TL;DR: Banking digitalisation, automation, cyber security, AI for AML, and customer experience across life, health, wealth, lending, and payments cluster into a pattern that financial services programmes now have to align operational change with identity and control decisions, according to Comarch. The governance issue is not whether to digitise, but how to keep access, trust, and user experience coherent while processes become more automated.
At a glance
What this is: A Comarch content roundup focused on digital transformation themes in financial services, especially automation, AI, cyber security, and customer experience.
Why it matters: It matters because banking and insurance teams must align IAM, NHI, and lifecycle governance with automation and AI-driven service delivery without weakening trust or control.
👉 Read Comarch’s overview of digital transformation themes in financial services
Context
The primary keyword here is banking digitalisation, and the article is really a thematic roundup of financial services transformation topics rather than a single technical argument. It points to the pressure on banks, insurers, and related financial firms to make customer journeys more digital while keeping cyber security, access control, and operational trust intact.
For IAM and NHI practitioners, the important signal is that digital transformation no longer sits outside identity governance. Automation in lending, payments, wealth management, and AML changes who or what is acting, what access is needed, and how long that access should exist, which makes lifecycle discipline and controls part of the transformation programme rather than a downstream security task.
That same shift also affects human identity programmes because user-friendly access, customer experience, and strong security are being treated as the same design problem. Teams that separate business process automation from identity governance will miss the control gaps created when finance workflows become more software-driven.
Key questions
Q: How should banks govern access for automated lending and payments workflows?
A: Banks should govern automated lending and payments workflows as identity subjects with clear ownership, least-privilege scope, and a defined revocation path. Each service account, API token, or delegated permission should be tied to a specific business process, then reviewed when that process changes. The control objective is lifecycle alignment, not just initial provisioning.
Q: Why do AI-supported AML processes create extra identity governance risk?
A: AI-supported AML processes create extra identity governance risk because they expand who or what can see sensitive financial data and influence compliance decisions. If access boundaries are vague, the model can operate beyond its intended remit. The key question is whether the AI is constrained by a bounded, auditable identity perimeter.
Q: What do security teams get wrong about user-friendly controls in financial services?
A: Security teams often treat usability and assurance as opposing goals. In financial services, that is a mistake because poor user experience drives bypass behaviour, shadow workflows, and weak recovery patterns. The better approach is to build step-up, delegation, and recovery options into the identity design so the control remains usable under pressure.
Q: When should identity teams recertify access in a banking transformation programme?
A: Identity teams should recertify access whenever a lending, payments, insurance, or customer-experience workflow changes in substance. That includes new automation, new data sharing, or a new AI-assisted decision path. Access that was correct for the old process may be over-privileged or irrelevant once the workflow is redesigned.
Technical breakdown
Automation in lending and payments changes the access model
Automation in financial workflows changes more than speed. When lending, payments, or customer servicing is automated, the system doing the work often needs service credentials, API permissions, or delegated access that outlives a single transaction. That creates identity sprawl if teams treat every integration as a one-off technical link rather than a governed identity subject. The real issue is lifecycle discipline: who provisioned the access, who can revoke it, and how the access is reviewed when the process changes. Practical implication: model automated finance workflows as governed identities, not just application integrations.
Practical implication: model automated finance workflows as governed identities, not just application integrations.
AI in AML depends on controlled data and bounded authority
AI can help surface patterns that traditional AML systems miss, but it does not remove the need for bounded authority. If an AI system can inspect customer, transaction, or case-management data, the supporting access model must be explicitly constrained and auditable. Otherwise, the control problem shifts from rule accuracy to access excess, where the model sees more than it should or triggers actions without clear accountability. In practice, the governance question is not only whether AI improves detection, but whether it is operating inside a clearly defined identity and data boundary. Practical implication: pair AI-enabled AML use cases with tightly scoped access and traceable decision paths.
Practical implication: pair AI-enabled AML use cases with tightly scoped access and traceable decision paths.
Customer experience and cyber security are now the same governance conversation
The article’s repeated focus on user-friendly security reflects a real tradeoff in financial services: frictionless access can improve adoption, but it can also weaken assurance if identity checks are simplified too aggressively. For banks and insurers, this is where IAM and customer experience must be designed together. Strong controls do not have to be unusable, but they do need to be explicit about step-up points, delegation, and recovery flows. The operational mistake is to treat usability and control as opposing goals when they are actually part of the same trust architecture. Practical implication: design customer journeys so that security controls support, rather than interrupt, the intended workflow.
Practical implication: design customer journeys so that security controls support, rather than interrupt, the intended workflow.
NHI Mgmt Group analysis
Digital transformation in finance is now an identity governance problem, not just a channel strategy. The article spans banking, insurance, wealth management, lending, payments, and AML, which shows how broad the operational change has become. Once business processes are mediated by software, identity decisions move into the core of service delivery. Practitioners should treat process digitisation as a driver of entitlement design, lifecycle control, and auditability.
Automation in regulated workflows increases the number of governed identities without reducing governance burden. Lending automation and AI-supported AML both create more machine-mediated action, which means more service access, delegated authority, and exception handling. That does not eliminate control requirements, it multiplies them. The practical conclusion is that identity teams need to govern the automated actors behind finance workflows with the same seriousness they apply to human access.
User-friendly security is not a soft requirement in financial services, it is part of the control design. The article repeatedly links cyber security with usability, which is the right framing for customer-facing finance programmes. If users bypass controls because the journey is too painful, the security model fails operationally even if it looks sound on paper. Practitioners should design identity controls that preserve assurance without forcing workaround behaviour.
AI in AML should be judged by bounded authority, not by detection ambition alone. The value of AI is not that it replaces controls, but that it operates inside them. When an AI system can inspect financial data or influence case handling, its access boundary becomes part of the risk model. IAM and governance teams should evaluate whether the AI is acting within a clearly defined identity perimeter.
Banking digitalisation creates a recurring lifecycle issue: access granted for one transformation phase often persists into the next. The article’s broad scope implies continuous change across products and channels, which is exactly where entitlement drift appears. What was provisioned for one lending workflow or one AML use case rarely stays aligned as the process evolves. Practitioners should expect lifecycle cleanup to be a permanent part of transformation, not a one-time project.
From our research:
- Organizations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- For teams building digital finance workflows, the next question is whether that fragmentation is showing up in lifecycle control, which is why the NHI Lifecycle Management Guide matters here.
What this signals
Secrets fragmentation is the hidden cost of transformation. As banks and insurers digitise more workflows, identity teams should expect the number of control points to rise faster than the number of visible owners. The practical signal is whether service credentials, API keys, and delegated permissions are still being tied back to business process ownership, or whether they are accumulating in the background.
Financial services programmes should also prepare for more cross-functional governance. When customer experience, cyber security, and automation are being discussed in the same article, that usually means identity controls are no longer a back-office concern. The teams that respond early will be the ones that can explain access decisions to risk, audit, and operations in the same language.
For practitioners
- Map automation to identity subjects Inventory every automated lending, payments, and AML workflow as a governed identity subject with an owner, purpose, and revocation path. Separate human access, service credentials, and delegated application access so that each can be reviewed on its own lifecycle.
- Define access boundaries for AI-enabled finance workflows Document which data sources, case queues, and transaction actions an AI-supported process may touch. Require traceability for any AI-assisted recommendation that influences a financial decision or compliance action.
- Align user experience with assurance controls Review where security friction causes staff or customers to bypass intended identity controls, then redesign the journey around explicit step-up, recovery, and delegation paths rather than workarounds.
- Re-run lifecycle reviews after each process change Treat product, channel, and workflow updates as triggers for entitlement recertification. Remove access that no longer matches the current finance process, especially for integrations created during earlier transformation phases.
Key takeaways
- The article is best read as a financial services digitalisation brief, but its real security implication is that automation changes the identity model behind customer and compliance workflows.
- As lending, payments, AML, and customer experience become more software-driven, the governance burden shifts toward lifecycle control, access boundaries, and auditability.
- IAM and NHI teams should treat transformation programmes as recurring entitlement-review events, not one-time technology projects.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access management is central when finance workflows become automated and AI-assisted. |
| NIST Zero Trust (SP 800-207) | Zero trust fits customer and machine access when finance workflows are increasingly distributed. | |
| OWASP Non-Human Identity Top 10 | NHI-01 | Service accounts and API credentials underpin automated lending, payments, and AML flows. |
Map automated finance access to PR.AC-4 and review every delegated entitlement against current process need.
Key terms
- Digital Transformation: Digital transformation is the redesign of business processes, customer journeys, and operating models around software and data. In identity terms, it changes who or what is acting, which permissions are needed, and how control must follow the process as it evolves.
- Automated Workflow Identity: Automated workflow identity is the access used by software to complete business tasks such as lending, payments, or case handling. It usually involves service accounts, API credentials, or delegated permissions that must be governed through ownership, scope, and lifecycle review.
- Access Boundary: An access boundary is the set of data, actions, and systems an identity is allowed to reach. For AI or automated finance processes, it defines where the workflow may operate and where additional approval, logging, or restriction is required.
- Entitlement Recertification: Entitlement recertification is the periodic review of whether access still matches business need. In transformation programmes, it matters because access granted for an earlier workflow often persists after the process, system, or ownership has changed.
What's in the full article
Comarch's full article covers the thematic detail this post intentionally leaves for the source:
- Examples of how Comarch groups digital transformation themes across life, health, banking, wealth management, and payments.
- The specific business questions the vendor associates with automation, customer experience, and AI in financial services.
- The source article's broader content collection and video prompts for practitioners exploring adjacent transformation topics.
- The vendor's own framing of how cyber security, digitalisation, and customer satisfaction intersect in financial workflows.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org