An interview with Fergonn Fernandez

AI-enabled attackers are exposing just how slowly most financial institutions still move, even after years of investment in controls, governance, and cyber tooling. In this Serious Insights interview, NewRocket financial services expert Fergonn Fernandez explains why fragmented risk, security, IT, and operations functions cannot keep pace with machine-speed threats, and what it takes to build truly coordinated cyber resilience. Readers will learn why coordination across business, risk, security, IT, and AI matters more than any single tool, how to rethink static cyber risk models as continuously adapting systems tied to operational risk, and which 90-day actions CEOs and boards should prioritize to harden their institutions against AI-enabled attacks.
Top 3 Takeaways
- AI-enabled attacks are breaking financial firms’ human-speed controls, governance, and risk processes by operating at machine speed.
- True cyber resilience depends on ruthless prioritization and tight coordination across business, risk, security, IT, and AI rather than more tools, alerts, or committees.
- Static, siloed risk models must evolve into continuously learning systems tied to operational risk so institutions can observe, decide, and adapt faster than attackers.
The Fergonn Fernandez Interview
Financial firms already operate with heavy controls, governance, and risk committees. Why are those structures failing to keep pace with AI-enabled cyber threats?
While financial firms do operate with heavy controls, governance, and risk committees, they are all designed to operate at human speed. What we are seeing with AI-enabled threats is that they operate at machine speed, which condenses the timeline which firms have to respond.
This is breaking the model in two ways: threat prevention and risk management.
When the timeline between vulnerability discovery and exploitation is compressed from weeks to hours, the traditional threat prevention fails. The slower vulnerability patching operates, the more potential there is for bad actors to strike. This gap will continue to widen as AI increases both the velocity and sophistication of attacks.
In traditional risk management, which allows firms to identify the most pertinent threats and the most critical areas to protect, most rely on committees, staged approvals, periodic review cycles. This is slowed further by a complex risk, security, and IT management structure which works in silos. Their risk frameworks are static, backward-looking and struggle to adapt to continuously learning systems. Additionally, because the frameworks exist in isolation, it is very difficult to get a complete picture of a firm’s risk or enterprise-level insights, hampering their ability to make decisions.
You argue that coordination matters more than speed. What does a coordinated cyber response look like inside a bank or financial services firm?
Coordination is what enables speed. This is particularly true when discussing banks or financial services firms, which exist on a complex and interconnected infrastructure but have a well-established and often separated organizational hierarchy.
In the face of AI-enabled cyber threats, organizations need to be ruthless in their prioritization; this requires multiple coordinated steps where business, risk, security, IT, and AI operate as a single system, not separate functions. It requires laying business context over technical assets, enriching vulnerability severity, and asset criticality; pre-authorized actions based upon defined risk thresholds; it requires response orchestrated across systems, not handed manually over to IT from security.
The response model of detect, decide, and execute is still true, but the response must proceed at a much faster pace than organizations are accustomed to. They need to reduce friction between their divisions, reduce it in their processes, automate everything they can both through standard algorithmic automation and through AI.
Where do financial institutions most often confuse activity with readiness when responding to AI-driven attacks?
Most financial institutions will increase the governance, the oversight, and the number of security controls involved when facing a rising cyber security threat. This means more processes, more alerts, more scans, and more approvals.
This increases the noise that teams need to work through, results in more switching between tools, more meetings, and ultimately, more noise than signal.
Readiness is not about volume of activity. It is about how quickly and effectively an organization can act when something actually happens.
AI gives attackers speed, scale, and adaptability. Which of those poses the greatest challenge for firms built around traditional risk management cycles?
Adaptability is what enables speed and scale.
AI-enabled attackers do not just execute faster; they adjust dynamically. They can chain vulnerabilities, alter tactics, and iterate continuously within a single campaign. That fundamentally conflicts with risk models designed around periodic assessment and static controls.
Traditional frameworks assume stability between review cycles. AI removes that stability.
How should financial leaders think about “shadow AI” differently from shadow IT? Is it mainly a compliance issue, a security issue, or an operating model issue?
Shadow IT was about unauthorized tools. Shadow AI is about unauthorized decisioning. These systems process data, generate outputs, and increasingly influence or execute actions without visibility or governance oversight.
It’s more than a security issue, or a control gap. When the speed of adoption outpaces the organization’s ability to govern AI, it reflects an operating model problem. Traditional governance focuses on slowing things down, being methodical in what is approved or not, and making sure all the right processes are followed. In an AI-paced world, governance needs to shift from roadblocks to guardrails enabling AI to move quickly and within clearly defined boundaries.
What are the signs that a financial institution’s cyber risk model is too static for the current threat environment?
Cyber risk models which are too static invariably have some, if not all, of the following features. They rely on periodic assessments, rather than continuous evaluation. They treat incidents as one-off events, and do not look for systemic exposure. AI risk is considered as a traditional risk, folded into traditional frameworks. There is confidence that the firm is safe, the visibility is complete, and the model does not need changing.
I want to also call out one of the biggest flaws in cyber risk models which needs to be closed. When a cyber risk model is not related to an operational risk model, and there is no feedback between the two. Cyber, IT, and operational risk are inseparable. Cyber and IT risk exists as the direct result of operational needs. When cyber or IT processes or assets are exposed, so are operations. The risk models should reflect that.
Many firms want faster decision-making, but financial services are built around controls and accountability. How can leaders accelerate response without undermining trust or governance?
Leading firms are not abandoning governance, but they are redesigning it. Much like I said earlier, governance should be about creating an environment where moving fast is empowered but guided with guardrails. This means rather than focusing on an approval-based process, instead create policy-driven execution. Define upfront what decisions can be made automatically and make sure that actions are traceable and auditable. Firms need to focus on removing latency while preserving accountability. This will enable controls that operate at the speed of threat.
You talk about designing systems that can absorb failure rather than simply prevent it. What does that mean in practice for cybersecurity architecture, incident response, and business continuity?
Designing systems to absorb failure accepts reality: failure is inevitable. This shifts the mindset to resilience, instead of pure prevention.
Cyber resilience frameworks increasingly emphasise the ability to predict, withstand, recover, and adapt rather than prevent every incident. In practice, this means architectures that can isolate and contain compromise, response models that trigger automatically, and continuity plans that prioritize maintaining critical services under duress.
This requires a more proactive approach to architecture, response, and recovery which are designed around continuity, not just defense. It also links risk management, where potential adverse events are identified, their likelihood and impact are measured, into traditional cybersecurity design, which reinforces the need for organizations to coordinate for speed. When a firm assesses what could go wrong, how it could go wrong, the likelihood and impact of it, it further supports the cybersecurity focus on the most likely negative outcomes, improving prioritization.
Where does ServiceNow fit into this conversation? Is the opportunity mostly workflow automation, operational visibility, threat intelligence integration, or executive decision support?
The real challenge organizations face is fragmentation. In this conversation, ServiceNow’s advantage is to act as the coordination layer across risk, security, IT, and operations, connecting insight to action at enterprise scale. This is often through the operationalization of processes that either existed in spreadsheets or disparate tools. It also involves the integration of data, such as from threat intelligence tools, which results in operational visibility, enabling better executive insights that support decision-making at scale.
If a bank CEO or board member asked what they should do in the next 90 days to improve resilience against AI-enabled attackers, what would you tell them to examine first?
The most important role a CEO or board member can play in resilience is sponsorship. Without it, transformation fails. I would recommend they delegate fact-finding efforts to improve resilience, then actively support the transformation to get there. However, that is likely to take longer than 90 days.
More tactically, I would recommend three short-term priorities to materially improve resilience:
First, understand where AI is already being used across the organization. Most firms have significant blind spots in this area.
Second, look into open vulnerabilities – this is one area you can focus on to help close potential exploitation. Are they tied to business context so they can be effectively prioritized? Are the vulnerabilities on your most exposed and most critical assets being closed quickly enough? How can roadblocks be removed to increase velocity from detection to remediation?
Third, test whether the organization can operate as a coordinated system under stress. Many cannot. This will expose weaknesses that can be worked on longer term, and strategically.
We are in an AI arms race. What controls need to be in place to ensure that the “good” AI protecting a firm from malicious AI is up to the task, and will it really ever be for very long?
There is no stable advantage in the current environment. What is good today is not guaranteed to be good tomorrow, and organizations need to rally around a world which now changes at machine-speed.
AI reduces the cost, time, and skill required to execute sophisticated attacks, accelerating the overall threat landscape. Defensive AI will improve, but so will offensive capability.
There are no static controls that will remain relevant for long in an AI-enabled world. The differentiator is not having stronger tools in isolation. It is having a system that can observe, decide, and adapt faster than the threat evolves. It is having an organization which is agile, proactive, and coordinated, that works in harmony, not in silos, and where operations, technology, and cyber are all functioning in an orchestrated manner.
In an AI arms race, resilience, not dominance, is the strategic objective.
About Fergonn Fernandez,
financial services expert, NewRocket

Fergonn Fernandez is a financial services expert for NewRocket, an elite ServiceNow partner. He is a trusted advisor and strategic partner to Canada’s leading Banking, Financial Services, and Insurance (BFSI) organizations. Fergonn brings a deep understanding of the Canadian financial services landscape, regulatory environment, and emerging trends, including AI, automation, and cloud. He focuses on helping clients accelerate growth, modernize operations, and deliver exceptional value to their customers.
The cover image is AI-generated from the author’s prompt and Fergonn’s source photos.