Liquibase has published an executive guide on governed database change for financial institutions, drawing on research from hundreds of engagements across the financial services sector.
The document focuses on what it describes as a persistent technology delivery gap: application code and infrastructure have become automated and auditable, while database changes often remain manual. It is aimed at Chief Information Officers, Chief Technology Officers, platform engineering leaders, database architects, and compliance teams.
The findings suggest that manual execution of database changes remains common across enterprise banks, regional institutions, credit unions, global insurers, payment processors, fintechs, and capital markets firms. The research argues this is not limited to less advanced organisations, but reflects a structural pattern across the sector.
That pattern often leaves database administrators handling routine changes through ticket-based workflows and direct execution in production environments. According to the guide, those processes can create gaps in policy checks, rollback planning, and audit records.
Compliance pressure is a major factor behind spending decisions in this area. Frameworks such as SOX, PCI DSS, SOC 2, and DORA were identified as key drivers as institutions move to address weaknesses in database governance.
The report also points to a broader operational issue inside large financial groups. Database administrator bottlenecks are becoming a focus of executive mandates aimed at removing routine change activity from manual handling.
Liquibase sets out a phased approach that starts with a small group of applications, then extends through a platform engineering model before wider deployment across the organisation. It also argues that governance strategies must account for the multi-database environments common in financial services, including Oracle, SQL Server, PostgreSQL, Snowflake, DynamoDB, and Databricks.
The company links the issue to a growing debate over artificial intelligence in software delivery, noting that institutions are adding AI tools while still relying on database processes built around human review and manual intervention.
Chris Steffen, Research VP, Enterprise Management Associates, commented on that risk in the guide.
"Financial institutions are entering a phase of AI adoption under a perilous assumption: that governance frameworks built for human-driven systems can simply be extended to autonomous agents," said Chris Steffen, Research VP, Enterprise Management Associates.
"That assumption is now clearly outdated. Governance that ends too early is a crucial misstep, one that leaves databases exposed to a kill chain that's now moving with unprecedented speed and lethality," said Steffen.
Operational gap
The guide describes a software delivery environment in which version control, automated testing, policy enforcement, and governed deployment are widely used for application code, while database changes continue to move through slower, less standardised controls. In that setting, organisations may need to reconstruct evidence for auditors after the event rather than produce it directly from a managed delivery process.
It also highlights concerns around schema drift, fragmented deployment tooling, and separation-of-duties requirements. Those issues have taken on greater weight as regulators and auditors place more emphasis on operational resilience, control evidence, and governance.
Ryan McCurdy, Vice President at Liquibase, said the mismatch between application and database delivery has become harder for financial institutions to defend.
"Every other layer of the software delivery pipeline has been automated, policy-driven, and made auditable," said Ryan McCurdy, Vice President at Liquibase.
"But at many financial institutions, database changes are still routed through tickets, manually reviewed, and directly executed in production. In today's regulatory environment, that is no longer simply inefficient. It is an operational and compliance exposure," said McCurdy.
Sector pressure
The document comes as banks, insurers, and payments groups face tighter scrutiny over resilience and change management. Database systems sit at the centre of customer records, transactions, and reporting, making them a sensitive point for both operational incidents and audit failures.
The guide includes an eight-principle target operating model for governed database change, a phased rollout plan, and a framework for assessing whether organisations should build governance controls internally or buy them from a supplier. It also sets out metrics financial leaders can use when making the investment case.
The research concludes that manual database changes remain the industry baseline, even where institutions have adopted modern software practices elsewhere in the delivery pipeline.