the man on the desk. We are now about to rehire him in silicon.

I have no great objection to any of this. What worries me is the wiring underneath, which is a good deal younger than the marketing.

The plumbing is younger than the hype

The thing quietly powering most of this integration wave is the Model Context Protocol, or MCP, and it is barely eighteen months old. Anthropic open-sourced it in late 2024 to solve an internal problem of its own: how to connect language models to outside tools and data without writing bespoke integration code for every pairing. By the time Anthropic handed the protocol over to the newly formed Agentic AI Foundation in December 2025, it was already running more than 10,000 public servers and had been picked by ChatGPT, Gemini, and Microsoft Copilot, among others. That is the kind of adoption curve that makes “first to integrate” feel like the only question anyone should be asking.

It solves a real engineering problem. Rather than hand-code an integration for every institutional tool, you publish one uniform catalogue of capabilities and let the model read from it. A frontier model can then talk to a thirty-year-old database as if the two had been introduced at a party.

The trouble is that the same uniformity walks straight past the network perimeter you spent a decade building. The interface that lets the model reach the legacy database lets it reach anything else exposed on the same interface. And an agent doing a real job in a real trading firm has to read the outside world to function: market commentary, news feeds, the file someone just dropped in. The moment it starts reading untrusted text, the instructions and the data are arriving down the same pipe, written in the same language, with no dependable way for the model to tell which is which.

Tricking the model is easier than breaking the bank

This is not a hypothetical. A 2026 study set out to measure how well AI agents actually resist prompt injection, the trick of hiding instructions inside the content an agent is reading so that it quietly does something other than what its owner asked. Across thousands of simulated attacks on agents built on frontier systems such as GPT-5 and Gemini, direct injection succeeded more than 79% of the time, and indirect attacks, where the instruction is buried in ordinary web content or metadata, landed somewhere between 41% and 68%. Not one configuration they tested held the line completely.

The OWASP GenAI Security Project made a quieter but related point in its 2026 report on agentic AI security, published in June. The first edition had catalogued risks that were mostly plausible on paper. The 2026 edition is built on recorded incidents, vendor advisories and registered vulnerabilities attached to very nearly every category of risk it tracks. Two years, and the theoretical became the logged. That alone is an argument for knowing exactly what you are connecting, and to what, before you connect it.

A machine that writes its own exploits

Then the picture changed again. In April 2026 Anthropic disclosed Claude Mythos Preview, a heavily restricted, frontier-class model built for cyber work. According to Anthropic’s own technical write-up, Mythos could autonomously find zero-day vulnerabilities across major operating systems and web browsers and produce working exploits for them, with no human holding its hand. The United Kingdom’s AI Security Institute checked the claim independently and found that Mythos completed an end-to-end simulated 32-step corporate network attack and solved 73% of expert-level challenges.

Mythos itself is kept on a short lead, restricted to a handful of infrastructure providers under something called Project Glasswing. But its existence settles an argument. Offensive capability is now running well ahead of the governance meant to contain it. Put a capability like that in the wrong hands, point it at an agent that has authority to move money, and you have a pipeline that can hijack the underlying APIs and fire off asset liquidations or outbound transfers nobody authorised.

None of this requires breaking the encrypted database. That is the part worth sitting with. Traditional financial systems run on deterministic code, where the same action gives you the same answer every time, and reliably. An agent runs on probabilistic reasoning, which is a polite way of saying it does not come with hard edges. So the attacker skips the vault entirely and simply talks the model into misreading its instructions. Why pick the lock when you can talk your way past the guard?

What actually protects you sits below the model

There is a cost angle here too, and it points the same way. MCP is chatty. It needs a lot of back-and-forth, and that back-and-forth burns tokens, which is to say money. As that bill climbs, my expectation is that serious firms will drift away from the generic open standard and toward tightly optimised proprietary endpoints of their own. Cheaper, and a good deal easier to lock down.

Because the model’s own safety guardrails are not remotely enough to protect other people’s capital. What actually protects it sits below the model, in the plumbing. A serious deployment starts with device-level gatekeeping. At EXANTE, we build the compliance framework straight into that layered architecture: before a single word reaches the language model, a hardware-secured perimeter has already established who is on the other end of the conversation.

Below that, the APIs themselves have to be rebuilt for a machine to use, not a person. A human developer gets a fairly permissive interface because you trust their judgement. An autonomous agent gets a rigid schema that sharply limits what it can ask the backend to do, because an agent will cheerfully use everything you leave lying around. Give it access to a thing, and it will find a use for the thing. So production should expose as little as it can get away with.

The agent’s work should then run inside a ring-fenced environment, with the pipe that reads the world kept structurally apart from the machinery that can act on it. Reading and acting are different jobs and belong in different rooms. And for anything genuinely high-risk, a person still has to say yes. Someone with a name and a login approves the transaction before it goes anywhere. That step is not up for negotiation.

The tortoise has a point

You know the story. A hare so pleased with its own speed that it stops for a nap, and a tortoise that wins by the radical tactic of not stopping. It is a fable, not an operating manual, and I would not lean on it too hard. But the current race does rhyme with it. The firms sprinting hardest are collecting the most coverage, and coverage is not the same thing as lasting. The market tends to remember the broker who moved a quarter too early for a lot longer than it remembers the one who waited.

Meanwhile, the rules are catching up. As frameworks like the European Union’s AI Act tighten the oversight of automated systems in finance, treating compliance as something you bolt on afterwards stops being an option and starts being a fine. When a compromised agent does something it should not, the liability lands on the infrastructure that let it, not on the model that was fooled. Durability in this era will belong to the firms that keep client assets properly segregated, keep the lights on when things break, and can show their working on where the data went. Not to whoever wired up the flashiest connection first.

Which brings me back to my man on the phone in 1985. For all his faults, he had one advantage over the agent we are busy building to replace him. When he told you to buy British Airways, he bought British Airways. You could not talk him into wiring the account to a stranger by means of a cleverly worded headline. Progress, then. Of a sort. At EXANTE we are spending a fair amount of effort making sure the silicon version is at least as hard to con as the bloke with the handset was, which tells you something about where forty years of innovation has landed us.

Richard Forss is the Chief Technology Officer at EXANTE, a global prime broker, with 30+ years of experience designing and scaling technology for financial institutions, hedge funds, and fintech companies.