Liquibase has published an analysis warning that banks are focusing on AI security on models and applications while leaving databases exposed. It argues that databases have become the primary risk for autonomous AI-driven attacks in financial institutions.
The analysis outlines a new class of AI-enabled threat, described as "Mythos-class", that can scan enterprise systems, identify weaknesses across multiple layers and exploit them without direct human intervention. This, it argues, compresses the time between discovering a vulnerability and launching a working attack, especially in complex banking environments where legacy systems sit alongside newer digital tools.
At the centre of the argument is the claim that many governance frameworks used by banks were designed for human-led processes and do not extend far enough into the systems where final records are stored. According to Liquibase, the gap emerges after an AI system or software application has taken an action, when that action is written into a database and becomes part of the organisation's system of record.
This shifts attention away from headline concerns about model behaviour and towards a more prosaic but consequential layer of enterprise technology. Databases hold customer records, transaction histories, internal reconciliations, pricing data and risk information. Changes to those records can be difficult to detect if they resemble legitimate activity.
Ryan McCurdy, Vice President at Liquibase, said banks were making a fundamental error in their approach to AI oversight.
"Financial institutions are entering a phase of AI adoption under a dangerous assumption: that governance frameworks built for human-driven systems can be extended to autonomous agents. That assumption is now demonstrably false. The critical miscalculation is governance that ends too early," McCurdy said.
The analysis argues that the most significant danger is not limited to data theft. Instead, it highlights what it calls "silent state corruption", where schema changes, data updates or transaction alterations appear valid in logs or workflows but gradually undermine ledgers, customer data or risk models.
State corruption
In practice, this could include changed credit limits, amended reference data, altered pricing tables or modified risk settings that pass basic controls yet originate from compromised or ungoverned AI-driven processes. Such changes may not trigger alerts designed to spot a conventional breach because they can come through trusted applications or approved access paths rather than through an obvious external intrusion.
The analysis also warns that audit and forensic processes may struggle to keep pace if AI agents can manipulate both activity flows and logging trails. In regulated sectors such as banking, the issue quickly moves beyond incident response into compliance, because institutions must show who changed what, when and under which controls.
That raises concerns for frameworks including SOX, PCI DSS, SOC 2 and DORA, all of which depend on reliable evidence and traceability. If records of change cannot be independently verified, a bank may struggle to reconstruct events after an incident or demonstrate that controls were applied consistently.
Control gap
Liquibase argues that many banks remain heavily invested in model governance, API controls and application-layer security, while the database remains the least-governed layer in the stack. This imbalance, it says, leaves institutions vulnerable because the database is where AI-generated decisions are persisted, reconciled and checked against financial reality.
The analysis describes the database as the "final attack surface" in this threat model. In this framing, the database is no longer simply a storage layer but the endpoint where actions become durable and where the truth of a system can either be verified or corrupted.
Financial institutions may be particularly exposed because they operate highly interconnected systems, often with legacy infrastructure and strict audit requirements. Those factors can create a broader attack surface while increasing the operational and regulatory cost of any error or unauthorised change.
Liquibase argues that institutions need to move governance "down the stack" and enforce controls before database changes are executed rather than relying on retrospective review. It says changes should be policy-bound, independently validated and cryptographically traceable so they cannot be altered or disputed after the event.
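The "policy-bound, independently validated and cryptographically traceable" change control described above, as an added example (not Liquibase's code or from the analysis): a Python gate that checks a proposed database change against a constructed approval policy before it runs, records it in a SHA-256 hash-chained ledger, and detects after-the-fact edits to that ledger. The table names, approval thresholds and the "agent-7" identity are constructed for the demo.

```python
import hashlib, json, sqlite3

# Constructed policy (hypothetical): distinct approvals required per table.
POLICY = {"credit_limits": 2, "reference_data": 1}
GENESIS = "0" * 64

def _digest(prev_hash, change):
    return hashlib.sha256((prev_hash + json.dumps(change, sort_keys=True)).encode()).hexdigest()

def check_policy(change):
    """Return the reason a change is refused, or None if it may run."""
    needed = POLICY.get(change["table"])
    if needed is None:
        return "table not covered by policy"          # unlisted tables are refused, not allowed
    if change["sql"].upper().lstrip().startswith(("DROP ", "TRUNCATE ")):
        return "destructive statement refused"
    if len(set(change["approvals"])) < needed:
        return f"needs {needed} distinct approvals"
    return None

def apply_change(conn, ledger, change):
    """Gate in the order the text argues for: policy check, ledger entry, then execution."""
    reason = check_policy(change)
    if reason:
        return False, reason
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"change": change, "prev": prev, "hash": _digest(prev, change)})
    conn.execute(change["sql"])
    return True, "applied"

def verify_ledger(ledger):
    """Recompute the chain; editing any entry breaks its hash and every later link."""
    prev = GENESIS
    for entry in ledger:
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["change"]):
            return False
        prev = entry["hash"]
    return True

def run_demo():
    # Constructed scenario: one approved change, one ungoverned agent change, one tampered record.
    conn, ledger = sqlite3.connect(":memory:"), []
    conn.execute("CREATE TABLE credit_limits (customer TEXT, amount INTEGER)")
    good = {"table": "credit_limits", "sql": "INSERT INTO credit_limits VALUES ('c1', 5000)",
            "author": "alice", "approvals": ["bob", "carol"]}
    agent = {"table": "credit_limits", "sql": "UPDATE credit_limits SET amount = 999999",
             "author": "agent-7", "approvals": []}
    first, second = apply_change(conn, ledger, good), apply_change(conn, ledger, agent)
    amount, intact = conn.execute("SELECT amount FROM credit_limits").fetchone()[0], verify_ledger(ledger)
    ledger[0]["change"]["sql"] = agent["sql"]   # simulate an after-the-fact edit of the record
    return first, second, amount, intact, verify_ledger(ledger)
```

The agent's change is refused before any SQL executes, so the stored credit limit stays at 5000, and the edited ledger entry fails verification because its hash no longer matches its content.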
Wider debate
The warning adds to a broader discussion in financial services about how AI is changing cyber risk. Much of the public debate has centred on chatbot misuse, model errors and data leakage in front-end tools, but suppliers and security teams are increasingly focused on what happens when autonomous software interacts directly with operational systems.
That includes the possibility that machine-led attacks will exploit weaknesses across the application, infrastructure, and data layers faster than current governance processes can respond. In such a scenario, a manual ticket, a script or a delayed review may offer little protection if the underlying records have already been changed.
Liquibase is using the analysis to argue for stronger database change controls in banks and other regulated sectors.
"If governance does not reach the database, then control does not exist," McCurdy said.