Not a hypothetical. Not a warning about the future.
This is happening right now, in production systems, at companies that believe their AI implementation is “under control.”
In February 2026, researchers documented CVE-2025-32711 — nicknamed EchoLeak — where a crafted email caused Microsoft Copilot to automatically exfiltrate data without any user interaction. CVSS score: 9.3 out of 10. No click required. No warning. The agent just did it.
At Black Hat 2025, live demonstrations showed successful exploits against Copilot, Salesforce, and Google Gemini — including an agent that granted access to a connected Google Drive after receiving a single malicious email.
And in r/cybersecurity this week, someone noted that 74.8% of AI agent attacks detected in production were security-related — prompt injection, logic manipulation, agents with permissions they should never have had.
Here is the part that keeps me up at night.
I spent 14 years in banking. I understand what “financial firewall” means — not as a concept, but as a lived operational reality. In banking, you do not let any system touch money, data, or customer records without layered controls. Separation of duties. Audit trails. Hard limits. Human approval for anything above a threshold.
We built all of that for financial systems over decades of painful lessons.
And then in 2024–2025, organizations started deploying AI agents with effectively zero of those controls in place.
Agents with wallets (token budgets they can spend freely).
Agents with access to CRM data, customer records, internal documents.
Agents that can send prompts containing your customer’s SSN, medical history, or financial data — to a public model — without anyone reviewing it first.
No budget caps. No PII filters. No injection detection. No audit log.
Just a dashboard that shows you what happened after.
CFOs: this is now your problem, not just IT’s.
A CFO at Thumbtack said it directly at the end of 2025:
“In 2026, AI will either become the CFO’s greatest advantage or their biggest liability — and the difference will come down to how well they govern it.”
Half of finance chiefs surveyed named digital transformation as their top priority for 2026. The same survey shows CFOs are embedding AI agents directly into finance workflows.
That means agents touching financial data. Agents making decisions. Agents with access to things that, if leaked or manipulated, create regulatory exposure under GDPR, CCPA (California), PIPEDA (Canada), and a tightening US federal landscape.
OWASP has ranked prompt injection as the #1 vulnerability for LLM applications going into 2026. Not a niche developer concern. The top risk.
And agents amplify it. What was once a single manipulated output is now an orchestrated chain — hijacking planning, triggering tool calls, exfiltrating data across multiple systems before anyone realizes what happened.
What a financial firewall for AI actually looks like
The architecture exists to prevent this. Budget enforcement, PII detection, injection defense — applied before the request hits the model, not reported after. The question is whether teams build it before or after their first incident.
Before any request hits OpenAI, Gemini, or your local model:
Does this call exceed the budget for this client or workflow? If yes — blocked before tokens are generated. Not after.
Does this prompt contain PII, PHI, or sensitive financial data? If yes — flagged, paused, routed to human approval.
Does this look like a prompt injection attempt? Six attack vectors scanned in real time.
It’s not observability. Observability shows you what already happened.
This stops it before it does.
Three steps to set up. No code changes. You swap your existing API base URL for the proxy URL, set a budget cap, and it starts working.
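As an added illustration of the gate described above (example code written for this post, not the aicostops.com product's own), here is a minimal Python pre-request check that asks the three questions in order: budget first, then injection patterns, then PII. The client budgets, the ~4 chars/token estimate and the regexes are constructed placeholders, not anything the proxy is known to use.

```python
import re
from dataclasses import dataclass, field

# Constructed per-client token budgets (the post's "wallets"); a real proxy would
# load these from config and meter with the provider's tokenizer.
BUDGETS = {"client-a": 1_000, "client-b": 50}

# PII detectors: US SSN and 16-digit card numbers (Luhn-checked to cut false positives).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

# Injection heuristics: instruction overrides and requests to push data to a URL.
INJECTION_RE = re.compile("|".join([
    r"ignore (all |any |the )?(previous|prior|above) instructions",
    r"reveal (your|the) (system|hidden) prompt",
    r"(send|forward|post|upload) .{0,40}(to|at) https?://",
]), re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of digits."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def estimate_tokens(prompt: str) -> int:
    return max(1, len(prompt) // 4)   # rough ~4 chars/token stand-in for a tokenizer

@dataclass
class Decision:
    action: str                     # "allow", "block" or "needs_approval"
    reasons: list = field(default_factory=list)

def gate(client: str, prompt: str, spent: dict) -> Decision:
    """Run the three checks before any tokens are generated; `spent` tracks usage per client."""
    if spent.get(client, 0) + estimate_tokens(prompt) > BUDGETS.get(client, 0):
        return Decision("block", ["budget exceeded"])
    if INJECTION_RE.search(prompt):
        return Decision("block", ["injection pattern"])
    pii = []
    if SSN_RE.search(prompt):
        pii.append("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(prompt)):
        pii.append("card")
    if pii:
        return Decision("needs_approval", pii)   # pause and route to a human, do not forward
    spent[client] = spent.get(client, 0) + estimate_tokens(prompt)
    return Decision("allow")
```

Only an "allow" decision debits the budget and is forwarded; blocked and paused requests never reach the provider, which is the difference between a gate and a dashboard.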
The specific populations I’m thinking about when I say this
AI agencies running workloads for multiple clients: one misconfigured agent leaking a client’s customer PII is not just a technical incident. It’s a contract termination and a regulatory conversation.
Institutions with heavy agent usage — healthcare, finance, legal: you are operating in regulated environments. The agent doesn’t know it’s not supposed to send a Social Security Number to a public model. You need a layer that does.
CFOs moving AI from pilots to production in 2026: the financial governance frameworks you already understand — cost centers, spending limits, audit trails, approval workflows — those need to exist for your AI stack. Right now, for most organizations, they don’t.
The honest version of where we are
2025 was the year everyone deployed AI.
2026 is the year everyone discovers what they forgot to control.
The teams that build the financial firewall now — budget enforcement, PII guardrails, injection defense, human approval gates — will be the ones who can actually scale agents safely.
The teams that don’t will be explaining incidents to regulators, clients, and boards.
I know which conversation I’d rather have.
Want to see what a control layer looks like in practice?
Visit aicostops.com — I’m happy to walk through the architecture.
Figure 1: AI Cost Ops Architecture - Intercepting and optimizing traffic flow. (Diagram: Your Apps → Proxy with Active Protection [Budget Check, Semantic Caching] → Providers.)