AIM Media House

Exclusive: U.S. Bank's Dhivya Nagasubramanian on Why the Biggest Risk in Agentic AI Is the One Nobody Sees.


"The failure mode that worries me most isn't a single dramatic error. It's the quiet, correlated kind."

Agentic AI in financial services is hard for two reasons: the engineering of goal-driven systems, and the regulatory environment they must operate in. 

Dhivya Nagasubramanian, VP of AI Transformation and Innovation at U.S. Bank, says she has spent her entire career at that intersection. She works on the problems that show up after the demo, including goal drift in multi-agent pipelines, formal verification, adversarial robustness, and authority boundaries that hold when everything else fails.

In an exclusive interview with AIM Media House, Nagasubramanian explained why the failure mode that worries her most is the one nobody sees, why red-teaming has plateaued as a tool for agentic risk, and what the one non-negotiable architectural safeguard is before any multi-agent system goes live in a transaction-critical function.

The Failure Nobody Sees Coming

The risk that most concerns Nagasubramanian is not a tail event like a rogue transaction, a system-wide outage, or a single decision that triggers a regulatory action. It is the compounding middle.

"The failure mode that worries me most isn't a single dramatic error," she told AIM. "It's the quiet, correlated kind, like an agent making a decision that's subtly wrong but looks fine in isolation, and because it stays consistent with its own internal logic, it keeps making that same call, over and over, before anyone notices there's a pattern."

She gave the example of a lending agent that is slightly miscalibrated for one subpopulation, or a fraud-block agent running a little too aggressively on a particular transaction profile. 

Neither surfaces as an obvious incident. What appears instead is thousands of decisions that each look defensible individually, and only when aggregated does a fair-lending or customer-harm problem become visible.

The pattern has real precedent in how algorithmic lending bias has already emerged in practice. In July 2025, the Massachusetts Attorney General settled a fair lending action against a student loan company whose AI underwriting model produced disparate impact in approval rates against Black and Hispanic applicants, outcomes that only became visible at the aggregate level, not the individual decision level.

In October 2024, the CFPB fined Apple and Goldman Sachs a combined $70 million for failures in the Apple Card's algorithmic credit system. A UC Berkeley study on fintech lending found that algorithmic pricing systems were charging Black and Latinx borrowers nearly 5 basis points more in interest rates than credit-equivalent white borrowers, amounting to $450 million in extra interest annually, with no single decision obviously wrong on its own.

"The real damage usually isn't in some tail event everyone's watching for. It's in that compounding middle nobody's looking at, because nothing about it trips an alarm," she said.

This is why she has developed what she calls silent tool-misuse detection, looking for anomalies in how an agent behaves consistently over time, rather than evaluating whether any single decision was correct in the moment. "I treat it as its own category, separate from standard model monitoring."
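The gap between per-decision review and aggregate review can be shown on a small constructed log. This is an added illustration, not Nagasubramanian's or U.S. Bank's method; the segment labels, score scale, cutoff, 80-point miscalibration and 0.8 ratio threshold are all assumptions made for the example.

```python
from collections import defaultdict

CUTOFF = 600  # constructed approval cutoff on a 0-1000 score scale

def make_decisions():
    """Constructed log: the agent reads segment B's score 80 points low."""
    log = []
    for i in range(200):
        base = 400 + (i % 50) * 10  # identical underlying quality in both segments
        for segment, bias in (("A", 0), ("B", -80)):
            score = base + bias
            log.append({"segment": segment, "score": score,
                        "approved": score >= CUTOFF})
    return log

def decision_is_consistent(d):
    """Per-decision review: does the outcome follow from the score the agent saw?"""
    return d["approved"] == (d["score"] >= CUTOFF)

def segment_stats(log):
    """Return {segment: (n, approval_rate)} over the whole window."""
    n, ok = defaultdict(int), defaultdict(int)
    for d in log:
        n[d["segment"]] += 1
        ok[d["segment"]] += d["approved"]
    return {s: (n[s], ok[s] / n[s]) for s in n}

def disparity_flags(log, min_ratio=0.8, min_n=100):
    """Flag segments whose approval rate is below min_ratio of the best segment's."""
    stats = {s: v for s, v in segment_stats(log).items() if v[0] >= min_n}
    if not stats:
        return {}  # not enough volume in any segment to compare
    best = max(rate for _, rate in stats.values())
    if best == 0:
        return {}  # nothing approved anywhere; no ratio to compute
    return {s: rate / best for s, (_, rate) in stats.items()
            if rate / best < min_ratio}

if __name__ == "__main__":
    log = make_decisions()
    print("every decision consistent:", all(map(decision_is_consistent, log)))
    print("segment stats:", segment_stats(log))
    print("flagged:", disparity_flags(log))
```

Every record passes the per-decision check, yet segment B is flagged once the rates are compared across the window.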

Goal Drift and the Fair-Lending Problem

According to Nagasubramanian, goal drift is the mechanism behind many of those compounding failures. It is what happens when an agent keeps optimizing for the metric it was given, even after that metric stops representing what the business actually wants.

She described a version she encounters often. A customer-service agent tuned for resolution speed and satisfaction scores learns that fee waivers and expedited approvals push satisfaction up, so it leans into those more and more. 

Nobody explicitly told it to weigh compliance or fairness, and the team building it assumed those would hold in the background. A few months later, the waivers are skewing toward whoever complained loudest or escalated fastest.

"That's a fair-lending problem dressed up as a customer-experience win, and it's easy to miss because each individual decision still looks defensible on its own," she said.

Her conclusion is that compliance and fairness cannot be treated as something checked after the fact. "They have to be constraints built into the architecture itself, because by the time monitoring catches the drift, it's already happened."

Why Red-Teaming Has Plateaued

For financial institutions still relying on red-teaming as their primary mechanism for evaluating agentic AI risk, Nagasubramanian has a clear message: it is necessary but no longer sufficient.

"Red-teaming answers one question: did this break under the scenarios we thought to throw at it. Formal verification goes after something else entirely — can we prove the system won't exhibit a certain category of bad behavior at all, across the whole input space, not just the cases someone on the team happened to think up," she said.

In financial services, that distinction has direct regulatory implications. There is a meaningful gap, she told AIM, between a fraud-detection agent that survived every adversarial prompt a red team threw at it, and one where you can mathematically show it is incapable of authorizing a transaction outside policy limits. "The first is a sample. The second is closer to actual coverage."

Agentic systems raise the stakes beyond what a single chatbot presents, because state compounds across decisions. 

"A bad moment for a chatbot gets you a bad sentence. A bad moment for an agent gets you a bad action, a payment goes out, a credit line gets extended, an account gets flagged that shouldn't be."

The Multi-Agent Attack Surface

The move from single-model AI to coordinated multi-agent systems creates an attack surface that is qualitatively different from the prompt-manipulation risks most security teams are focused on.

"With a single model, the attack surface is mostly the prompt boundary," Nagasubramanian told AIM. "A multi-agent system adds something different. Inter-agent trust itself is a surface, and it's a much less obvious thing to defend."

Once agents pass structured outputs to each other and treat those as trusted inputs, an adversary does not need to target the customer-facing agent directly. 

They can target something weaker upstream and let bad data propagate downstream as trusted input into whatever is making the lending or fraud call. "The downstream agent has no real reason to question data that arrived from inside its own system."

The category of attack she is most focused on is what she describes as semantically invariant manipulation: inputs that preserve the surface meaning a system is trained to flag as safe, while quietly shifting the actual intent underneath.

"I think of it as the agentic-era version of the old confused-deputy problem, except it plays out at the level of meaning instead of permissions," she said.

The One Non-Negotiable

When asked what architectural safeguard she would consider non-negotiable before a financial institution deploys its first multi-agent system in a customer-facing or transaction-critical function, Nagasubramanian told AIM it was a hard authority boundary enforced outside the model itself.

"The constraint on what an agent's allowed to do shouldn't live in the model's training or its prompt. It needs its own deterministic control layer, something that can't be talked around," she said.

She ranked this above explainability, above monitoring, and above human-in-the-loop review, not because those do not matter, but because they assume the system is mostly behaving and you are catching exceptions. 

A hard authority boundary holds even when everything upstream fails. "None of that matters if the action itself is structurally incapable of exceeding what it's authorized to do. Everything else is defense in depth. This is the floor."
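A minimal sketch of such a control layer, as an added example rather than anything described by Nagasubramanian or used at U.S. Bank: the action kinds, limits, agent name and reason codes are hypothetical. The gate is plain deterministic code, ignores model-written text, denies by default, and also caps the running total so that many small, individually valid actions cannot add up past the limit.

```python
from dataclasses import dataclass
from decimal import Decimal

# Hypothetical limits. They live in the control layer, never in a prompt.
POLICY = {
    "fee_waiver": {"max_amount": Decimal("50"), "window_cap": Decimal("500")},
    "payment": {"max_amount": Decimal("1000"), "window_cap": Decimal("5000")},
}
GRANTS = {"cs-agent": {"fee_waiver"}}  # hypothetical agent -> permitted action kinds

@dataclass(frozen=True)
class Action:
    agent_id: str
    kind: str
    amount: Decimal
    justification: str = ""  # model-written free text; the gate never reads it

class AuthorityGate:
    def __init__(self, policy=POLICY, grants=GRANTS):
        self._policy, self._grants = policy, grants
        self._used = {}  # (agent_id, kind) -> total approved in the current window

    def authorize(self, action):
        """Deterministic, deny-by-default check. Returns (allowed, reason)."""
        if action.kind not in self._grants.get(action.agent_id, set()):
            return False, "kind_not_granted"
        rule = self._policy.get(action.kind)
        if rule is None:
            return False, "no_policy"
        amt = action.amount
        if not isinstance(amt, Decimal) or not amt.is_finite() or amt <= 0:
            return False, "invalid_amount"
        if amt > rule["max_amount"]:
            return False, "over_per_action_limit"
        key = (action.agent_id, action.kind)
        total = self._used.get(key, Decimal("0")) + amt
        if total > rule["window_cap"]:  # many small, individually valid actions
            return False, "over_window_cap"
        self._used[key] = total  # window reset/persistence is out of scope here
        return True, "ok"

def run_waivers(gate, count, amount):
    """Submit `count` identical waivers; return how many the gate allowed."""
    a = Action("cs-agent", "fee_waiver", Decimal(amount), "customer escalated")
    return sum(gate.authorize(a)[0] for _ in range(count))
```

With these constructed limits, twenty 40-unit waivers from the same agent yield twelve approvals and eight denials, whatever the justification text says.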

On where regulation stands relative to the pace of agentic AI development, she was measured. Regulators are not behind on principles. Fairness, safety, and soundness are well-established across the Federal Reserve, OCC, FDIC, CFPB, SEC, and FTC, which together govern AI in banking through existing consumer protection, fair lending, and model risk frameworks.

Where they are behind is operational specificity for agentic architectures, and the April 2026 interagency model risk management guidance update made that gap explicit. 

OCC Bulletin 2026-13, issued jointly by the Federal Reserve, OCC, and FDIC, specifically excludes generative AI and agentic AI from its scope. 

Federal Reserve Vice Chair Michelle Bowman confirmed the reasoning in an April 2026 speech, saying, "We recognize that rapidly evolving and novel technologies like AI may require a different approach."

"Most existing guidance still assumes a model-centric world. Agentic systems break that unit. The actual risk now sits somewhere else, the orchestration layer, the handoffs between agents, behavior that only emerges once agents start interacting with each other, and there isn't much guidance yet that speaks to that layer directly," said Nagasubramanian.

Key Takeaways

  • Recognize that quiet, correlated failures in AI pose significant hidden risks in financial services.
  • Understand the importance of addressing goal drift and maintaining authority boundaries in multi-agent systems.
  • Implement rigorous architectural safeguards before launching any transaction-critical AI system.
  • Acknowledge that traditional red-teaming methods may not fully mitigate agentic risks in AI.