Infosecurity Europe: Practical Lessons From Lloyds' Agentic AI Security Playbook


Lloyds Banking Group is treating agentic AI not as a theoretical threat or boardroom buzzword, but as an engineering problem to be designed, constrained and tested at scale.

In a candid session at the Open Worldwide Application Security Project’s (OWASP) GenAI Security Summit during Infosecurity Europe, two members of Lloyds’ security function laid out how the UK’s largest bank is operationalizing AI security across product lifecycles, governance and real-time defenses, all while keeping regulators and customers front of mind.

Speaking at the summit, Manija Poulatova, director of security engineering and operations at Lloyds Banking Group, started with an honest admission: “We decided the only way we can actually embed security into adoption of AI and agents is to actually understand what is AI and agentic.”

She said the company articulated its AI and innovation roadmap around 11 “bets” and security as the 12th bet, with “the purpose of understanding agentic AI and actually building security controls to secure its use cases.”

“Security teams have been the ‘ministry of no’ for too long, and we want to change the game,” she added.

Kirsty Montignani, head of security data and AI at Lloyds, reinforced the pragmatic posture: “The AI big bets are all low‑risk, high‑value use cases that serve our customers.”

She noted that investments, pensions and customer support were initial priorities because they deliver tangible customer benefit while limiting exposure.

“We wanted to start fresh, and we want to be really precise in our use case,” Montignani added.

John Sotiropoulos (left), Manija Poulatova (middle) and Kirsty Montignani (right) at Infosecurity Europe's OWASP GenAI Security Summit on June 4. Credit: Infosecurity Magazine

Lloyds’ “AI Safe Adoption” Strategy

Montignani further detailed Lloyds’ “AI safe adoption strategy,” which spans the entire lifecycle, from engineers pulling packages and building agents to promotion, runtime observability and decommissioning.

The team created an internal agent marketplace which Montignani described as “a single pane of glass for all agents.” The marketplace aims to centralize registration, governance and controls.

“All the agents are in the same place, which allows us to then protect and control appropriately with auditability, traceability, etc.,” she said.

Rather than siloing security, compliance and responsible AI, Lloyds assembles multidisciplinary feature teams around each use case.

“We bring the right people with the right skills that work together on the use case,” Montignani said.

Production gating is collective: a use case doesn’t go live until all accountable owners are satisfied that risks are mitigated. That collective model enforces accountability while aligning adoption with the bank’s mission to serve customers safely.

“We are developing the understanding and the governance, but we also have the deterministic part, the security tooling, to make sure that when the AI agents, probabilistic systems by nature, are interacting with our current account systems and our loan systems, the customers are getting a consistent experience,” Montignani explained.

Agent Identity Management: A Core AI Governance Challenge

As Lloyds develops two main agents, the Threat Hunting agent and the Solicitors Regulation Authority (SRA) agent, alongside third-party agents used by its workforce, Poulatova said identity management quickly emerged as the company’s top agentic AI challenge.

“The biggest question right now in agentic space is identity, and it’s really hard to answer,” Poulatova acknowledged, describing a phased, multi‑vendor approach using native cloud tools while the industry converges on standards.

The bank is explicit that agent identity isn’t simply a copy of human identity. Agent identity must be designed to enable containment and behavioral analysis so misbehaving agents can be shut down or constrained.

Poulatova explained they are working with both Microsoft and Google to pilot identity approaches. “They both have an idea of how to approach AI agent identities. We’re working with both of them, because right now there’s no one vendor that actually covers it all,” she said.

The bank’s multi‑vendor, phased design allows platform‑native controls (Google Cloud Platform native tools for Google Cloud Enterprise workloads, Microsoft Azure native tools for Azure workloads) while pursuing a strategic goal of a scalable, multi‑cloud identity model.

Montignani also described how Lloyds limits the actions agents can take by constraining tooling and capabilities.

“Make sure tools are signed every time, so that an agent, every time it calls a tool, can only call the wanted tool. It cannot create tools, it cannot create skills.”

She explained that this pattern reduces blast radius and produces auditable trails regulators require.
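
One way to enforce the signed-tool rule described above, shown as an added example rather than Lloyds' own implementation: a dispatcher that re-verifies a tool's signed manifest on every call, refuses tools the agent was never given, and records each decision for audit. The names `ToolGate` and `sign_manifest`, the manifest fields and the key are assumptions made for illustration, and HMAC stands in for the asymmetric signature a release pipeline would normally use.

```python
import hashlib
import hmac
import json

# Constructed key for this example. HMAC stands in for the asymmetric
# signature a real release pipeline would use (assumption, not from the talk).
REGISTRY_KEY = b"constructed-example-key"


def sign_manifest(manifest: dict, key: bytes = REGISTRY_KEY) -> str:
    """Sign the canonical JSON form of a tool manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


class ToolGate:
    """Dispatches agent tool calls only to registered, signature-checked tools."""

    def __init__(self, key: bytes = REGISTRY_KEY):
        self._key = key
        self._tools = {}  # name -> (manifest, signature, handler)
        self.audit = []   # (agent_id, tool name, decision) for every call

    def register(self, manifest: dict, signature: str, handler) -> None:
        # Registration is a platform action at deploy time, never an agent action.
        self._tools[manifest["name"]] = (manifest, signature, handler)

    def call(self, agent_id: str, name: str, **args):
        entry = self._tools.get(name)
        if entry is None:
            return self._deny(agent_id, name, "unregistered tool")
        manifest, signature, handler = entry
        # Re-verify on every call so a manifest altered after registration is caught.
        expected = sign_manifest(manifest, self._key)
        if not hmac.compare_digest(expected, signature):
            return self._deny(agent_id, name, "bad signature")
        if set(args) - set(manifest["params"]):
            return self._deny(agent_id, name, "undeclared parameter")
        self.audit.append((agent_id, name, "allowed"))
        return handler(**args)

    def _deny(self, agent_id: str, name: str, reason: str):
        self.audit.append((agent_id, name, "denied: " + reason))
        raise PermissionError(f"{name}: {reason}")
```

The `audit` list is the piece that supports the traceability point: every allowed and denied call is recorded with the agent identity that made it.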

Lloyds’ Top 10 Agentic Application for Red-Teaming Exercises

John Sotiropoulos, co‑lead of OWASP’s GenAI Security Project, said Lloyds deployed the world’s first application of OWASP Top 10 for Agentic in a production red‑teaming environment, in collaboration with OWASP team members.

Poulatova argued that human testing alone cannot scale to hundreds of agentic projects. Lloyds is experimenting with automated offensive tooling to scale defensive assurance and to surface attack classes like goal manipulation and agent hijack.

“We did see evidence of agent hijack,” Montignani said, underscoring why runtime detection and behavioral monitoring are non‑negotiable.

Sotiropoulos highlighted that the complexity of Lloyds Banking Group’s IT system makes red-teaming exercises challenging.

According to Montignani, the bank has around 23 million customers that generate about seven billion logs every year.

“Our estate is vast, multi-cloud and, because we are a 200-year-old bank, it’s got some legacy devices and technologies. Just like many organizations, we have a lot of tech debt.”

Despite this tech debt, Poulatova said Lloyds aims to become one of the leading digital banks and has been adopting new technologies very fast.

What Security Leaders Should Take Away

For security leaders, Lloyds’ AI agent playbook centers on three actionable elements:

  • Pick precise, low‑risk, high‑value use cases
  • Codify and automate security controls to scale
  • Invest in runtime observability plus automated adversarial testing to keep up with agentic behaviors

In Lloyds’ view, that mix of hands‑on experimentation, engineering rigor and cross‑functional governance is the pragmatic path to secure agentic AI at enterprise scale.

Poulatova urged the audience: “Get hands on. Start testing.”

The OWASP conference session at Infosecurity Europe comes as Lloyds Banking Group recently said generative AI delivered around £50m ($67.3m) of value for the company in 2025. More than £100m ($134.6m) in additional value is expected this year as the group extends its AI leadership position.

Credit: PJ McDonnell / Shutterstock.com

The group also said it rolled out over 50 AI use cases, including:

  • Athena Knowledge Management Tool, an AI‑powered internal search and knowledge assistant that helps colleagues quickly find information to answer customer queries. Lloyds claimed it has reduced search times by 66% on average, enhancing customer service and convenience
  • GitHub Copilot for Engineers, used by around 5000 Lloyds engineers, with the company claiming it is driving a 50% improvement in converting code for established systems, accelerating upgrades to key customer‑facing technology
  • AI HR Assistant, which Lloyds claimed is resolving around 90% of HR queries correctly on first contact

Lloyds Banking Group said many more GenAI and agentic AI use cases will be launched in 2026 alongside an AI Academy for 67,000 employees.

Image credits: Piotr Swat / J2R / Shutterstock.com
