AWS Security Blog
Preparing for agentic AI: A financial services approach
Deploying agentic AI in financial services requires additional security controls that address AI-specific risks. This post walks you through comprehensive observability and fine-grained access controls—two critical capabilities for maintaining explainability and accountability in AI systems. You will learn seven design principles and get implementation guidance for meeting regulatory requirements while deploying secure AI solutions.
Financial institutions navigating this landscape face a dual challenge. They must comply with an evolving regulatory environment—including frameworks such as SR 11-7 in the US, SS1/23 in the UK, and ECB guidelines in the EU—while simultaneously addressing the unique security considerations that agentic AI introduces. Unlike traditional software systems, agentic AI can make autonomous decisions and take actions that potentially impact customers, operations, and institutional reputation. This autonomy demands a security approach that goes beyond conventional controls.
Organizations aligning to established frameworks such as ISO 27001 and the NIST Cybersecurity Framework have a strong foundation, but using agentic AI requires augmenting these traditional controls with AI-specific security measures that address its unique risks. The non-deterministic nature of AI systems, their ability to act with significant autonomy, and the complexity of multi-agent interactions introduce new dimensions of risk that must be carefully managed.
In financial services, you need clear explainability and accountability for effective model risk management. When AI agents make decisions or take actions on behalf of your organization, you need clear visibility into what was done, why it was done, and who—or what—was responsible. This transparency helps you maintain trust, meet regulatory obligations, and deploy AI responsibly according to AWS Responsible AI practices.
This post outlines security principles for implementing agentic AI in financial services. We focus on two critical enablers: comprehensive observability of agentic workflows and fine-grained control over agent tool access permissions. Together, these capabilities provide the foundation for explainability and create a control environment that facilitates accountability.
Our approach is structured in two parts. First, we explore seven core design principles that serve a dual purpose: guiding solution architects during the design of AI systems and providing risk management teams with a framework for identifying critical risk factors. Second, we provide detailed implementation guidance with practical insights to help you deploy secure and compliant AI solutions in the financial sector. Consult with your compliance and legal teams to determine specific requirements for your situation. Regulatory requirements establish minimum baselines, but organizational risk considerations—including reputational risk and potential customer harm—often require additional controls.
Core design principles for agentic AI observability and tool access control
In this section, we outline key design principles for agentic AI systems in financial services. These principles help address fundamental observability and access control requirements for secure AI implementations. While specific compliance requirements vary by jurisdiction and use case, these design principles provide a foundation for secure and governable AI systems.
- Human-AI security homology: Understand the controls applied to human users, determine their applicability to agents and agentic workflows, and document the agent personas. Implement agent identities in addition to traditional role- and attribute-based permissions, logging, and behavioral monitoring. Ensure critical actions have supervision (agentic or human), define each agent's scope within workflows, and consider change and incident management, segregation of agent duties for actions and tool usage, maker-checker verification, logging, and behavior monitoring.
- Modular agent workflow architecture: Use specialized sub-agents in workflows. Attach fine-grained permissions that narrow the focus of each sub-agent to reduce the scope of permissions it requires, increase modularity and reusability, simplify maintenance, and enhance observability and therefore explainability.
- Workflow and agent logging and tracing: Implement comprehensive logging and tracing that tracks decisions, actions, activity workflows, the specific caller context, and reasoning steps to enable better explainability. Combining this explainability with monitoring of inter-agent interactions, context sharing, and emergent behaviors gives holistic observability of multi-agent workflow operations and dynamics.
- Segregated AI least-privilege: Enforce least privilege and segregation of duties in automated workflows through clearly defined operational boundaries for AI agents. These boundaries should be supported by authorization controls, bound to the caller's permissions with support for contextual verification, and backed by circuit breakers such as human oversight. This approach helps ensure that agents operate within appropriate limits while enabling necessary human intervention, balancing automation with security and control.
- Governance integration: Integrate agent observability into existing governance frameworks by aligning with established risk management and compliance processes, and implement standardized evaluation frameworks and test harnesses that measure agent performance, compliance, and business value alignment.
- Agentic operational controls: Provide business-friendly guardrails for defining and managing agent behavior policies, and maintain comprehensive cost controls through monitoring and optimization of resource utilization at both the individual agent and workflow levels. Through this approach, business users can manage agent constraints.
- Risk management and compliance: Integrate comprehensive activity tracing (see Workflow and agent logging and tracing) with existing governance frameworks to support audit requirements and regulatory compliance and to align with established risk management processes. This approach helps ensure thorough oversight and compliance across all agent activities within the organization's existing governance structure.
Implementation guidance
In the following sections, we provide specific implementation guidance and recommendations that directly help you apply the seven core design principles discussed above. With these guidelines in place, your solution architects can design and deploy secure AI agent systems on AWS. Our aim is not to provide exhaustive technical solutions, but rather to guide implementations. We recommend that enterprise customers work closely with their assigned AWS Solutions Architect to discuss and develop detailed implementation practices tailored to their specific architecture.
Monitor and understand AI agent behavior
The following guidance aligns with the Human-AI security homology and Workflow and agent logging and tracing principles in the previous section.
Implement end-to-end agent workflow visibility
Document agent workflows and personas, and implement comprehensive tracing of agent workflows that captures inputs, reasoning steps, outputs, and tool usage. Amazon Bedrock AgentCore Observability provides purpose-built capabilities for tracing, debugging, and monitoring agent performance in production environments. This visibility provides the data needed to understand how agents interact with critical financial systems and data. Implement a tagging strategy for agents to enhance visibility, use descriptive role names that reflect each agent's intended use case, and design these tags so they can be used in downstream agent permissions and upstream workflows.
Establish agent activity dashboards
Deploy operational dashboards, with Amazon CloudWatch for example, that provide a view into agents’ operational health. These dashboards should track key metrics including successful completions, failures, latency, and resource utilization.
Integrate agent telemetry with existing monitoring systems
Use common standards such as OpenTelemetry (OTel), for example through AWS Distro for OpenTelemetry, to integrate agent telemetry with your existing monitoring infrastructure. Common standards mean that financial institutions can maintain their investments in monitoring tools while extending visibility to agent activities.
Establish agent server-side (tool-side) checks
Implement standardized access control for agents using tools so that consistent controls are applied, following AWS security best practices for tool integration. Ensure that validation and sanitization checks are in place on inputs at the point of tool usage, for both user-to-agent and agent-to-agent interactions, to detect unintended behavior.
Manage change in agentic AI environments
The following guidance aligns with the Governance integration and Agentic operational controls principles.
Adapt change management for AI agent workflows
Modify your current change management processes to accommodate the dynamic nature of AI agents while maintaining appropriate controls. Review the approval processes integrated into agent deployment pipelines, adapt them to the iterative nature of small incremental improvements, and implement human-in-the-loop breaks in agentic operations.
Monitor for agent behavior drift
Implement continuous monitoring of agent traces, fed into a test harness with tools such as Amazon CloudWatch and AWS X-Ray, to watch for changes in agent behavior patterns that might indicate execution drift or unexpected learning. This is particularly important for maintaining compliance with regulatory requirements that might dictate specific operational boundaries.
Implement the principle of least privilege for AI agents
The following guidance aligns with the Human-AI security homology and Segregated AI least-privilege principles.
Define granular permission boundaries for agent actions
Implement fine-grained permission controls that limit permissions to those necessary for each agent's functions, using, for example, Amazon Bedrock AgentCore Policy. Consider separation of duties for agents by segregating functions and tool access permissions to reduce the scope of impact of unintended actions. Ensure that user prompt-driven agent actions and agent-to-agent actions are separately identifiable.
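As an added illustration of the tool-side checks described under "Establish agent server-side (tool-side) checks" and the permission boundaries described here (example code, not from AWS, AgentCore Policy, or this post): a tool gateway that enforces a per-agent tool allowlist, bounds each call to the originating caller's permissions, validates arguments at the tool boundary, requires a human approval token for critical actions, and echoes whether the call was user-driven or agent-to-agent. The agent personas, tool names, argument patterns, and approval token are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed policy: each agent persona gets an explicit tool allowlist (least privilege,
# segregation of duties). Critical tools additionally require a human approval token.
AGENT_TOOL_POLICY: Dict[str, FrozenSet[str]] = {
    "kyc-reviewer": frozenset({"lookup_customer", "flag_account"}),
    "payments-executor": frozenset({"lookup_customer", "initiate_transfer"}),
}
CRITICAL_TOOLS = frozenset({"initiate_transfer", "flag_account"})
# Constructed argument schemas, enforced at the tool boundary rather than in the prompt.
INPUT_RULES = {
    "lookup_customer": {"customer_id": re.compile(r"C\d{8}")},
    "initiate_transfer": {"account": re.compile(r"A\d{10}"), "amount": re.compile(r"\d{1,9}(\.\d{2})?")},
    "flag_account": {"account": re.compile(r"A\d{10}")},
}

@dataclass
class ToolCall:
    tool: str
    args: Dict[str, str]
    agent_id: str                  # agent persona invoking the tool
    caller_scopes: FrozenSet[str]  # permissions held by the originating human caller
    origin: str                    # "user" (prompt-driven) or "agent" (agent-to-agent)
    approval_token: Optional[str] = None

@dataclass
class Decision:
    allowed: bool
    reason: str
    origin: str  # echoed so user-driven and agent-to-agent actions stay separately identifiable

def authorize_tool_call(call: ToolCall) -> Decision:
    if call.tool not in AGENT_TOOL_POLICY.get(call.agent_id, frozenset()):
        return Decision(False, f"agent {call.agent_id} is not permitted to use {call.tool}", call.origin)
    # Bind to caller permissions: an agent can never exceed what the originating user holds.
    if call.tool not in call.caller_scopes:
        return Decision(False, f"caller lacks scope for {call.tool}", call.origin)
    rules = INPUT_RULES[call.tool]
    if set(call.args) != set(rules):
        return Decision(False, f"unexpected or missing arguments for {call.tool}", call.origin)
    for name, pattern in rules.items():
        if not pattern.fullmatch(str(call.args[name])):
            return Decision(False, f"invalid value for {name!r}", call.origin)
    # Circuit breaker: critical actions need an explicit human approval before they execute.
    if call.tool in CRITICAL_TOOLS and not call.approval_token:
        return Decision(False, f"{call.tool} requires human approval", call.origin)
    return Decision(True, "allowed", call.origin)
```

Every denial carries a reason and the call origin, so the gateway's decisions can be written straight into the agent audit trail.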
Implement authorization monitoring
Deploy observability tools, such as Amazon Bedrock AgentCore Observability, that continuously monitor agent authorization patterns and flag anomalous access attempts.
Establish agent action audit trails
Maintain comprehensive audit trails of agent actions that affect production systems and sensitive data. These audit trails should be immutable and integrated with existing compliance reporting systems, so that agent-to-agent actions and the original source and lineage of each request are preserved.
Implement guardrails and behavioral controls for AI agents
The following guidance aligns with the Agentic operational controls and Risk management and compliance principles. It's recommended to take a crawl, walk, run approach to control implementation: start with the minimum required set of controls and evolve over time using feedback from monitoring.
Deploy policy configuration
Implement user-friendly interfaces for defining agent behavioral policies and compliance rules. Through such interfaces, risk and compliance teams can directly manage agent guardrails without technical intervention.
Enable real-time guardrail enforcement
Deploy automated systems that validate agent actions against defined policies in real time. For example, use Amazon Bedrock Guardrails to implement content filtering, personally identifiable information (PII) detection, and response validation before agent outputs reach production systems.
Establish human oversight workflows
Implement review workflows as control points for critical agent actions with clear escalation paths. Define triggers for human review and maintain feedback collection mechanisms for continuous improvement.
Detecting and recovering from AI agent failures
The following guidance aligns with the Workflow and agent logging and tracing and Risk management and compliance principles.
Implement agent health and performance monitoring
Deploy comprehensive health and performance monitoring for AI agents that can detect both hard failures and degraded performance. Amazon Bedrock AgentCore Observability provides specialized capabilities for understanding agent health beyond traditional application metrics.
Establish agent failure recovery procedures
As in traditional deployment pipelines, develop and test automated recovery and manual behavioral modification procedures for different types of agent failures. These procedures should include appropriate circuit breakers and human escalation paths for scenarios requiring judgment.
Monitor for reasoning quality degradation
Implement monitoring for subtle degradation in agent reasoning quality that might not trigger traditional failure alerts.
Ensuring consistent agent performance across environments
The following guidance aligns with the Workflow and agent logging and tracing, Agentic operational controls, and Risk management and compliance principles.
Implement modular agents with performance baselines
Implement modular, reusable agents with established performance baselines for agent operations across development, testing, and production environments. Monitor for deviations that might indicate environment-specific issues.
Deploy canary testing for agent behavior monitoring and resilience testing
Implement small-scale release testing practices for agent changes, with comprehensive observability to detect unexpected behavior changes before full deployment and at runtime. Use positive testing, where valid inputs produce expected outputs, and negative testing, where improper inputs still result in the desired outcome. Test agent resilience under various failure conditions. Use change control for canary tests to ensure tracking over time as testing expands and matures.
Managing multi-agent workflow interactions
The following guidance aligns with Modular agent workflow architecture and Workflow and agent logging and tracing principles.
Monitor agent collaboration patterns
Implement monitoring for agent-to-agent communications within predefined workflows and dynamic workflows, context sharing, and collective behaviors. Track interaction patterns to identify potential risks or inefficiencies.
Detect emergent behaviors
Deploy behavioral trace tests to identify unexpected patterns or outcomes arising from multi-agent interactions. Establish baselines for normal collaborative behavior and alert on deviations, and include extreme scenarios in testing.
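As an added example of the baseline-and-deviation check described here and under "Monitor for agent behavior drift" (illustrative code, not from AWS, CloudWatch, or X-Ray): trace events are reduced to (agent, tool) pairs, a baseline frequency distribution is built from harness runs, and a recent window is compared to it using total variation distance, with any agent/tool pairing never seen in the baseline flagged as emergent behavior on its own. The traces, agent names, tool names, and threshold are constructed for the example.

```python
from collections import Counter
from typing import Dict, List, Tuple

Event = Tuple[str, str]  # (agent_id, tool)

# Constructed baseline traces from a test harness: each run is the ordered (agent, tool)
# events that one workflow execution produced.
BASELINE_RUNS: List[List[Event]] = [
    [("orchestrator", "route"), ("kyc-reviewer", "lookup_customer")],
    [("orchestrator", "route"), ("kyc-reviewer", "lookup_customer"), ("kyc-reviewer", "flag_account")],
] * 5

def event_distribution(runs: List[List[Event]]) -> Dict[Event, float]:
    """Relative frequency of each (agent, tool) pair across all events in the runs."""
    counts = Counter(event for run in runs for event in run)
    total = sum(counts.values()) or 1
    return {event: n / total for event, n in counts.items()}

def detect_drift(baseline_runs: List[List[Event]], window_runs: List[List[Event]],
                 threshold: float = 0.15) -> dict:
    base = event_distribution(baseline_runs)
    observed = event_distribution(window_runs)
    # Total variation distance between the baseline and observed frequency distributions:
    # 0.0 means identical behavior, 1.0 means no overlap at all.
    tvd = 0.5 * sum(abs(base.get(k, 0.0) - observed.get(k, 0.0)) for k in set(base) | set(observed))
    # An agent using a tool it never used in the baseline is flagged regardless of frequency,
    # since that is exactly the kind of emergent behavior a frequency threshold can miss.
    new_pairs = sorted(set(observed) - set(base))
    return {"tvd": round(tvd, 4), "new_pairs": new_pairs, "alert": tvd > threshold or bool(new_pairs)}
```

In practice the window would be the last N production runs pulled from the trace store, and the result feeds the same alerting pipeline as the operational dashboards.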
Maintain interaction audit trails
Record non-repudiable and comprehensive logs of agent interactions, including context exchanges, handoffs, and outputs. Ensure that for agent-to-agent actions, the original source and lineage of the request are preserved.
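As an added example of the lineage-preserving, tamper-evident audit trail called for here and under "Establish agent action audit trails" (illustrative code, not an AWS service API): an append-only log in which every record carries the root request id, the origin of the action (user prompt or agent-to-agent), and a link to the record that triggered it, and in which each record's hash covers the previous record's hash so that editing any entry breaks verification. The request ids, agent names, and actions are constructed for the example; a production trail would also carry timestamps and be written to storage the agents cannot modify.

```python
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # hash "before" the first record

class AgentAuditTrail:
    """Append-only, hash-chained log of agent actions with request lineage."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    @staticmethod
    def _digest(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, request_id: str, agent_id: str, action: str, origin: str,
               parent_index: Optional[int] = None, detail: Optional[dict] = None) -> int:
        record = {
            "index": len(self.records),
            "request_id": request_id,      # root request (the user prompt) this action serves
            "agent_id": agent_id,
            "action": action,
            "origin": origin,              # "user" or "agent": keeps the two separately identifiable
            "parent_index": parent_index,  # record that triggered this one; None for the root
            "detail": detail or {},
            "prev_hash": self.records[-1]["hash"] if self.records else GENESIS,
        }
        record["hash"] = self._digest(record)
        self.records.append(record)
        return record["index"]

    def verify(self) -> bool:
        """True only if every record's hash is intact and the chain links are unbroken."""
        prev = GENESIS
        for record in self.records:
            if record["prev_hash"] != prev or self._digest(record) != record["hash"]:
                return False
            prev = record["hash"]
        return True

    def lineage(self, index: int) -> List[str]:
        """Walk parent links from a record back to the originating request."""
        chain: List[str] = []
        current: Optional[int] = index
        while current is not None:
            record = self.records[current]
            chain.append(f"{record['agent_id']}:{record['action']}")
            current = record["parent_index"]
        return list(reversed(chain))
```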
Optimize AI agent resource utilization & costs
The following guidance aligns with the Agentic operational controls principle.
Implement agent resource and cost consumption monitoring
Deploy monitoring for agent resource consumption patterns, including compute, memory, API usage, and costs using (for example) Amazon CloudWatch. This enables optimization of resource allocation and cost management.
Establish agent performance metrics
Define and monitor key performance indicators specific to agent operations, such as reasoning step performance efficiency, tool usage patterns, and completion times.
Implement agent performance anomaly detection
Deploy anomaly detection for agent performance metrics to identify potential issues before they impact business operations.
Conclusion
The adoption of agentic AI in financial services requires carefully balancing innovation with control. The seven core design principles outlined here provide a framework for implementing explainable, governable, and responsible AI systems that align with existing security and compliance requirements. By treating AI agents with the same security rigor applied to human employees—through robust access control, role- and attribute-based permissions, and comprehensive monitoring—organizations can safely deploy these systems while maintaining compliance with key regulatory frameworks.
The purpose-built solutions available from AWS provide the technical foundation, but success also requires clear policies and human oversight mechanisms. Financial institutions that establish these fundamental security and governance capabilities will be well-positioned to leverage agentic AI while strengthening the security, explainability, and industry-standards compliance of their systems.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS Security, Identity, & Compliance re:Post or contact AWS Support.