To keep up with the rising tide of AI implementation, many FIs are turning to vendors — a process that can increase security risks if the institution and provider are not on the same page in terms of data protection and cloud defense.
“Even though you’re outsourcing some of the services and some of the capabilities, you never outsource the responsibility,” Troy Leach, chief strategy officer at the nonprofit Cloud Security Alliance (CSA), told FinAi News. “One of the most popular things that banks have embraced … is a shared security responsibility model for each and every control.”

FIs and third-party service providers (TPSPs) must hammer out a comprehensive contract that includes each company’s responsibilities, expectations and policies regarding cybersecurity, Leach said.
FI professionals identified third-party and supply-chain risk as the greatest security threat to their cloud infrastructure, according to a CSA survey report, “The State of Cloud and AI for Financial Services,” released in June.
Implementing adequate controls for agentic AI
FIs historically have been reticent to implement new technologies, but that is not the case with AI, Leach said. He said FIs have been using some form of AI for cybersecurity and fraud analytics for more than a decade.
“I think they hear AI and they’re more comfortable that, ‘Oh, this is something that we’ve been using for quite some time,’” Leach said. “But agentic AI is something that is dramatically different.”
Agentic AI goes beyond a prompt-and-response model by autonomously making decisions, creating plans and completing multi-step actions.
As third-party AI systems are granted more autonomy, instituting proactive safeguards is vital, Leach said. These safeguards include:
- FI awareness of the third-party’s operations, offerings and methods;
- Third-party awareness of FI policies and financial service legislation;
- An exit strategy in case things don’t work out;
- Continued monitoring of a third-party’s processes; and
- Data encryption.
“It remains encrypted even though you’re working with it in real time … and the service provider has no visibility into that data,” Leach said.
The Basel Committee on Banking Supervision, a standards-setting organization in Europe, advised FIs to maintain complete, up-to-date registers of all TPSP contracts, as well as any companies involved in the TPSP’s supply chain, according to the committee’s December 2025 report, “Principles for the Sound Management of Third-Party Risk.”
Selecting the right TPSP
When evaluating TPSPs for potential contracts, FIs should use a risk-based vetting process that goes beyond the partnership’s potential ROI and weighs the vendor’s financial stability, operational capabilities and strategic alignment, Rob Hoyle, chief people and technology officer at Vantage West Credit Union, told FinAi News.
“Because banks and credit unions operate in such a heavily regulated environment, vendors must show auditable security controls,” Hoyle said.
“Protecting member and customer data comes first and approval ultimately hinges on a vendor’s ability to prove, not just claim, that its controls will protect that data.” — Rob Hoyle, chief people and technology officer, Vantage West Credit Union
The FI and TPSP must trust that each with adhere to mutually agreed-upon policies and standards.
“The relationship has to make business sense, provide a clear value for the investment and be with a company we trust to operate with the same standards of security, compliance and service that we hold ourselves to,” Garrett Laws, chief lending officer at Granite Credit Union, told FinAi News.
Register here for the FinAi Lending Summit, set for Oct. 7-8 in Las Vegas.






