All articles

Governance-First Preparation Is Making Agentic SOC Viable For Banking Security

The Security Digest - News Team
Published
July 15, 2026

Md. Abul Kalam Azad, CISO at Eastern Bank PLC, lays out how banks are building toward autonomous SOC by anchoring adoption in governance and integration.

Credit: The Security Digest

Make The Security Digest one of your go-to sources on Google

Add The Security Digest on Google

Once we can implement agentic SOC, it’s really game changing. It can detect lots of threats ahead of time, analyze the threat, and really reduce the false positives.

Md. Abul Kalam Azad

CISO

Md. Abul Kalam Azad

CISO
Eastern Bank PLC

Agentic AI is the cybersecurity industry's current obsession, built on the conceptual promise of autonomous systems that run detection, triage, and response with minimal human input. Vendors are pushing fully autonomous security operations architectures into the market, but many banking security leaders are moving cautiously. Under the regulatory guidelines governing modern financial services, the next few months for most large institutions are going toward defining use cases, evaluating integration paths, and drafting governance policies before any autonomous action layer touches the SOC.

Md. Abul Kalam Azad, CISO at Eastern Bank PLC, works inside the kind of regulated environment where the agentic SOC conversation is landing hardest. He brings over two decades in regulated financial services to that seat, along with top-tier risk credentials (CISSP, CISA, CISM, CRISC) and a GRC background that has produced peer-reviewed research on the specific governance questions the sector is now navigating. Azad frames the AI question around a discipline banks often skip: before a bank deploys AI, it has to define the exact problem the system is being deployed to solve.

"Once we can implement agentic SOC, it's really game changing. It can detect lots of threats ahead of time, analyze the threat, and really reduce the false positives," says Azad. From Azad's perspective, the game-changing potential doesn't translate into a purchasing decision. His framework treats AI readiness as an operating exercise that runs across several stages. It starts with defining the specific problem the system needs to solve and building use cases against it, moves through implementation testing and SOC team training, and lands on measuring outcomes and putting governance around ethical and practical AI use.

The autopilot SOC vision

Banking security leaders are running the agentic SOC evaluation with a specific leadership vision in mind, one where the SOC operates on autopilot and the analyst team gets pulled off the repetitive detection work. The appeal is straightforward on paper: an autonomous layer that handles the volume, learns from what it sees, and pushes updates back into the security stack without waiting on manual review. "From a leadership point of view, we expect that an agentic SOC will work in an automated, autopilot mode," Azad says. "It can automatically detect threats, learn by itself, improve detection capabilities, and reduce false positives. It will update signatures and push IOCs to defined security devices like firewalls, IDS, and IPS."

Eastern Bank is one of the institutions actively evaluating agentic tooling under that vision, and it is holding off on deployment for the next three to six months while the technical prerequisites get built out. Institutional risk appetite and scrutiny from domestic regulators shape how quickly banking security teams can move on autonomous response, and internal capability gaps inside the SOC combine with the deep work of modernizing legacy financial infrastructure to define the actual runway. Azad points to the integration layer specifically as the bottleneck banks underestimate most consistently. "We need to integrate the SIEM, SOAR, and all other solutions where logs originate to deploy the agent," Azad advises. "Deploying agents is quite difficult. It requires a lot of complexity, log normalization, and things of that nature, especially when dealing with legacy systems that lack compatible integrations."

Defining accuracy as the trust threshold

Trust in autonomous response only builds when the system's accuracy is demonstrable at a level regulated environments can defend. Azad works from a specific numerical threshold: 95% detection accuracy on the attacks the SOC actually sees, established through highly curated training datasets and detection frameworks mapped natively into the platform. The mathematical bar is deliberately high because the alternative is worse: an autonomous system operating below the confidence threshold produces the same compliance exposure a poorly documented manual process would, at faster speeds. "I specifically want to see that AI has at least 95% accuracy. Out of 100 attacks, it must detect 95 automatically," Azad notes. "When we see those results, our confidence will grow."

Reaching that threshold has direct consequences for how the SOC is staffed. High-volume triage work becomes the natural first workload for autonomous systems, and the practitioners doing that work move up the stack into reskilled supervisory roles focused on managing the automation itself. Azad is clear that the automation still needs an irreversible threshold of human oversight running above it, because the judgment layer above the detection layer is where the actual risk decisions get made. "Humans possess natural knowledge, skill, and common sense. Developing common sense in AI is still very difficult," Azad warns. "Humans have one type of capability, and AI has another. If you combine them properly, you get the best results."

A research-backed framework for readiness

Azad believes the trajectory pointing at the broader banking sector is a compressed six-to-twelve-month adoption window where AI deployment expands across cybersecurity, operational excellence, and customer service simultaneously. Institutions using that window to build governance frameworks and map their data pipelines will scale AI without hitting the friction that has stalled early enterprise deployments elsewhere. Institutions treating adoption as a procurement exercise will end up rebuilding the same integration and governance work under time pressure later.

The practical framework Azad points to for that preparation work comes from his own peer-reviewed IEEE research, which maps out how banks can evaluate AI readiness against specific institutional vulnerabilities and match deployment sequencing to the areas of highest operational return. "In our paper, we broadly identified areas where banks can deploy AI, including operations, customer service, credit scoring, fraud detection, and cybersecurity," Azad concludes. "For a short-term strategy, we identified some quick wins. For the long-term strategy, we identified the need to develop AI governance policies and ensure the ethical use of AI."