Welcome to AI for FIs, from Dixon Strategic Labs. Each week, this newsletter curates critical developments in agentic AI and explains why they matter for community financial services.
This week, AI agents were handed authority. Anthropic's head of banking told banks to stop prompting their models and start delegating whole jobs. Lloyds pushed agents deeper into fraud defense, and toward the moment of payment. nCino's lending agent turned a tax return into a credit analysis in about a minute.
The same week, the tools to keep those agents in check arrived alongside them. Google DeepMind published a playbook for watching a capable agent the way a security team watches a privileged insider. Google and other companies shipped open standards to authenticate agents and log what they do. Banco Santander open-sourced and gave away AI safety tools its lab built.
Let’s dig in.
Google DeepMind · Jun 18, 2026

DeepMind's roadmap escalates two sets of controls as agents get more capable. Detection runs from watching an agent's reasoning (D1) up to harder cases when it learns to hide (D4), and response runs from after-the-fact alerts (R1) up to real-time blocking and shutdown (R3). Source: Google DeepMind.
Google DeepMind published a roadmap for keeping autonomous agents in check, and the framing is blunt: treat a capable agent the way a security team treats a privileged employee who could go wrong. It treats the agent as untrusted from the start, whether it is manipulated or just starts making bad calls on its own, and puts a trusted supervisor on it to watch its reasoning and its actions.
It also names the metrics, including the share of activity monitored, the share of harmful actions caught, and the time to respond, scaling from after-the-fact review to blocking a risky action in real time.
→ See the feature below for a closer look at how folks are managing agents’ access and accountability.
Why it matters: A frontier lab publishing controls for its own agents, not just new capabilities, shows how seriously the risk is now taken. It puts named, measurable controls on a problem that usually gets only buzzwords. For an agent working near accounts or payment rails, that means controls an examiner can measure, not just promises a vendor makes.
American Banker · Jun 19, 2026

Anthropic says 82% of the code it ships to production is now written by Claude, the marker McNamara used for how far delegation can run. Source: American Banker.
At the 2026 New York Banking Summit, cohosted by Fitch Ratings and KPMG, Anthropic's head of banking, Katie McNamara, gave FIs one mantra: stop prompting, start delegating. Instead of asking a model one question at a time, she said, hand an agent a whole job to plan and finish.
Her test for whether it is working is the unit of work. "When we start to change the unit of work from 'Did it give me a good answer?' to 'Did it get the job done?' That's when you know you've accelerated," she said.
She sorted where FIs are putting agents into three types:
Internal productivity: agents that speed up an employee's own work, like writing code or drafting documents.
Faster workflows: agents that run an existing process faster, in the back office and in customer-facing journeys.
Net-new products: agents that let an institution build products it could not offer before.
She placed today's agents at the level of a junior analyst for a financial firm, and said that if the exponential holds, they will soon work at the senior-analyst or VP level.
Why it matters: The payoff sits in the second and third types, faster workflows and new products. The first, internal productivity, is where a lot of bank AI budgets have gone with little to show. On governance, she warned against one central AI hub, and said the staff closest to the work should run the experiments while safety and controls stay central.
Fintech Global · Jun 17, 2026

Lloyds says it prevented more than £1 billion of attempted fraud in 2025 and is moving AI fraud checks toward the moment of payment. Source: Scottish Financial News, photo by George Iordanov-Nalbantov.
Lloyds is pushing AI agents deeper into fraud defense. Built on the bank's secure AI platform, Envoy, multiple agents now run during customer interactions, helping fraud teams handle identity checks, transaction analysis, and scam-risk scoring in real time, with people making the final call.
A new tool called Scam Check, due later this year, will move the check to the moment a customer pays. When someone tries to send money to a new recipient, Scam Check will scan the details and look for red flags, including:
Price being too good to be true
Seller's account being new or having no ratings
Vague description of item
Deposit required
Urgency or pressure tactics
It will weigh those factors to judge the odds of a scam. If the risk is high, it will ask a few questions and request a screenshot before the money moves.
Why it matters: Moving the catch to the moment of payment beats catching it after. An alert that fires once the money is gone cannot pull it back. On real-time rails, a payment clears in seconds, with no window to reverse it.
📡 On the Radar
Rep. Bill Foster: "we are not ready" for agent-speed bank runs. In House testimony, the congressman and physicist warned agentic AI could move deposits faster than humans can watch, leaving concentrated deposit bases exposed first to a machine-speed run.
Agents are turning solved fraud cases into new detection rules. A Unit21 product chief describes AI that reads how investigators cracked past cases and writes their reasoning back into the system as new rules. The same article notes INTERPOL's warning that agentic AI can now run an entire fraud scheme on its own, start to finish.
Google's lawsuit reveals an AI phishing kit that rents for $88 a week. A toolkit named Outsider builds convincing fake sites for trusted brands, including FIs, from more than 290 templates. A believable fake now costs under $100 a week.
⚙️ Tools & Vendors
Banco Santander open-sourced its AI safety tools. Its AI Lab released more than a dozen of them, free for any institution to copy and use, including autoguardrails, which tests an AI against a written policy, and a mechanical governance framework that caps the high-stakes decisions an AI is allowed to make.
Backbase bought Kasisto, the agentic-banking platform behind several large credit unions. Kasisto's banking-tuned agents now run inside Backbase's banking OS. Navy Federal, BECU, and Alliant were already customers, so a platform some credit unions run on just changed hands.
nCino's credit-analyst sub-agent turns a tax return into a credit analysis summary in about a minute. It runs in production at an enterprise institution, with a human-in-the-loop pause before anything is final.

nCino's credit-analyst agent spreads a 2024 tax return on request, then stops and asks a human to review before it locks the period and writes the summary. Source: nCino.
Give an AI agent a badge and a logbook
An AI agent that does a staff member's job needs a staff member's limits. Those limits come as four controls, the same ones a credit union already gives its people: a badge and a logbook to use today, a directory and a shared language on the way. Here is what each one does.

The badge and the logbook are here today; the directory and the shared language are still being written.
A new worker, and the risk
The word 'agent' gets used loosely, so it helps to start plain. An older AI tool answered a question and stopped. An agent does a job. It logs into the systems a staff member would use, looks things up, and takes steps on its own until the task is finished. Think of it as a new hire who can carry a file from start to finish.
That is the promise, and it is also the problem. When a credit union first plugs one of these agents into its systems, it usually hands the agent a master key. The agent can open any door a person can open, and it leaves almost no record of where it went. That is fine in a demo. It becomes a worry once the agent is working near member accounts and money, because no one set a limit on what it can reach, and no one can say afterward what it did.
The badge and the logbook
The first is a badge. A teller's badge opens the branch floor, not the vault and not the server room. A badge for an agent works the same way. It opens only the doors the job needs. The agent that reads loan files can reach loan files and nothing else. It cannot wander into payroll, and it cannot move money. Its access is limited to its job, the way a person's is.
The second is a logbook. Every employee leaves a trail. The door system records who badged in, and the teller system records who ran each transaction. An agent needs to leave the same trail: a record of every system it touched and every action it took. When something goes wrong, or an examiner asks what the agent has been doing, the credit union can show the log rather than guess.

A logbook is a plain old idea, a dated record of what happened, one line at a time. NASA keeps one by hand for its Ingenuity helicopter on Mars, open here to flights 9 and 10. If a Mars helicopter has a handwritten logbook, an AI agent inside a credit union can keep one too. Source: NASA/JPL-Caltech, via Wikipedia.
The directory and the shared language
The last two controls are still being written, and they cover what a worker needs to deal with other workers.
One is a staff directory. Sometimes one agent needs another. A fraud-check agent might need the agent that confirms a member's identity. It needs to look that second agent up in a trusted directory and confirm it is the approved one before relying on it, the way a careful employee calls IT back at the listed number instead of trusting whoever just called.
The other is a shared language. Agents are built by different companies, so an agent from one stays stuck inside that vendor's product and cannot work with the rest. A shared language fixes that. It lets agents from different makers cooperate, the way two employees from two departments can sit down and finish something together.
What this means in practice
A capable new worker arrived fast, and at first it came with a master key and no sign-in sheet. The work now is to give it the badge and the logbook that every other worker already has, and to ask vendors to show both. The directory and the shared language will follow. None of this is new. It is the governance the institution already trusts for its people, pointed at a new kind of worker.
Here now: the badge is Model Context Protocol's Enterprise-Managed Authorization, and the logbook is Arcade.
Coming: the directory is Agentic Resource Discovery, and the shared language is Google's year-old A2A protocol.
In a moment where agentic AI is rewriting operational rules, I help community finance leaders sort out what this means for their strategy. Drop me a note at [email protected].
How this newsletter is made: Brent curates the research and writes the analysis. Claude helps with drafting and editing. Published on Beehiiv. ⚡ Alakazam ⚡.
If a colleague is sorting out AI governance, vendor risk, lending, fraud, or member and customer trust, send them this issue.


