Promotion Eligibility Integrity Governance

2. Summary

Promotion Eligibility Integrity Governance requires that AI agents responsible for determining, applying, or communicating promotional offers to consumers do so with verifiable accuracy, ensuring that no consumer is wrongly included in a promotion they do not qualify for or wrongly excluded from a promotion they are entitled to receive. Incorrect eligibility determinations cause direct consumer harm — overcharging consumers who should have received a discount, extending unauthorised discounts that distort competitive markets, or creating discriminatory exclusion patterns that disproportionately affect protected groups. This dimension mandates that eligibility logic is documented, testable, and auditable; that eligibility decisions are logged with full reasoning chains; and that systematic monitoring detects drift, bias, and error in promotion targeting across all consumer segments.

3. Example

Scenario A — Stale Eligibility Rules Exclude Entitled Consumers: A national grocery retailer deploys an AI agent to manage promotional offers across its mobile application and online store. The agent determines eligibility for a "New Parent Discount" programme offering 15% off baby products for customers who have purchased infant formula within the past 90 days. The eligibility rule references a product category table that was last updated 5 months ago. During those 5 months, the retailer added 34 new infant formula products under a different category code. The agent correctly checks purchase history but fails to match the new products because the category mapping is stale. Over 11 weeks, 23,400 qualifying customers are denied the discount. Average basket size for affected customers is £47, and the missed discount averages £7.05 per transaction. Total consumer harm: approximately £164,970 in discounts that should have been applied. Customer complaints increase 340% in the baby products category. When the root cause is identified, the retailer faces remediation costs of £215,000 including retrospective refunds, system fixes, and regulatory correspondence.

What went wrong: The eligibility rule depended on a product category mapping that was not synchronised with the product catalogue. The agent had no mechanism to detect that its reference data was stale, no reconciliation process between the eligibility rule inputs and the underlying data sources, and no monitoring for anomalous exclusion rates. A simple time-based staleness check on the category table would have flagged the divergence within days.

Scenario B — Feature Encoding Error Creates Discriminatory Inclusion: An online fashion retailer uses an AI agent to allocate a "Premium Member Flash Sale" to the top 20% of customers by predicted lifetime value. The lifetime value model uses 14 features including purchase frequency, average order value, return rate, and geographic region. A data pipeline change encodes the geographic region field incorrectly, mapping three postal districts serving predominantly ethnic minority communities to a "low-density rural" category that the model associates with lower lifetime value. The model systematically under-predicts lifetime value for 41,000 customers in those districts, excluding 8,200 customers who would otherwise qualify for the flash sale. The exclusion rate for affected postal districts is 73%, compared to 52% for comparable non-affected districts. The retailer does not detect the disparity for 4 months because eligibility monitoring does not segment by protected characteristics or geographic proxies. A consumer advocacy group files a complaint with the equality regulator, citing indirect discrimination under the Equality Act 2010. The retailer faces a formal investigation, £380,000 in legal and compliance costs, and significant reputational damage.

What went wrong: The eligibility determination depended on a machine learning model whose input pipeline was not validated after a data change. No fairness monitoring checked eligibility rates across demographic segments or geographic proxies. The agent applied the model's output as eligibility decisions without any disparity detection layer. The 4-month detection gap amplified both the consumer harm and the regulatory exposure.

Scenario C — Promotion Stacking Logic Grants Unintended Discounts: A consumer electronics retailer runs three concurrent promotions: a 10% site-wide summer sale, a £50 trade-in credit for returning old devices, and a 5% loyalty member discount. The promotions are designed to be non-stackable — customers should receive the single best discount. The AI agent managing checkout applies promotions sequentially rather than evaluating the best single offer, allowing all three to stack. For a £999 laptop, a customer receives the 10% discount (£99.90), then the £50 trade-in credit (applied to the discounted price), then the 5% loyalty discount on the remaining amount — a total discount of £189.41 instead of the intended maximum of £99.90. Over a weekend flash sale period, 6,700 transactions receive stacked discounts, costing the retailer £597,000 in unintended margin erosion. The retailer cannot claw back the excess discounts because the prices were displayed and confirmed at checkout, creating a binding contract.

What went wrong: The agent's promotion application logic was sequential rather than evaluative, and the non-stacking business rule was not encoded as a hard constraint. No pre-execution validation checked the combined discount against maximum discount thresholds. No real-time monitoring flagged the anomalous average discount rate during the sale period.

4. Requirement Statement

Scope: This dimension applies to any AI agent that participates in determining, filtering, applying, or communicating promotional offers to consumers. This includes agents that evaluate customer eligibility for targeted promotions, agents that apply discounts or credits at checkout, agents that personalise promotional content or pricing, and agents that manage promotional campaign targeting lists. The scope covers both inclusion decisions (which consumers receive a promotion) and exclusion decisions (which consumers do not). It applies regardless of the promotion mechanism — percentage discounts, fixed-value coupons, free shipping offers, loyalty point bonuses, bundle deals, flash sales, or any other promotional instrument. Agents that merely display universally available promotions without any eligibility filtering are minimally affected but must still ensure accurate display of terms and conditions. Cross-border agents must account for jurisdiction-specific consumer protection rules that may impose additional eligibility transparency requirements.

4.1. A conforming system MUST maintain a machine-readable eligibility rule set for every active promotion, specifying the precise inclusion and exclusion criteria, the data sources referenced by each criterion, and the effective date range.

4.2. A conforming system MUST validate eligibility rule inputs against their source data systems at a defined frequency (recommended: at least daily for product and customer data, and on every campaign activation for campaign-specific parameters), detecting and alerting on data staleness, schema changes, or missing values that would compromise eligibility accuracy.

4.3. A conforming system MUST log every eligibility decision with sufficient detail to reconstruct the decision, including the customer identifier (pseudonymised where required), the promotion identifier, the eligibility rule version applied, the input values evaluated, the decision outcome (eligible/ineligible), and a timestamp.

4.4. A conforming system MUST enforce promotion combination rules as hard constraints, preventing unintended stacking, sequencing, or compounding of discounts beyond defined maximum discount thresholds.

4.5. A conforming system MUST implement fairness monitoring that measures eligibility and exclusion rates across protected characteristic groups or their statistical proxies (e.g., geographic region, language preference), detecting disparities that exceed defined thresholds (recommended: exclusion rate disparity no greater than 10 percentage points between comparable demographic segments without documented business justification).

4.6. A conforming system MUST provide consumers with a clear explanation of why they were determined ineligible for a specific promotion upon request, referencing the specific criterion or criteria that were not met, consistent with AG-452 (Counterfactual Explanation Governance).

4.7. A conforming system MUST implement anomaly detection on aggregate eligibility outcomes, triggering alerts when inclusion or exclusion rates deviate from expected baselines by more than a defined threshold (recommended: 15% relative deviation from the historical or projected baseline for any promotion).

4.8. A conforming system SHOULD implement pre-launch eligibility simulation that evaluates the eligibility rule set against a representative sample of the customer base before campaign activation, verifying that the expected inclusion and exclusion rates align with business intent.

4.9. A conforming system SHOULD implement real-time discount value monitoring that tracks the average applied discount per transaction during active promotions, alerting when the average exceeds expected values by more than a defined margin.

4.10. A conforming system MAY implement counterfactual eligibility analysis that periodically evaluates whether consumers who were excluded from promotions would have been eligible under alternative reasonable rule configurations, identifying rule fragility or over-sensitivity.

5. Rationale

Promotional offers are among the most common and most visible interactions between businesses and consumers. When an AI agent determines promotion eligibility, it is making a decision that directly affects the price a consumer pays, the value they receive, and — in aggregate — the fairness of the marketplace. Errors in eligibility determination are not merely operational inefficiencies; they are consumer harms with regulatory, legal, and reputational consequences.

The regulatory landscape treats promotion eligibility with increasing seriousness. The EU Omnibus Directive requires that price reductions be calculated from the lowest price offered in the prior 30 days, and AI agents that misapply this calculation expose the organisation to enforcement action. The UK Consumer Rights Act 2015 and the Consumer Protection from Unfair Trading Regulations 2008 prohibit misleading commercial practices, which includes systematically offering promotions to consumers who do not qualify or denying promotions to consumers who do. The FCA Consumer Duty, applicable to financial promotions, requires that communications are fair, clear, and not misleading — a standard that extends to automated eligibility determinations for financial product promotions. In the United States, the FTC Act Section 5 prohibits unfair or deceptive practices, and state-level consumer protection statutes impose additional requirements on promotional accuracy.

Beyond direct consumer protection regulation, promotion eligibility intersects with anti-discrimination law. When AI-driven eligibility determinations systematically exclude consumers based on characteristics correlated with protected attributes — as in Scenario B — the organisation faces liability under the Equality Act 2010 (UK), the Equal Credit Opportunity Act (US), or equivalent frameworks. The indirect discrimination risk is acute because AI models used for eligibility prediction often incorporate features that serve as proxies for protected characteristics without any deliberate discriminatory intent. Geographic region, device type, browsing behaviour, and purchase history can all correlate with race, age, disability, or socioeconomic status. Without explicit fairness monitoring, discriminatory patterns emerge invisibly.

The economic harm from eligibility errors flows in both directions. Over-inclusion — granting promotions to ineligible consumers — erodes margins and can constitute financial misstatement if promotional costs are material. Under-inclusion — denying promotions to eligible consumers — generates customer complaints, reduces satisfaction and retention, and creates regulatory exposure. Both directions of error undermine the commercial purpose of the promotion and the consumer trust that promotions are designed to build. AI agents introduce specific risks that manual promotion management does not: speed of execution (an error affects thousands of customers before human review is possible), dependency on upstream data pipelines (eligibility rules are only as accurate as their input data), and opacity of decision logic (particularly when eligibility incorporates machine learning predictions rather than deterministic rules).

The requirement for logged, explainable eligibility decisions reflects a fundamental principle: if the organisation cannot explain why a specific consumer was included or excluded, it cannot defend the decision to a regulator, resolve a consumer complaint, or identify systematic errors. Eligibility logging is not a record-keeping overhead; it is the minimum infrastructure required for accountability in automated promotion management.

6. Implementation Guidance

Promotion Eligibility Integrity Governance requires a structured approach to managing the complete lifecycle of promotional eligibility — from rule definition through execution to post-campaign audit. The core principle is that eligibility logic must be explicit, testable, and monitored, not implicit in model behaviour or buried in application code.

Recommended patterns:

• Centralised eligibility rule engine. Maintain all promotion eligibility rules in a single, version-controlled repository with a consistent schema. Each rule should specify its data dependencies, combination constraints, and expected population impact. The centralised engine serves as the single source of truth for what promotions exist, who qualifies, and how promotions interact. This prevents the fragmentation that leads to stacking errors (Scenario C) and makes rule auditing practical.
• Input data freshness monitoring. Implement automated checks that verify the freshness and integrity of every data source referenced by eligibility rules. For product catalogues, verify that the category mapping used in eligibility rules matches the current live catalogue. For customer data, verify that segmentation attributes are current. When a data source is stale beyond a defined threshold, the eligibility engine should flag affected promotions for review rather than silently applying rules against outdated data. This directly addresses Scenario A.
• Demographic disparity dashboards. Build monitoring that continuously tracks eligibility rates segmented by geographic region, device type, account age, and other attributes that may serve as proxies for protected characteristics. Statistical disparity tests (e.g., the four-fifths rule or chi-squared tests) should run automatically on each promotion cycle, flagging promotions where exclusion rates diverge significantly between segments. This directly addresses Scenario B and provides early warning of indirect discrimination.
• Maximum discount circuit breakers. Implement hard limits on the total discount that can be applied to any single transaction, regardless of how many promotions are theoretically applicable. The circuit breaker should fire before the final price is presented to the consumer, preventing stacking errors from becoming binding price commitments. This directly addresses Scenario C.
• Pre-launch dry runs. Before activating any promotion, run the eligibility rules against a representative sample (recommended: at least 5% of the eligible population or 10,000 customers, whichever is larger) to verify that inclusion and exclusion rates match expectations. Review the demographic distribution of the simulated eligible population before launch. This catches rule errors, data issues, and unintended demographic skew before they affect real consumers.

Anti-patterns to avoid:

• Eligibility rules embedded in application code. Hardcoding eligibility logic in checkout or marketing application code, without a separate rule definition layer. This makes rules unauditable, untestable in isolation, and invisible to governance processes.
• Sequential promotion application without global evaluation. Applying promotions one at a time in sequence rather than evaluating all applicable promotions simultaneously and selecting the optimal combination within business constraints. Sequential application is the root cause of most stacking errors.
• Post-hoc fairness review only. Checking for demographic disparities only after a campaign has concluded, rather than monitoring during execution. Post-hoc review identifies harm but does not prevent it. Real-time or near-real-time monitoring enables intervention while the promotion is still active.
• Relying on customer complaints to detect exclusion errors. Many affected consumers will not complain — they will simply not know they were eligible. Complaint-driven detection systematically underestimates the scale of exclusion errors and creates survivorship bias in error tracking.
• Eligibility explanations that cite opaque model scores. Telling a consumer "you were ineligible because your score was 0.43 and the threshold is 0.50" does not constitute a meaningful explanation. Explanations must reference understandable criteria: "you were ineligible because your account was created fewer than 30 days ago and this promotion requires a 30-day account history."

Industry Considerations

Retail and E-Commerce. Retailers running dozens of concurrent promotions face particular complexity in combination rules and stacking constraints. The volume of eligibility decisions — potentially millions per day during peak sale periods — requires automated monitoring with statistical thresholds rather than manual review. Flash sales and time-limited offers create urgency that compresses the window for pre-launch validation. Retailers should implement always-on circuit breakers for maximum discount values and maintain pre-validated rule templates for recurring promotion types.

Financial Services. Promotional offers on financial products (introductory interest rates, fee waivers, cashback on credit cards) are subject to financial promotion regulations including the FCA Consumer Duty, MCOB for mortgage promotions, and BCOBS for banking products. Eligibility errors in financial promotions can constitute mis-selling. Financial promotions must be fair, clear, and not misleading — an AI agent that includes a customer in a promotional rate they do not qualify for creates a mis-selling risk, while one that excludes a qualifying customer denies them a benefit they were entitled to. Eligibility logging and explanation requirements are non-negotiable in financial services.

Telecommunications and Subscription Services. Promotional offers for subscription plans (discounted first month, bundle upgrades, loyalty retention offers) interact with complex contract terms. Eligibility errors can create contractual disputes if a promotional price is offered and accepted but the customer does not actually qualify. Agents must validate eligibility before presenting the offer, not after the customer has accepted.

Maturity Model

Basic Implementation — The organisation maintains documented eligibility rules for all active promotions, logs eligibility decisions with input values and outcomes, and enforces promotion combination rules as hard constraints. Maximum discount circuit breakers prevent stacking beyond defined limits. Input data freshness is checked at least daily. This level meets the minimum mandatory requirements and prevents the most damaging error patterns.

Intermediate Implementation — All basic capabilities plus: pre-launch eligibility simulation validates rules against a representative customer sample before activation. Fairness monitoring tracks eligibility rates across demographic proxy segments with automated disparity alerting. Real-time discount value monitoring detects anomalous average discounts during active campaigns. Consumer-facing eligibility explanations reference specific understandable criteria. Anomaly detection alerts when inclusion or exclusion rates deviate from baselines.

Advanced Implementation — All intermediate capabilities plus: counterfactual eligibility analysis identifies rule fragility and near-miss populations. Dynamic eligibility rule testing uses shadow-mode evaluation of rule changes against live traffic before deployment. Cross-campaign impact analysis detects interactions between concurrent promotions that individual campaign analysis would miss. Independent third-party audit of eligibility fairness is conducted annually. Eligibility decision provenance chains link every decision to its rule version, data version, and model version for full reproducibility.

7. Evidence Requirements

Required artefacts:

• Eligibility rule repository. The complete, version-controlled set of eligibility rules for all active and recently concluded promotions, including data source references, combination constraints, and effective date ranges.
• Eligibility decision logs. Structured logs of eligibility decisions with customer identifiers (pseudonymised), promotion identifiers, rule versions, input values, outcomes, and timestamps. Logs must support reconstruction of any individual decision.
• Promotion combination constraint documentation. Documentation of all combination rules, maximum discount thresholds, and stacking prevention mechanisms, with evidence of enforcement.
• Fairness monitoring reports. Periodic reports showing eligibility and exclusion rates segmented by demographic proxy attributes, with disparity analysis and any remediation actions taken.
• Input data freshness validation records. Logs showing data freshness checks, including any staleness alerts and the actions taken in response.
• Pre-launch simulation results. For each promotion, the results of pre-launch eligibility simulation including expected vs. actual inclusion rates and demographic distribution review.
• Anomaly detection alert history. Records of all anomaly alerts generated during active promotions, including the alert trigger, investigation outcome, and any remediation actions.

Retention requirements:

• Eligibility decision logs and fairness monitoring reports: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.
• Eligibility rule versions: retained for the full retention period of the decision logs that reference them.

Access requirements:

• Producible to regulators, auditors, or consumer dispute resolution bodies within 48 hours of request.
• Individual consumer eligibility decision records producible to the affected consumer upon subject access request within statutory timeframes (30 days under UK GDPR).

8. Test Specification

Test 8.1: Eligibility Rule Accuracy Under Data Freshness Degradation

• Stimulus: Deploy a promotion with eligibility rules referencing a product category table. Update the product catalogue to add 20 new products under a new category code without updating the eligibility rule's category mapping. Submit 50 eligibility queries for customers whose qualifying purchases involve only the new products.
• Expected behaviour: The data freshness validation mechanism detects that the category mapping is stale relative to the product catalogue. An alert is generated. The 50 customers are either correctly evaluated (if the mapping is auto-updated) or flagged for manual review (if the staleness alert triggers a hold).
• Pass criteria: Data staleness is detected and alerted within the defined freshness check interval. No customer is silently denied a promotion they qualify for due to stale reference data.
• Fail criteria: The 50 customers are denied the promotion without any staleness alert, or the data freshness check does not detect the catalogue divergence.

Test 8.2: Promotion Stacking Prevention

• Stimulus: Configure three concurrent promotions: a 10% category discount, a £25 fixed credit, and a 5% loyalty discount. Define a non-stacking rule specifying that only the single highest-value discount applies. Submit 30 transactions where all three promotions are theoretically applicable, with varying basket values (£50, £200, £500, £1,000).
• Expected behaviour: For each transaction, only the single highest-value discount is applied. The maximum discount circuit breaker prevents any transaction from receiving more than one discount. The applied discount matches the mathematically best single offer for the customer.
• Pass criteria: 100% of transactions receive exactly one discount — the highest-value applicable option. No stacking occurs. Total discount per transaction does not exceed the single-best offer value.
• Fail criteria: Any transaction receives more than one discount, or the applied discount exceeds the intended maximum for any single promotion.

Test 8.3: Demographic Disparity Detection

• Stimulus: Deploy a promotion using a predictive eligibility model. Inject a known bias into the model's input data such that customers from three specific postal districts are excluded at a rate 25 percentage points higher than comparable districts (simulating the encoding error in Scenario B). Run the promotion against a test population of 10,000 customers.
• Expected behaviour: The fairness monitoring system detects the disparity between the affected postal districts and comparable districts. An alert is generated identifying the specific segments with anomalous exclusion rates.
• Pass criteria: The disparity is detected and alerted within the first monitoring cycle after campaign activation. The alert identifies the affected segments and quantifies the disparity magnitude.
• Fail criteria: The disparity is not detected, or the detection takes longer than two monitoring cycles, or the alert does not identify the affected segments.

Test 8.4: Eligibility Decision Logging Completeness

• Stimulus: Process 100 eligibility decisions across 5 different promotions, including 60 inclusion decisions and 40 exclusion decisions. After processing, query the eligibility decision log for all 100 decisions.
• Expected behaviour: All 100 decisions are logged with complete records: customer identifier, promotion identifier, rule version, all input values evaluated, the decision outcome, and a timestamp. No records are missing or incomplete.
• Pass criteria: 100% of decisions are logged. Each log entry contains all required fields. Any individual decision can be fully reconstructed from the log entry.
• Fail criteria: Any decision is missing from the log, or any log entry is missing required fields, or any decision cannot be reconstructed from its log entry.

Test 8.5: Consumer Eligibility Explanation Quality

• Stimulus: Generate 20 exclusion decisions across different promotions with varying exclusion reasons (account age too recent, purchase history insufficient, geographic restriction, product category mismatch, spend threshold not met). Request an eligibility explanation for each excluded consumer.
• Expected behaviour: Each explanation references the specific criterion or criteria not met, using language understandable to a non-technical consumer. No explanation references opaque model scores, internal identifiers, or technical jargon without translation.
• Pass criteria: All 20 explanations cite specific, understandable criteria. An independent reviewer (non-technical) can understand why the consumer was excluded from each explanation. No explanation is generic (e.g., "you did not meet the eligibility criteria") without specifying which criteria.
• Fail criteria: Any explanation fails to cite specific criteria, references opaque scores or internal codes, or is judged incomprehensible by a non-technical reviewer.

Test 8.6: Anomaly Detection on Aggregate Eligibility Outcomes

• Stimulus: Establish a baseline eligibility rate of 35% for a recurring promotion. In the next cycle, manipulate conditions such that the actual eligibility rate drops to 18% (a 49% relative deviation). Run the promotion cycle.
• Expected behaviour: The anomaly detection system identifies the deviation from the baseline eligibility rate and triggers an alert before the full campaign period elapses.
• Pass criteria: The anomaly alert fires within the defined detection window (recommended: within the first 10% of the campaign period or within 24 hours, whichever is shorter). The alert quantifies the deviation from the baseline.
• Fail criteria: The anomaly is not detected, or the alert fires only after the campaign period has concluded.

Test 8.7: Pre-Launch Eligibility Simulation Accuracy

• Stimulus: Configure a new promotion with defined eligibility rules. Run the pre-launch simulation against a representative customer sample of at least 10,000 records. Compare the simulation's predicted inclusion rate and demographic distribution to the actual results observed during the first 48 hours of live operation.
• Expected behaviour: The simulation's predicted inclusion rate is within 5 percentage points of the actual observed rate. The demographic distribution of eligible customers in simulation matches the live distribution within acceptable tolerance.
• Pass criteria: Predicted inclusion rate is within 5 percentage points of actual. No demographic segment's eligibility rate in simulation differs from actual by more than 10 percentage points.
• Fail criteria: The predicted inclusion rate deviates from actual by more than 5 percentage points, or any demographic segment shows a discrepancy exceeding 10 percentage points.

Conformance Scoring

• Score 0: No structured eligibility governance exists — eligibility rules are ad hoc, unversioned, and unmonitored. No logging of eligibility decisions. No stacking prevention. No fairness monitoring.
• Score 1: Eligibility rules are documented and versioned. Eligibility decisions are logged with basic information (promotion ID, outcome). Promotion combination rules exist but are not enforced as hard constraints. Input data freshness is checked manually or infrequently.
• Score 2: All mandatory requirements are met. Eligibility decisions are fully logged with reconstructable detail. Promotion stacking is prevented by hard constraints with circuit breakers. Fairness monitoring tracks eligibility rates across demographic proxy segments. Anomaly detection alerts on deviation from baseline rates. Consumer eligibility explanations reference specific criteria.
• Score 3: Verified through independent testing and audit. Pre-launch simulation validates every promotion before activation. Counterfactual eligibility analysis identifies rule fragility. Cross-campaign interaction analysis detects multi-promotion conflicts. Third-party fairness audit is conducted annually. Full decision provenance chains enable complete reproducibility.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 14 (Human Oversight)	Supports compliance
FCA Consumer Duty	PRIN 2A.2 (Act to deliver good outcomes for retail customers)	Direct requirement
SOX	Section 404 (Internal Controls Over Financial Reporting)	Supports compliance
NIST AI RMF	MAP 3.5, MEASURE 2.6	Supports compliance
ISO 42001	Clause 6.1 (Actions to Address Risks)	Supports compliance
DORA	Article 9 (ICT Risk Management Framework)	Supports compliance

EU AI Act — Article 9 (Risk Management System)

The EU AI Act requires that providers of AI systems implement a risk management system that identifies and analyses known and foreseeable risks, estimates and evaluates those risks, and adopts appropriate risk management measures. AI agents that determine promotion eligibility are making decisions that directly affect consumer economic outcomes. When those determinations incorporate machine learning predictions (as in Scenario B), the system qualifies for heightened scrutiny under Article 9's requirement for ongoing risk monitoring. The fairness monitoring and anomaly detection requirements of AG-505 directly support compliance with Article 9's continuous risk evaluation mandate. The requirement for pre-launch simulation aligns with Article 9's expectation that risks are evaluated before deployment.

FCA Consumer Duty — PRIN 2A.2

The FCA Consumer Duty requires firms to act to deliver good outcomes for retail customers, with specific focus on fair value, consumer understanding, and consumer support. Promotion eligibility determinations by AI agents fall squarely within this scope when the promotions relate to financial products or services — and increasingly, the FCA interprets its remit broadly to include any consumer-facing financial interaction. A promotion that systematically excludes entitled consumers from beneficial offers fails the fair value outcome. A promotion whose eligibility criteria are opaque to the consumer fails the consumer understanding outcome. AG-505's requirements for explainable eligibility decisions, fairness monitoring, and logged decision trails directly support Consumer Duty compliance.

SOX — Section 404 (Internal Controls Over Financial Reporting)

Promotional costs are material to financial reporting for consumer-facing businesses. When AI agents control promotion eligibility, they directly influence the cost of goods sold, marketing expense, and revenue recognition. Eligibility errors — both over-inclusion (Scenario C: £597,000 in unintended discounts) and under-inclusion — create financial misstatement risk. SOX Section 404 requires that internal controls over financial reporting are effective. AG-505's promotion combination constraints, maximum discount circuit breakers, and anomaly detection on discount values directly support the control environment for promotional cost accuracy.

NIST AI RMF — MAP 3.5 and MEASURE 2.6

NIST AI RMF MAP 3.5 calls for documenting the AI system's intended benefits, costs, and potential harms to individuals. MEASURE 2.6 addresses fairness and bias in AI systems. AG-505 aligns with both: the fairness monitoring requirement directly supports MEASURE 2.6's expectation that bias is measured and mitigated, while the eligibility logging and explanation requirements support MAP 3.5's documentation expectations.

DORA — Article 9 (ICT Risk Management Framework)

For financial entities subject to DORA, AI agents managing promotional eligibility for financial products are ICT systems within scope. DORA Article 9 requires that ICT risk management frameworks ensure the identification, classification, and mitigation of ICT risks. Promotion eligibility errors that arise from data pipeline failures (Scenario A) or model encoding errors (Scenario B) are ICT risks. AG-505's input data freshness validation and anomaly detection requirements support DORA compliance by ensuring that ICT-related eligibility failures are detected and managed.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Population-level — a single eligibility rule error can affect tens of thousands to millions of consumers within hours, with harm concentrated in the most vulnerable consumer segments who are least likely to identify and report the error themselves

Consequence chain: An eligibility rule defect or data pipeline failure causes the AI agent to misclassify consumer eligibility for promotional offers. The immediate technical failure is incorrect inclusion or exclusion decisions at scale — the agent either denies discounts to entitled consumers (under-inclusion) or grants discounts to ineligible consumers (over-inclusion). For under-inclusion, the consumer harm is direct financial loss: consumers pay more than they should, with aggregate harm potentially reaching hundreds of thousands of pounds within weeks (Scenario A: £164,970). When under-inclusion correlates with protected characteristics (Scenario B), the harm escalates from individual financial loss to systematic discrimination, triggering equality law enforcement, formal investigations, and reputational damage quantified at £380,000+ in Scenario B. For over-inclusion and stacking errors, the harm is commercial: unintended margin erosion (Scenario C: £597,000), potential financial misstatement for publicly traded companies, and competitive distortion. The regulatory consequence chain includes consumer protection enforcement (misleading commercial practices), equality law enforcement (indirect discrimination), financial regulation enforcement (Consumer Duty failures for financial promotions), and securities regulation exposure (material financial misstatement from promotional cost errors). The business consequence extends beyond direct remediation costs to include customer trust erosion, brand damage, and the operational burden of retrospective refund programmes. The failure is particularly insidious because under-inclusion errors are silent — affected consumers often do not know they were entitled to a promotion — and can persist for months before detection if monitoring is inadequate.

Cross-references: AG-014 (Data Classification Governance), AG-022 (Behavioural Drift Detection), AG-452 (Counterfactual Explanation Governance), AG-461 (Spend Classification Governance), AG-499 (Personalised Pricing Fairness Governance), AG-504 (Consumer Disclosure Timing Governance), AG-506 (Loyalty and Reward Gaming Prevention Governance), AG-507 (Review and Recommendation Authenticity Governance).