The OCC’s Two-Sided AI Warning for Banks

AI is changing the cyber threat landscape by making attacks faster, cheaper, and more sophisticated—but it is also giving banks new tools to manage cyber risk and strengthen monitoring. In the OCC’s spring Semiannual Risk Perspective, that two-sided reality sits inside a broader operational and compliance risk cluster that also includes fraud, sanctions risk, and BSA/AML strain.

A few themes stand out:

AI is helping both sides of the fight. The OCC says AI “lowers the barrier to entry for threat actors and increases the speed, scale, and sophistication of cyber-attacks targeting financial institutions and their customers.” It can facilitate fraud, speed vulnerability discovery and exploitation, sharpen social engineering, and enable malware that adapts to evade traditional defenses. But the report also says AI can be used “to defend against threats and to support risk management and heightened threat and vulnerability monitoring processes.” Recent concern around Anthropic’s Mythos model has underscored the report’s broader point: AI is not just improving defenses; it is also accelerating the capabilities available to attackers.

Basic controls still matter. For all the attention on advanced tools, the report points to familiar defenses that remain important. “More stringent security measures, such as multifactor authentication and timely patch management,” the OCC says, help mitigate AI-enabled cyber risks. That is a useful reminder that new technology does not erase the value of disciplined blocking and tackling.

Fraud and scams remain an active pressure point. The OCC says banks continue to face “elevated levels and rising sophistication of fraud and scams,” including impersonation scams facilitated by text messages and social media. Its conclusion is straightforward: “a dynamic and adaptive approach to risk management is warranted.”

Compliance strain is part of the same risk cluster. The report says geopolitical tensions are increasing sanctions and money laundering risk, “straining bank compliance systems” and raising the potential for sanctions and BSA/AML violations. That matters because the OCC is not treating AI, cyber, fraud, and compliance as separate conversations. It is placing them inside the same operational-risk picture.

Banks are moving carefully on newer AI. The OCC says banks are taking “a measured approach” to generative and agentic AI, with adoption “generally limited to specific use cases with guardrails and human-in-the-loop accountability to manage risk.” To date, the agency says, use cases are mainly tied to productivity and customer experience enhancement tools, though banks may consider broader uses over time. Meanwhile, the OCC notes unique challenges around “lack of explainability, data privacy and data poisoning issues, cybersecurity threats, and validation challenges.”

The takeaway: The OCC is not telling banks to hold back from AI. It is telling them to treat AI as both a defense capability and a source of new exposure—and to govern it that way.
