As artificial intelligence rapidly reshapes cybersecurity operations, banks and financial services firms are confronting a growing question for their quality assurance and security testing teams: if AI systems can autonomously probe systems, simulate attacks and uncover vulnerabilities, what role remains for human penetration testers?
The debate is intensifying as financial institutions expand digital infrastructure, cloud environments and API ecosystems, dramatically increasing the number of systems that must be continuously tested for weaknesses.
Seemant Sehgal, founder & CEO of BreachLock, said the conversation is increasingly surfacing among security leaders trying to balance automation with human expertise.
“Lately, I’ve been hearing the same question repeated in conversations with security leaders: ‘If agentic AI can run reconnaissance, simulate attacks and identify vulnerabilities on its own, do we still need human penetration testers?’,” Sehgal wrote in a recent Forbes Council analysis.
“It’s a fair question,” he continued, pointing out that “94% of security leaders in the World Economic Forum’s recent 2026 Global Cybersecurity Outlook said AI will be the most significant driver of change in cybersecurity this year.”
For banks and financial services firms, the issue carries particular weight. The sector’s rapidly expanding attack surfaces, spanning mobile banking, payment infrastructure, third-party APIs and cloud platforms, have made traditional point-in-time security testing increasingly difficult to sustain.
Security teams are under pressure to test more systems more frequently, while also dealing with a persistent shortage of skilled practitioners.
Sehgal argued that the core issue is not whether AI tools can perform penetration testing tasks, but whether organisations are prepared to manage autonomous security systems responsibly.
“But I think the million-dollar question isn’t whether AI can replace humans, but whether organisations are ready to govern autonomous security systems with the same expectations they apply to people,” he explained. “That’s where things start to get complicated.”
Security testing
Automation is already becoming an essential component of offensive security programmes, particularly in large, distributed environments such as those operated by banks and insurers.
“There’s no doubt AI is becoming an essential force multiplier in offensive security,” Sehgal said. “Most teams just simply cannot test all of their systems manually anymore, especially at the frequency needed.”
Automation allows security and testing teams to scale their coverage as systems evolve, helping organisations keep pace with rapid development cycles and continuously changing infrastructure.
“Automation helps teams scale and broaden coverage to keep up with changes in a way humans alone never could,” Sehgal stressed.
However, he warned that treating AI-driven testing tools as a full replacement for human expertise introduces new risks, particularly when it comes to governance, accountability and business context.
“Security hasn’t ever been strictly a matter of technical execution,” Sehgal stated. “It also requires thoughtful intent, judgment and accountability.”
Governance questions around autonomous testing
One of the central challenges posed by agentic AI in penetration testing is responsibility. Traditional pentesting engagements have clear ownership structures: a team defines the scope, conducts testing and reports findings under defined oversight.
Autonomous testing systems, however, can blur those lines.
“When a human pentester runs an engagement, ownership is straightforward,” Sehgal continued. “Someone defines the scope, understands the business context and is held accountable for the impact of decisions made during testing.”
“With agentic systems, that clarity can turn into a gray area if these questions aren’t answered before implementation,” he was quick to add.
“If organisations get the balance right, autonomous testing can become a force multiplier.”
– Seemant Sehgal
For financial institutions operating under increasingly strict regulatory scrutiny, including operational resilience frameworks and cyber resilience programmes, those governance gaps could create new compliance risks.
Questions quickly emerge once testing becomes continuous and automated: who determines the scope of AI-driven attacks, who validates whether vulnerabilities represent genuine business risk, and who takes responsibility if automated testing disrupts production systems.
“There’s a somewhat common belief among senior business leaders, especially at the board level, that AI is a silver bullet,” Sehgal shared. “The expectation is for it to solve the skills gap on its own.”
“The reality is, neither approach works by itself.”
Human judgment
Autonomous penetration testing platforms can execute testing tasks at scale, scanning environments continuously, validating exposures and simulating attack paths across complex architectures.
But Sehgal argued that execution alone does not define the value of human pentesters.
“Technology like autonomous penetration testing can scale speed and coverage and handle repetition far better than any human team, but it cannot take responsibility,” he said.
“It can’t weigh tradeoffs. It also can’t decide when risk is acceptable or when business impact outweighs technical severity.”
People, by contrast, bring business understanding and accountability into the testing process. “People bring context, expert judgment and, most importantly, ownership to the table, something that technology alone can’t offer,” Sehgal said.
At the same time, he acknowledged that human teams alone cannot keep up with rapidly evolving environments.
“But humans also cannot manually keep pace with environments that evolve daily,” he stressed. “The only sustainable model this leaves us with is one where the two work together intentionally.”
Role of pentesters
Rather than replacing human testers, AI is likely to reshape their responsibilities.
In many organisations, automation is already taking over repetitive tasks such as discovery, scanning and validation.
“That usually means letting automation handle the parts of testing that don’t require constant human input, such as routine discovery, continuous validation and coverage across environments that change every week or even daily,” Sehgal said.
“When done well, this doesn’t reduce the role of the pentester, but it absolutely changes it.”
Instead of spending time on routine tasks, security professionals can focus more on interpreting findings, assessing business risk and working with engineering teams to remediate vulnerabilities.
“Instead of spending most of their time running repetitive tasks, like reconnaissance and reporting, skilled practitioners can focus on understanding and, more importantly, mitigating real risk,” Sehgal remarked.
“They can interpret results, think adversarially and work with engineering to decide what actually matters instead of chasing long lists of findings.”
One of the dangers of over-relying on automated security testing, Sehgal argues, is that teams may gain more data but less clarity.
Automation excels at execution, but lacks the contextual judgement required to prioritise risk effectively.
“Automation is very good at execution,” Sehgal said. “It can run continuously, scale instantly and cover far more ground than any human team. But execution alone is not what makes a penetration tester valuable.”
“What gets lost when humans are removed from the testing process is judgment.”
– Seemant Sehgal
Human testers understand how vulnerabilities fit into complex environments and can quickly determine when technical severity does not reflect real-world impact.
“Human pentesters don’t only find issues,” Sehgal pointed out, as he added that “they decide which ones matter, understand how a vulnerability fits into the broader environment, instantly recognize when technical severity doesn’t reflect real-world impact.”
Without that layer of interpretation, organisations may see more activity and more findings but lose confidence in what truly matters.
“When automation is treated as a total replacement for human expertise, teams often gain volume but lose clarity,” he said.
“They see more findings, more activity and more data, but less confidence in what actually deserves attention.”
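The gap Sehgal describes, raw scanner severity versus what an asset actually means to the business, is easy to make concrete. The following is an added illustration, not code from the article or from BreachLock: it takes constructed scanner findings, each carrying the tool's technical severity, and re-ranks them against a constructed asset inventory (criticality, exposure, data handled, compensating controls) of the kind a human tester carries in their head. All asset names, findings, weights and thresholds are invented for the example.

```python
"""Context-aware triage of automated scanner output.

Added example, not the article's or BreachLock's code. Every asset,
finding, weight and threshold below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Business context the scanner does not have (constructed)."""
    name: str
    criticality: int            # 1 = disposable lab .. 5 = core payment path
    internet_facing: bool
    handles_pii_or_funds: bool
    controls: tuple = ()        # compensating controls, e.g. "waf", "network-isolated"


@dataclass(frozen=True)
class Finding:
    """One scanner result with the tool's own technical severity (constructed)."""
    id: str
    asset: str
    cvss: float
    title: str
    reachable_from_internet: bool


# Constructed inventory: the hypothetical bank's systems.
ASSETS = {
    "payments-api": Asset("payments-api", 5, True, True, ("waf",)),
    "qa-lab-jenkins": Asset("qa-lab-jenkins", 1, False, False, ("network-isolated",)),
    "marketing-cms": Asset("marketing-cms", 2, True, False),
    "internal-wiki": Asset("internal-wiki", 3, False, True),
}

# Constructed scanner output: note the lab box carries the highest CVSS.
FINDINGS = [
    Finding("F-1", "qa-lab-jenkins", 9.8, "Outdated Jenkins core", False),
    Finding("F-2", "payments-api", 6.5, "No rate limiting on transfer endpoint", True),
    Finding("F-3", "marketing-cms", 7.5, "Reflected XSS in search parameter", True),
    Finding("F-4", "internal-wiki", 5.3, "TLS 1.0 still enabled", False),
]

# Constructed weights; chosen as exact binary fractions so results are stable.
EXPOSURE_FACTOR = 1.5      # internet-facing asset and the flaw is reachable from outside
DATA_FACTOR = 1.25         # asset handles customer PII or moves funds
CONTROL_FACTORS = {"waf": 0.75, "network-isolated": 0.5}


def business_priority(finding: Finding, assets=ASSETS) -> float:
    """Scale the tool's CVSS by asset context; returns a 0..10 priority."""
    asset = assets[finding.asset]
    score = finding.cvss * (asset.criticality / 5)
    if asset.internet_facing and finding.reachable_from_internet:
        score *= EXPOSURE_FACTOR
    if asset.handles_pii_or_funds:
        score *= DATA_FACTOR
    for control in asset.controls:
        # A network-isolated host only earns its discount when the flaw
        # really is unreachable from outside; a WAF always applies here.
        if control == "network-isolated" and finding.reachable_from_internet:
            continue
        score *= CONTROL_FACTORS.get(control, 1.0)
    return round(min(score, 10.0), 1)


def action_for(priority: float) -> str:
    """Map a priority to the constructed decision bands a human would own."""
    if priority >= 7.0:
        return "fix now; confirm blast radius with the asset owner"
    if priority >= 4.0:
        return "schedule in next remediation cycle"
    return "backlog; revisit if exposure changes"


def triage(findings=FINDINGS, assets=ASSETS) -> list:
    """Return findings re-ranked by business priority, highest first."""
    rows = [
        {
            "id": f.id, "asset": f.asset, "cvss": f.cvss,
            "priority": business_priority(f, assets),
            "action": action_for(business_priority(f, assets)),
        }
        for f in findings
    ]
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


def cvss_order(findings=FINDINGS) -> list:
    """The order a severity-only report would present, for contrast."""
    return [f.id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


if __name__ == "__main__":
    print("scanner order :", cvss_order())
    print("triaged order :", [r["id"] for r in triage()])
    for row in triage():
        print(f"{row['id']} {row['asset']:<16} cvss={row['cvss']:<4} "
              f"priority={row['priority']:<4} -> {row['action']}")
```

Run as a script, the scanner's own ordering puts the isolated lab Jenkins host (CVSS 9.8) first, while the context-aware ranking puts the internet-facing payments endpoint (CVSS 6.5) at the top and drops the lab host to the backlog. The weights are deliberately simple; the point is that the inputs which change the ranking (criticality, exposure, data, controls) are exactly the ones Sehgal says automation lacks, and the `action_for` bands are decisions a named person still has to own.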
Human-led, technology-enabled testing
For financial institutions seeking to strengthen cyber resilience, Sehgal argues the future of penetration testing lies in a hybrid model.
“The future of penetration testing is not human or AI alone, but rather human-led and technology-enabled,” he summarised.
Autonomous testing systems will continue to evolve and take on more of the operational workload, particularly as organisations require continuous testing across increasingly complex environments.
But human practitioners will remain responsible for oversight, direction and accountability.
“People will remain responsible for direction, judgment and accountability, the things AI cannot replace, at least in the world as we know it,” Sehgal said.
For banks and financial services firms facing relentless cyber threats, the challenge will be finding the right balance, combining the scale of autonomous testing with the expertise and judgement of human security professionals.
“If organisations get that balance right, autonomous testing can become a force multiplier,” Sehgal concluded. “If not, they may end up with more automation and less understanding of their actual risk.”

