Investment firms have spent years hardening their networks, endpoints, and access controls. Many are now deploying AI across research, compliance, forecasting, and trading without applying the same rigor to the models themselves. The assumption is that protecting the environment around a system is sufficient for AI model security.
However, the model is also an attack surface. The vulnerabilities specific to it are ones that most investment management leaders have not yet encountered in accessible language, and that gap is becoming more consequential as AI moves closer to high-stakes decisions.
A different kind of attack surface
Traditional cyberattacks exploit infrastructure: code vulnerabilities, misconfigured systems, stolen credentials. AI-specific attacks exploit model behavior: the way a language model processes inputs, learns from data, and generates outputs. Unlike a software vulnerability that can be patched and verified, AI model security vulnerabilities are often subtle, context-dependent, and difficult to detect because the model continues to function normally under most conditions.
The FINOS AI Governance Framework, developed specifically for financial services, describes the underlying reason this is structurally different: unlike traditional programming languages, large language models do not make a hard distinction between instructions and data. A well-crafted input can become an instruction that overrides the system’s intended behavior. That architectural characteristic is what makes the attack vectors below distinct from the infrastructure threats most investment firms already know how to defend.
Prompt injection: the AI equivalent of phishing
In simple terms, a prompt injection occurs when an attacker crafts an input that causes the model to override its guidelines and behave in unintended ways. This may involve embedding malicious instructions in a document, email, or data source the model processes. Prompt injection is ranked #1 on the Open Worldwide Application Security Project (OWASP) LLM Top 10 for 2025.
The FINOS framework documents specific scenarios for investment firms:
- A direct injection might target an AI-powered advisory or research tool: an attacker prompts it to disclose proprietary investment algorithms, generate fabricated transaction histories, or bypass suitability checks.
- An indirect injection is more insidious: malicious instructions are hidden in a third-party market report, a customer communication, or a document uploaded for analysis. When the model processes that content, the embedded instructions trigger without any further action from the attacker. In multi-agent systems where AI tools execute automated actions, an indirect injection can escalate privileges, send unauthorized communications, or trigger transactions entirely within the model’s execution environment.
- The FINOS framework also identifies a lesser-known exposure: sophisticated prompt injection can be used to probe a model’s internal structure, extracting training data, proprietary configurations, or system instructions. This enables intellectual property theft and can facilitate the creation of cloned models that replicate a firm’s analytical edge.
Data poisoning: corrupting the model at its source
Data poisoning targets the inputs that shape how a model behaves, either during training or in the retrieval systems models use to answer questions in production. The Trilateral Research analysis of documented attacks from August 2024 through August 2025 is a useful reference point here, because it moves beyond theoretical frameworks into specific incidents involving enterprise AI systems that investment firms are already using.
In training-time poisoning, modifications to as little as 0.1% of a dataset can plant behavioral triggers that persist undetected until activated. For example, a fraud detection model retrained on poisoned transaction data could be manipulated into classifying additional fraudulent activity as legitimate. The UK AI Safety Institute’s 2025 study, conducted with Anthropic and the Alan Turing Institute, found this type of attack is significantly more common and easier to execute than previously assumed.
The more immediate risk for most firms is RAG poisoning: attacks targeting the documents, knowledge bases, and data stores that AI assistants retrieve to answer questions. Between 2024 and 2025, AI model security researchers demonstrated successful attacks against Microsoft 365 Copilot, ChatGPT Connectors, and multiple enterprise RAG systems, achieving data exfiltration and decision manipulation through nothing more than a malicious document uploaded to a shared drive.
Output exploitation and hallucination risk
Even a model that hasn’t been attacked can produce outputs that create serious risk if treated as authoritative. The CFA Institute’s risk frontier analysis identifies overreliance on AI outputs as a meaningful threat vector: the less structured a market phenomenon, the more failure-prone model outcomes become. Today’s reasoning models are largely pattern-recognition tools that struggle with the kind of high-complexity, imperfect-market analysis that investment professionals confront regularly.
For example, an AI-driven market analysis tool can confidently generate optimistic earnings projections that look credible but are materially wrong, whether through hallucination or intentional manipulation. The CFA Institute frames this as a governance question as much as a technical one: widespread use of similar AI models introduces systemic risk, including increased market correlation and model opacity, when outputs are accepted without adequate validation.
Output exploitation occurs when an attacker understands a model’s behavior well enough to craft inputs that predictably produce favorable outputs. This is the subtlest of the attack vectors: it leaves no obvious footprint and may not be distinguishable from normal model behavior until the consequences of the biased output become visible.
Shadow AI multiplies all of these exposures
Each of the vulnerabilities above is more dangerous when firms do not know which AI systems are in use. Consider shadow AI: models or applications deployed without formal assessment or governance. HelpNetSecurity’s 2025 analysis of financial sector cyber threats found that shadow AI accounted for approximately 20% of AI-related breaches in 2025; among organizations that experienced AI-related security incidents, 97% lacked adequate AI access controls.
In financial services, an investment analyst using an unvetted AI tool to summarize a deal document, process client data, or draft research has created a model-level attack surface that sits entirely outside the firm’s security perimeter. That tool may connect to external APIs, store sensitive firm data in its training pipeline, or be susceptible to the RAG poisoning techniques, and the analyst’s firm will have no visibility into any of it. Shadow AI is a user discipline problem; but it is also a governance gap that grows in direct proportion to AI adoption, and how useful AI tools become.
What an AI model security posture looks like
The Bank of England, FCA, and HM Treasury’s May 2026 joint statement on frontier AI and cyber resilience offers the most direct regulatory framing of where this is headed. Frontier AI models can rapidly identify and enable exploitation of a potentially large number of vulnerabilities across firms’ technology estates. What’s more, the cyber capabilities of current frontier AI models are already exceeding what a skilled human practitioner could achieve; and at significantly higher speed, greater scale, and lower cost.
Firms that have underinvested in core AI model security fundamentals, the statement notes, are likely to grow more exposed as more advanced models become available.
AI models as governed assets
The organizational moves that matter at the leadership level are less about deploying specific technical controls and more about treating AI models as regulated assets subject to the same governance logic as other critical systems.
That means AI models belong in the firm’s technology inventory, not just the software that runs them. It means the documents and data sources that AI retrieves should be governed with the same access controls as the systems those AI tools are meant to protect. And it means human validation should be explicitly designed into workflows where AI outputs inform consequential decisions: pricing, contract review, investment recommendations, compliance determinations.
Building AI governance frameworks
Investment firms need to build AI governance frameworks that monitor data quality, model assumptions, and alignment with fiduciary principles; they must train teams to challenge AI outputs through scenario analysis and domain-specific judgment, rather than treating model outputs as a shortcut that replaces that judgment. Third-party AI dependencies, service provider concentration, and opaque model behavior are additional risks that extend beyond any individual firm.
Monitoring exposure to AI model security risks
It’s worth noting that investment firms are not the primary targets in most of the published adversarial AI research; that attention concentrates on banks and payment processors. But investment firms have characteristics that make them attractive and, in some respects, more vulnerable. They have high-value assets, increasing AI integration into consequential workflows, and a security posture that has historically focused on network and endpoint defense rather than model-level defense.
The gap between how much these firms have invested in deploying AI and how much they have invested in securing it is the core exposure, and it is one that regulators across the globe are asking firms to address.
How Option One Technologies supports investment firms
Option One Technologies works with investment companies, hedge funds, private equity firms, and asset managers to build and maintain the managed IT and cloud infrastructure that makes AI deployment secure and governable at scale. That includes the access controls, monitoring capabilities, and implementation expertise that close the gap between deploying AI and protecting it. To learn more about how we can help your firm develop a security posture that addresses the model layer, contact a member of our team.
