This study addresses the unique security threats faced by AI systems in financial automation, noting a critical gap in existing research: the lack of systematic analysis accounting for domain-specific constraints such as accounting plausibility, non-IID federated data, and continuous retraining. To bridge this gap, the work proposes the first lifecycle-centered unified framework, partitioning financial AI into three phases—training and updating, deployment and inference, and operational monitoring—and introduces a comprehensive taxonomy of AI security and robustness tailored to fintech, encompassing 17 attack types (e.g., data poisoning, adversarial decision boundary attacks, large model prompt injection, and deepfake-based KYC bypass). Through lifecycle modeling, attack vector classification, and impact assessment, the paper systematically uncovers phase-specific vulnerabilities and risk propagation mechanisms, identifies open challenges, and outlines a research agenda for domain-specific robustness benchmarks and stress testing.

Artificial intelligence is now embedded as a primary decision engine in continuously operated financial AI pipelines spanning training and updating, deployment and inference, and operation with monitoring and feedback. The automation and scale that make these pipelines effective also create novel attack surfaces, where small algorithmic perturbations can amplify into persistent, system-level financial harm. Existing surveys, however, either treat AI as a defensive tool or analyse adversarial machine learning in a domain-agnostic manner, abstracting away finance-specific constraints such as accounting plausibility, non-IID federated data, continuous retraining, and automation-amplified downstream effects. We address this gap with a unified, lifecycle-centric and mechanism-driven framework. We partition financial AI into three lifecycle stages: training and updating, deployment and inference, and operation, monitoring, and feedback. We further propose the Financial AI Security and Robustness Taxonomy, organising seventeen attack subtypes across data and model poisoning, adversarial attacks on decision boundaries, prompt injection in LLM-mediated workflows, and deepfake-driven subversion of KYC verification layers. For each subtype, we analyse algorithmic strategy, feasibility constraints, stealth and persistence, and downstream financial consequences. Finally, we identify open challenges and outline a research agenda toward lifecycle-aware stress testing and finance-relevant robustness benchmarks.