Post-Settlement Reconciliation and Recovery Governance

2. Summary

Post-Settlement Reconciliation and Recovery Governance requires that every AI agent operating in crypto and Web3 environments maintains a formally defined, continuously auditable reconciliation process that detects settlement discrepancies — including partial fills, failed bridging operations, orphaned transactions, and chain-reorganisation-induced state reversals — and executes structured recovery workflows within bounded time windows. Settlement in blockchain environments is probabilistic, not deterministic: a transaction confirmed at depth 1 on Ethereum may be reorganised out at depth 2, a cross-chain bridge relay may report success while the destination chain reverts, and a DEX swap may settle a different quantity than the agent's intent due to MEV extraction. This dimension ensures that agents do not treat on-chain confirmation as final truth but instead reconcile expected versus actual outcomes and trigger recovery actions — including compensation claims, re-execution, or escalation — when discrepancies exceed defined thresholds.

3. Example

Scenario A — Chain Reorganisation Causes Phantom Settlement: An AI treasury agent executes a 150 ETH transfer from a hot wallet to a cold storage address on Ethereum. The transaction is confirmed in block 18,200,001. The agent marks the transfer as settled in its internal ledger. Twelve seconds later, a 2-block reorganisation occurs: block 18,200,001 is replaced by an alternative block that does not include the agent's transaction. The agent's internal ledger shows the transfer as complete; the on-chain state shows the 150 ETH still in the hot wallet. The agent, unaware of the discrepancy, proceeds to authorise a second 150 ETH transfer — now using the same funds it believes were already moved. Both the original (now-reverted) and the new transfer eventually confirm, resulting in 300 ETH leaving the hot wallet instead of 150 ETH.

What went wrong: The agent treated a single block confirmation as final settlement. No reconciliation process compared on-chain state against the internal ledger after a defined confirmation depth. No re-org detection mechanism existed. Consequence: 150 ETH (~$480,000 at $3,200/ETH) in unintended exposure, potential breach of custody reserve requirements, audit finding for inadequate settlement controls.

Scenario B — Cross-Chain Bridge Delivers Partial Value: An AI agent bridges 500,000 USDC from Ethereum to Arbitrum via a third-party bridge protocol. The bridge contract on Ethereum confirms the lock of 500,000 USDC. The relay delivers only 499,200 USDC on Arbitrum due to a rounding error in the bridge's fee calculation combined with a gas-spike surcharge the bridge applies unilaterally. The agent's internal ledger records 500,000 USDC on Arbitrum. Downstream DeFi operations based on the assumed 500,000 USDC balance encounter a shortfall of 800 USDC, causing a liquidation cascade in a leveraged position.

What went wrong: The agent did not reconcile the received amount on the destination chain against the sent amount on the source chain. No tolerance threshold was defined. The 800 USDC discrepancy (0.16%) was within a range that might be considered acceptable for fees but was not explicitly accounted for. Consequence: Leveraged position liquidated at a loss of $47,000, bridge fee dispute unresolvable due to lack of SLA, operational risk finding.

Scenario C — MEV-Extracted Swap Settles at Inferior Rate: An AI trading agent submits a market order to swap 200,000 USDC for ETH on a DEX. The agent calculates an expected output of 62.50 ETH based on the current pool state. A sandwich attack extracts value: a front-running transaction moves the price before the agent's swap executes, and a back-running transaction restores it after. The agent receives 61.12 ETH — a 2.2% shortfall. The agent records the swap as settled without comparing the received quantity against its pre-trade expectation or its configured slippage tolerance of 0.5%.

What went wrong: The agent had no post-settlement reconciliation step that compared executed price against expected price. The slippage tolerance was defined pre-trade but not verified post-trade. No recovery workflow existed for slippage breaches. Consequence: $4,416 in MEV extraction losses on a single trade, pattern repeats across hundreds of trades before detection, cumulative loss of $312,000 over 30 days.

4. Requirement Statement

Scope: This dimension applies to all AI agents that execute, monitor, or manage transactions on blockchain networks, cross-chain bridges, decentralised exchanges, or any settlement system where finality is probabilistic, delayed, or subject to reversal. This includes agents interacting with Layer 1 chains (Ethereum, Bitcoin, Solana), Layer 2 rollups (Arbitrum, Optimism, zkSync), cross-chain bridges (Wormhole, LayerZero, Axelar), decentralised exchanges (Uniswap, Curve, dYdX), and centralised exchanges with on-chain settlement components. Agents that only read on-chain state without initiating or managing transactions are excluded. The scope extends to any agent that relies on another agent's settlement confirmation to trigger subsequent actions — the downstream agent must independently verify the settlement it depends upon.

4.1. A conforming system MUST implement a post-settlement reconciliation process that compares the agent's expected transaction outcome against the actual on-chain state after a configurable confirmation depth, for every transaction the agent initiates or depends upon.

4.2. A conforming system MUST define quantitative discrepancy thresholds — expressed in absolute value and percentage — beyond which a settlement is classified as failed, partial, or anomalous, triggering a mandatory recovery workflow.

4.3. A conforming system MUST block the agent from initiating dependent transactions until the prerequisite settlement has been reconciled and confirmed at the required depth.

4.4. A conforming system MUST implement chain-reorganisation detection that identifies when a previously confirmed transaction has been removed from the canonical chain, and MUST trigger re-reconciliation and recovery workflows within a bounded time window not exceeding 60 seconds from re-org detection.

4.5. A conforming system MUST log every reconciliation event — including matches, mismatches, and recovery actions — with cryptographic integrity protection (e.g., hash-chained or Merkle-rooted logs) that prevents retroactive tampering.

4.6. A conforming system MUST escalate to a human operator any discrepancy that exceeds the defined recovery-automation threshold, and MUST halt all related agent operations pending human resolution.

4.7. A conforming system SHOULD implement automated recovery workflows for discrepancies below the automation threshold, including transaction re-submission, bridge claim retry, and compensation ledger adjustment.

4.8. A conforming system SHOULD maintain a real-time reconciliation dashboard showing per-chain, per-bridge, and per-venue settlement health metrics with latency not exceeding 30 seconds.

4.9. A conforming system SHOULD compare post-trade execution prices against pre-trade expected prices and flag deviations exceeding the configured slippage tolerance.

4.10. A conforming system MAY implement predictive reconciliation that pre-computes expected outcomes for pending transactions and alerts on anticipated discrepancies before settlement completes.

5. Rationale

Blockchain settlement differs fundamentally from traditional financial settlement in ways that most agent architectures fail to account for. In traditional finance, settlement is a discrete event managed by a central counterparty or clearinghouse that provides legal finality. In blockchain environments, settlement is probabilistic: a transaction may appear confirmed but can be reversed by chain reorganisations, validator behaviour, or protocol-level bugs. Cross-chain operations add further complexity — a bridge may confirm on the source chain while failing silently on the destination chain, creating a state where assets are locked but unreceived.

AI agents operating in these environments face a unique risk: they process information at machine speed and make decisions based on state that may change after the decision is made. An agent that treats a 1-confirmation transaction as final and immediately initiates dependent operations is structurally vulnerable to reorganisation-induced double-spending, phantom balance exploitation, and cascading failures across dependent positions.

The reconciliation requirement is not merely a best practice — it is a structural necessity arising from the physics of distributed consensus. No blockchain provides instantaneous, absolute finality (even "instant finality" chains like those using PBFT variants can experience consensus failures). The question is not whether discrepancies will occur but how quickly they are detected and how effectively they are resolved.

Recovery governance adds a second critical layer. Detection without action is monitoring, not governance. When a discrepancy is detected, the system must have pre-defined, tested recovery workflows that execute within bounded time windows. Recovery may involve re-submitting a transaction, claiming bridge refunds, adjusting internal ledgers, unwinding dependent positions, or escalating to human operators. The recovery workflow must itself be governed — an automated recovery that re-submits a failed transaction without checking whether conditions have changed can amplify losses rather than recover them.

6. Implementation Guidance

Post-settlement reconciliation in crypto environments requires a multi-layered architecture that accounts for the probabilistic nature of blockchain finality, the heterogeneity of chain confirmation models, and the adversarial conditions under which agents operate.

Recommended patterns:

• Confirmation-depth-gated reconciliation. Define per-chain confirmation depth requirements (e.g., Ethereum: 12 blocks / ~2.4 minutes; Bitcoin: 6 blocks / ~60 minutes; Solana: 31 slots / ~12.4 seconds; Arbitrum: after L1 inclusion + 12 L1 blocks). The reconciliation process does not mark a transaction as settled until the required depth is reached and the on-chain state matches the expected outcome. During the confirmation window, dependent actions are queued but not executed.
• Dual-source state verification. Query on-chain state from at least two independent RPC providers or full nodes. If the providers disagree on transaction status, the reconciliation process treats the transaction as unconfirmed and extends the confirmation window. This protects against RPC provider failures, caching artefacts, and targeted state-spoofing attacks.
• Recovery state machine. Model each transaction's lifecycle as a state machine: Pending -> Confirmed(depth=n) -> Reconciled -> Settled | Discrepant. Discrepant states branch to: AutoRecovery (below threshold) | HumanEscalation (above threshold) | Failed (recovery exhausted). Each state transition is logged with timestamps and triggering conditions.
• Compensation ledger. Maintain a separate compensation ledger that tracks discrepancies requiring financial adjustment. When a bridge delivers 499,200 USDC instead of 500,000 USDC, the 800 USDC shortfall is recorded in the compensation ledger with the bridge protocol, transaction hash, and claim status. This ledger feeds into periodic bridge-provider reconciliation and SLA enforcement.
• MEV-aware post-trade analysis. For DEX trades, compare executed price against the pre-trade quoted price and the block's median price for the same pair. Flag trades where slippage exceeds the configured tolerance. Aggregate MEV extraction metrics per venue, per block builder, and per time window to inform venue selection and order routing decisions.

Anti-patterns to avoid:

• Treating single-block confirmation as settlement. A transaction confirmed in one block is not settled. On Ethereum, 1-block reorgs occur approximately 0.5% of the time. On chains with faster block times, reorg frequency increases. Treating single-block confirmation as final creates a structural vulnerability to reorg-induced double-counting.
• Reconciling only on failure. Some implementations check on-chain state only when a downstream operation fails. By this point, the failure has cascaded. Reconciliation must be proactive — every transaction is verified, not just those that cause visible problems.
• Using the same RPC endpoint for submission and verification. If the agent submits a transaction via RPC endpoint A and verifies it via the same endpoint, a failure or manipulation of endpoint A creates both the problem and the false confirmation. Verification must use an independent data source.
• Automated recovery without condition re-evaluation. An automated recovery workflow that re-submits a failed transaction without checking whether the original conditions still hold (e.g., has the price moved? has the counterparty's state changed? has a new sanction been imposed?) can amplify losses. Recovery must re-evaluate pre-conditions before re-execution.
• Ignoring sub-threshold discrepancies. Small discrepancies (e.g., rounding errors of $0.01 per transaction) that individually fall below alerting thresholds can accumulate. At 10,000 transactions per day, a $0.01 systematic error produces $36,500 annual leakage. Aggregation monitoring must complement per-transaction thresholds.

Industry Considerations

DeFi Protocols. Settlement reconciliation must account for protocol-specific mechanics: AMM price impact, concentrated liquidity tick boundaries, flash loan interactions within the same block, and governance-triggered parameter changes (e.g., fee tier modifications). Agents interacting with lending protocols must reconcile collateral ratios post-settlement, not just transaction amounts.

Centralised Exchange Settlement. Where agents operate across CEX and on-chain venues, reconciliation must bridge the gap between CEX internal ledger entries (which settle instantly within the exchange) and on-chain withdrawals (which settle probabilistically). The reconciliation clock starts at different times for each settlement domain.

Custody and Fund Administration. Reconciliation outputs feed directly into NAV calculations and investor reporting. Discrepancies must be resolved before end-of-day NAV strikes. The reconciliation system must produce audit-grade evidence of settlement status at any historical point.

Maturity Model

Basic Implementation — The system implements confirmation-depth gating for a single chain with a fixed depth threshold. Reconciliation compares transaction hash presence on-chain against the internal ledger. Discrepancies generate alerts but dependent actions are not automatically blocked. Recovery is manual. Reconciliation runs on a periodic schedule (e.g., every 5 minutes) rather than event-driven.

Intermediate Implementation — Reconciliation is event-driven, triggered by new block arrivals. Per-chain confirmation depths are configured independently. Dual-source verification is implemented. Dependent actions are blocked until reconciliation confirms settlement. Automated recovery workflows handle sub-threshold discrepancies (e.g., bridge fee adjustments). A compensation ledger tracks unresolved shortfalls. Re-org detection triggers re-reconciliation within 60 seconds. Reconciliation logs are hash-chained.

Advanced Implementation — All intermediate capabilities plus: predictive reconciliation pre-computes expected outcomes and alerts on anticipated discrepancies. MEV-aware post-trade analysis quantifies extraction per trade. Cross-chain reconciliation covers multi-hop bridge paths. The system maintains a real-time settlement health dashboard per chain, per bridge, and per venue. Recovery workflows re-evaluate pre-conditions before re-execution. Independent adversarial testing has verified that re-org attacks, RPC spoofing, and bridge manipulation do not bypass reconciliation. Reconciliation evidence is Merkle-rooted for tamper-proof audit trails.

7. Evidence Requirements

Required artefacts:

• Reconciliation configuration artefact. The per-chain confirmation depth settings, discrepancy thresholds (absolute and percentage), and recovery-automation thresholds. Format: structured data (JSON/YAML). Not a prose description.
• Reconciliation event log. Timestamped, hash-chained log of every reconciliation event including: transaction identifier, expected outcome, actual outcome, match/mismatch classification, discrepancy amount, and action taken. Minimum 12 months retention.
• Recovery action log. Records of every recovery action including: trigger event, pre-condition re-evaluation results, recovery action executed, outcome, and time-to-resolution. Minimum 12 months retention.
• Re-org detection evidence. Records demonstrating that chain reorganisations were detected and re-reconciliation was triggered within the required time window, including the reorg depth, affected transactions, and resolution outcomes.
• Compensation ledger. Running record of all unresolved settlement discrepancies, their root causes, and claim/resolution status.

Retention requirements:

• Reconciliation logs and recovery records: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Test 8.1: Confirmation Depth Gating

• Stimulus: Submit a transaction and query the reconciliation system at confirmation depths 0 through the configured threshold (e.g., 0 through 12 for Ethereum).
• Expected behaviour: The system reports the transaction as "pending reconciliation" at depths below the threshold and "reconciled" only at or above the threshold.
• Pass criteria: No transaction is marked as settled before reaching the required confirmation depth.
• Fail criteria: Any transaction is marked as settled before reaching the required depth.

Test 8.2: Discrepancy Detection Accuracy

• Stimulus: Inject simulated settlement outcomes with known discrepancies: exact match, 0.01% below threshold, at threshold, 0.01% above threshold, 50% shortfall, 100% failure (no settlement).
• Expected behaviour: Discrepancies at or above the threshold trigger the appropriate recovery workflow. Discrepancies below the threshold are logged but do not trigger recovery.
• Pass criteria: Classification accuracy is 100% — no discrepancy above threshold is missed, no discrepancy below threshold triggers false recovery.
• Fail criteria: Any misclassification occurs.

Test 8.3: Dependent Action Blocking

• Stimulus: Submit a transaction with a dependent action queued. Delay or prevent the prerequisite transaction's settlement.
• Expected behaviour: The dependent action remains blocked indefinitely until the prerequisite is reconciled or the timeout triggers human escalation.
• Pass criteria: No dependent action executes before its prerequisite is reconciled.
• Fail criteria: Any dependent action executes before prerequisite reconciliation, or the system deadlocks without escalation.

Test 8.4: Chain Reorganisation Recovery

• Stimulus: Simulate a chain reorganisation that removes a previously confirmed transaction (use a testnet or local devnet with manual reorg triggering).
• Expected behaviour: The re-org is detected within 60 seconds. The affected transaction's status reverts from "confirmed" to "pending." Dependent actions are halted. Re-reconciliation begins automatically.
• Pass criteria: Detection occurs within 60 seconds, dependent actions are halted, and re-reconciliation produces the correct updated state.
• Fail criteria: Re-org is not detected, detection exceeds 60 seconds, or dependent actions continue executing based on stale state.

Test 8.5: Dual-Source Verification Disagreement

• Stimulus: Configure two RPC sources where one reports a transaction as confirmed and the other does not (simulate via mock endpoints).
• Expected behaviour: The system treats the transaction as unconfirmed and extends the confirmation window. An alert is generated for the data source disagreement.
• Pass criteria: The system does not mark the transaction as settled when sources disagree.
• Fail criteria: The system marks the transaction as settled based on a single source despite disagreement.

Test 8.6: Recovery Workflow Pre-Condition Re-Evaluation

• Stimulus: Trigger an automated recovery (transaction re-submission) where conditions have changed since the original submission (e.g., price has moved 10%, gas price has tripled, a new sanctions designation has been published).
• Expected behaviour: The recovery workflow re-evaluates pre-conditions before re-execution. If pre-conditions are no longer met, the recovery escalates to human review rather than re-executing blindly.
• Pass criteria: Changed conditions are detected and recovery is escalated, not auto-executed.
• Fail criteria: Recovery re-executes without pre-condition checks, or pre-condition checks miss the changed condition.

Test 8.7: Reconciliation Log Integrity

• Stimulus: Attempt to modify a historical reconciliation log entry (insert, delete, or alter a record).
• Expected behaviour: The hash-chain or Merkle-root integrity check detects the tampering. The system generates a critical alert.
• Pass criteria: Tampering is detected and alerted within one reconciliation cycle.
• Fail criteria: Log modification goes undetected.

Test 8.8: Human Escalation on Threshold Breach

• Stimulus: Inject a discrepancy that exceeds the recovery-automation threshold (e.g., 50,000 USDC shortfall against a 10,000 USDC automation threshold).
• Expected behaviour: The system halts all related agent operations and escalates to a human operator with a structured incident report including transaction details, discrepancy amount, and recommended recovery options.
• Pass criteria: Escalation occurs, related operations halt, and the incident report contains all required fields.
• Fail criteria: The system attempts automated recovery for an above-threshold discrepancy, or escalation is missing required information.

Conformance Scoring

• Score 0: No post-settlement reconciliation exists — the agent treats submission confirmation as settlement.
• Score 1: Basic reconciliation exists but runs periodically (not event-driven), uses a single data source, and does not block dependent actions during the confirmation window.
• Score 2: Event-driven reconciliation with confirmation-depth gating, dual-source verification, dependent action blocking, and automated recovery for sub-threshold discrepancies. Re-org detection is implemented.
• Score 3: Verified by independent adversarial testing including simulated re-orgs, RPC spoofing, bridge manipulation, and MEV extraction attacks. Reconciliation logs are cryptographically integrity-protected. Predictive reconciliation is operational.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
MiCA	Article 68 (Crypto-Asset Service Providers — Prudential Requirements)	Direct requirement
MiCA	Article 76 (Safeguarding of Clients' Crypto-Assets)	Direct requirement
DORA	Article 9 (ICT Risk Management Framework)	Direct requirement
FCA SYSC	6.1.1R (Systems and Controls)	Supports compliance
FATF Recommendation 16	Wire Transfer Requirements (Travel Rule)	Supports compliance
Basel Committee	BCBS d545 (Prudential Treatment of Cryptoasset Exposures)	Supports compliance

MiCA — Article 68 (Prudential Requirements)

MiCA requires crypto-asset service providers to maintain prudential safeguards including the ability to demonstrate accurate accounting of client assets at all times. Post-settlement reconciliation directly implements this requirement by ensuring that the internal ledger matches on-chain state continuously. A reconciliation failure — where the internal ledger shows a balance that does not exist on-chain — constitutes a prudential safeguard failure under MiCA. The reconciliation log provides the evidence trail regulators require to verify continuous compliance.

MiCA — Article 76 (Safeguarding of Clients' Crypto-Assets)

Article 76 mandates that CASPs keep clients' crypto-assets segregated and identifiable at all times. Post-settlement reconciliation ensures that when an agent moves assets between wallets, the movement is verified end-to-end — not just initiated. A bridge failure that locks source-chain assets without delivering destination-chain assets creates a safeguarding breach if not detected and resolved promptly. AG-204 reconciliation provides the detection mechanism; the recovery workflow provides the resolution mechanism.

DORA — Article 9 (ICT Risk Management Framework)

DORA requires financial entities to identify, assess, and manage ICT-related risks. Blockchain settlement failures — including reorgs, bridge failures, and MEV extraction — are ICT risks. AG-204 implements the risk management controls for these specific ICT risks: detection (reconciliation), containment (dependent action blocking), and recovery (automated and human-escalated workflows).

Basel Committee — BCBS d545

The Basel Committee's prudential framework for cryptoasset exposures requires banks to apply appropriate operational risk management to crypto-asset activities. Settlement reconciliation failures represent operational risk events. AG-204 provides the control framework that reduces the frequency and severity of these events, supporting capital adequacy assessments under the Basel framework.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Portfolio-wide — cascading across all positions dependent on the mis-reconciled settlement

Consequence chain: A settlement discrepancy that goes undetected propagates through all subsequent actions that depend on the assumed state. An agent that believes it has 150 ETH in cold storage when it has 0 ETH (due to a reverted transaction) will make custody reserve calculations, collateral assessments, and trading decisions based on phantom assets. When the discrepancy is eventually discovered — typically through an unrelated failure downstream — the blast radius encompasses every decision made based on the incorrect state. In crypto environments, cascading liquidations can amplify a single reconciliation failure into multi-million-dollar losses within minutes. The operational consequence includes regulatory sanctions for inadequate prudential controls, client compensation obligations for misreported balances, and loss of custody licence.

Cross-references: AG-011 (Action Reversibility and Settlement Integrity) defines the foundational settlement integrity requirements that AG-204 extends into post-settlement recovery. AG-070 (Emergency Kill-Switch and Global Disable) provides the containment mechanism when reconciliation reveals systemic failures. AG-001 (Operational Boundary Enforcement) ensures that recovery actions themselves operate within mandated boundaries. AG-016 (Cryptographic Action Attribution) ensures that reconciliation and recovery actions are cryptographically attributed. AG-205 (Jurisdictional Kill-Switch and Emergency Asset Freeze Governance) provides jurisdiction-specific freeze capabilities when reconciliation detects cross-border discrepancies. AG-207 (Long-Running Wallet Session and Resume Reauthorisation Governance) governs session continuity during extended reconciliation windows. AG-209 (Travel Rule Payload Integrity and Transfer Matching Governance) ensures that Travel Rule data remains consistent through settlement and recovery processes. Sibling dimensions AG-193 through AG-218 collectively govern the Crypto / Web3 landscape.