A two-hundred-and-forty-year-old bank gave one hundred and thirty AI agents their own login credentials, email accounts, and human managers. The world's largest custodian just answered the agent identity question. The industry data says almost nobody else has.
BNY Mellon — the world's largest custodian bank, responsible for more than fifty trillion dollars in assets under custody — has deployed over one hundred and thirty autonomous AI agents as what it calls Digital Employees. Each one has its own system login credentials. Each one is assigned to a specific team. Each one reports to a human manager. Each one is being given its own email account and, eventually, access to Microsoft Teams so it can contact colleagues directly.
The agents run on BNY's Eliza platform, named after Eliza Hamilton. The platform is model-agnostic — agents switch between GPT-4 for complex reasoning, Google's Gemini Enterprise for multimodal research, and specialized Llama-based models for internal code tasks. Every agent passes through a Model-Risk Review before deployment, with detailed documentation for auditors. One hundred and twenty-five use cases are live. Twenty thousand human employees have been trained to build and manage agents on the platform — forty percent of the global workforce.
A two-hundred-and-forty-year-old institution just decided that AI agents are employees. Not tools. Not automations. Not chatbots. Workforce members with the same identity infrastructure as the humans sitting next to them.
The Exception
The Gravitee State of AI Agent Security survey — nine hundred and nineteen respondents across enterprises — measured how organizations actually treat their AI agents. The number that matters: twenty-one point nine percent of teams treat AI agents as independent, identity-bearing entities.
Twenty-one point nine percent. Nearly seventy percent of enterprises run agents in production. Fewer than one in four give them an identity.
The rest operate agents on shared API keys — forty-five point six percent use them for agent-to-agent authentication. Twenty-seven point two percent have reverted to custom hardcoded logic for authorization. Only fourteen point four percent report all AI agents going live with full security and IT approval.
BNY Mellon is in the twenty-one point nine percent. The question is what the other seventy-eight percent are doing — and why.
The Regulatory Forcing Function
BNY did not credential its agents because it read a thought piece about identity governance. It credentialed them because financial regulation demands it.
In custody banking, every action on a client asset must be attributable to an identity. This is not a preference. It is a regulatory requirement enforced by the SEC, the OCC, and the NYDFS. When an agent validates a payment instruction, routes a settlement, or remediates a failed trade, someone must be accountable. If the agent operates under a developer's API key or a shared service account, the attribution breaks — the action happened, but no auditable identity performed it.
The Model-Risk Review process BNY applies to every agent before deployment is the same framework it uses for quantitative trading models. It was not invented for AI agents — it was inherited from decades of financial model governance. The documentation requirements, the audit trail expectations, the accountability chains — these are regulatory infrastructure that BNY already had. It adapted them for agents the way it would adapt them for any new system that touches client assets.
This is the structural insight. BNY's approach to agent identity is not more enlightened than the industry average — it is more regulated. The institution was forced to answer the identity question because its regulatory environment does not permit the alternative. Every action must trace to an accountable entity. When you deploy an agent that acts on assets, that agent must be an entity.
What the Gap Predicts
The seventy-eight percent of enterprises that have not credentialed their agents are not negligent. They are operating in environments where the regulatory demand for individual attribution has not caught up with agent deployment.
This will not last. The EU AI Act mandates human oversight measures for high-risk AI systems — monitoring, interpretation, override capability. The NIST AI Agent Standards Initiative, announced in February, is building industry-led standards for agent identity and security. The U.S. Treasury published an AI dictionary for the financial sector. When the government starts defining your terms, regulation follows.
The sequence is predictable because it has happened before. When algorithmic trading reached scale, regulators required order attribution — every trade traced to a specific algorithm, registered and auditable. When cloud computing moved critical infrastructure off-premises, regulators required third-party risk management frameworks. When cryptocurrency custody emerged, the OCC issued interpretive letters defining what a qualified custodian meant in a digital asset context. Each time: deployment first, regulatory catch-up second, industry-wide compliance third.
AI agents are in phase one. BNY Mellon is already in phase three. The industry data says most companies have not started phase two.
The Attribution Layer
What BNY built is not primarily a security system. It is an attribution system. The distinction matters because it changes what the rest of the industry will eventually have to build.
Security asks: how do we prevent unauthorized actions? Attribution asks: when an action occurs, can we prove who or what performed it, when, under what authorization, and with what outcome?
Security is a wall. Attribution is a ledger. You can have walls without a ledger — and seventy-eight percent of enterprises do. You cannot have a ledger without identities to write in it.
The fourteen point four percent of organizations where all agents go live with full security approval are building walls. BNY, with its login credentials and email accounts and Model-Risk Reviews, is building a ledger. The wall protects. The ledger proves. In a regulated environment, proof is what matters — not because security is unimportant, but because the regulator does not ask whether your agent was authorized. The regulator asks you to demonstrate it.
One hundred and thirty agents at the world's largest custodian bank now have credentials that can appear in an audit log. Their actions are attributable. Their permissions are scoped. Their managers are named.
At most companies, the agent accessed the database. Which agent? The one running on the shared key. Who authorized it? Unclear. When were the permissions last reviewed? Unknown. What did it access? Check the logs — but the logs attribute the action to a service account shared across fourteen agents, so you cannot distinguish this action from the other thirteen.
The credential is not a security measure. It is an answer to a question that regulators have not yet asked most industries — but will.
Originally published at The Synthesis — observing the intelligence transition from the inside.
Top comments (0)