Prompt-injection scanner for financial services AI

Financial services AI touches the most document-dense workflows in any enterprise: invoice processing, contract intelligence, KYC and AML document review, earnings-report summarisation, loan-application scoring, and trade-confirmation extraction. Every one of these pipelines ingests PDFs, scanned images, and fax-quality documents that ultimately reach a vision model. A fraudster who embeds a FigStep-class adversarial instruction in a scanned invoice — invisible to OCR, visible to the vision encoder — can instruct the AI to alter extracted line items, suppress fraud signals, or exfiltrate session data. The financial services attack surface is larger than most sectors because external, untrusted counterparties (suppliers, borrowers, applicants) routinely supply the documents that feed the AI pipeline. Add a scan gate at the inference boundary, not at OCR time.

TL;DR

Before passing any supplier invoice, scanned contract, KYC document, or earnings-report page image to a vision model, POST the raw bytes to Glyphward's /v1/scan. A score above threshold (recommended: 70 for document AI, 60 for fraud-pipeline inputs) means the image contains an adversarial payload; reject it before it reaches the model. The response returns in under 200 ms and carries a 0–100 score, the flagged pixel region, and a scan_id for your audit log. Start on the free tier: 10 scans/day, no card.

Financial services AI use cases with multimodal PI exposure

Accounts-payable invoice AI. AP automation pipelines accept supplier-submitted PDF invoices and pass rendered page images to a vision model to extract line items, totals, PO numbers, and payment terms. The supplier is an external, potentially adversarial party who controls the document content. A FigStep payload embedded in a logo, watermark, or background texture of the invoice instructs the vision model to alter extracted amounts or override purchase-order validation. The OCR pass that feeds the text-layer scanner produces a clean transcript — it reads the visible text, not the visual token stream the model sees. See the full architectural argument in Why text-only scanners miss image prompt injection.

Contract intelligence and due-diligence AI. M&A due-diligence, vendor-contract review, and lease-abstraction platforms ingest counterparty-supplied PDFs — contracts, schedules, exhibits, annexes — and pass page images to vision models that extract clauses, obligations, and risk signals. Counterparty-supplied documents are an untrusted external source. A payload on a scanned exhibit page (a page image rather than searchable text) survives every text-layer defence and reaches the model unfiltered. For the full PDF attack surface see PDF prompt-injection detection.

KYC and AML document review. Know-your-customer onboarding pipelines accept passport photos, utility bills, bank statements, and corporate registry documents from new customers. These are processed by vision models to extract name, address, DOB, and entity information. Every submitted document is an untrusted external input. A FigStep payload embedded in the background pattern of a fabricated utility bill can instruct the vision model to output a different name and address than the printed text, bypassing identity verification without tripping text-level fraud rules.

Earnings-report and regulatory-filing summarisation. Research analysts and compliance teams use LLM pipelines to summarise quarterly earnings releases, 10-K filings, and regulatory submissions. These documents are typically downloaded from issuer websites and EDGAR — not from adversarial sources — but supply-chain attacks on PDF hosting infrastructure have increased. A payload in an embedded chart image or scanned page within a filing passes text extraction clean. Scan before ingestion.

Loan-application and credit-underwriting document AI. Mortgage underwriting, SME lending, and BNPL platforms accept borrower-submitted bank statements, tax returns, and payslips. These are processed by document AI to extract income, employment, and liability figures. A borrower who controls the document can embed adversarial instructions to alter extracted figures in ways that defeat automated underwriting checks.

Trade-confirmation and SWIFT-message AI. Post-trade operations AI processes scanned trade confirmations, MT103/MT202 messages forwarded as PDFs, and broker confirmations. The external counterparty controls the fax or PDF content. Adversarial payloads in scanned confirmations can alter extracted trade details (ISIN, quantity, price) before they reach the reconciliation system.

Regulatory and compliance context

EU AI Act Annex III — financial services. Article 6 and Annex III clause 5(b) classify AI systems used to evaluate creditworthiness of natural persons and to price and underwrite life insurance as high-risk. High-risk AI systems are subject to Article 15 cybersecurity requirements from 2 August 2026, including the obligation to prevent, detect, and control for adversarial examples and model evasion. For a lending AI or insurance AI that accepts document images, multimodal prompt injection is the adversarial-example class for the image input channel. See the compliance analysis in EU AI Act Article 15 — multimodal PI compliance.

MiFID II / MiCA suitability and appropriateness. Robo-advisory and digital-wealth platforms that use AI to assess investor suitability under MiFID II Article 25 must demonstrate that the AI's inputs were validated. A suitability assessment AI that accepts uploaded portfolio statements, account documents, or identity documents from the client and passes them to a vision model has an untrusted multimodal input channel. Per-request scan evidence supports the audit trail for MiFID II supervisory review.

PCI DSS v4.0 — Requirement 6.4 (web application security) and Requirement 12.10 (incident response). Payment-related AI that processes card-holder data — chargebacks, dispute documents, fraud-alert PDFs — is in-scope for PCI DSS. Requirement 6.4 requires protections against known vulnerabilities in bespoke software. Adversarial prompt injection in images is a known vulnerability class for multimodal AI. Requirement 12.10 requires an incident response plan; a blocked scan with a logged scan_id is the triggering event for that plan in a multimodal pipeline.

SOX IT General Controls. For public companies, the AI systems that feed financial reporting data — GL reconciliation AI, revenue-recognition document AI — are in scope for SOX IT General Controls. Untrusted document inputs to these systems constitute a control gap. Per-request scan logs satisfy the evidence requirement for input validation controls. See SOC 2 AI security controls for the trust-service criteria mapping.

Python integration: invoice and contract scanning

import fitz  # PyMuPDF
import base64, httpx

GLYPHWARD_API_KEY = "YOUR_GLYPHWARD_API_KEY"
GLYPHWARD_SCAN_URL = "https://glyphward.com/v1/scan"

# Document AI: threshold 70; fraud pipeline: threshold 60
DOCUMENT_THRESHOLD = 70
FRAUD_THRESHOLD = 60

def scan_image_bytes(image_bytes: bytes, source: str, doc_id: str) -> dict:
    encoded = base64.b64encode(image_bytes).decode()
    resp = httpx.post(
        GLYPHWARD_SCAN_URL,
        headers={"Authorization": f"Bearer {GLYPHWARD_API_KEY}"},
        json={"image": encoded, "source": source, "metadata": {"doc_id": doc_id}},
        timeout=5.0,
    )
    resp.raise_for_status()
    return resp.json()  # {score, flagged_region, scan_id, modality}

def scan_pdf_document(pdf_bytes: bytes, doc_id: str,
                      threshold: int = DOCUMENT_THRESHOLD,
                      dpi: int = 150) -> list[dict]:
    """Render PDF pages to PNG and scan each. Returns flagged pages."""
    flagged = []
    # Open from memory; the context manager closes the document when done.
    with fitz.open(stream=pdf_bytes, filetype="pdf") as doc:
        for page_num in range(len(doc)):
            # Scale from PDF points (72 per inch) to the requested DPI before rendering.
            png = doc[page_num].get_pixmap(
                matrix=fitz.Matrix(dpi / 72, dpi / 72)
            ).tobytes("png")
            result = scan_image_bytes(png, source="pdf_page", doc_id=doc_id)
            result["page"] = page_num
            if result["score"] >= threshold:
                flagged.append(result)
    return flagged

def safe_ingest_financial_doc(pdf_bytes: bytes, doc_id: str,
                               doc_type: str = "invoice") -> bool:
    """Gate: scan PDF, raise on any flagged page."""
    threshold = FRAUD_THRESHOLD if doc_type in ("kyc", "loan_app") else DOCUMENT_THRESHOLD
    flagged = scan_pdf_document(pdf_bytes, doc_id, threshold=threshold)
    if flagged:
        raise ValueError(
            f"Document {doc_id} ({doc_type}) blocked: "
            f"{len(flagged)} page(s) flagged. "
            f"First scan_id={flagged[0]['scan_id']}, page={flagged[0]['page']}"
        )
    return True

For KYC flows that accept individual image uploads (passport photos, utility bills), scan the raw image bytes before passing them to your identity-extraction model:

def safe_kyc_image(image_bytes: bytes, application_id: str) -> dict:
    result = scan_image_bytes(image_bytes, source="kyc_upload", doc_id=application_id)
    if result["score"] >= FRAUD_THRESHOLD:
        raise ValueError(
            f"KYC image for application {application_id} blocked: "
            f"PI score {result['score']}. scan_id={result['scan_id']}"
        )
    return result  # caller logs scan_id to audit trail

Coverage matrix

| Tool | Detects PI in scanned invoices (PDF) | Detects PI in KYC image uploads | Detects PI in earnings-report charts | Per-request audit log (scan_id) |
|---|---|---|---|---|
| Lakera Guard | No (text only) | No (text only) | No | Text channel only |
| Azure Prompt Shields | No (text only) | No (text only) | No | Text only, Azure-gated |
| LLM Guard | No (text only) | No (text only) | No | Text channel only |
| OCR + text scanner | OCR layer only — misses image PI | Misses visual-layer payloads | No (chart images not text) | No per-request evidence |
| Glyphward | Yes — page-render scan | Yes — pixel-level | Yes — image scan | Yes — scan_id per request |

Related questions

Does scanning slow down AP automation pipelines at invoice volume?

Glyphward's /v1/scan returns in under 200 ms per image. For a typical 10-page invoice PDF rendered at 150 DPI, that is 2 seconds of sequential scan time or under 500 ms if pages are scanned in parallel. For AP pipelines processing hundreds of invoices per day, the latency is negligible relative to the downstream OCR and extraction time. For pipelines with strict SLA requirements, use the async scan endpoint (batch mode) to scan pages in parallel and aggregate results before proceeding.
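The parallel page scan and per-page audit aggregation described above, as an added example that is not Glyphward's own code: it assumes a scan function with the same (image_bytes, source, doc_id) signature as scan_image_bytes in the integration section, uses a constructed stand-in scanner so it runs offline, and (my assumption, not stated on this page) treats a failed scan call as a flagged page so the gate fails closed.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from typing import Callable

# (image_bytes, source, doc_id) -> {"score": int, "scan_id": str, ...}
ScanFn = Callable[[bytes, str, str], dict]

@dataclass
class ScanVerdict:
    doc_id: str
    blocked: bool
    max_score: int
    flagged_pages: list[int] = field(default_factory=list)
    scan_ids: list[str] = field(default_factory=list)  # one per scanned page, for the audit log
    errors: list[int] = field(default_factory=list)    # pages whose scan call failed

def scan_pages_parallel(pages: list[bytes], doc_id: str, scan_fn: ScanFn,
                        threshold: int, workers: int = 8) -> ScanVerdict:
    """Scan rendered page images concurrently and fold them into one verdict.
    A page whose scan call raises is counted as flagged (fail closed; assumption)."""
    def one(idx_png):
        idx, png = idx_png
        try:
            r = scan_fn(png, "pdf_page", doc_id)
            return idx, int(r["score"]), r["scan_id"], None
        except Exception as exc:  # timeout, HTTP error, malformed response
            return idx, None, None, exc
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(one, enumerate(pages)))
    verdict = ScanVerdict(doc_id=doc_id, blocked=False, max_score=0)
    for idx, score, scan_id, err in sorted(results, key=lambda t: t[0]):
        if err is not None:
            verdict.errors.append(idx)
            verdict.flagged_pages.append(idx)  # no evidence that the page is clean
            continue
        verdict.scan_ids.append(scan_id)
        verdict.max_score = max(verdict.max_score, score)
        if score >= threshold:
            verdict.flagged_pages.append(idx)
    verdict.blocked = bool(verdict.flagged_pages)
    return verdict

# Constructed stand-in for the real scanner: page 2 carries a payload, page 4 times out.
def fake_scan(png: bytes, source: str, doc_id: str) -> dict:
    idx = int(png.decode())  # constructed "pages" are just their index as bytes
    if idx == 4:
        raise TimeoutError("scan timed out")
    return {"score": 91 if idx == 2 else 8, "scan_id": f"scan-{doc_id}-{idx}"}

SAMPLE_PAGES = [str(i).encode() for i in range(6)]  # constructed 6-page document
```

Swap fake_scan for scan_image_bytes and SAMPLE_PAGES for the PNGs produced by the PDF renderer; the verdict's scan_ids list is what you write to the audit trail.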

Which financial AI pipelines are highest risk?

Risk is proportional to (a) how untrusted the document source is and (b) how consequential the extracted data is. Highest risk: KYC/AML document review (external, potentially adversarial applicants; identity-verification consequences), AP invoice processing (external suppliers; direct financial payment consequences), and loan-application document AI (borrowers motivated to manipulate extracted figures). Lower risk: internal earnings-report summarisation where documents come from regulated issuer disclosures on known platforms — still worth scanning if you have supply-chain concerns.

Is the scan compatible with encrypted or password-protected PDFs?

Glyphward scans image bytes — you render the PDF pages first (using PyMuPDF or similar), then POST the rendered PNG bytes. Password-protected PDFs must be unlocked before rendering; Glyphward does not decrypt PDFs. For PDFs that remain encrypted at rest (e.g., in a secure document vault), decrypt to a temporary buffer, render pages, scan, then discard the buffer. The scan_id references the scan of the rendered page, not the source PDF file.

How does this interact with existing invoice fraud detection systems?

Glyphward detects adversarial prompt-injection payloads in image content — it is not a general invoice fraud detector. Existing invoice fraud systems check business rules (duplicate invoice numbers, unusual amounts, unfamiliar bank accounts). These operate on the extracted text data after the vision model has run. Glyphward operates before the vision model — it prevents the model from being manipulated into producing fraudulent extracted data. The two layers are complementary: Glyphward protects the model call; your fraud rules protect the business logic.

Does EU AI Act Annex III apply to my credit-scoring AI?

Annex III clause 5(b) covers AI systems used to evaluate creditworthiness of natural persons or establish their credit score. If your AI scores individuals (consumer lending, BNPL) rather than companies, and if it operates in the EU or processes EU residents' data, it likely qualifies as high-risk. The Article 15 cybersecurity obligations — including adversarial-example prevention for each input modality — apply from 2 August 2026. For document-accepting credit-scoring AI, the image input channel must be covered. See EU AI Act Article 15 — multimodal PI compliance for the full analysis.

Further reading