AI Pulse Daily Brief

May 12, 2026

AI Pulse Daily Brief | 2026-05-12

Reading time ~16 mins

Dutch consultation on the AI Act Implementation Law confirms AFM and DNB as the bank's AI supervisors.
A widely used Microsoft AI-agent framework turns a poisoned prompt into remote shell access; a million-host scan finds 21,000+ exposed agent instances in the wild; a customer-data dump lands on a ransomware leak site via a shared vendor.
ING claims a 90% pilot-to-production rate and confirms agentic mortgage origination in the Netherlands in 2026; Anthropic ships ten banking-specific agents with Goldman Sachs, Citi and Citadel as named clients.
McKinsey, BCG and Deloitte converge on the same Q1 finding: broad AI adoption, almost no value capture.
Dutch workplace AI use hits 43% with only 31% of users stripping sensitive data first; seven Dutch providers form an Open Cloud Alliance to chase sovereign-cloud public-sector contracts.

Top signal

Dutch cabinet opens consultation on the AI Act Implementation Law, formally naming AFM and DNB as the bank's AI supervisors. Authority

Signal: On 20 April 2026 the Dutch Ministry of Economic Affairs and Digital Transition published the draft Uitvoeringswet AI-verordening for public consultation, designating AFM and DNB as the sector-specific competent authorities for AI inside financial institutions — covering high-risk AI systems, prohibited AI practices and transparency obligations — with the Autoriteit Persoonsgegevens and the Rijksinspectie Digitale Infrastructuur as coordinating national authorities. The Netherlands has chosen a decentralised, multi-authority model rather than a single AI regulator, with ten sectoral supervisors plugged into the EU AI Act enforcement chain.

Relevance: For a Dutch bank this is the moment AI Act supervision becomes a known, sectoral relationship rather than an open question — AFM will read AI through its conduct lens, DNB through its prudential lens, and both will operate alongside the existing supervisor relationships your AI inventory already inherits. Silence in the consultation locks in the coordination model as drafted; submissions made now are the cheapest way to influence how AFM and DNB carve up the same AI systems in practice.

Consider: Ask Legal and Compliance whether the bank is filing a consultation response before the Dutch deadline, and what that response will say specifically about how AFM and DNB should hand off when the same AI system has both conduct and prudential exposure — that hand-off is the part most likely to be litigated in supervisory dialogue later.

Stibbe

Security

A widely used Microsoft AI-agent framework can be hijacked into running shell commands by a poisoned input. Vendor

Signal: Microsoft disclosed on 7 May 2026 two critical flaws in Semantic Kernel — its open-source framework for building AI agents on top of large language models, used widely by enterprise teams running Microsoft AI stacks — that allow an attacker to escalate from a malicious prompt embedded in any document, web page or message the agent processes to executing arbitrary shell commands on the host, writing scripts into Windows startup folders, and exfiltrating sensitive files. Python packages 1.40.0 and earlier and .NET packages 1.65.0 and earlier are affected; patches are available now.

Relevance: This is the first published end-to-end exploit chain showing that prompt injection in a mainstream AI agent framework is not a theoretical risk class but a remote-code-execution path — and the affected framework is one of the most likely choices for Microsoft 365-centred banks building internal agents. Any bank running Semantic Kernel-based agents that touches untrusted content (customer documents, web content, vendor email) has to assume the agent host is reachable through that content.

Consider: Ask whether the bank can produce, within seven days, a list of every Semantic Kernel deployment (including pilots and proofs-of-concept) with version, the patch status, and the data classes the agent processes — and treat "we do not centrally know" as a finding that goes to the operational-risk committee rather than back to the AI Platform team for self-resolution.

Microsoft Security Blog (publication date unverified)

A scan of a million publicly reachable AI services finds 21,000+ exposed agent instances with critical unpatched flaws. Media

Signal: A May 2026 security research scan of over one million publicly exposed AI services identified 21,000+ instances of OpenClaw — a popular open-source agent framework with 135,000+ stars on GitHub — running with critical vulnerabilities being actively exploited via malicious entries in its plugin marketplace. A significant share of agentic deployments scanned lacked authentication and network isolation altogether; the researchers describe an emerging attack surface where agent platforms inherit the same exposure profile that early Kubernetes clusters had before defaults were hardened.

Relevance: The unmanaged AI-agent footprint inside large enterprises is now a measurable population, and it is wide open — banks that have allowed business units to stand up agentic pilots without going through the AI Platform team are statistically likely to have at least one instance in the exposed cohort. The plugin-marketplace path mirrors the npm and PyPI supply-chain pattern: agents pull "useful" capabilities from public registries and inherit their security posture without a human in the loop.

Consider: Ask the AI Platform owner and the SOC for a joint sweep within 14 days of agent-framework instances inside the bank's perimeter (corporate, cloud, partner) — and treat any agent that can fetch from a public plugin or model registry without an allowlist as a finding.

The Hacker News (publication date unverified)

Citizens Bank and Frost Bank customer records appear on a ransomware leak site after a shared third-party vendor was breached. Media

Signal: The Everest ransomware group listed records from Citizens Bank and Frost Bank on its dark-web leak site in April 2026, claiming exfiltration via a third-party data-management vendor used by both institutions. Citizens Bank confirmed a limited customer dataset was involved and noted that most extracted data was masked test data; Frost Bank confirmed it is investigating. The same pattern — one vendor, multiple downstream bank customers — has driven several of the largest banking-data exposures so far in 2026.

Relevance: Shared-vendor exposure is exactly the DORA third-party-risk scenario that supervisors are testing for, and the time between "vendor breach announced" and "your customer data on a leak site" is now measured in days. A bank whose third-party register cannot quickly answer "which of our vendors share infrastructure with this one" is exposed before any of its own controls have been touched.

Consider: Ask Procurement and Third-Party Risk for a 14-day map of which critical AI and data-management vendors share underlying infrastructure, and confirm that the DORA serious-incident notification chain has been rehearsed against a vendor-side breach scenario rather than just an internal one.

PYMNTS (publication date unverified)

Industry & competition

ING confirms agentic AI mortgage origination in the Netherlands and Germany in 2026. Media

Signal: ING said on 6 May 2026 that it will launch agentic AI-driven mortgage applications in the Netherlands and Germany during 2026 and then roll out to other markets, with the COO describing end-to-end automation of document extraction, credit checks and completion without human intervention. The bank reports a consistent 25% productivity gain wherever AI is introduced into an operations process; five focus areas are active — Know Your Customer, call centres, wholesale due diligence, retail hyperpersonalisation and internal engineering — and the customer-facing chatbot already handles 75% of queries unaided.

Relevance: A direct Dutch competitor has now publicly committed to autonomous mortgage origination in the home market this year, which moves agentic AI from "strategic option" to "named flagship product on a published timeline" in retail banking — a category in which mortgage time-to-decision has historically been the most-watched customer metric. Whatever assumptions a bank's own mortgage roadmap is built on, that timeline is now the comparison point that customers, brokers and supervisors will draw.

Consider: Ask the Retail and Operations leads whether the bank's mortgage-origination roadmap has a named agentic-AI milestone in 2026, and if not, what the explicit board decision was to sequence agentic origination after ING's announced go-live rather than before it.

Computer Weekly (publication date unverified)

ING reports converting 90% of AI pilots to production — roughly three times the industry average. Media

Signal: In a follow-up interview, ING said its centralised AI development function now converts 90% of pilot projects into production deployments, against an industry baseline of about 30%, attributing the gap to a single central AI team that plugs tightly into each business division rather than a fragmented model-per-market structure. ING also says it has trained 5,000 employees on data fluency and generative AI to sustain the pace.

Relevance: Pilot-to-production conversion is the operating-model metric that compounds — at three times the industry rate, the gap between a 90% bank and a 30% bank doubles every two operating cycles even if both start the same projects, and it is the metric most directly visible to a supervisor when checking whether the bank's AI investment is converting into supervised, controlled production systems rather than orphaned proofs of concept.

Consider: Ask the Chief Operating Officer and the AI Platform lead for the bank's own pilot-to-production conversion rate for the past 12 months, broken out by business division, and treat the absence of that number as the first finding to act on.

Computer Weekly (publication date unverified)

Anthropic launches ten banking-specific AI agents with Goldman Sachs, Citi, AIG and Citadel as named clients. Vendor

Signal: Anthropic announced ten financial-services agents on 6 May 2026 covering pitchbook generation, account closing, credit memoranda, Know Your Customer checks, underwriting review and financial modelling, with deeper Microsoft 365 integration and named institutional adopters including Goldman Sachs, Citi, AIG and Citadel. It also disclosed a joint venture with Blackstone, Hellman & Friedman and Goldman Sachs targeting deployment, and a separate partnership with FIS for AI-driven financial-crime monitoring.

Relevance: The financial-services AI vendor landscape has now bifurcated into two named platforms — Anthropic's banking agent set and OpenAI's enterprise-deployment vehicle — with the largest US banks already committed as reference customers. For a bank still on a single-vendor multi-purpose-model contract, the supply-side has just produced banking-built alternatives that did not exist as named offerings six weeks ago, and the procurement equation changes accordingly.

Consider: Ask the AI vendor-strategy lead whether the bank's next multi-model platform refresh treats Anthropic's banking agents as a pre-built buy option for one or more of the ten named workflows, rather than as raw model capacity that the bank rebuilds the same workflow on top of.

Retail Banker International

Netherlands & Sovereignty

Dutch workplace AI use reaches 43% with only 31% of users removing sensitive data before pasting into AI tools. Authority

Signal: A 6 May 2026 HRMorgen overview consolidating the UWV employer survey (3,550 employers, Q4 2025), the Newton AI Monitor (2,504 respondents, March 2026) and the Youforce HR Benchmark 2026 finds that 43% of Dutch employed adults now use AI for work tasks while 51% have received no instructions from their employer on how to use it and only 31% remove sensitive information before doing so. 75% of Dutch organisations report using AI in HR processes — administrative work, recruitment and predictive analytics dominate — and 10% of employers expect net job losses within five years.

Relevance: The Dutch baseline now puts a number on the shadow-AI problem inside the bank: nearly half of staff are likely using AI at work, two-thirds are doing so without removing client or commercial information first, and that pattern is exactly the one DNB's AI supervision and the EU AI Act high-risk HR provisions are about to start examining. Predictive HR analytics is already in scope as high-risk in several configurations under the AI Act.

Consider: Ask HR, the data-protection officer and the AI Platform lead to commission a 30-day internal staff survey benchmarking the bank's own AI usage and sensitive-data-handling rates against the 43%/31% Dutch baseline — the answer is the operational starting point for the AI Act high-risk HR conformity assessment that will be required.

HRMorgen

Seven Dutch cloud providers form the Open Cloud Alliance to chase sovereign public-sector contracts. Media

Signal: Centric, KPN, Info Support, Intermax, Nebul, Previder and Uniserver launched the Open Cloud Alliance with a joint manifesto on 22 April 2026, backed by DINL and TNO, targeting sovereign cloud alternatives for Dutch government and critical-sector procurement. The trigger was the potential acquisition by US firm Kyndryl of Solvinity, the operator of the DigiD national digital identity system, which crystallised cross-political concern about foreign control of critical Dutch digital infrastructure.

Relevance: The Open Cloud Alliance is now the named institutional vehicle through which the Dutch sovereign-cloud question lands in procurement processes that adjacent regulated sectors — including banks — will be asked to mirror. The relevant question is not whether the alliance can match hyperscaler capability for every workload, but whether the bank's "no sovereign alternative exists" justification for hyperscaler-only AI architectures still holds when two of the seven members are Dutch telco-scale infrastructure providers.

Consider: Ask the cloud-strategy and AI-infrastructure leads to commission a joint briefing within 90 days from at least two Open Cloud Alliance members on what AI workloads they can host today, and treat the result as a board-readable input to the next sovereign-AI position update.

CloudNews.Tech

Perspectives

An IBM CEO study finds 76% of organisations have named a chief AI officer, up from 26% a year earlier. Advisory

Signal: IBM's 2026 global CEO study reports that 76% of organisations now have a named chief AI officer (against 26% in 2025), and that 79% of executives are pushing AI decision-making authority outward rather than holding it centrally as AI expands enterprise-wide. American Express/Resy chief executive Pablo T. Rivero is quoted framing the shift as architectural: AI-led transformation requires reimagining whole workflows rather than overlaying tooling onto existing ones.

Relevance: The choice between a named chief AI officer and a distributed accountability model is now the visible governance question for boards — and the supervisory dialogue around AI governance will increasingly assume one of the two structures is in place, rather than treating either as exotic. For a Dutch bank moving into AFM/DNB AI supervision, the model the supervisor sees on the org chart frames the rest of the conversation.

Consider: Ask the managing board to take an explicit decision next quarter on whether AI accountability sits with a named chief AI officer or distributed across business owners, and to record the reasons either way, so that the answer to the supervisor is documented rather than reconstructed under pressure.

IBM Newsroom

Ed Zitron argues hyperscaler AI revenue is structurally circular and that vendor financial sustainability now belongs in due diligence. Skeptic

Signal: In a 6 May 2026 essay Ed Zitron uses public-company filings to argue that the $800–900 billion of 2026 hyperscaler AI infrastructure spend rests on a circular flow — the hyperscalers fund OpenAI and Anthropic, who then return the capital as cloud customers — and that Microsoft's roughly $37 billion AI revenue run rate is around 71% dependent on OpenAI, a counterparty without operating profitability. The piece argues that absent a durable end-customer revenue base, the AI-vendor financing chain depends on continued investor capital, not on production cash flow.

Relevance: Whatever weight the reader gives the broader thesis, "is our AI vendor's revenue line dependent on its own equity holders" is now a question Procurement and Treasury can be expected to answer at the next AI vendor renewal — and the answer materially changes how the bank should price multi-year commitments to AI inference capacity. Banking-supplier financial sustainability is already a DORA third-party-risk consideration; circular financing makes that test more visible.

Consider: Ask Treasury and Strategic Sourcing to add hyperscaler and AI-vendor financial sustainability to the standard third-party-risk file ahead of the next inference-capacity renewal, and to include in board reporting the share of bank AI spend exposed to counterparties whose revenue depends on a small set of named other counterparties.

Ed Zitron (publication date unverified)

Innovation

Temenos embeds AI agents and copilots across core banking and financial-crime software at TCF 2026. Vendor

Signal: At Temenos Community Forum 2026 on 7 May, Temenos launched native AI agents and copilots across its Core Banking, Digital Banking and Financial Crime Mitigation suites — removing the need for third-party middleware on banks already running Temenos — and added Conversational Studio for end-to-end natural-language design of digital banking journeys. Temenos reports a tier-one bank now automating 20%+ of sanctions alerts with the new financial-crime AI.

Relevance: For banks on the Temenos stack the agentic capability question is no longer "build, buy or wait" but "switch on with the existing vendor, on the existing contract"; for banks not on Temenos it tightens the time window in which an in-house agentic capability has to demonstrate parity with an embedded vendor option that competitors already have access to.

Consider: Ask the core-banking architecture lead whether the bank's current core platform vendor offers an equivalent native agent and copilot set, and what the integration delta is if so — the answer changes the build-versus-vendor case for at least the financial-crime and sanctions-screening work in flight.

Temenos

Research

McKinsey, BCG and Deloitte independently reach the same Q1 2026 conclusion: broad AI adoption, almost no value capture. Advisory

Signal: In Q1 2026 McKinsey (10,000+ executives), BCG (global C-level study) and Deloitte (3,235 leaders across 24 countries, financial services included) independently arrived at the same diagnosis — broad AI deployment, almost no business-model transformation: McKinsey says most organisations show no meaningful bottom-line AI impact; BCG reports only 5% achieve substantial financial gains and attributes 70% of AI value to people rather than technology; Deloitte finds only 34% are reimagining their business models and only one in five has mature governance for autonomous agents. Today's Fortune column from Drew Cukor (Pentagon Project Maven founder, former JPMorgan AI transformation head) and a parallel Gartner survey of 350 large enterprises reporting 80% have announced AI-related workforce cuts with no measured ROI correlation land on the same diagnosis from the operating-model side.

Relevance: When three independent methodologies converge on the same conclusion in the same quarter, that is a stronger signal than any single report — it makes the AI value-realisation gap a baseline assumption rather than a contested claim, and it specifically identifies the human and governance dimension (not the technology dimension) as where value is being lost. For a bank whose AI transformation is structured primarily as a technology programme, this is the evidence base that the structure itself is the constraint.

Consider: Ask the managing board to commission a 90-day chapter-led AI-transformation diagnostic benchmarking the bank against BCG's 5% substantial-gains threshold and Deloitte's 34% business-model-reimagination threshold — and to confirm explicitly which executive owns the people-and-governance leg of the programme, not only the technology leg.

McKinsey: The State of Organizations | Fortune: Drew Cukor on Pentagon-AI lessons | Fortune: Gartner on AI layoffs

On the radar

  • BBVA joined OpenAI's new enterprise-deployment company DeployCo as a founding partner and shareholder, alongside 18 firms with $4B in combined commitments. BBVA
  • OpenAI's share of AI use cases across the world's top 50 banks fell from roughly 50% to 33% in a year, with Claude and Gemini gaining ground as banks push suppliers to embed engineers rather than sell API access. Computer Weekly (publication date unverified)
  • Braintrust, an $800M AI evaluation platform, disclosed a cloud breach exposing customer API keys for OpenAI, Anthropic and major cloud AI models and asked every customer to rotate credentials. TechCrunch (publication date unverified)
  • Seven European tech CEOs (ASML, Airbus, Ericsson, Mistral, Nokia, SAP, Siemens) jointly called on the Commission to simplify the AI Act in a Handelsblatt op-ed, two weeks before the 27 May Tech Sovereignty Package. Resultsense
  • IBM positioned watsonx Orchestrate at Think 2026 as a multi-vendor agent control plane (IBM, Anthropic, OpenAI or custom), with the new IBM Sovereign Core governance module reaching general availability. IBM Newsroom
