Claude Cowork in financial environments: when the agent becomes a vector for risk.
AI no longer just answers: it acts. With the advent of autonomous agents like Claude Cowork, the attack surface is being entirely redefined — particularly in environments where professional confidentiality isn’t optional.
We are leaving the era of passive chatbots and entering that of agentic AI. Anthropic’s Claude Cowork no longer just answers a question: it accesses your file system, navigates autonomously, connects to your internal databases via the Model Context Protocol (MCP). The productivity gains are real. So are the new vectors of risk.
The paradigm shift: hands, permissions, autonomy
Traditionally, the use of a large language model in finance remained siloed: a depersonalised text, an analysis, a closed session. The agentic model breaks down that silo. It now has concrete execution capabilities:
- Access to the local file system: reading, editing, and structuring documents directly on the machine or shared servers.
- Persistence and automation: background script execution, asynchronous workflows, scheduled tasks.
- Ecosystem integration via MCP: a bridge between third-party applications, APIs, and corporate databases.
Granting action rights to a statistical model creates a new type of exposure. That’s not a reason to reject the technology — it’s a reason to frame it with surgical precision.
Introducing an AI agent without a containment strategy is like inviting an unknown third party to sit down at your workstation.
Three critical vulnerabilities to know about
Indirect prompt injection. This is the most insidious risk. If the agent analyses an external document — a third-party report, a prospecting email, source code — that document can contain malicious instructions invisible to the naked eye. The AI, on reading the file, prioritises these hidden instructions and can be ordered to search the local disk for .env files, audit reports, or credentials, and then exfiltrate them.
Privilege expansion for convenience. For the sake of efficiency, users often grant AI broad access to entire directories. In finance, these folders frequently contain data that is temporarily unencrypted. Permanent access to these spaces creates a goldmine for any automated exfiltration attempt.
The auditability gap. DLP and SIEM solutions are designed to monitor human actions or standard processes. When an AI agent executes complex local queries or transmits data through its own API channels, traceability becomes opaque. In the event of a leak, reconstructing the chain of causality proves extremely difficult.
The spectre of the CLOUD Act: an added layer
Beyond the technical risks, introducing an agent designed by a US company at the heart of a European or Swiss financial environment raises a geopolitical question that cannot be ignored. Even if the agent operates on local files, inference itself runs on Anthropic’s cloud infrastructure, subject to US law.
Prompts and contextual document excerpts therefore pass through entities to which the CLOUD Act may apply. For institutions subject to strict banking secrecy, GDPR, or DORA, this transmission — even a transient one — can constitute a clear-cut compliance breach. Handling M&A strategies or asset portfolios in this context cannot be treated as a trivial matter.
Four principles for Zero-Trust governance
An outright ban on agentic AI is often counter-productive: it pushes staff towards Shadow AI, meaning the use of unsecured consumer-grade tools. The only viable response is architectural:
- Strict sandboxing: the agent must never access the root of a machine or a global shared network. Its file environment must be sealed, ephemeral, and limited to the current project.
- Systematic human validation: autonomous automation features (sending emails, executing queries, modifying databases) must require explicit approval before every critical action.
- Control gateways: filtering tools capable of analysing outbound flows to APIs and anonymising any transmission of sensitive data in real time.
- Sovereign alternatives for critical data: for areas of activity requiring absolute secrecy, deploying open-source models hosted locally or on audited sovereign clouds remains the only truly watertight option.
When it comes to financial AI, the watchword must no longer be agility at any cost, but absolute precaution. The institutions that manage to erect watertight technical and legal barriers around these agents will be the only ones able to turn this technological leap into a lasting competitive advantage.
Interested in agentic AI, but not at any cost?
We deploy tailor-made, contained, and sovereign AI architectures, suited to environments where confidentiality is non-negotiable.
Talk to us about it