Cyber security has long been built on assumptions about trust, verification and who or what is allowed to act inside a system. According to Jason Donnan, Security Manager at Apex Fintech Solutions, many of those assumptions are no longer safe.
Drawing on experience across both the health service and FinTech sectors where cyber failure can have consequences far beyond financial loss Jason believes some of today’s most serious risks remain absent from mainstream risk registers. Not because they are obscure, but because they challenge longstanding mental models of security itself.
At the centre of that shift sits a deceptively simple concept: identity.
Most organisations still frame identity risk narrowly, focusing on credential theft, weak multifactor authentication or privileged access abuse. While these remain real and prevalent threats, Jason argues they represent only the visible surface of a far deeper problem.
READ MORE: The Human Touch: How One Fintech Firm is Keeping Engineers at the Centre of The AI Revolution
“The more fundamental issue is that identity itself, our ability to reliably establish who or what is acting in a system, is becoming unreliable,” he says.
This breakdown is happening on multiple fronts simultaneously. At the human layer, deepfake audio and video have moved rapidly from theoretical concern to practical fraud vector. Voice calls and visual confirmation, once treated as inherently trustworthy, can now be convincingly replicated at scale and low cost.
“Our training and verification instincts were built in a world where hearing someone’s voice carried evidential weight,” Jason notes. “That assumption is now exploitable, and most organisational controls haven’t adapted.”
Beyond human users, the nonhuman layer presents an even larger and more poorly governed attack surface. Modern systems rely on service accounts, API keys, OAuth tokens and automation credentials often numbering many times more than human identities, yet subject to far less scrutiny.
“It’s a vast, poorly mapped exposure,” he says. “And it’s only growing.”
Agentic AI threatens to amplify the problem further. As organisations deploy AI systems capable of taking autonomous actions, they create an entirely new class of identity, one that most governance frameworks do not recognise at all.
Few organisations, Jason argues, have asked basic questions: what can an AI agent not do? Who is accountable if it behaves unexpectedly? How would compromise even be detected?
The deeper concern lies in how these issues are framed. Identity and access management, fraud, AI governance and thirdparty risk are typically treated as separate disciplines. In practice, they are converging on the same structural vulnerability.
“Identity has always been the loadbearing wall of access control,” Jason says. “Right now, it’s becoming unreliable across every layer of the stack at the same time.”
Until this is treated as a unified, systemic risk, it will remain underappreciated.
FinTech operates under some of the most demanding regulatory and operational resilience frameworks of any sector. Jason is clear that this has real value. Regulation has raised the minimum standard across the industry, forcing organisations to take resilience, incident response and thirdparty risk seriously.
However, regulatory maturity can also create false confidence.
“Regulation is necessarily retrospective,” he says. “It codifies risks we’ve already understood well enough to legislate.”
Many of the most dangerous AIrelated failure modes do not fit neatly into current frameworks. Model drift under adversarial pressure, emergent behaviour in multiagent systems, and the illusion of control created by documented-but-ineffective safeguards all sit largely outside regulatory scope.
The risk, Jason warns, is that compliance activity replaces genuine threat modelling. AI risk assessments become documentation exercises because regulators have not yet asked hard questions, precisely the gap adversaries are most likely to exploit.
Several blind spots are particularly concerning. There is no adequate regulatory model for nonhuman identity or autonomous agent behaviour within regulated processes. AI supplychain risk is significantly underaddressed, with thirdparty models and services operating inside regulated perimeters but outside meaningful organisational control. And the pace of AI development means the gap between regulation and reality is widening, not closing.
“Treat regulation as the floor, not the ceiling,” Jason advises. Boards should be briefed not only on compliance status, but on frontier risks that regulation has yet to reach.
“Mistaking compliance for security has always been dangerous,” he says. “In the context of AI, it could be catastrophic.”
Another longstanding assumption under pressure is patching as a primary defensive strategy. As AIenabled systems begin discovering and chaining vulnerabilities faster than human teams can respond, “keeping up with patching” alone is no longer viable.
“We need to reorient toward reducing exploitability, not just reducing exposure,” Jason explains.
That shift begins with aggressive attacksurface reduction. Systems that do not need to be externally reachable should not be exposed. Remediation SLAs for internetfacing assets must tighten, while patching should be automated where technologies are stable and risk is low.
Equally important is prioritisation. Moving away from generic severity scores toward exploitbased assessment allows teams to focus effort where it matters. Organisations also need more flexible change windows that reflect the reality of accelerating vulnerability cycles.
The end goal is a move from reactive vulnerability management to proactive exposure management, a mindset change that many organisations have yet to make.
AIdriven financial fraud is already scaling in ways that challenge traditional detection models. Attackers benefit from asymmetric economics: they can afford repeated failures so long as a single attempt succeeds.
While both attackers and defenders increasingly use similar AI tools, Jason highlights one important defensive advantage, contextual depth.
“External systems have to infer behaviour,” he says. “Internal systems know what ‘normal’ actually looks like.”
By training AI models on genuine customer behaviour, transaction patterns and historical anomalies, organisations can detect when interactions appear constructed rather than organic. This requires a shift from pattern detection toward reasoning detection.
Technical measures alone will not be enough. Adversarial testing, sound verification architecture and effective collaboration across institutions are essential.
“Threat actors share intelligence exceptionally well,” Jason notes. “Defenders need to do the same.”
Industry forums and informationsharing bodies such as FSISAC provide mechanisms for collective defence but remain underutilised. For Northern Ireland’s tightly connected financial and technology sectors, better collaboration could become a genuine strategic advantage.
For midsized FinTech firms without the scale or resources of larger institutions, Jason’s advice is uncompromisingly practical: map your assets and data first.
“You can’t protect what you don’t know.”
While most organisations have a reasonable grasp of human identity management, very few have equivalent visibility over nonhuman identities, service accounts, APIs, automated workflows and AI agents.
That mapping exercise quickly exposes the most significant control gaps. From there, measures such as attacksurface reduction, data classification and third and fourthparty risk monitoring become far more effective.
Despite the escalating threat landscape, Jason remains optimistic about the cyber security sector in Northern Ireland.
READ MORE: A day in the life – Hannah Fitzpatrick, Security Operations Analyst at Apex
At Apex Fintech Solutions, significant investment is made in upskilling across engineering teams, including graduate security roles. While technical foundations are expected, they are rarely the deciding factor.
Curiosity, structured problemsolving, calm judgement under pressure and a genuine commitment to continuous learning consistently outweigh specific tools or certifications. Candidates who ask questions, challenge assumptions and share knowledge thrive in a field where change is constant.
The future of cyber security, Jason makes clear, will not be defined by technology alone. It will be shaped by how people and organisations think about risk, trust and responsibility.
Read the Summer 2026 edition free online →
Stay connected with NI's tech community:
