How BPCE secured its customer-facing banking chatbot

BPCE, one of France's largest banking groups, was launching a customer-facing GenAI assistant. Giskard's red teaming probed the chatbot before launch, detecting security vulnerabilities like prompt injections during the build phase, while hundreds of automated functional tests validated answer quality with business experts. BPCE now runs three AI assistants through Giskard's continuous testing and red teaming.
How BPCE secured its customer-facing banking chatbot with Giskard

BPCE was about to put a GenAI assistant in front of its banking customers. The team knew attackers would probe it in ways they hadn't imagined. And with hundreds of test scenarios to validate, doing it by hand was impossible. Here's how they got to production.

First step: mapping risks for BPCE's customer chatbot

The Customer Assistant is an AI chatbot embedded across BPCE's digital channels. Any customer can ask a question in natural language about anything related to banking and get an answer.

For a banking group, the stakes are high on both sides of that promise. Every answer engages BPCE's responsibility toward its customers, accuracy is key and a reputational obligation. But opening a chatbot exposed on the internet is an attack surface.

"The chatbot was going to be exposed on the internet," says Mikael Le Bars of BPCE's Data & AI division. "We were potentially going to face attacks and security breaches we wouldn't have thought of, this was all new to us."

The platform the assistant ran on was still under development when the project started. There was no established playbook for testing it. That's when BPCE brought in Giskard.

"Giskard really helped us get a handle on our risks and identify them. That was a key point both for product development and for the legal side." mentions Léa Poirier, Product Owner, Chat AI at BPCE.

The challenge: quality, security, and organization, all at once

Shipping the assistant meant clearing three bars simultaneously:

  • Product quality. Customers needed answers that were reliable, relevant, and genuinely useful day to day.
  • Security. An internet-facing chatbot at a major bank invites prompt injections, denial-of-service attempts, and attack patterns the team had never dealt with before.
  • Organization. The assistant's knowledge base changes constantly. The team had to reorganize around testing: initial test runs, non-regression testing, bug fixes, and the documentation work each release required.

Expert red teaming, so vulnerabilities never reached production

Giskard assigned two security researchers to BPCE's assistant. For several weeks, they attacked it: prompt injections, denial-of-service scenarios, and more.

"We were able to detect vulnerabilities at build time. That allowed us to properly secure the chatbot and put it into production safely." Mikael Le Bars, Data & AI Division, BPCE

Security wasn't the only gate. Before launch, BPCE validated hundreds of functional tests, pulling in business experts to define what a correct answer looks like in their domain.

"We're talking about hundreds of tests. Given the volume, it's impossible to do everything by hand." Léa Poirier, Product Owner, Chat AI — BPCE

The result: continuous confidence in production

BPCE's team can now demonstrate that their assistant performs as expected.

  • Security: the team is more confident about the absence of vulnerabilities, backed by testing rather than hope.
  • Performance: the chatbot's quality is measured regularly against a concrete performance baseline.
  • Continuous red teaming: newly discovered attack techniques are pushed by Giskard directly into the Hub, so BPCE stays current without running its own threat research.
"Giskard really helped secure our product launch by validating all the upstream tests, both for the product and for legal." Léa Poirier, Product Owner, Chat AI — BPCE

From one chatbot to an AI testing practice

The Customer Assistant is no longer the only project. BPCE now runs three AI assistants through Giskard — Customer Assistant, HR Assistant, and Network Assistant — with testing built in as a continuous practice.

BPCE's knowledge base evolves constantly, and every documentation update can break answers that worked yesterday. So testing runs continuously while continuous red teaming keeps the security side current, pushing newly discovered attack techniques into the Hub as they emerge.

Ready to ship your AI agent with a green light?

If you want to secure your agents like BPCE, start with an AI assessment: our red teaming platform probe your agent for security and quality failures, rank them by severity, and deliver a clear go/no-go recommendation.

Get your AI assessment →

Continuously secure LLM agents, preventing hallucinations and security issues.
Book a Demo

You will also like

LLM Security: 50+ adversarial attacks for AI Red Teaming

LLM Security: 50+ adversarial attacks for AI Red Teaming

Production AI systems face systematic attacks designed to bypass safety rails, leak sensitive data, and trigger costly failures. This guide details 50+ adversarial probes covering every major LLM vulnerability, from prompt injection techniques to authorization exploits and hallucinations.

View post
LLM Security in Finance: Top 10 adversarial attacks for AI in Banking

LLM Security in Finance: Top 10 adversarial attacks for AI in Banking

Production AI systems in the financial sector face highly targeted, systematic attacks designed to bypass compliance guardrails, execute unauthorized transactions, and leak sensitive customer data. This guide details the top 10 adversarial probes specific to AI in banking and finance, from complex CoT Forgeries to multi-turn Crescendo attacks.

View post
Who judges the LLM-as-a-Judge? Meta-Evaluation of an LLM vulnerability scanner

Who judges the LLM-as-a-Judge? Meta-Evaluation of an LLM vulnerability scanner

When your LLM vulnerability scanner detects a threat, it relies on an LLM judge to decide whether the attack succeeded. Using one LLM to evaluate another can bring some failures into your evaluation pipeline (false positives, model drift, or context blindness). This article walks through how we meta-evaluated our own LLM-as-a-judge using giskard-checks to freeze expected verdicts, replay attack traces, and detect evaluator regressions in CI.

View post
Get AI security insights in your inbox