On a February afternoon in 2024, an employee at the engineering giant ¹Arup dialled into a video call with his CFO and several finance colleagues. Everyone looked right. Everyone sounded right. Over the call, he was talked through fifteen transfers totalling USD 25.6 million and authorised everyone.
Nobody on that call was real, except him. No firewall was breached, no server compromised. The company's systems worked exactly as designed. What failed was the assumption underneath them: that a voice on a screen means a human decision behind it.
That assumption is the one agentic AI is now quietly retiring, and not just for fraudsters.
For a decade, the industry's comfort sentence was simple. AI advises, a human decides. Somewhere between a model's output and its consequence, a person stood and checked. Agentic systems remove that person: they reconcile ledgers, release payments, decline transactions and write their own audit notes, start to finish. Gartner expects 90% of finance functions to deploy AI by 2026, with 15% of daily decisions made autonomously by 2028. Goldman Sachs already runs such agents in production for reconciliation and trade accounting. 2025 was the year this became real; 2026 is the year it has to become accountable.
The symmetry problem
In November 2025, ²Anthropic disclosed what it believes was the first large-scale cyberattack carried out mostly by AI agents: a suspected state-linked group manipulated an AI tool into attempting intrusions against roughly thirty organisations, several of them financial institutions, with the AI itself executing an estimated 80 to 90% of the operation.
Put that next to the pitch every vendor makes: an agent that catches a suspicious transfer at 2 a.m. and logs the decision without waiting for anyone to wake up. Both are the same capability pointed in opposite directions.
Autonomy does not care whose side it is on. Only the quality of the controls wrapped around it does.
And most institutions still have controls built for a system that suggests, not one that acts.
That is the structural problem. An agent chains actions, pulling data, updating a file, approving or declining a payment, inside one workflow with no pause button. "Review the output before acting" assumes a gap between the two, and agentic AI closes it. The control has to move upstream, from checking what the system produced to bounding what it is allowed to attempt, before it goes live.
Two-way exposure
Finance cannot absorb error the way other functions can, a misfiring agent produces a material misstatement at machine speed. The CFO's office also remains the most impersonated seat in any company, which is what made the Arup call work.
³INTERPOL's March 2026 assessment put global financial fraud losses at roughly USD 442 billion for 2025, with AI-enhanced fraud 4.5 times more profitable than the traditional kind; RBI's latest annual report puts Indian bank frauds at a‚⁴48,021 crore in FY26, up over 46% year on year. The fix is not exotic: verify payments through a different channel than the one that requested them, and make dual authorisation above a set value mandatory, not optional.
Bound, then permit
The old model was trust, then verify; the agentic model has to be bound, then permit: autonomy dialled up by level, nothing executed that cannot be reversed, deterministic logic wherever money moves, a log an auditor and a machine can both read. Map it to frameworks auditors already recognise, NIST's AI Risk Management Framework, ISO/IEC 42001, rather than inventing new language for the board.
Regulation has caught up. ⁶RBI's FREE-AI framework expects a board-approved AI policy and quarterly review, and under ⁵SEBI's Regulation 16C, the deploying firm, not the vendor, is solely responsible for what its AI produces. "The model did it" stops being a usable sentence in a hearing.
A checklist you can take into the room
Six questions, deliberately plain, because the failures that matter are rarely exotic. Before any agent goes live in production, you should be able to answer yes to all six. A "no" is a control gap, not a technology problem.
- Is its autonomy capped by amount, entity and risk class, and configurable by you, not the vendor?
- Is every action it takes reversible, and logged in a record you can actually read?
- Is there a hard sign-off threshold above a defined transaction value?
- Has it been tested in simulation, with at least one incident drill run before it goes live?
- Is there a named board-level owner for AI risk, on a recurring review calendar?
- Are out-of-band verification and dual authorisation mandatory, not discretionary, for high-value instructions?
Where DSP stands
We manage other people's money for a living, which means we spend more time asking how a system fails than how it sells. Autonomy is not the risk. Ungoverned autonomy is, and the institutions that earn trust through this cycle will be the ones whose control architecture grows at least as fast as their agents' authority.
The same agent that pauses a fraudulent transfer can, left ungoverned, become the opening an attacker walks through, which is why the six questions above apply whether the next incident starts inside your systems or is aimed at them.
Sources: ¹BBC News (Arup deepfake case, February 2024); ²Anthropic Security Research / System Card (November 2025); ³INTERPOL Global Financial Fraud Threat Assessment (2026); ⁴Reserve Bank of India, Annual Report 2025–26; ⁵Securities and Exchange Board of India (SEBI), Consultation Paper on Guidelines for Responsible Usage of AI/ML in Indian Securities Markets (June 2025); ⁶Reserve Bank of India, Framework for Responsible and Ethical Enablement of Artificial Intelligence (FREE-AI) (August 2025).
Subscribe to DSPIM #InvestForGood Blog
Investment Insights, Evidence & Stories that matter
Read over 6 million+ times
Written by
Disclaimer
All content on this blog is the intellectual property of DSPAMC. The user of this site may download materials, data etc. displayed on the site for non-commercial or personal use only. Usage of or reference to the content of this page requires proper credit and citation, including linking back to the original post. Unauthorized copying or reproducing content without attribution may result in legal action. The user undertakes to comply and be bound by all applicable laws and statutory requirements in India. In this blog, DSP Asset Managers Private Limited (“the AMC”) has used information that is publicly available, including information developed in-house. While utmost care has been exercised while preparing this blog, neither the AMC nor any person connected warrants the completeness or accuracy of the information and disclaims all liabilities, losses and damages arising out of the use of this information. The recipient(s), before acting on any information herein, should make his/her/their own assessment and seek appropriate professional advice. The statements contained herein may include statements of future expectations and other forward-looking statements that are based on prevailing market conditions / various other factors and involve known and unknown risks and uncertainties that could cause actual results, performance or events to differ materially from those expressed or implied in such statements.
DSP Mutual Fund: MF/036/97/7
Mutual Fund investments are subject to market risks, read all scheme related documents carefully.

.
Write a comment