Lloyds Banking Group is treating agentic AI not as a theoretical threat or boardroom buzzword, but as an engineering problem to be designed, constrained and tested at scale.
In a candid session at the Open Worldwide Application Security Project’s (OWASP) GenAI Security Summit during Infosecurity Europe, two members of Lloyds’ security function laid out how the UK’s largest bank is operationalizing AI security across product lifecycles, governance and real-time defenses – all while supporting customers safely and meeting regulatory expectations.
Speaking at the summit, Manija Poulatova, director of security engineering & operations at Lloyds Banking Group, started with an honest admission: “The only way we can actually embed security into adoption of AI and agents is to first understand what AI and agentic AI are.”
She said the company articulated its AI and innovation roadmap around 11 “bets”, with security as the 12th bet, with “the purpose of understanding agentic AI and actually building security controls to secure its use cases.”
“Security teams have been the ‘ministry of no’ for too long, and we want to change that,” she added.
Kirsty Montignani, head of security data and AI at Lloyds, reinforced this pragmatic posture: “The AI big bets are all low‑risk, high‑value use cases that serve our customers.”
She noted that investments, pensions and customer support were initial priorities because they deliver tangible customer benefit while limiting exposure.
“We want to be really precise in our use cases,” Montignani added.

Lloyds’ “AI Safe Adoption” Strategy
Montignani further detailed Lloyds’ “AI safe adoption strategy,” which spans the entire lifecycle, from engineers pulling packages and building agents to promotion, runtime observability and decommissioning.
A key component is an internal agent marketplace, which Montignani described as “a single pane of glass for all agents.”
“All the agents are in the same place, which allows us to then protect and control appropriately,” she said.
Rather than siloing security, compliance and responsible AI, Lloyds assembles multidisciplinary feature teams around each use case.
“We bring the right people with the right skills that work together on the use case,” Montignani said.
Production gating is collective: a use case doesn’t go live until all accountable owners are satisfied that risks are appropriately managed. That collective model enforces accountability while aligning adoption with the bank’s mission to serve customers safely.
“We are developing the understanding and the governance, but we also have the deterministic part, the security tooling, to make sure that when the AI agents, probabilistic systems by nature, are interacting with our systems, the customers are getting a consistent experience,” Montignani explained.
Agent Identity Management: A Core AI Governance Challenge
As agent-based systems evolve, identity management has emerged as a central governance challenge.
“The biggest question right now in the agentic space is identity, and it’s really hard to answer,” Poulatova acknowledged, describing a phased, multi‑vendor approach using native cloud tools while the industry converges on standards.
The bank is explicit that agent identity must be designed to enable containment and behavioral analysis so misbehaving agents can be shut down or constrained.
The bank’s multi‑vendor, phased design allows platform‑native controls while pursuing a strategic goal of a scalable, multi‑cloud identity model.
Montignani also described how Lloyds limits the actions agents can take by constraining tooling and capabilities.
“Make sure tools are signed every time, so that an agent, every time it calls a tool, can only call the wanted tool. It cannot create tools, it cannot create skills.”
She explained that this pattern reduces blast radius and produces auditable trails regulators require.
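The signed-tool pattern Montignani describes can be sketched as a gateway that checks a tool's signature on every call and records each decision. This is an added example, not Lloyds' implementation: `ToolGateway`, `sign_tool`, the key and the sample tool are hypothetical, and a standard-library HMAC stands in for whatever signature scheme a real registry would use.

```python
import hashlib
import hmac
import json

# Assumption: a signing key held by the tool registry, never by agents (constructed value).
REGISTRY_KEY = b"constructed-demo-key"

def sign_tool(name, schema, key=REGISTRY_KEY):
    """Registry side: MAC over the canonical tool definition."""
    body = json.dumps({"name": name, "schema": schema}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

class ToolGateway:
    """Deterministic gate between a probabilistic agent and the tools it may call."""

    def __init__(self, key=REGISTRY_KEY):
        self._key = key
        self._tools = {}   # name -> [schema, signature, callable]
        self.audit = []    # (agent_id, tool, decision, reason)

    def _valid(self, name, schema, signature):
        return hmac.compare_digest(signature, sign_tool(name, schema, self._key))

    def register(self, name, schema, signature, fn):
        # Only definitions carrying a valid registry signature are loaded,
        # so an agent cannot introduce a tool of its own.
        if not self._valid(name, schema, signature):
            raise PermissionError(f"unsigned tool rejected: {name}")
        self._tools[name] = [schema, signature, fn]

    def call(self, agent_id, name, args):
        entry = self._tools.get(name)
        if entry is None:
            reason = "tool not in registry"
        elif not self._valid(name, entry[0], entry[1]):  # re-checked on every call
            reason = "signature mismatch"
        elif sorted(args) != sorted(entry[0]):
            reason = "arguments differ from signed schema"
        else:
            self.audit.append((agent_id, name, "allow", ""))
            return entry[2](**args)
        self.audit.append((agent_id, name, "deny", reason))
        raise PermissionError(f"{name}: {reason}")

def get_balance(account_id):
    """Constructed sample tool."""
    return {"account_id": account_id, "balance": "100.00"}
```

Every allow and deny lands in `audit`, which is the kind of trail the pattern is said to produce; in production the gateway would hold only a public verification key.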
Lloyds’ Top 10 Agentic Application for Red-Teaming Exercises
Lloyds deployed the world’s first application of the OWASP Top 10 for Agentic in a production red‑teaming environment, in collaboration with OWASP team members, said John Sotiropoulos, co‑lead of OWASP’s GenAI Security Project.
Poulatova highlighted that human testing alone cannot scale to hundreds of agentic projects. Lloyds is experimenting with automated offensive tooling to scale defensive assurance and to surface attack classes like goal manipulation and agent hijack.
“We did see evidence of agent hijack,” Montignani said, underscoring why runtime detection and behavioral monitoring are non‑negotiable.
According to Montignani, the bank has around 23 million customers that generate about seven billion logs every year.
“Our estate is vast, multi-cloud and, just like many organizations, we have a lot of tech debt.”
Despite this tech debt, Poulatova said Lloyds aims to become one of the leading digital banks and has been adopting new technologies very fast.
What Security Leaders Should Take Away
For security leaders, Lloyds’ AI agent playbook centers on three actionable elements:
- Pick precise, low‑risk, high‑value use cases
- Codify and automate security controls to scale
- Invest in runtime observability plus automated adversarial testing to keep up with agentic behaviors
In Lloyds’ view, that mix of hands‑on experimentation, engineering rigor and cross‑functional governance is the pragmatic path to secure agentic AI at enterprise scale.
Poulatova urged the audience: “Get hands on. Start testing.”
The OWASP conference session at Infosecurity Europe comes as Lloyds Banking Group recently said generative AI delivered around £50m ($67.3m) of value for the company in 2025. More than £100m ($134.6m) in additional value is expected this year as the group extends its AI leadership position.

The group also said it rolled out over 50 AI use cases, including:
- Athena Knowledge Management Tool, an AI‑powered internal search and knowledge assistant that helps colleagues quickly find information to answer customer queries. Lloyds claimed it has reduced search times by 66% on average, enhancing customer service and convenience
- GitHub Copilot for Engineers, used by around 5000 Lloyds engineers, with the company claiming it is driving a 50% improvement in converting code for established systems, accelerating upgrades to key customer‑facing technology
- AI HR Assistant, which Lloyds claimed is resolving around 90% of HR queries correctly on first contact
Lloyds Banking Group said many more GenAI and agentic AI use cases will be launched in 2026 alongside an AI Academy for 67,000 employees.
