Marcelo Delima | Senior Manager, Global Solutions Marketing
More About This Author >
Marcelo Delima | Senior Manager, Global Solutions Marketing
More About This Author >
Security teams in the financial services industry are not lacking investment, tools, or regulatory clarity. What they are short on is time to adapt. The Thales 2026 Data Threat Report for Financial Services highlights a sector being reshaped by AI and agentic technologies faster than its security operating model can keep pace.
Consider the pressure point: only 49% of sensitive cloud data is encrypted, down from 60% a year ago, while AI and agentic applications are being granted access to more of it than ever.
This is not so much a budget problem as a coordination issue between data visibility, identity controls, and the speed of AI adoption.
AI Is Now the Primary Force Reshaping Financial Services Security
The shift to AI is no longer exploratory, but operational, and increasingly adversarial.
Some 86% of financial services firms have already invested in specific security tools or services due to AI concerns, and 30% now operate with a dedicated AI security budget, up from 24% year over year.
Yet more than half (56%) are still funding AI security from existing budgets.
That mismatch signals that AI has been absorbed into the security program tactically, but not structurally.
At the same time, the threat model is shifting. 70% cite the pace of change in the AI ecosystem as their top AI security risk, with trust (60%) and confidentiality (51%) are the second- and third-ranked concerns. In addition, 60% have experienced deepfake attacks, and 50% claim their reputations have suffered due to AI-generated misinformation.
The time when financial services entities were preparing for AI risk is over. Now, they are actively defending against AI-enabled attacks.
The more important insight is how AI changes the nature of access. AI systems, and particularly agentic workflows, are granted broad, often implicit access to enterprise data. They retrieve, correlate, and act across systems at a velocity no human user can match.
As the report puts it, AI is the new insider threat, not because it is malicious, but because it enjoys privileged access, at scale, in real time, under conditions of opacity. The funding model is not yet in step with this reality.
The Cloud Data Protection Paradox
If AI is the accelerant, cloud data is the exposure surface.
For the third consecutive year, cloud-based assets remain the top attack targets, including cloud storage (38%), cloud applications (32%), and cloud management infrastructure (29%).
The dominant attack vector is also clear: 70% of organizations report rising credential theft and the misappropriation of secrets.
At the same time, the volume and sensitivity of data in the cloud continue to grow. The proportion of cloud data classified as sensitive grew from 44% in 2024 to 55% in 2026.
Yet protection is moving in the opposite direction. As noted earlier, encryption coverage has dropped to 49%.
This is the central tension of the report: Financial services organizations are accumulating more sensitive data in the cloud, protecting a smaller share of it, and granting AI systems access to it at speed.
Compounding this is a visibility gap. Only 32% of businesses report complete knowledge of where their data is stored, and just 35% say they can fully classify all their data.
This means security practitioners are being tasked with protecting information they cannot identify, categorize, or manage, while AI has the upper hand, as it can find and use the same data.
Tool Sprawl Is Amplifying the Leading Cause of Breaches
The report unearths a persistent misalignment between perceived and actual risk.
Nation-state actors are the top concern for 66% of respondents, yet the leading cause of data breaches remains human error (34%). The connection between the two is operational complexity.
Financial services businesses now operate an average of 7 data protection tools, 5 discovery and classification tools and 5 key management tools . AI security tooling follows the same trajectory, with an average of six tools and 62% reporting five or more.
Not surprisingly, only 40% of respondents express confidence in their understanding of their data security tools.
This creates a feedback loop. More tools increase operational complexity, which increases the likelihood of misconfiguration and human error. This leads to breaches, which prompt more investment in tools.
Quantum and Sovereignty Are Already Operational Concerns
Quantum is often framed as a future disruptive event. In financial services, it is already an active engineering concern. 61% say potential encryption compromise is their greatest worry, while 58% fear harvest now, decrypt later (HNDL).
This perception drives 61% to prototype and test post-quantum cryptography, while 47% have identified, or are experimenting with quantum-related projects.
In parallel, 57% of firms are refactoring applications and data architectures to meet data sovereignty objectives.
For financial services, sovereignty is not just regulatory compliance. It is about maintaining control over data portability, jurisdiction, and access in increasingly distributed, AI-enabled environments.
Key management and encryption are critical aspects within this sphere. Nevertheless, 38% of enterprises are convinced that relying solely on cryptography is enough to establish sovereignty: an assumption worth challenging, given the operational and jurisdictional dimensions that sovereignty also entails.
Quantum and sovereignty are converging into a single question: how to maintain trust in data, wherever it resides, amid accelerating change.
What Financial Services Security Leaders Should Do Next
The findings point to a set of practical, high-leverage actions:
- Close the cloud data visibility gap: Identify, categorize, and encrypt sensitive information. Since around half of all sensitive cloud data is unencrypted, this is still the number one risk surface to control.
- Consolidate before adding new tools: Overload is the main source of human error. Simplification enhances security performance and process understanding.
- Fund AI security as a distinct program: Current budgets have no choice but to accommodate AI security. Funding enables proactive measures rather than just reactive responses.
- Begin PQC and CLM modernization now: The 47-day TLS certificate lifetime arriving by 2029 is the forcing function. Plan CLM automation and PQC readiness as a single program, not two.
Download the Report for the Full Picture
The Financial Services Executive Summary goes deeper, breaking down findings by role, including notable gaps between executive and practitioner awareness of breaches, and providing detailed benchmarks across AI security, cloud exposure, and sovereignty strategy.
Download the Thales 2026 Data Threat Report: Financial Services Executive Summary.
Attend our webinar on June 4th: 2026 Financial Services Security Threats and Challenges – with S&P Global, Microsoft, and Thales.