David Cass Addresses Agentic AI Third-Party Risk and Governance Gaps in Financial Services at RSAC Conference 2026
GovInfoSecurity, published by ISMG, has released a video interview with David Cass — CISO at Keyrock, President of CISOs Connect, and adjunct faculty at Harvard Extension School — recorded at RSAC Conference 2026. In the interview, Cass examines the growing challenge CISOs face in managing third-party risk as agentic AI systems become more deeply embedded in financial services operations (Source).
Cass argues that AI governance must function as a live, ongoing discipline rather than a static compliance checkbox, and that financial institutions cannot afford to treat agentic AI vendors through the lens of traditional third-party risk frameworks alone. He urges organizations to inventory the third-party embedded AI systems and shared libraries in their environment, and to apply attribute-based access controls that limit the blast radius of any single compromise (Source).
With formal regulatory guidance still lagging behind the pace of AI adoption, Cass contends that longstanding "safety and soundness" principles drawn from financial regulation offer a practical framework for filling those gaps — providing CISOs and risk leaders with a foundation for accountability where specific AI rules do not yet exist (Source).