AI, Vendor Risk, and Payments Disruption: The Questions Community Bank Leaders Should Be Asking in 2026

Apr 08, 2026
By: Anne Benigsen – President, CivITas Bank Solutions LLC.

We’ve been doing cybersecurity seriously now for over a decade. Ups and downs, figuring out risk assessments, the right tools, the right vendors, and what auditors and examiners want – it’s been a wild ride. And now we have new and old domains coming to the forefront: AI, third-party management and payments disruption. Taken alone, we have considered the risk. Compounded together, our governance structures may not look as clean. We know how to ask about cybersecurity and its many facets; we need to learn how to ask about these three topics at the same time.

AI

This is unsurprising. A survey stated that 27% of community bankers rank AI as their top concern for 2026 [2]. AI displaced cybersecurity in this survey at the #1 slot. 85% of community bankers also agree that AI adoption equals competitive advantage, making it a concern as well as a need to help our banks grow. 15% of employees in early 2025 were already accessing GenAI tools on corporate devices, and 72% of employees said that they were using personal email accounts [3] to sign up for the services. That’s referred to as shadow AI: usage that our banks cannot see or govern.

The question isn’t “Do we have an AI policy?”

The question is: “Where is AI already being run in our banks by our employees, vendors and customers?”

We should ask:

  • Who owns AI risk?
  • What’s our appetite?
  • Can we name all the systems where AI touches our customer data? (Employees, software, vendors, customers.)

Third Parties

Third-party involvement in breaches doubled in 2025 to 30% from 15% [3]. With attacks succeeding that dramatically, we need to focus on it before it doubles again. Marquis Software, one vendor serving 700+ banks, was breached through their firewall. 800k+ individuals were exposed, 80+ institutions were affected, and there was a two-month notification delay. Customers were calling their banks, and the banks had not been notified. Marquis was a traditional vendor risk, but our third parties are embedding AI into their products, often without disclosure, as they are not contractually obligated to do so. That means your vendor’s AI could be making decisions about your customer and payment data, and you have no visibility into what or where it is going.

We should ask:

  • What’s our vendor concentration level when it comes to critical functions?
  • Have we tested a multi-vendor outage?
  • Are we patching our perimeter (i.e., firewalls) devices regularly?
  • Which of our vendors are using AI in our products or services, and have we documented it?

Payment Disruptions

41% of bankers say real-time payments fraud will have the biggest negative impact in 2026 [4]. Financial services have now become the most breached industry since 2018, beating out healthcare. 74% of breaches trace to system intrusion, social engineering, or basic web app attacks [3]. On the other hand, we now have customers, small businesses, and vendors doing agentic payments. That raises a liability question: who owns the loss when an AI agent hallucinates a transaction? And now we have digital assets and stablecoins. 58% of the bankers say that they will reshape payments. On the AI side, 57% of community bankers say that AI’s most valuable application is to detect fraud, yet AI-enhanced social engineering like voice cloning, deepfake authorization calls, and AI-generated phishing jumped 16 points from the previous year [2].

We should ask:

  • What is the RTP fraud loss rate in our peers vs. legacy rails by percentage?
  • Are our controls built for real-time speed?
  • What happens when a commercial customer asks us to receive a stablecoin?
  • Have we tested our AI fraud controls against AI-generated attacks?

None of these requires a new framework. These require conversation. Choose one from each section and bring it to the next management meeting, and see if anyone can answer it cleanly. If they can’t, you know where to start.

[1] https://www.proofpoint.com/us/resources/white-papers/voice-of-the-ciso-report
[2] https://www.csiweb.com/what-to-know/content-hub/blog/2026s-industry-outlook-community-banks
[3] https://www.verizon.com/business/resources/reports/dbir/
[4] https://www.americanbanker.com/payments/news/exclusive-research-is-ai-an-effective-tool-to-fight-fraud
