Welcome to AI for FIs, from Dixon Strategic Labs. Each week, this newsletter curates critical developments in agentic AI and explains why they matter for your FI.
An AI agent deleted a production database in nine seconds. No human reviewed the action.
That same month, Fiserv, Navigator CU, Chime, and Finger Lakes FCU each reported AI deployment results with 63-70% automation across contact centers, member interactions, and credit decisions. Each required someone inside the institution to authorize an AI system to act.
Colorado set a January 1, 2027 deadline for the governance infrastructure behind those authorizations. A federal judge ruled that an institution cannot blame AI for decisions it chose to delegate.
And below: what the 2010 Flash Crash tells financial institutions about governing AI agents before the rules arrive.
Four agent deployments hit 63-70% automation this month
Multiple sources · May 8–18, 2026
Fiserv co-developed agentOS with OpenAI and six bank partners including Boulder Dam FCU. Source: American Banker
Fiserv introduced agentOS on May 14, deploying four agent types across deposits, lending, risk, and payments at six institutions including Boulder Dam Federal Credit Union.
In the same two weeks, Navigator Credit Union automated 70% of contact center interactions and eliminated its outsourced after-hours service. Chime's "Jade" handles 70% of customer interactions with resolution up 40 percentage points. Finger Lakes FCU automated up to 63% of credit decisions with 17% loss reduction.
Why it matters: Four institutions followed the same pattern. AI systems handled 63-70% of routine volume across different functions. Humans handled exceptions. The operating model is the same whether the institution has $80M or $80B in assets.
ServiceNow launched a kill switch after a nine-second database deletion
Fortune / Sidley Austin · May 6–11, 2026
ServiceNow CEO Bill McDermott announced AI Control Tower after an agent deleted a production database. Source: Fortune
At Knowledge 2026, ServiceNow CEO Bill McDermott 😎 described an AI agent that deleted a production database and all backups in nine seconds. ServiceNow launched AI Control Tower in response, a governance layer that can pause or stop any agent across an enterprise.
ServiceNow's AI Control Tower discovers and catalogs every AI agent, model, and dataset across an enterprise. Source: ServiceNow
Five days later, a Southern District of New York ruling held that an organization cannot blame its AI for a process it chose to delegate to AI.
Why it matters: ServiceNow built its entire agent governance layer after the failure. The controls that could have stopped the agent did not exist when it was deployed. Don’t do these things.
Colorado's AI governance deadline is January 2027. JPMorgan isn't ready.
Consumer Finance Monitor / PYMNTS / American Banker · May 12–18, 2026
JPMorgan's payments team called its agentic commerce posture "pretty quiet" until the liability architecture is built. Source: American Banker/Bloomberg
Colorado's governor signed SB 26-189 on May 14, effective January 1, 2027. The law requires notice when covered automated decision-making technology is used and plain-language explanations within 30 days after adverse outcomes.
In the same week, the Financial Data Exchange (FDX) found that the rules governing how apps access bank accounts assume a human is authorizing access, not an AI agent, and started building new ones. JPMorgan's payments team called its agentic commerce posture "pretty quiet" until the liability architecture is built. Filene Research argued that credit unions whose products are not machine-readable are already excluded from AI agent comparisons without knowing it.
Why it matters: Colorado set a hard deadline for AI governance in financial services. FDX and JPMorgan confirmed the authorization infrastructure does not exist yet.
Cloudflare's pointed Anthropic's Mythos Preview at live production infrastructure. Mythos is a frontier AI model built to find security vulnerabilities in code. It can chain multiple low-severity bugs into working exploits, a capability previous frontier models lacked. Cloudflare built a multi-agent harness around it: 50 concurrent hunters, adversarial validation agents, and cross-repository exploit tracing.
“Example of Mythos Preview pushing back on building a working proof of concept.” Source: Cloudflare
Cloudflare also found that Mythos's organic guardrails are inconsistent. The same task framed differently produces opposite outcomes. Cloudflare concluded that capable cyber models need external safeguards beyond baseline model behavior. The lesson extends beyond cybersecurity. Reliable control comes from the deployment harness around the model.
Meanwhile, Mozilla shipped fixes for 271 security bugs in Firefox found with Mythos Preview, 180 rated sec-high.
👀 On the Radar
Superadditive offers a reversibility framework for agent deployments: if the action cannot be undone, it requires human authorization.
Gartner surveyed 350 executives and found AI-augmented workforces outperformed AI-replaced ones on ROI. CNBC found 56% saw their stock decline after announcing AI-linked layoffs.
Ron Shevlin argues ChatGPT's personal finance features are a retention play for the $100/month Pro tier. Plaid connects it to 12,000+ financial institutions.
Risk & Safety
A study tested AI agents on 90 routine tasks and found 80% performed at least one harmful action. Agents optimized for task completion without evaluating consequences, a pattern consistent with the database deletion above.
The European Commission published draft high-risk AI classification guidelines for the EU AI Act. The procedure they recommend goes something like this: classify the system before deployment, document why it is or is not high-risk, then decide what controls apply.
Cornerstone Advisors' GonzoBanker identifies three risks credit unions overlook when scaling AI: unexplainable decisions, eroding staff judgment, and a widening distance between efficiency metrics and member trust.
Tools & Vendors
MeridianLink previewed "Millie", an AI document agent for mortgage origination targeting Q4 2026.
In search of circuit breakers
On May 6, 2010, automated trading algorithms triggered a 998-point drop in the Dow Jones Industrial Average within 36 minutes. Procter & Gamble fell 37%. Accenture briefly traded at one cent. The algorithms executed as programmed. No human reviewed the trades before they fired.
The Dow Jones Industrial Average on May 6, 2010. Automated trading algorithms triggered a 998-point drop in 36 minutes. Source: Wikipedia
The response came in layers: single-stock circuit breakers within months, audit trail requirements within two years. Regulators built the controls around automated trading after it broke.
Sixteen years later, financial institutions are deploying AI agents faster than the governance infrastructure around them.
Three accountability lessons
This month surfaced three versions of the same question: who is accountable when an agent acts?
Unauthorized deployment. A 125-year-old Pennsylvania community bank filed an SEC 8-K this month after an employee used an AI application outside the institution's approved channels. Sensitive customer data was exposed.
Ambiguous accountability. Fiserv's agentOS shipped with governance and kill-switch controls built into the vendor platform. Ron Shevlin's analysis flagged a harder question: when an agent acts through a vendor platform, who owns the failure? The institution authorized the deployment. The vendor built the controls. If the agent produces an adverse outcome, the institution must explain a decision made by infrastructure it did not design.
Unchecked autonomy. Research cited by Gary Marcus reported tool-chaining vulnerabilities and goal drift across 847 autonomous agent deployments. Agents strung together capabilities in sequences no one anticipated, and their objectives shifted during execution. The database deletion fits the pattern.
Accountability demands
The liability direction from the SDNY ruling and Colorado's SB 26-189 is set. Now the state has to figure it out operationally. Colorado's 30-day explanation requirement means an institution must reconstruct what an agent did and why it produced a specific adverse outcome. That means knowing which model version was running, what data it processed, what decision path it followed, and who in the institution approved those parameters.
The rulebook's limit
Traditional model risk management governs systems that produce outputs like credit scores and forecasts. AI agents take actions. SR 26-2, the joint federal update issued April 17, covers scoring and forecasting models but explicitly excludes generative and agentic AI.
Wide Open Ventures surveyed 123 credit union executives this month. Overall AI readiness scored 46 out of 100. Finance and accounting, the functions most likely to handle a 30-day adverse outcome explanation, scored lowest at 2.40 out of 5. The departments that would need to reconstruct what an agent did are the least prepared to do it.
The test
Superadditive’s reversibility framework offers a practical starting point. A loan denial can be reversed with a second review. Member data shared with an unauthorized application cannot be retrieved. The distinction determines where human authorization is required.
After the Flash Crash, regulators added circuit breakers to market infrastructure within months. Those markets were already governed and audited, so the foundation existed. AI agents are being deployed into operational environments with neither. An institution with governance that considers reversibility can reconstruct what an agent did, explain why, and reverse the outcome when possible.
Two questions to consider for every agent deployment are: Can the result be reversed? Who is accountable?
In a moment where agentic AI is rewriting operational rules, I help credit union leaders think about what this means for their strategy and take action. Drop me a note at [email protected].
How this newsletter is made: Brent curates the research and writes the analysis. Claude helps with drafting and editing. Published on Beehiiv. ⚡ Alakazam ⚡.
Know someone who should be reading this? Send them the subscribe link.
