
Lloyds Banking Group Unveils Hands-On Approach to Securing Agentic AI


"We decided the only way we can actually embed security into adoption of AI and agents is to actually understand what is AI and agentic," Manija Poulatova, director of security engineering and operations at Lloyds Banking Group, told an OWASP GenAI Security Summit panel at Infosecurity Europe.

Lloyds' AI safe adoption strategy across the lifecycle

Lloyds Banking Group has framed security as a deliberate, technical bet alongside 11 other "bets" in its AI and innovation roadmap, making security the 12th. Kirsty Montignani, head of security data and AI, described an "AI safe adoption strategy" that spans the full lifecycle: from engineers pulling packages and building agents, to promotion, runtime observability and eventual decommissioning. The bank built an internal agent marketplace intended as "a single pane of glass for all agents" to centralize registration, governance and controls so that agents are auditable and traceable.

Agent identity management: a core governance challenge

Identity for agentic systems emerged as Lloyds' top challenge. Poulatova said "the biggest question right now in agentic space is identity, and it's really hard to answer." Lloyds is pursuing a phased, multi‑vendor approach using native cloud tools while the industry converges on standards. The bank is explicit that agent identity must not be a copy of human identity but must enable containment and behavioral analysis so misbehaving agents can be shut down or constrained. Lloyds is piloting approaches with Microsoft and Google and intends to use platform‑native controls for each cloud while aiming for a scalable, multi‑cloud identity model.

Marketplace, controls and multidisciplinary feature teams

Rather than isolating security, compliance and responsible AI, Lloyds assembles multidisciplinary feature teams around each use case. Production gating is collective: a use case does not go live until all accountable owners agree that risks are mitigated. Montignani said this enforces accountability and aligns adoption with the bank's mission to serve customers safely. She also described deterministic controls to limit agent actions — for example, requiring tools to be signed so an agent "every time it calls a tool, can only call the wanted tool. It cannot create tools, it cannot create skills." That pattern is intended to reduce blast radius and produce auditable trails regulators require.
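The signed-tool pattern Montignani describes can be sketched as a dispatch gate that refuses any tool whose manifest does not carry a valid registry signature and records every decision. This is an added illustration, not Lloyds' implementation or code from the panel. The names `ToolGate`, `sign_manifest`, `get_balance` and `transfer_all` are hypothetical, and HMAC-SHA256 with a constructed key stands in for whatever signature scheme a real registry would use.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real registry would use an asymmetric signing key.
REGISTRY_KEY = b"constructed-demo-key"

def sign_manifest(manifest: dict, key: bytes = REGISTRY_KEY) -> str:
    """Registry side: MAC over the canonical JSON form of a tool manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

class ToolGate:
    """Runtime side: dispatches only tools whose manifest signature verifies."""

    def __init__(self, key: bytes = REGISTRY_KEY):
        self._key = key
        self._tools = {}   # name -> (manifest, callable)
        self.audit = []    # (decision, tool name, reason) tuples

    def register(self, manifest: dict, signature: str, func) -> bool:
        ok = hmac.compare_digest(sign_manifest(manifest, self._key), signature)
        self.audit.append(("register" if ok else "reject", manifest.get("name"),
                           "signature ok" if ok else "bad signature"))
        if ok:
            self._tools[manifest["name"]] = (manifest, func)
        return ok

    def call(self, name: str, **args):
        if name not in self._tools:
            self.audit.append(("deny", name, "not a registered tool"))
            raise PermissionError(f"tool {name!r} is not registered")
        manifest, func = self._tools[name]
        extra = set(args) - set(manifest["params"])
        if extra:  # arguments outside the signed manifest are refused
            self.audit.append(("deny", name, f"unexpected params {sorted(extra)}"))
            raise PermissionError(f"unexpected params for {name!r}")
        self.audit.append(("allow", name, "dispatched"))
        return func(**args)

def demo():
    gate = ToolGate()
    lookup = {"name": "get_balance", "version": "1.0", "params": ["account_id"]}
    gate.register(lookup, sign_manifest(lookup), lambda account_id: 100)
    # A tool the agent made up has no valid registry signature.
    rogue = {"name": "transfer_all", "version": "0.1", "params": ["to"]}
    accepted = gate.register(rogue, "00" * 32, lambda to: None)
    return gate, accepted
```

Because the signature covers the whole manifest, changing a registered tool's declared parameters or version invalidates it, and the `audit` list gives the per-call trail the paragraph refers to.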

Red‑teaming, OWASP Top 10 for Agentic, and runtime detection

Lloyds deployed what the bank described as the world's first application of OWASP Top 10 for Agentic in a production red‑teaming environment, in collaboration with OWASP GenAI Security Project co‑lead John Sotiropoulos. Poulatova argued human testing alone cannot scale to hundreds of agentic projects and that automated offensive tooling is being experimented with to scale defensive assurance and surface attack classes such as goal manipulation and agent hijack. Montignani reported, "We did see evidence of agent hijack," underscoring why the firm treats runtime detection and behavioral monitoring as non‑negotiable. Sotiropoulos noted the complexity of Lloyds' estate complicates red‑teaming: the bank has around 23 million customers, generates about seven billion logs every year, and carries legacy devices and technologies as a roughly 200‑year‑old institution.

Deployment scale, measured gains, and the next phase in 2026

Lloyds said generative AI delivered around £50m of value for the company in 2025 and that more than £100m in additional value is expected in 2026 as the group extends its AI leadership position. The group said it has rolled out over 50 AI use cases and plans many more GenAI and agentic deployments in 2026 alongside an AI Academy for 67,000 employees. Named examples include:

  • Athena Knowledge Management Tool — an internal search and knowledge assistant Lloyds said has reduced search times by 66% on average;
  • GitHub Copilot for Engineers — used by around 5,000 Lloyds engineers and claimed to drive a 50% improvement in converting code for established systems;
  • AI HR Assistant — which Lloyds claimed is resolving around 90% of HR queries correctly on first contact.

How security teams, regulators and engineers are responding

Security teams: Lloyds' playbook emphasizes three repeatable elements for defenders — pick precise, low‑risk, high‑value use cases; codify and automate security controls to scale; and invest in runtime observability plus automated adversarial testing. Poulatova urged peers to "Get hands on. Start testing."

Regulators and compliance owners: Lloyds has designed auditable trails, traceability and production gating so accountable owners must sign off before use cases go live — a governance posture explicitly mindful of regulatory expectations and customer protection.

Engineers and platform teams: The bank's internal agent marketplace and platform‑native controls signal a push to centralize agent registration, limit capabilities through signed tooling, and enforce deterministic behaviors when agents interact with critical systems such as current account and loan platforms.

For Lloyds the path is pragmatic and engineering‑led: experiments with cloud vendors, automated red‑teaming, and tight operational controls aiming to make agentic AI a managed, auditable capability rather than a boardroom abstraction. The unresolved technical knot remains agent identity at scale — Lloyds is piloting options today with Microsoft and Google while pursuing a multi‑cloud, phased model as the industry standards landscape evolves.

https://www.infosecurity-magazine.com/news/lloyds-agentic-ai-security-playbook/