Ghost in the Org Chart · If you can't name it, you can't govern it.

A FINRA examiner asks for a complete list of every AI agent in your production environment. What document do you produce?

Most US banks cannot produce this document.

By the time a human reviews the agent's final output, dozens of autonomous decisions have already executed. Your controls are reviewing ancient history.

Diagnostic Snapshot
EXPOSURE: CRITICAL

Agentic deployment velocity now outpaces visibility, leaving gaps: autonomous events that cannot be tracked.

600%: YoY agentic AI growth rate
80% of firms: lack of inventory visibility
0: comprehensive supervisory frameworks currently deployed

Diagnostic Indicator

Answer five quick yes/no indicators

Do agents in production use unique, non-human credentials?
Can you enumerate every autonomous process that executes trades, approvals, or customer-facing actions?
Are agent requests to production systems enforced by infrastructure-level boundaries rather than prompt instructions?
Does your audit trail clearly link actions to named agents (not just service accounts)?
Has any team deployed an AI agent without an architectural onboarding ticket?

Diagnostic Outcome

Low · Elevated · Critical

Regulatory Horizon

Signals from the supervisory horizon

FINRA · Jan 2026

"Autonomous AI agents may require novel oversight."

Translation: Ghosts have been confirmed.

OCC / FED / FDIC · Apr 2026

"Generative and agentic AI are not within the scope of this guidance."

Translation: Ghosts are now your problem.

IMF · Apr 2026

"Know Your Agent requirements proposed for financial bots."

Translation: International authorities are also reporting ghost sightings.

FCA / Bank of England / HMT · May 2026

"First joint statement on frontier AI risks and supervisory expectations."

Translation: The UK has confirmed ghosts crossed the Atlantic.


Organizational Archetypes

Identifying internal exposure sectors

The Optimist
"We don't have ghosts. We have AI productivity gains."
Ghost Density: High

The Deflector
"Our agents are just tools. They don't need special oversight."
Ghost Density: High

The Procrastinator
"We'll deal with this after the next deployment."
Ghost Density: Medium

The Pilot Hoarder
"We have dozens of isolated pilot agents. They're not in production."
Ghost Density: Medium

The Inventor
"We're building agent identity and authority scoping into the product spec from day one."
Ghost Density: Low

The Three Primitives

Foundational controls for agentic deployments

An Identity
Unique agent credentials and cryptographic provenance.

Every agent in production requires a verifiable, non-human identity — not a shared service account, not a developer's personal token.

Establish non-human identity registry

A Boundary
API-governed enforcement and strictly size-limited orchestration.

Agents operate within defined boundaries. Every external call, every approval chain, every data access is mediated by policy — not trust.

Deploy execution firewalls

A Visible Signal
Full immutable audit trail and agent-attributable logs.

When something happens, you know which agent did it, when, and under what authority. Ambiguity in the audit trail is a regulatory liability.

Enforce action-logging contracts