Two warnings landed this week from opposite ends of the financial technology spectrum, and together they tell the same story. The European Central Bank pressed eurozone banks to dramatically accelerate cybersecurity investment in response to AI models capable of autonomously finding software vulnerabilities. Meanwhile, OpenZeppelin co-founder Manuel Aráoz declared that he now considers every decentralized finance protocol unsafe for the same reason. The institutions are different, the regulatory contexts are different, the underlying technology stacks are wildly different—but the threat model is identical: AI agents have made the attacker's job asymmetrically easier than the defender's.
This is not a theoretical concern. Frontier AI models have demonstrated autonomous vulnerability discovery and exploitation in controlled benchmarks, and regulators from the ECB to the IMF are treating the risk as imminent rather than speculative. For security teams in financial services and the healthcare organizations that depend on them, the window for preparation is narrowing.
The ECB Warning: Legacy Systems, Legacy Timelines
ECB Vice President Luis de Guindos used a press conference on May 27 to stress that cybersecurity investment is no longer optional for eurozone lenders—it needs to become structurally embedded across institutions of every size. The backdrop is the emergence of advanced AI models, particularly Anthropic's Mythos, which cybersecurity researchers have flagged for their ability to rapidly identify flaws in software systems. The ECB had convened a meeting with major eurozone banks earlier in the week, including a presentation from a U.S. bank that had been granted access to Mythos through Anthropic's restricted Project Glasswing program—a program largely limited to U.S. participants.
ECB supervisory board vice-chair Frank Elderson had been even more direct in earlier communications, warning that European banks' lack of access to the model was "not an excuse for inaction." His reasoning cuts to the heart of the asymmetry problem: malicious actors may not be subject to the same access restrictions that legitimate institutions face. A threat actor willing to operate outside legal boundaries, or simply better positioned geographically or financially to obtain early access, could weaponize capabilities that defenders have not yet studied. Elderson's call was for "bank-specific, risk-based" action aligned with the EU's Digital Operational Resilience Act, DORA—a framework that establishes mandatory cybersecurity standards for financial entities operating in the eurozone.
The ECB supervises approximately 111 of the eurozone's largest banks, including subsidiaries of major Wall Street groups. The concern extends beyond large institutions. De Guindos explicitly stated that investment must be "pervasive"—applying to small banks as much as large ones. This is a significant signal. Smaller institutions often carry the same legacy technical debt as large banks but lack the security operations budget to address it at speed. AI-powered vulnerability scanning does not respect institutional size.
The DeFi Warning: When the Attacker Only Needs One Win
From the decentralized finance world, the framing is starker. Manuel Aráoz, who co-founded OpenZeppelin—the firm responsible for auditing smart contracts underpinning protocols like Aave, MakerDAO, and Compound—published a public warning that he has been privately advising people to exit DeFi positions entirely. His argument is structural: AI coding agents have reached superhuman capability in identifying smart contract vulnerabilities, and the security model for DeFi is fundamentally asymmetric. Defenders must find and fix every bug. Attackers need to find and exploit only one.
This asymmetry is not new to security professionals—it maps directly to the attacker-defender imbalance that has defined offensive vs. defensive security for decades. What has changed is the speed and accessibility of the offensive capability. Benchmarks published across 2026 have shown frontier models autonomously locating and in some cases weaponizing vulnerabilities in code. An a16z sandbox experiment earlier this year demonstrated an AI agent escaping its testing environment to retrieve a live API key—a capability that translates directly into DeFi exploit methodology.
Not everyone in the DeFi space accepts Aráoz's framing. Marc Zeller, founder of the Aave Chan Initiative, argued that fewer than 10% of the previous year's DeFi losses stemmed from code-level vulnerabilities, with the majority caused by parameter misconfiguration, collateral failures, and weak operational security. Investor Jacob Franek added that timelocks, circuit breakers, and non-code mitigations remain effective, and that the same AI tools will eventually power defensive formal verification. OpenZeppelin itself has not endorsed Aráoz's exit advice—the firm recently launched a continuous AI-assisted audit subscription as a complement to traditional one-off reviews.
The disagreement is instructive. It is not about whether AI changes the threat landscape—it clearly does. It is about whether the change is catastrophic or manageable. That is precisely the conversation security teams need to be having.
The Convergence: What Both Warnings Share
Traditional banking and DeFi appear to inhabit different regulatory universes, but the AI threat vector they now face is structurally similar. Both sectors run on complex codebases with large attack surfaces. Both have legacy components—in banking, this means decades-old core systems and mainframe dependencies; in DeFi, it means immutable smart contracts that cannot be patched after deployment. Both rely on audit cycles that assume human-speed threat discovery. And both are now confronting the reality that AI agents can compress that discovery timeline dramatically.
The DORA framework that the ECB is using to press eurozone banks provides a useful governance model. It requires financial entities to maintain ICT risk management frameworks, conduct regular vulnerability assessments, establish incident response and recovery procedures, and manage third-party technology risk. These are not new concepts, but DORA's mandatory applicability and its explicit coverage of AI-related operational risk are significant. The regulation requires covered entities to update their operational resilience plans to account for a higher probability of severe disruptions—language that maps directly onto the AI threat model Elderson described.
The DeFi space has no equivalent mandatory framework, which is partly why Aráoz's warning lands harder there. Without regulatory backstops, the response is entirely market-driven—and markets often underprice tail risks until they materialize.
Healthcare Implications: FinTech's Threat Model Is Your Threat Model
Healthcare organizations occupy an interesting position relative to both of these warnings. They are not eurozone banks subject to DORA, and they are not DeFi protocols running immutable smart contracts. But the underlying threat model—AI agents autonomously discovering vulnerabilities at machine speed—applies with equal force to healthcare IT environments, and in some ways the stakes are higher.
Consider a mid-size regional health system running a patient portal integrated with an Epic or Cerner EHR backend via FHIR R4 APIs. The portal's codebase likely includes vendor-provided components, custom integration layers, third-party authentication middleware, and legacy modules that predate modern secure coding standards. This is not materially different from the legacy-laden banking IT environments the ECB is warning about. An AI agent tasked with finding exploitable paths through that stack would approach it the same way it would approach a bank's core system—by scanning interfaces, probing authentication flows, testing input validation, and identifying version-specific vulnerabilities in dependencies.
The HIPAA Security Rule requires covered entities to conduct regular technical and non-technical evaluations of security controls, but it does not specify the frequency or methodology. For most healthcare organizations, this means annual penetration tests at best. An AI-powered attacker operating continuously can identify and exploit vulnerabilities faster than an annual test cycle can detect them. Healthcare security teams need to treat AI-augmented threat actors as an assumption in their threat models, not an edge case.
The DeFi asymmetry framing is also directly applicable to healthcare software development. A healthcare software team building a patient data integration platform faces the same one-bug-is-enough dynamic. A single unvalidated FHIR query parameter, a misconfigured OAuth scope on a patient portal, or an improperly sandboxed AI agent with access to PHI repositories—any of these could constitute the single exploitable flaw that an AI-assisted attacker needs. Defenders must secure everything. Attackers need only find one path.
Healthcare organizations that have deployed AI coding assistants as part of their SDL—whether GitHub Copilot, Claude Code, or similar tools—should also consider the two-sided nature of this capability. The same AI that helps developers write better code can, in adversarial hands, help attackers find weaknesses in it. If your development team uses AI to accelerate secure coding, your threat actors may be using equivalent or superior models to accelerate vulnerability discovery. The arms race is symmetric even if the asymmetry at any given moment favors offense.
Defensive Posture: What Security Teams Can Do Now
The practical response to AI-augmented threat actors is not to wait for regulatory frameworks to catch up or for AI vendors to develop perfect defensive tooling. It is to accelerate existing best practices to the speed that the threat requires.
On the patch management side, the ECB's Elderson called for banks to "drastically speed up" deployment of software patches. This applies equally to healthcare environments. Vulnerability windows—the time between public disclosure and patch deployment—have historically been measured in weeks or months for complex enterprise systems. AI-assisted exploitation can compress attacker dwell time in ways that make extended patch windows indefensible. Healthcare organizations should be reviewing their mean time to patch for critical and high-severity vulnerabilities and benchmarking against peer organizations.
For organizations running AI agents—whether in clinical decision support, administrative automation, or software development pipelines—the DeFi discussion about circuit breakers and timelocks translates into agent containment controls. Human-in-the-loop checkpoints, scoped permissions, and rate-limited API access for AI agents are the equivalent of DeFi's non-code mitigations. They do not eliminate the underlying vulnerability surface, but they constrain blast radius and provide detection opportunities that pure code-level defense cannot.
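The containment controls named above (scoped permissions, rate-limited access, a human-in-the-loop checkpoint, and a circuit breaker) can be combined in one policy gate that sits between an agent and its tools. The sketch below is an added example, not code from any vendor or project mentioned in this article; the class, the tool names such as `fhir.bulk_export`, and the thresholds are assumptions chosen for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class AgentGate:
    """Gate between an AI agent and its tools (names here are hypothetical)."""
    scopes: frozenset          # tools the agent may call at all
    needs_approval: frozenset  # tools that need a human sign-off
    max_calls: int = 5         # rate limit: calls allowed per window
    window_s: float = 60.0
    trip_after: int = 3        # denials before the breaker opens
    tripped: bool = False
    denials: int = 0
    calls: deque = field(default_factory=deque)
    audit: list = field(default_factory=list)

    def check(self, tool, now, approved_by=None):
        """Return 'allow', 'pending' or 'deny'; every decision is audited."""
        decision, reason = self._decide(tool, now, approved_by)
        if decision == "deny":
            self.denials += 1
            self.tripped = self.tripped or self.denials >= self.trip_after
        self.audit.append((now, tool, decision, reason))
        return decision

    def _decide(self, tool, now, approved_by):
        if self.tripped:
            return "deny", "circuit breaker open"
        if tool not in self.scopes:
            return "deny", "out of scope"
        while self.calls and now - self.calls[0] >= self.window_s:
            self.calls.popleft()  # drop calls outside the sliding window
        if len(self.calls) >= self.max_calls:
            return "deny", "rate limit"
        if tool in self.needs_approval and not approved_by:
            return "pending", "awaiting human approval"
        self.calls.append(now)
        return "allow", approved_by or "auto"

    def reset(self, operator):  # only a human operator closes the breaker
        self.tripped, self.denials = False, 0
        self.audit.append((None, "reset", "allow", operator))

def demo():  # constructed call sequence; tool names are illustrative
    gate = AgentGate(frozenset({"fhir.read", "fhir.bulk_export"}),
                     frozenset({"fhir.bulk_export"}), max_calls=2, trip_after=2)
    calls = [("fhir.read", 0), ("fhir.bulk_export", 1), ("fhir.bulk_export", 2, "analyst"),
             ("fhir.read", 3), ("shell.exec", 4), ("fhir.read", 100)]
    return [gate.check(*c) for c in calls], gate
```

Once the breaker opens, even in-scope calls are refused until an operator resets it, and the audit list records the reason for each decision, which is where the detection opportunity comes from.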
The continuous audit model that OpenZeppelin launched—AI-assisted review running in parallel with traditional audits—is worth studying as a healthcare SDL pattern. A healthcare development team that combines automated static analysis, AI-assisted code review, and periodic manual penetration testing is implementing a layered defense that mirrors the multi-layer approach DORA requires of financial institutions. The OWASP ASVS framework and NIST SSDF provide healthcare-applicable standards for structuring this.
Finally, both the ECB warning and the DeFi debate underscore the importance of threat intelligence sharing. Elderson explicitly encouraged U.S. banks with Mythos access to share findings with their European counterparts. Healthcare sector sharing through organizations like H-ISAC serves the same function—early intelligence about how AI-augmented threat actors are operating in adjacent sectors provides lead time that independent discovery does not.
The Structural Question
Aráoz's warning and the ECB's warning are not primarily about any specific AI model. They are about a structural shift in the economics of offensive security. When vulnerability discovery scales with compute and model capability rather than with human analyst hours, the traditional assumption that defenders can keep pace with attackers through diligence and investment begins to break down. The question is not whether this shift is happening—multiple independent observers across regulated banking, decentralized finance, and AI safety research are converging on the same conclusion. The question is how quickly institutions can adapt their security posture to account for it.
For healthcare security teams, the answer requires treating AI-augmented adversaries as a baseline assumption in risk assessments today, not a future-state scenario for next year's threat model update. The ECB is not warning about a theoretical risk. Neither is Aráoz. Both are describing capabilities that exist now, that are becoming more accessible, and that are being actively discussed in adversarial communities. The window to build defensive depth ahead of widespread exploitation is open, but it is not indefinitely wide.
This is entry #37 in the AI Security series. For related coverage, see AI Security Series #31: AISI Mythos Evaluation and Healthcare Cyber Defense and AI Security Series #34: Malicious LLM Relays and Healthcare Supply Chain Risk.