Mirela Ciobanu
07 Jul 2026 / 5 Min Read
Why must financial services move beyond today's identity foundations? Independent standards and solutions architect, Juliana Cafik, shares her blueprint for architecting trust in an autonomous future.
In the fast-evolving world of financial services, we stand at a pivotal moment. Markets move at unprecedented speeds, decisions cascade through complex ecosystems, and the promise of AI to drive efficiency, insight, and innovation has never been greater. Yet as leaders in this sector, we must ask ourselves a sincere question: are we building systems that will truly support the autonomous, high-velocity world ahead, or are we reinforcing foundations designed for a different era?
I write this not as someone with all the answers, but as a thoughtful observer examining the intersection of identity, security, and emerging technology. My goal is practical: to outline the challenge honestly, chart a forward path that solves real problems, and offer tactical steps institutions can explore today. This isn't abstract futurism. It's about creating durable trust that lets AI deliver value safely while protecting the stability our economies and customers depend on. My focus here is financial services, with its unique regulatory, risk, and systemic responsibilities, but the principles apply equally to healthcare, energy, telecommunications, and government.
Financial institutions have long excelled at managing identity and access. We verify customers, secure transactions, enforce compliance, and share signals across federated partners. These approaches served us well when humans were the primary actors logging in, approving transfers, and auditing records.
But the ground is shifting. AI agents, autonomous software entities that negotiate, execute, and coordinate, are moving from experimental tools to core operational components. In trading, risk modelling, fraud detection, and compliance monitoring, these agents will form transient meshes: spinning up for specific tasks, interacting at machine speed, and dissolving with minimal persistent artifacts. The high-velocity value creation will happen in these digital interactions, not in traditional human workflows.
This creates a profound mismatch. Our identity and access management systems were built assuming humans as the primary orchestrators, relying on heuristics, behavioural analysis, and after-the-fact review to establish ‘good enough’ trust. Sophisticated AI can mimic or overwhelm those patterns. The result is an expanding attack surface, where a single compromised credential can propagate rapidly across interconnected systems, with real costs: alert fatigue, escalating enterprise risk from every new non-human identity that lacks robust binding, and resources spent on detection tools while the foundational model stays vulnerable. In financial services, where trust is our currency, these gaps are unacceptable.
Many capable vendors are investing heavily in AI-enhanced identity and access management: better anomaly detection, adaptive authentication, smarter privilege management. This work is sincere and delivers value today. But it largely amounts to patching a model that was never designed for autonomous agents. AI excels at optimisation and pattern recognition; it is structurally limited when it comes to non-repudiation and deterministic proof. It produces confidence scores, not unbreakable chains of evidence.
We cannot keep treating security as a reactive bottleneck that AI must route around. Continuing with static identifiers and heuristics while hoping federated signals will suffice is like rowing harder in a rocking chair: significant effort, little forward progress. In core sectors, the stakes are amplified: a compromised agent in payments or risk infrastructure could cascade faster than human oversight can intervene, and regulatory expectations around resilience and auditability demand more than incrementalism. Left unaddressed, this shows up as compounding cost, in breach response, in regulatory exposure, in institutions that fall behind competitors building agent-native architecture from the start. We need a fundamental evolution, not another patch.
I believe the solution lies in redesigning how trust is established, evaluated, and maintained, not by adding AI to old frameworks, but by architecting around the realities of autonomous systems. I call this approach Kinetic Provenance: anchoring verified identity and intent in silicon at the edge, then generating a fresh, ephemeral cryptographic proof for every meaningful transaction.
Instead of presenting a static credential once and reusing it indefinitely, trust is re-earned dynamically, in motion. A hardware root, a secure chip in a device or server, provides the unforgeable foundation. Each interaction carries verifiable provenance: where it originated, under what conditions, with what authorisation. This creates a living chain of trust that persists across transient agent interactions without constant human intervention, and it strengthens rather than replaces the Zero Trust principles many institutions already follow by pushing the control plane closer to the edge, where the actions actually happen.
One refinement matters as this scales: wherever possible, the two parties to a transaction should be able to verify each other directly, against a shared standard, rather than routing every exchange through a central intermediary. A translating middleman still has a role for counterparties not yet equipped to verify directly, but it should be the fallback, not the default. Every unnecessary hop is a place where both speed and resilience quietly leak out, and removing that toll booth from the common path is measured in real, material time saved on every transaction.
A natural question follows: if these proofs are ephemeral by design, what happens to accountability after the fact? This is where the approach is more conservative than it first appears. Each party simply retains its own signed record of what was authorised; the proof itself can expire the moment it's used without erasing the evidence that it existed. For regulated institutions, that record folds directly into recordkeeping obligations we already carry under existing supervisory frameworks. This is not a new compliance infrastructure to build; it is existing infrastructure that this approach can plug directly into.
The payoff is transformative: security becomes the mechanism that lets AI operate at its native velocity without the system losing its balance. In financial services, this could mean safer algorithmic trading meshes, more resilient fraud networks, and automation that auditors verify through tamper-evident provenance rather than exhaustive logs, reducing our reliance on fallible heuristics while strengthening the accountability regulators and customers rightly demand. And it remains humble about the human role: we don't eliminate oversight, we make it more effective, freeing people to focus on exceptions, strategy, and judgment while agents handle routine, high-speed operations securely.
It's also worth watching an adjacent trend: the next generation of mobile network infrastructure is being designed to continuously verify that a connected device is genuine, as a background property of simply being online. That's a promising foundation to eventually build on, though it verifies that a device is real, not what a specific transaction authorises, so it complements this model rather than replacing the work still to be done at the transaction layer.
Practical progress begins with accessible, standards-based foundations that deliver immediate regulatory value while building toward deeper change.
I think we start by accelerating adoption of digital wallets and verifiable credentials, building on mature standards like ISO mDL (mobile Driver's License), which align closely with frameworks such as the EU Digital Wallet and PID (Person Identification Data), emphasising privacy-preserving, cryptographically backed presentation. In the US, aligning with NIST guidance, these support KYC requirements by enabling selective disclosure: sharing only the attributes needed, never full PII. Many institutions already explore this for customer onboarding; extending it to workforce and partner identities is a quick win in both usability and compliance.
From there, advance to standardised metadata claims: work being done in the OpenID Foundation, machine-readable evidence of identity-proofing strength, assurance level, and provenance that agents and systems can consume efficiently, minimising data sharing while still meeting audit needs. This bridges today's customer-facing tools with tomorrow's internal automation.
Ultimately, bind intent explicitly to every presentation request. At the start of any interaction, human or agentic, the requesting party states its purpose according to the institution's policy and governance rules, and that intent becomes intrinsic to the cryptographically backed presentation itself. Governance stops being an afterthought and becomes embedded in the exchange. Combined with edge hardware roots, this realises Kinetic Provenance in a phased, regulator-friendly way: tactical, built on existing standards, and low in disruption while addressing both immediate compliance and long-term autonomy.
Financial services cannot solve this alone. Our economies are too interconnected for that. Industry bodies should drive joint pilots, shared threat intelligence on agent-based risk, and contributions to standards emphasising edge-anchored provenance and runtime governance. No single institution or vendor holds the complete answer.
The future is autonomous, but it need not be uncertain. By anchoring trust in silicon, proving it dynamically, and embedding governance intrinsically, we can enable innovation without sacrificing stability. The ships are turning. The question is whether we help chart the course or simply adjust the sails on outdated vessels. I believe we can, and must, do better, and that the institutions that embrace this thoughtfully will not only manage risk more effectively but also unlock the full potential of AI to serve customers, markets, and society.
About author

Juliana Cafik is an independent standards and solutions architect and two-time tech founder with three decades of experience at the intersection of digital identity, telecom, and finance. She currently leads eKYC/mDL initiatives for the OpenID Foundation and is a member of the ENISA AHWG for digital wallet certification. A former Co-Chair of the DIACC Trust Framework Expert Committee (TFEC), member of the Microsoft identity standards team, and co-architect of the NIST NCCoE mDL project. Her expertise spans EMV, ISO 18013 (mdoc/mDL), ISO 27001, NIST SP 800-63, NIST SP 800-53, FAPI, PCI DSS, DORA, and Digital Wallets.
LinkedIn: www.linkedin.com/in/julianacafik
The Paypers is a global hub for market insights, real-time news, expert interviews, and in-depth analyses and resources across payments, fintech, and the digital economy. We deliver reports, webinars, and commentary on key topics, including regulation, real-time payments, cross-border payments and ecommerce, digital identity, payment innovation and infrastructure, Open Banking, Embedded Finance, crypto, fraud and financial crime prevention, and more – all developed in collaboration with industry experts and leaders.
Current themes
No part of this site can be reproduced without explicit permission of The Paypers (v2.7).
Privacy Policy / Cookie Statement
Copyright