By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: SeamfixPublished December 4, 2025

TL;DR: Banks at the New Age Banking Summit in Lagos focused on cloud adoption, AI-enabled banking, data-driven customer decisions, and digital kiosks, with the source article citing that 62% of banks globally have already adopted cloud strategies. The governance challenge is not adoption itself, but whether identity, data, and trust controls are mature enough to support it.


At a glance

What this is: Seamfix's summit summary argues that cloud, AI, data, and digital channels are now central to Nigerian banking transformation, with cloud adoption already at 62% globally.

Why it matters: For IAM, NHI, and security teams, the message is that digital banking expansion increases the importance of identity verification, access control, and data governance across both customer and machine identities.

By the numbers:

👉 Read Seamfix's summary of the New Age Banking Summit lessons for banking digital transformation


Context

The core issue is not whether banks should digitise, but whether the controls around cloud, AI, customer data, and digital access can keep pace with the business model. Once banking services move into shared infrastructure and software-driven decision paths, identity becomes the control plane for both humans and non-human identities.

In practical terms, cloud adoption and AI-assisted banking expand the number of systems, privileges, and integrations that must be governed. That makes KYC, access assurance, and secrets management part of the same risk conversation, rather than separate technology projects.


Key questions

Q: How should banks govern cloud and AI access when digital banking scales quickly?

A: Banks should treat cloud and AI access as an identity governance problem, not just an infrastructure rollout. That means assigning owners to human and non-human identities, limiting standing privilege, reviewing secrets, and logging delegated actions. If a workflow can reach customer data or customer decisions, it needs the same access discipline as any other sensitive banking process.

Q: Why do cloud and digital channels increase identity risk in banking?

A: Cloud and digital channels increase identity risk because they expand the number of access points, credentials, integrations, and trusted systems that must be controlled. A bank may secure the application while leaving service accounts, API keys, or kiosk recovery paths weakly governed. The result is more places for fraud, takeover, or data exposure to begin.

Q: What do banks get wrong about AI in banking programmes?

A: Banks often treat AI as a feature project and under-specify its authority. The real issue is whether the system is allowed to read sensitive data, trigger actions, or influence decisions without clear governance. If that boundary is vague, the bank creates machine-driven access paths that auditors and IAM teams cannot easily see.

Q: Who is accountable when a digital banking channel weakens identity assurance?

A: Accountability should sit with the business owner of the channel, the security owner of identity controls, and the data owner for the exposed records. If a kiosk, AI workflow, or cloud integration weakens assurance, it is not just a technology issue. Regulators and auditors will expect a named owner, a control rationale, and evidence that the risk was reviewed.


Technical breakdown

Cloud adoption in banking and the identity boundary

Cloud use in banking changes where trust is established. Instead of keeping workloads and data entirely inside a fixed perimeter, banks rely on identity, policy, and provider controls to decide who or what can reach sensitive systems. That creates a stronger need for authenticated access, least privilege, and continuous review of service accounts, API keys, and privileged roles. The article's 62% cloud-adoption figure matters because scale turns governance into an operational discipline, not a one-time migration task.

Practical implication: banks should map every cloud-connected identity, including machine identities, to an owner, purpose, and review cycle.

Artificial intelligence in banking needs governance, not just automation

AI in banking is not only a technology choice. It changes how decisions are made, what data is used, and which systems are allowed to act on behalf of the institution. In a banking context, AI can influence customer service, risk signals, and internal workflows, which means model access, data access, and delegated execution all need governance. Without that, the bank can scale bad decisions as quickly as it scales efficiency.

Practical implication: banks should treat AI systems as governed digital actors and define who approves their data sources, actions, and exceptions.

Digital kiosks extend the identity perimeter

Digital kiosks and alternative channels broaden the point at which customer identity must be established and revalidated. That matters because every extra channel introduces more opportunities for impersonation, credential misuse, or weak offboarding of access paths. In practice, this shifts the focus from a single onboarding event to ongoing assurance across the customer lifecycle. The article's KYC point is directionally right, but the stronger governance lesson is that identity assurance must persist after account creation.

Practical implication: banks should align kiosk access, remote onboarding, and customer authentication to the same assurance and audit standards.


Threat narrative

Attacker objective: The objective is to abuse trusted banking access paths so the attacker can steal data, manipulate transactions, or disrupt customer-facing services.

  1. Entry begins when banks expose cloud services, digital channels, or AI workflows that depend on externally reachable identities and credentials.
  2. Escalation occurs when weak access governance lets an attacker or rogue actor reuse standing privileges, stale tokens, or poorly governed integrations.
  3. Impact follows when compromised access reaches customer data, banking workflows, or decision systems, allowing fraud, data exposure, or service abuse.

NHI Mgmt Group analysis

Cloud-first banking creates an identity-governance problem before it creates a technology problem. The article's 62% cloud-adoption statistic shows that banking is already operating in a trust model where identity, not network location, is the control boundary. That means IAM, PAM, and secrets governance now sit inside banking resilience, not beside it. Banks that treat cloud as infrastructure only will miss the real risk surface, which is delegated access across human and non-human identities. The practitioner conclusion is to govern cloud as an identity programme.

AI in banking is becoming a governance issue for both model access and delegated authority. Banks are not only adopting AI to automate tasks, they are embedding software into decision flows that affect customers and operations. That creates a new class of machine-held privileges, data dependencies, and approval paths that must be audited like any other sensitive identity. The named concept here is delegated banking authority: when systems are allowed to act with partial institutional trust, the bank must prove who granted that trust and under what limits. The practitioner conclusion is to define control ownership before AI use expands.

Digital kiosks widen the customer identity boundary and increase lifecycle risk. Alternate channels can improve reach, but they also multiply the number of places where identity proofing, credential recovery, and session assurance must hold up. That is a lifecycle issue, not just a front-end experience issue. If identity assurance weakens at any handoff, fraud and account takeover become easier to scale. The practitioner conclusion is to align channel expansion with stronger identity assurance, not with looser onboarding shortcuts.

The article correctly points to data as the centre of transformation, but data value without access governance creates unmanaged exposure. Banking programmes often move faster on analytics and channel innovation than on entitlement hygiene, secrets rotation, and auditability. That imbalance turns useful data into a broader blast radius when credentials or identities fail. For practitioners, the conclusion is that data strategy and identity strategy must be implemented together, or digital transformation becomes a control gap.

What this signals

Identity and access teams should expect digital banking expansion to expose control gaps faster than governance cycles can absorb them. The practical challenge is not whether cloud or AI is useful, but whether every identity touching those systems has an owner, scope, and review path. Where that is missing, the bank will accumulate entitlement debt and secrets debt at the same time.

Delegated banking authority is becoming a programme design issue. Once AI systems, kiosks, and cloud services can influence customer journeys, teams need to decide which identities can act, which can only read, and which must be blocked entirely. The strongest programmes will align access assurance, secrets hygiene, and customer identity proofing rather than managing them as separate workstreams.

The banking lesson is that transformation programmes should be measured by control coverage, not by the number of channels or automation features shipped. If ownership, logging, and rotation are not part of the release criteria, the programme is creating scale without assurance.


For practitioners

  • Map cloud and AI identities Inventory every human and non-human identity touching cloud workloads, customer data, and AI-assisted workflows. Assign an owner, business purpose, and review cadence to each one so standing access does not outlive the use case.
  • Tie digital kiosks to identity assurance Apply the same KYC and authentication standard across branch, mobile, kiosk, and assisted channels. Where channels differ, document the risk acceptance and the compensating controls instead of assuming the customer journey is equivalent.
  • Review secrets and service account exposure Find API keys, tokens, certificates, and service accounts used in banking integrations, then rotate or retire anything that lacks clear ownership or current use. Hidden credentials in automation flows create an access path that board-level cloud strategy does not see.
  • Separate AI enablement from AI authority Approve AI use cases only after defining which data sources, actions, and exception paths the system may touch. If the model or workflow can influence customer outcomes, require explicit governance and logging before production use.

Key takeaways

  • Cloud adoption in banking shifts the control boundary from network location to identity governance.
  • AI, kiosks, and digital channels expand the number of trusted identities, credentials, and access paths that must be controlled.
  • Banks should tie transformation to ownership, lifecycle review, and secrets hygiene before scaling customer-facing automation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Identity and credential control are central to cloud and AI banking governance.
NIST SP 800-53 Rev 5IA-5Secrets and authenticator management directly address banking credential exposure.
NIST Zero Trust (SP 800-207)Zero trust fits banking environments where identity is the new access boundary.
GDPRArt.32Banking identity and data flows can involve personal data protection obligations.

Use zero-trust principles to verify each banking request rather than assuming network location implies trust.


Key terms

  • Delegated Banking Authority: The level of permission a banking system, workflow, or AI service is allowed to exercise on behalf of the institution. It matters because modern banking increasingly relies on software acting with partial trust, which requires clear limits, ownership, and auditability.
  • Identity Assurance: The strength of confidence that a user, customer, or system is who or what it claims to be. In banking, assurance must be maintained across onboarding, transactions, recovery, and alternate channels such as kiosks and cloud-based services.
  • Secrets Governance: Secrets governance is the discipline of controlling where credentials are stored, who can use them, how long they remain valid, and how they are removed. It links discovery, rotation, offboarding, and auditability so that a secret does not outlive the legitimate need for access.

What's in the full article

Seamfix's full article covers the summit discussion detail this post intentionally leaves for the source:

  • The panel-level discussion on why banks are prioritising cloud frameworks and where information security concerns still sit.
  • The article's specific observations on artificial intelligence adoption in Nigerian banking and the infrastructure gap it raises.
  • The detailed rationale behind digital kiosks as an alternate revenue and acquisition channel for banks.
  • The broader summit context behind the Bank Zero Gravity and KYC discussion, including how the event framed customer intelligence.

👉 The full Seamfix article expands on cloud adoption, AI in banking, digital kiosks, and the Bank Zero Gravity discussion.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and workload identity. It helps practitioners connect identity controls to the broader security programme that digital transformation depends on.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org