The dangerous illusion of security
2nd July 2026 • Park Plaza Victoria, London, UK
Fragmented security architectures struggle to detect threats that span identity, data and systems, leaving critical gaps in how financial institutions understand risk. AI makes all this much worse. So, what's the answer?
Security without visibility: defending what you can't see
Modern attacks use legitimate access and move across systems undetected, because no single control sees the full picture. Endpoint solutions check device behaviour; identity solutions check for valid logins and authentications; SaaS usage looks normal; network traffic looks normal. And yet attacks bypass all of these checks and get through anyway.
Local visibility is not delivering global understanding. Security tools validate individual events. They do not inherently understand the relationships between events occurring in different parts of the environment. As a result, they cannot detect patterns that only emerge when activity is viewed as a connected whole.
This creates a dangerous illusion of security. What is needed is a new approach that manages the blind spots.
Do identity differently: traditional models treat identity as a gatekeeper, something that determines whether access should be granted. But attackers can easily acquire valid credentials or tokens and log in. For CISOs, this means moving beyond authentication and focusing on how identities are actually used. The focus therefore needs to shift from "who logged in" to "what did they do next".
Understand connections: the modern enterprise is defined by integrations: SaaS platforms linked through APIs, workflows that span multiple applications, and data flowing continuously between services. Yet in many cases, these connections are only partially documented or understood. Mapping these pathways begins to reveal the routes attackers are most likely to take.
OAuth permissions and API access are a key blind spot: designed to enable seamless interoperability between systems, they create persistent, often invisible trust relationships. Once granted, these permissions allow access to data and functionality without further authentication. Bringing them under scrutiny can close off entire classes of attack that would otherwise go undetected.
Focus on movement, not access: even relatively basic monitoring of data movement across key systems can provide a level of insight that traditional access controls do not: unusual transfers between applications and API-driven extraction patterns, for example. But this data is rarely brought together in a way that reveals how events relate to one another. This is about looking at risk, not at individual solution dashboards.
Apply all security measures to AI as well as humans: as organisations introduce AI-driven automation, this approach must be extended to include non-human actors. AI agents and automated workflows should be treated as privileged identities in their own right, with clear visibility into what they access, what actions they perform, and what data they touch. Banks are already warning about uncontrolled agent and API sprawl. How bad is it?
Reduce unnecessary complexity: while wholesale consolidation is rarely achievable in the short term, incremental rationalisation (eliminating redundant tools, standardising on core platforms, and simplifying the operating model) is key. Fewer well-understood tools deliver better outcomes than many poorly integrated ones.
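The correlation these points describe, as an added example in Python (not code from the summit page or from any vendor product): a handful of constructed events from four hypothetical sources (an identity provider, a SaaS OAuth consent log, an API gateway and a per-transfer DLP check), where every event passes the local check of the tool that produced it, but replaying each actor's timeline, human or non-human alike, surfaces the chain authenticate, grant a broad OAuth scope, then drain data in chunks that each stay under the per-transfer limit. Source names, actor names, app names, scopes, time window and thresholds are all assumptions made for the example.

```python
"""Cross-source correlation of individually benign events, replayed per actor.

Added example; not from the summit page or any product. All events below are
constructed sample data, and every source name, threshold and scope is an
assumption chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MiB = 2 ** 20
BROAD_SCOPES = {"offline_access", "files.read.all", "mail.read.all"}  # assumed "broad"
PER_TRANSFER_LIMIT = 50 * MiB    # what the DLP tool checks, one transfer at a time
CUMULATIVE_LIMIT = 200 * MiB     # what only a per-actor replay can check
WINDOW = timedelta(minutes=30)   # how long after a grant we attribute exports to it


def _e(ts, src, actor, action, **extra):
    """Build one constructed event. src is the hypothetical tool that saw it."""
    ev = {"ts": datetime.fromisoformat(ts), "src": src, "actor": actor, "action": action}
    ev.update(extra)
    return ev


# Constructed sample events (not real logs).
EVENTS = [
    # alice: human user. MFA login, consents to a "helper" app with broad scopes,
    # then that app pulls files in chunks that each stay under the DLP limit.
    _e("2026-07-02T09:00:00", "idp", "alice", "login", mfa=True),
    _e("2026-07-02T09:04:00", "oauth", "alice", "grant", app="docsync-helper",
       scopes=["offline_access", "files.read.all"]),
    *[_e(f"2026-07-02T09:{10 + 3 * i:02d}:00", "api", "alice", "export",
         app="docsync-helper", bytes=45 * MiB) for i in range(5)],
    # bob: human user, ordinary day.
    _e("2026-07-02T09:01:00", "idp", "bob", "login", mfa=True),
    _e("2026-07-02T09:15:00", "api", "bob", "export", app="crm-web", bytes=2 * MiB),
    # svc-report-agent: non-human identity. Client-credentials token, an admin
    # granted it a broad scope, then bulk extraction. Same pipeline, no special case.
    _e("2026-07-02T02:00:00", "idp", "svc-report-agent", "token", grant_type="client_credentials"),
    _e("2026-07-02T02:01:00", "oauth", "svc-report-agent", "grant", app="svc-report-agent",
       scopes=["files.read.all"], granted_by="admin"),
    *[_e(f"2026-07-02T02:{5 + 4 * i:02d}:00", "api", "svc-report-agent", "export",
         app="svc-report-agent", bytes=48 * MiB) for i in range(5)],
]


def local_check(ev):
    """What each tool can decide on its own. Every constructed event passes."""
    if ev["src"] == "idp":
        return bool((ev["action"] == "login" and ev.get("mfa")) or ev["action"] == "token")
    if ev["src"] == "oauth":
        return bool(ev.get("scopes"))                  # consent was recorded, so 'valid'
    if ev["src"] == "api":
        return ev.get("bytes", 0) <= PER_TRANSFER_LIMIT  # each transfer is under the limit
    return False


def correlate(events):
    """Replay each actor's timeline and look for the chain
    authenticate -> broad OAuth grant -> exports within WINDOW exceeding CUMULATIVE_LIMIT.
    Returns one finding dict per matching actor; an empty list means nothing matched."""
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[ev["actor"]].append(ev)
    findings = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        authenticated = False
        for i, ev in enumerate(evs):
            if ev["src"] == "idp":
                authenticated = True
            elif ev["src"] == "oauth" and authenticated and BROAD_SCOPES & set(ev["scopes"]):
                deadline = ev["ts"] + WINDOW
                moved = sum(x["bytes"] for x in evs[i + 1:]
                            if x["src"] == "api" and x["action"] == "export" and x["ts"] <= deadline)
                if moved > CUMULATIVE_LIMIT:
                    findings.append({
                        "actor": actor,
                        "app": ev["app"],
                        "scopes": sorted(BROAD_SCOPES & set(ev["scopes"])),
                        "exported_mib": moved // MiB,
                    })
                    break
    return findings


if __name__ == "__main__":
    print("all local checks pass:", all(local_check(e) for e in EVENTS))
    for f in correlate(EVENTS):
        print(f"{f['actor']}: {f['app']} with {f['scopes']} moved {f['exported_mib']} MiB")
```

Each tool's verdict is "fine": the logins have MFA, the consents were recorded, and no single export breaches the DLP limit. Only the per-actor replay sees that a broad grant was followed by 225 MiB (alice) and 240 MiB (the service agent) leaving within the window, while bob's ordinary activity produces no finding. The agent is evaluated by the same code path as the human users, which is the point of treating it as a privileged identity rather than a special case.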
The big question though: in the longer term, what happens to these unconnected, local visibility solutions in a world in which a connected platform is really the answer?
Is the UK's Cyber Security and Resilience (Network and Information Systems) Bill a regulation too far? Do prescriptive requirements risk forcing investment into compliance over real risk reduction, duplicating existing frameworks and increasing reporting and assurance burdens without improving visibility into modern threats? Will liability for third-party and systemic failures be pushed disproportionately onto banks, despite their limited control over cloud providers and critical vendors, creating cost, accountability and insurability challenges?
The Securing Financial Services Summit will look at how leading institutions are continuing to develop their security and resilience programmes in the era of AI.
Join our real-life case studies and in-depth technical sessions from the security and privacy teams at the UK and Europe’s most sophisticated firms.
Key themes will include:
Identity, authority, and control for non-human actors
CISOs must rethink core identity and governance frameworks, including the adoption of robust agent identity models (spanning machine, service, and workload identities), and clearly defined delegation structures that determine what authority an agent holds and who grants it. What technologies can help them maintain visibility and control?
Securing algorithmic insiders
What does "insider threat" mean when the actor is non-human? For CISOs, the focus shifts to monitoring the behaviour of agents as well as users, developing capabilities to detect anomalous machine activity, and establishing effective controls that balance guardrails, detection, and containment. Do you need AI defences to do that?
Data control when there is no perimeter
How can firms enforce confidentiality when data is constantly in motion across systems the firm does not fully control? For CISOs, does this mean that the focus must shift toward controlling data itself rather than the environments it resides in? If so, what kinds of architectures and solutions can deliver security in that context?
The power of automation
There's too much manual intervention in security. SOAR pulls data from SIEMs, EDRs, firewalls, cloud APIs, ticketing systems, threat intelligence feeds, and even email servers, and coordinates actions across tools via APIs, prebuilt integrations and intelligent playbooks. Well, that's the theory. How does it work in the real world?
Integrity and the Al-enabled supply chain
AI-native operating models imply dependence on a complex supply chain of foundation models, internal systems, and external APIs and orchestration layers that collectively produce business-critical output. Imagine the consequences of hacking such a system. So how do CISOs stop that happening?
Dealing with regulations
CISOs now must build a single coherent security program that simultaneously satisfies divergent regulatory demands; they must interpret vague legal standards into technical architectures, and they risk non-compliance if auditors, regulators, or courts interpret differently later; they face unrealistic expectations around incident reporting; and they face personal liability. Can RegTech help?