
AI governance in finance: why identity security is the control point


(@sailpoint)
Reputable Member
Joined: 1 year ago
Posts: 122
Topic starter  

TL;DR: Financial services AI governance is converging on identity security as the control layer that ties together access, auditability, and Separation of Duties across human identities, service accounts, and AI agents, according to SailPoint and the U.S. Treasury’s FS AI RMF. The audit question is no longer theoretical: without identity governance, AI controls lose practical enforceability.

NHIMG editorial — based on content published by SailPoint: The unbreakable link between AI in financial services and identity security

By the numbers:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: How should financial services teams govern AI agents that access regulated data?

A: Treat AI agents as identities that must be governed through entitlement scope, policy enforcement, and audit evidence.

Q: Why do AI agents complicate least privilege in regulated environments?

A: AI agents complicate least privilege because their runtime behaviour is not fully known when access is granted.

Q: What do IAM teams get wrong about AI governance in finance?

A: They often treat AI governance as a model oversight issue instead of an identity problem.

Practitioner guidance

  • Map AI-enabled workflows to accountable identities. Inventory which human users, service accounts, and AI agents can access regulated data and APIs, then tie each workflow to a named owner and policy record.
  • Rebuild SoD checks around runtime action chains. Evaluate whether an AI workflow can combine steps that should remain separated, especially when the agent can call multiple tools in one session.
  • Require auditable policy evidence for every AI action. Capture the identity, entitlement, data touched, and action result so auditors can reconstruct why a workflow was allowed to run.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • The specific capabilities the vendor says it uses to discover unauthorized AI tools and map their access patterns.
  • The whitepaper referenced in the post, which expands the Treasury framework mapping for financial CISO teams.
  • The roundtable invitation and registration details for practitioners who want the vendor's live discussion format.
  • The product framing for continuous governance across human and non-human identities in regulated workflows.

👉 Read SailPoint's analysis of AI governance and identity security in financial services →


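The two practitioner points above, SoD evaluated over an agent's runtime action chain and an audit record per action, as an added example that is not code from the NHIMG post or from SailPoint. It is a minimal session-level check: an identity may hold two entitlements individually, but exercising both within one session trips a toxic-combination rule, and every decision is emitted as a JSON audit line carrying identity, entitlement, data touched and result. The tool names, entitlement strings, conflict pairs and the sample session are all constructed assumptions for illustration.

```python
import json
from dataclasses import dataclass, field, asdict

# Hypothetical tool -> entitlement map (assumption; not from the post).
TOOL_ENTITLEMENT = {
    "create_vendor": "ap.vendor.write",
    "submit_invoice": "ap.invoice.write",
    "approve_payment": "ap.payment.approve",
    "read_ledger": "gl.ledger.read",
}

# Hypothetical SoD conflict pairs (assumption): exercising both in one
# session is denied even when the identity has been granted both.
SOD_CONFLICTS = {
    frozenset({"ap.vendor.write", "ap.payment.approve"}),
    frozenset({"ap.invoice.write", "ap.payment.approve"}),
}


@dataclass(frozen=True)
class ToolCall:
    session_id: str
    identity: str   # agent identity performing the call
    tool: str
    data_ref: str   # record the call touches


@dataclass
class AuditRecord:
    session_id: str
    identity: str
    tool: str
    entitlement: str
    data_ref: str
    decision: str   # "allow" | "deny"
    reason: str


@dataclass
class SessionState:
    granted: frozenset
    exercised: list = field(default_factory=list)  # entitlements used, in order


def evaluate_call(call: ToolCall, state: SessionState) -> AuditRecord:
    """Decide one tool call against static grants and the session's action chain."""
    ent = TOOL_ENTITLEMENT.get(call.tool, "")
    rec = AuditRecord(call.session_id, call.identity, call.tool, ent,
                      call.data_ref, "deny", "")
    if not ent:
        rec.reason = "unknown tool"
        return rec
    if ent not in state.granted:
        rec.reason = "entitlement not granted"
        return rec
    # The chain check: static provisioning said nothing about this combination.
    for prior in state.exercised:
        if frozenset({prior, ent}) in SOD_CONFLICTS:
            rec.reason = f"SoD conflict: {ent} after {prior} in same session"
            return rec
    state.exercised.append(ent)
    rec.decision, rec.reason = "allow", "policy match"
    return rec


def evaluate_session(calls, granted):
    """Evaluate a whole session in order, carrying state between calls."""
    state = SessionState(granted=frozenset(granted))
    return [evaluate_call(c, state) for c in calls]


def audit_lines(records):
    """One JSON line per action, in the shape an auditor or SIEM would ingest."""
    return [json.dumps(asdict(r), sort_keys=True) for r in records]


# Constructed sample: an AP agent granted every entitlement it might need
# (over-broad, but common) walks a vendor-create -> pay chain in one session.
GRANTED = ["ap.vendor.write", "ap.invoice.write", "ap.payment.approve", "gl.ledger.read"]
SAMPLE_SESSION = [
    ToolCall("s-001", "agent:ap-assistant", "create_vendor", "vendor:V-1042"),
    ToolCall("s-001", "agent:ap-assistant", "submit_invoice", "invoice:INV-7781"),
    ToolCall("s-001", "agent:ap-assistant", "approve_payment", "payment:P-3310"),
    ToolCall("s-001", "agent:ap-assistant", "read_ledger", "ledger:2024-Q3"),
]

if __name__ == "__main__":
    for line in audit_lines(evaluate_session(SAMPLE_SESSION, GRANTED)):
        print(line)
```

Running it allows the vendor creation and invoice, denies the payment approval because the same identity already exercised a conflicting entitlement earlier in the session, and allows the ledger read. A per-call check with no session memory would have allowed all four, which is the gap the "runtime action chain" bullet is pointing at.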