ChatGPT Now Has Your Bank Account. Here's What to Ask Before Connecting AI to Anything.
OpenAI launched personal finance in ChatGPT the same week security researchers published findings on a tool-poisoning vulnerability affecting Claude, ChatGPT, and Cursor. 'Read-only' defines the permission, not the risk surface. Three questions worth answering before you connect AI to anything sensitive.
By Forge Team
Before you connect AI to a bank account, you're answering a security question even if it doesn't feel like one. The "read-only" label covers what the AI can do — not who else can see the data, what the tool does with it, or what happens when the connection itself gets compromised.
What changed this week
On May 15, OpenAI launched personal finance in ChatGPT. Pro subscribers can now link bank accounts and investment portfolios via Plaid and get an AI-generated financial dashboard. ChatGPT cannot move money or initiate trades — it reads and summarizes. The same week, security researchers published findings on a vulnerability called MCP tool-poisoning: malicious instructions embedded in hidden tool descriptions can change how an AI behaves with connected data, without the user seeing anything unusual. The vulnerability affects Claude, ChatGPT, and Cursor. (The Neuron and TLDR, May 11.)
"Read-only" defines the permission, not the risk surface. A tool that can read your bank data but cannot move money can still be directed to summarize it inaccurately, withhold certain transactions from view, or route data somewhere unexpected. Read-only plus poisoned instructions is a different kind of exposure than most people picture when they click "connect."
The same week, Anthropic's Claude for Small Business launched 15 pre-built agentic workflows connecting QuickBooks, PayPal, HubSpot, Canva, and DocuSign. (Anthropic, May 13.) Each integration is a new permission, a new data pathway, and a new potential attack surface. The tools are getting genuinely useful. The security calculus is getting more complex at the same rate.
Three questions before you connect anything sensitive
1. What can this connection read — and who sees that data beyond your session?
When you connect a Plaid-enabled bank account to ChatGPT, Plaid, OpenAI, and your session all have access to transaction history and balances. Check the privacy terms for how long data is retained and whether it's used for model training. This isn't about trust — it's about knowing what you agreed to.
2. Is this connection visible to the people responsible for your organization's security?
Personal finance in ChatGPT is set up by individual users, not IT departments. If you're connecting business accounts, your finance lead almost certainly doesn't know. Undocumented AI connections show up as surprises in security reviews and cyber insurance audits.
3. What's the risk if this tool's behavior changes unexpectedly?
MCP tool-poisoning means AI behavior can be altered by instructions you never wrote and may never see. If you've connected AI to a system you rely on for decisions — financial data, a CRM, project management — consider what you'd do if the summaries it produced were subtly wrong for weeks without triggering an error.
A finance director who asked before connecting
A finance director at a 180-person professional services firm was evaluating whether to link the firm's QuickBooks account to Claude for Small Business. The workflow was appealing: automatic monthly cash-flow summaries, invoice status briefings before partner meetings, accounts-receivable aging without manual exports.
Before connecting, she asked the IT lead three questions: what does Anthropic's data retention policy say about connected business tools? Does the firm's cyber insurance cover claims arising from AI tool integrations? If the summaries are wrong, how long before anyone notices?
She got answers to the first two. She couldn't answer the third — which is why she built a monthly manual check into the workflow before relying on it for partner briefings. She connected the tool. She kept the check.
Work through a permission audit for an AI tool integration before you connect it to any sensitive system.
Not every connection needs the same scrutiny
The counterpoint isn't "don't connect anything." Most AI-to-tool integrations are low-risk and genuinely useful, and treating every connection like a bank account creates friction that pushes teams away from AI for tasks where it works well.
An operations manager at a 40-person e-commerce brand connected Claude for Small Business to HubSpot and DocuSign. Neither integration touches financial data or customer payment information — they read deal records and generate draft contract language. The risk surface is narrow. He set up the connection without a formal review.
The discipline scales with what's at stake: the sensitivity of the data, whether the action is reversible, and whether the right people in your organization know the connection exists.
Rate the risk level of five AI tool connections using a consistent framework before deciding which ones need formal review.
The one question that changes Monday
"Read-only" is the start of the conversation, not the end of it. The useful question isn't whether an AI tool can act on your data — it's who else has visibility into the connection, what happens when the tool behaves unexpectedly, and whether the right people in your organization know it exists.
Decide which of three AI integration scenarios warrants a connected integration versus a manual process — and explain the reasoning.
Like this post?
Get the next one in your inbox. Practical AI skills, no filler.