On 9 June 2026, the Cloud Security Alliance (CSA), a non-profit organisation for cloud and AI security, published its report "State of Cloud and AI for Financial Services 2026". The study is based on 340 responses, collected between 15 January and 1 March 2026, and has since been cited above all for one figure: 62 per cent of the financial institutions surveyed have AI agents in use. This figure is not wrong, but it is the less important one. Anyone reading the study as a supervisor, risk officer or security chief should turn their attention elsewhere: to the 41 per cent of respondents who admit either that they have experienced an AI security incident or that they simply do not know whether one occurred. That is not an adoption finding; it is a control finding. And it is precisely there that it will be decided whether the fast deployment of autonomous agents holds up in a regulated sector.

In Brief

What: CSA report "State of Cloud and AI for Financial Services 2026", published on 9 June 2026, 340 respondents, surveyed January to March 2026, commissioned by the confidential-computing provider Anjuna

Headline figure: 62 per cent use AI agents – but only 35 per cent in active production and 9 per cent in advanced adoption; the rest are exploring or piloting

The more important figure: 20 per cent report known AI security incidents, a further 21 per cent do not know whether there were any – together 41 per cent without a reliable view of their own AI security posture

Agentic finance: 85 per cent expect agents to initiate payments autonomously in future; 65 per cent consider a new authorisation model necessary for this

Regulatory link: The visibility gap goes straight to the DORA obligations to detect and report ICT incidents and to the supervisory expectations of BaFin and the ECB

The Figure Behind the Headline

62 per cent sounds like blanket adoption. The breakdown puts that into perspective: 35 per cent of respondents use AI agents actively in production, a further 9 per cent are in advanced adoption, almost half are exploring or launching pilot programmes. Only 27 per cent report no use at all. For a supervisory perspective that asks for genuine productive systems in regulated core functions, the figure of 44 per cent is therefore more honest than the eye-catching 62 per cent. Added to this is a definitional question the study leaves open: what exactly counts as an AI agent? The leading use cases are customer service at 63 per cent and cybersecurity operations at 47 per cent – fields in which older, rule-based automations and simple chatbots can also hide, sharing little with an agent that genuinely acts autonomously.

The sample, too, demands caution. The 340 respondents were recruited through the CSA's membership network, its Financial Services working group and industry events – a cloud- and security-oriented population that tends to sit above the market average on adoption questions. For comparison: the more broadly designed Cambridge 2026 study, produced with the Bank for International Settlements, the International Monetary Fund and the World Economic Forum, arrives at an adoption rate of only 52 per cent for agentic AI. And finally, the commissioning party: the report was commissioned by the confidential-computing provider Anjuna – a company whose product addresses precisely the data-leakage risk the study emphasises. That does not make the data wrong, but it makes the weighting of the findings interest-led. Anyone citing the study should supply both: the figure and the context of its creation.

The Real Signal: the Visibility Gap

As much as the adoption figures need qualifying, the central risk finding cannot be argued away. 20 per cent of respondents report known AI security incidents. A further 21 per cent simply do not know whether there were any. Taken together, then, 41 per cent have no reliable view of their own AI security posture. And because security incidents are systematically understated in self-reports – detecting AI-specific incidents is technically demanding, and there are incentives not to report them – the 20 per cent mark is more of a lower bound than a realistic value.

It is precisely here that the finding becomes tangible in regulatory terms. The Digital Operational Resilience Act (DORA) has obliged financial entities since 17 January 2025 to detect, classify and report major incidents in information and communication technology (ICT). An AI agent is no special case here, but a regular information system within the meaning of the regulation. Yet anyone who does not know whether their agent has caused an incident can neither classify nor report it – and thereby misses a core obligation. The visibility gap in the CSA study is therefore not only a security problem, but a compliance problem. It is the gap a BaFin or ECB examination will address first.

"The institutions that succeed will be the ones that can balance innovation with accountability and prove they can maintain control as AI systems take on more decision-making responsibility." – Troy Leach, Chief Strategy Officer, Cloud Security Alliance, 9 June 2026

Agentic Finance Is at the Door

A third finding points beyond the status quo. 85 per cent of respondents expect AI agents to initiate and execute payments on behalf of customers in future. 65 per cent consider a new authorisation model necessary for this. The reason is fundamental: today's payment and authentication procedures were designed for a human confirming a transaction – not for a delegated software agent that independently negotiates, selects and pays on the customer's behalf. If this expectation comes true even in part, the security question shifts from detecting individual incidents to the basic question of how an agent is authorised to move money at all.

For European institutions, this outlook falls into a phase in which the regulatory infrastructure for agentic payments is only emerging. Anyone piloting agents in payment-adjacent processes today builds on authentication models not made for that purpose. That is no reason to refrain – but a reason to treat the authorisation logic from the outset as its own control topic, not as a technical detail.

What the Study Does Not Say

A clean assessment names the blind spots. Three are relevant. First, the definitional vagueness: without a clear distinction between rule-based automation, simple generative application and a genuine, tool-using agent, the 62 per cent mark remains hard to interpret; the Cambridge study distinguishes these categories explicitly, the CSA does not. Second, the sponsor bias: the emphasis on data leakage as the top risk and the alarm about missing visibility fit strikingly well with the product promise of the commissioning party, Anjuna. Third, the missing regional breakdown: the study does not distinguish between the United States, the EU and Asia. For the European region in particular, where the EU AI Act and DORA set more restrictive guardrails, actual adoption figures could be lower and governance maturity higher than the global average suggests.

None of these caveats devalues the study. They only make it what it is: a valid seismograph for a global direction, not a precise measuring instrument for the German or European market. The direction itself – more agents, more autonomy, more open security questions – is robustly evidenced.

What Risk and IT Leaders Should Do Now

Four work packages follow from the finding. They do not require buying a particular product, but bringing one's own visibility and control up to the level supervisors expect anyway.

1. Make your own AI security posture measurable

Now: The study's most important lesson is not the adoption figure, but the admission of missing visibility. Anyone who does not know whether a deployed agent has caused an incident should first build the detection – logging of every agent action, anomaly detection, a clear incident definition for AI-specific events.

2. Integrate AI incidents into the DORA reporting process

By the next examination cycle: Under DORA, an AI agent is a regular ICT system. The existing incident classification and reporting should explicitly cover the case where an agent triggers or obscures a major incident. Settling this now avoids the first supervisory examination finding the gap.

3. Run the authorisation of payment agents as its own topic

Before any pilot in payment-adjacent processes: Existing authentication models were built for human confirmation, not for delegated agents. Anyone bringing agents close to payments should treat the authorisation logic – who may approve what within which limits – as a control topic from the start, not as a technical footnote.
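The following is an added illustration of work packages 1 and 3 together, written for this article and not taken from the CSA report, from Anjuna or from any institution's system: a small authorisation gate that checks every agent action against a delegated mandate (who may do what, within which limits, towards which payees), logs every decision, and classifies denials so that out-of-mandate behaviour surfaces as a candidate incident for the DORA process rather than disappearing into application logs. The mandate fields, the reason codes, the incident definition and the sample traffic are all assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Mandate:
    """Delegated authority for one agent acting for one customer.

    The field names and the limit model are assumptions made for this
    example, not a standard or a product's schema.
    """
    agent_id: str
    customer_id: str
    allowed_actions: frozenset   # e.g. {"quote", "pay"}
    per_tx_limit: float          # largest single payment the agent may make
    daily_limit: float           # cumulative payments per day
    allowed_payees: frozenset    # payees the customer has pre-approved


# Incident definition used here (an assumption): a denial for one of these
# reasons means the agent tried to act outside its delegated authority and is
# escalated for classification; plain limit breaches stay policy blocks.
INCIDENT_REASONS = {"no_mandate", "action_not_delegated", "payee_not_allowed"}
ESCALATE_AFTER = 3   # denials per agent before repeated blocks count as an anomaly


class AgentGate:
    """Authorises agent actions against mandates and logs every decision."""

    def __init__(self, mandates):
        self.mandates = {(m.agent_id, m.customer_id): m for m in mandates}
        self.spent_today = Counter()   # (agent, customer) -> amount paid today
        self.denials = Counter()       # agent -> number of denied actions
        self.audit_log = []            # one entry per attempted agent action

    def authorise(self, agent_id, customer_id, action, amount=0.0, payee=None):
        key = (agent_id, customer_id)
        mandate = self.mandates.get(key)
        reasons = []
        if mandate is None:
            reasons.append("no_mandate")
        else:
            if action not in mandate.allowed_actions:
                reasons.append("action_not_delegated")
            if action == "pay":
                if amount > mandate.per_tx_limit:
                    reasons.append("per_tx_limit")
                if self.spent_today[key] + amount > mandate.daily_limit:
                    reasons.append("daily_limit")
                if payee not in mandate.allowed_payees:
                    reasons.append("payee_not_allowed")

        decision = "allow" if not reasons else "deny"
        if decision == "allow" and action == "pay":
            self.spent_today[key] += amount

        # Classification feeds the incident process: out-of-mandate behaviour
        # is a candidate incident, repeated denials are an anomaly signal.
        classification = "ok"
        if decision == "deny":
            self.denials[agent_id] += 1
            if INCIDENT_REASONS.intersection(reasons):
                classification = "candidate_incident"
            elif self.denials[agent_id] >= ESCALATE_AFTER:
                classification = "anomaly"
            else:
                classification = "policy_block"

        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "agent_id": agent_id, "customer_id": customer_id,
            "action": action, "amount": amount, "payee": payee,
            "decision": decision, "reasons": reasons,
            "classification": classification,
        }
        self.audit_log.append(entry)   # every action is logged, allowed or not
        return entry


def summarise(gate):
    """Counts log entries per classification; the input to incident triage."""
    return Counter(e["classification"] for e in gate.audit_log)


def run_demo():
    """Constructed sample traffic from one agent; returns the gate with its log."""
    gate = AgentGate([Mandate("agent-01", "cust-42", frozenset({"quote", "pay"}),
                              per_tx_limit=500.0, daily_limit=1000.0,
                              allowed_payees=frozenset({"PAYEE-A"}))])
    gate.authorise("agent-01", "cust-42", "quote")
    gate.authorise("agent-01", "cust-42", "pay", 400.0, "PAYEE-A")
    gate.authorise("agent-01", "cust-42", "pay", 400.0, "PAYEE-A")
    gate.authorise("agent-01", "cust-42", "pay", 400.0, "PAYEE-A")   # daily limit
    gate.authorise("agent-01", "cust-42", "pay", 600.0, "PAYEE-A")   # per-tx + daily
    gate.authorise("agent-01", "cust-42", "transfer")                 # not delegated
    gate.authorise("agent-01", "cust-42", "pay", 50.0, "PAYEE-X")    # unknown payee
    gate.authorise("agent-01", "cust-99", "pay", 10.0, "PAYEE-A")    # no mandate
    gate.authorise("agent-01", "cust-42", "pay", 450.0, "PAYEE-A")   # repeated block
    return gate


if __name__ == "__main__":
    for entry in run_demo().audit_log:
        print(entry["action"], entry["decision"], entry["reasons"], entry["classification"])
```

The point of the design is that the gate, not the agent, owns the limits and the log: the agent can only ask, and every answer is recorded in one place that the incident classification can query. Replacing the in-memory counters with persistent, append-only storage and feeding `summarise` into the existing incident workflow is what turns this sketch into the detection the first work package asks for.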

4. Use external studies with source criticism

Ongoing: Anyone citing adoption figures in board papers or strategy documents should name the sample, the commissioning party and the definitional basis. The CSA study's 62 per cent is a different finding from the 44 per cent of genuine productive use – and both come from a cloud-oriented, sponsored survey.

Risks and Open Questions

Three caveats belong to a sober evaluation. First, representativeness: the self-selected, cloud-oriented sample very probably overstates adoption, and the missing regional breakdown makes a transfer to the German market uncertain. Second, self-reporting: both the incident rate and the autonomy figures rest on self-assessment, with the known tendency to understate security incidents. Third, the interest context: the study was financed by a provider whose business depends on the risks it emphasises. None of these points refutes the core finding, but each demands that the figures be cited with context rather than in a vacuum.

The strategic consequence: the CSA study is less evidence that AI agents are everywhere than evidence that control lags behind deployment. "Deployed faster than secured" is no sensationalist sharpening, but the core statement of its own authors. For regulated institutions this means: the competitive advantage of the coming years lies not in operating as many agents as early as possible, but in bringing their security and governance up to the level at which supervisors will measure them anyway.

Timeline: From AI Deployment to AI Governance

How adoption and supervision meet

17 January 2025: DORA becomes applicable. Financial entities must detect, classify and report major ICT incidents; AI systems count as regular ICT.

January to March 2026: CSA study survey period. 340 financial service providers respond to the Cloud Security Alliance's online survey, commissioned by Anjuna.

9 June 2026: CSA publishes the report. 62 per cent adoption, but 41 per cent without a clear view of their own AI security posture; seven trends and a call for stronger AI governance.

2026 onwards: Agentic payments as the next threshold. 85 per cent expect autonomous payment initiation by agents; 65 per cent see a need for a new authorisation model – the security question shifts from detection to authorisation.
Christian Schablitzki

Strategy & Management Consultant · Agentic AI expert for financial institutions

Over 20 years in investment banking and derivatives trading, followed by more than 10 years advising financial institutions. Currently a Partner at Infosys Consulting in Germany. Certified in Google AI, Generative AI Leader (Google Cloud) and IBM RAG and Agentic AI.
