Banks should govern employee AI use as an identity and data handling problem, not just a policy issue. The control point is intent, context, and runtime enforcement. If staff can paste client or trading information into unmanaged tools, security teams need visibility into the interaction, not just the network.
Why This Matters for Security Teams
Banking AI governance fails when employee use of tools is treated like a simple acceptable-use issue. The real risk is that regulated data can move into unmanaged prompts, plugins, or browser-based assistants without a durable identity trail. That creates exposure across regulatory and audit perspectives, because investigators need to know who interacted with what data, under which approval, and whether secrets or client records were retained. NIST’s NIST Cybersecurity Framework 2.0 is useful here because it pushes banks toward governance, asset visibility, and controlled access rather than after-the-fact policy reminders.
Security teams also need to recognise that employee AI usage often creates an NHI problem indirectly: the user may be human, but the tool, connector, or agent acting on their behalf behaves like an identity with access to sensitive systems. NHIMG research shows how quickly compromise can cascade when secrets are exposed, and the same lesson applies to prompt leakage and unmanaged integrations. In practice, many security teams encounter the breach only after a spreadsheet, chat transcript, or trading note has already been copied into a third-party model.
How It Works in Practice
Effective governance starts by classifying employee AI use by data sensitivity and action type, not by application name. Banks should define which datasets can be summarised, which can be queried, and which are prohibited from external AI entirely. Current guidance suggests combining RBAC with intent-based authorisation so access decisions reflect the user’s purpose, the data classification, the device posture, and the destination model or connector. That approach fits the broader NHI lifecycle guidance in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs.
In practice, three controls matter most:
- JIT access for high-risk actions, so approval and privilege exist only for the task window.
- Ephemeral secrets and workload identity for approved AI services, rather than long-lived API keys embedded in scripts or plugins.
- Runtime inspection of prompts, attachments, and outputs, with DLP and policy-as-code enforcement at the interaction layer.
This is where the identity model matters. If a bank allows employee-created workflows to call models, retrieval systems, or MCP-connected services, those workflows should authenticate as workloads, not as borrowed human accounts. That aligns with Top 10 NHI Issues, especially around secret sprawl, unmanaged machine access, and over-privileged service accounts. The operational question is not only “can the user use AI?” but “can the bank prove what the AI was allowed to see, do, and retain?” These controls tend to break down when staff use personal accounts in consumer copilots because the bank loses visibility into data residency, retention, and downstream sharing.
Common Variations and Edge Cases
Tighter AI control often increases friction for front-office teams, requiring banks to balance fast analysis against supervision, retention, and legal hold obligations. That tradeoff is real, especially in trading, wealth management, and client service, where employees may want rapid summarisation of emails, call transcripts, or research notes. Best practice is evolving, but current guidance suggests separating low-risk productivity use from regulated-data workflows and granting exceptions only with logging, expiry, and review.
There is also no universal standard yet for employee prompting of internal models versus external SaaS copilots, so banks should set policy by risk tier and data class, then enforce it technically. The strongest pattern is to pair governance with evidence: who approved the use case, what data class was involved, whether output was stored, and whether any secrets were present. NHIMG’s Ultimate Guide to NHIs — Key Research and Survey Results is useful context because it reinforces how fragmented controls and weak remediation habits create avoidable exposure. The DeepSeek breach is a reminder that accidental exposure at model or data-layer scale can turn governance gaps into record-level risk.
For banks adopting agentic or tool-using assistants, NIST Cybersecurity Framework 2.0, NIST AI RMF, and Zero Trust Architecture principles should be interpreted together: govern the data, verify the workload, and enforce at runtime.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access control and least privilege are central to regulated AI use. |
| NIST AI RMF | AI RMF GOVERN and MAP functions fit bank oversight of AI use. | |
| OWASP Agentic AI Top 10 | LLM07 | Tool-enabled AI can leak data or misuse permissions through prompts and connectors. |
Treat AI tools as governed runtimes with prompt, connector, and output controls at execution time.
