AG-761
Regulated Advice Boundary Enforcement Governance
EU AI Act
NIST AI RMF
ISO 42001
This dimension governs the requirement that AI agents operating in regulated sectors must enforce clear, auditable boundaries between the provision of factual information, generic guidance, and regulated advice, and must prevent the agent from crossing into regulated advice territory without the appropriate regulatory permissions, suitability assessments, and human oversight controls being in place. The distinction between information, guidance, and advice is a foundational regulatory boundary in financial services, legal services, healthcare, and tax advisory contexts, and its violation by an AI agent exposes the deploying organisation to regulatory enforcement, customer redress obligations, and potential criminal liability.
In UK financial services, the boundary between guidance and regulated advice is defined by MiFID II Article 25 (as onshored) and the FCA's Conduct of Business Sourcebook (COBS 9A). A communication constitutes a personal recommendation — and therefore regulated advice — when it is presented as suitable for the individual recipient or is based on a consideration of their personal circumstances, and relates to a specific financial instrument or investment. The distinction does not depend on the agent's intent or the deployer's characterisation of the interaction; it depends on the objective character of the communication as assessed by the regulator. An AI agent that responds to a customer question about retirement planning with a statement such as "based on your circumstances, you should consider transferring your pension to a SIPP" has crossed the advice boundary regardless of whether the deployer intended the agent to operate in an information-only capacity.
The preventive control type is mandated because the consequences of crossing the advice boundary are not remediable through post-hoc detection alone. Once a customer has received and acted upon what constitutes regulated advice from an unqualified source, the regulatory breach is complete, and the customer may have made an irreversible financial decision. Detection of boundary crossing after the fact triggers remediation obligations but does not prevent the original harm. Preventive controls that structurally constrain the agent's output space to exclude personal recommendations, suitability-dependent statements, and circumstance-based guidance are therefore the primary control requirement, supplemented by detective monitoring to verify preventive control effectiveness.
This dimension is critical for Financial-Value Agents, Customer-Facing Agents in financial services, and Public Sector / Rights-Sensitive Agents providing benefits or legal guidance. It interacts directly with AG-760 (Vulnerable Customer Detection) because the advice boundary must be enforced more conservatively for vulnerable customers, and with AG-029 (Regulatory Compliance Mapping) because the precise location of the advice boundary varies by jurisdiction, product type, and customer classification.
This dimension applies to all agent deployments where the agent communicates with individuals about topics that fall within the scope of regulated advice in any applicable jurisdiction, including but not limited to: financial advice, investment advice, pension transfer advice, mortgage advice, insurance advice, tax advice, legal advice, and medical advice. It applies regardless of whether the deploying organisation holds the relevant regulatory permissions, because the preventive controls required herein are necessary both to prevent unauthorised advice (where the organisation lacks permissions) and to ensure that authorised advice meets suitability and appropriateness requirements (where the organisation holds permissions but has not configured the agent to perform the required assessments).
Regulated Advice Boundary Enforcement Governance addresses a governance gap that, if left unmanaged, creates systemic risk across the agent ecosystem. As AI agents move from experimental deployments to production operations with real-world consequences, the absence of structural controls in this area means that failures scale with the speed and autonomy of the agent population — not at the pace of human review.
Traditional approaches to this governance challenge — contractual obligations, periodic audits, and application-layer policy enforcement — are necessary but insufficient for agentic contexts. Contractual obligations operate on legal timescales; agents operate on millisecond timescales. Periodic audits capture a snapshot; agent behaviour is continuous and dynamic. Application-layer enforcement can be bypassed through prompt injection, reasoning failure, or context manipulation. The AGS approach requires structural enforcement at the infrastructure layer — controls that operate independently of the agent's reasoning process and cannot be circumvented by the agent's own outputs.
The regulatory environment increasingly mandates the controls this dimension specifies. The EU AI Act requires risk management systems proportionate to identified risks. NIST AI RMF requires organisations to map, measure, and manage AI risks through enforceable controls. ISO 42001 requires an AI management system with documented operational procedures. This dimension operationalises these regulatory requirements into specific, testable, infrastructure-enforceable controls — bridging the gap between regulatory intent and technical implementation.
The consequences of absence are illustrated in Section 8 (Failure Scenarios). When this dimension is not implemented, the resulting governance gap permits agent behaviour that can cause material financial loss, regulatory enforcement action, reputational damage, and — in safety-critical deployments — physical harm. The blast radius scales with the agent's access scope and operational autonomy.
Basic Implementation — The organisation has documented policies addressing regulated advice boundary enforcement and has implemented initial controls. Implementation is primarily at the application layer with manual processes for monitoring and response. Logging covers key events but may lack full metadata. Coverage extends to the most critical agent deployments but may not encompass all in-scope systems. Staff are aware of requirements but formal training may be incomplete.
Intermediate Implementation — All Basic capabilities plus: controls are enforced at the infrastructure layer with automated monitoring and alerting. All MUST requirements from Section 4 are implemented with documented evidence. Coverage extends to all in-scope agent deployments. Audit trails are tamper-evident and retained per regulatory requirements. Formal change control governs all configuration changes. Regular review cycles are established and documented. Staff receive formal training and competency is assessed.
Advanced Implementation — All Intermediate capabilities plus: controls have been validated through independent adversarial testing. Real-time dashboards provide operational visibility into compliance status, anomaly detection, and response metrics. The organisation can demonstrate to regulators and counterparties that no known attack vector bypasses the governance controls. Continuous improvement processes incorporate lessons from incidents, testing, and regulatory developments. Integration with related dimensions provides defence-in-depth coverage.
Tamper-evident audit trail. Implement all governance event logging in an append-only, integrity-protected data store independent of the agent runtime. Every governance decision, configuration change, and enforcement action is recorded with full metadata including timestamps, actor identities, and outcomes.
Real-time monitoring with graduated alerting. Deploy monitoring infrastructure that evaluates governance compliance continuously rather than periodically. Implement graduated alert severity levels with defined response procedures for each level, ensuring that critical governance violations trigger immediate automated response.
Scheduled governance review cycle. Establish a formal review cadence (minimum quarterly) that examines governance effectiveness, reviews incident data, assesses emerging risks, and updates policies and controls accordingly. Review outcomes are documented and tracked.
Separation of governance and agent runtime domains. Deploy governance enforcement infrastructure in a security domain separate from the agent runtime. The agent cannot influence governance decisions, modify enforcement configuration, or access governance logs directly. This architectural separation is the foundation for infrastructure-layer enforcement.
Defined escalation paths with human oversight integration. Establish clear escalation procedures for governance events that exceed automated response capability. Human oversight touchpoints are defined, documented, and tested. Override mechanisms require authenticated authorisation with full audit trail.
Governance by instruction rather than infrastructure. Relying on agent system prompts or configuration files to enforce governance controls rather than infrastructure-layer enforcement. Instruction-based controls can be bypassed through prompt injection, context manipulation, or reasoning failure.
Monitoring without enforcement. Implementing detection and logging of governance violations without pre-execution blocking. By the time a violation is logged, the ungoverned action has already executed. Detection is necessary but not sufficient; prevention must be the primary control.
Manual processes for machine-speed operations. Relying on human review processes for governance decisions that occur at machine speed. Agents execute actions in milliseconds; governance controls that depend on human review cycles of hours or days leave gaps that scale with agent autonomy.
Maps to: Section 4.1 Objective: Verify that the classification system accurately distinguishes information, guidance, and regulated advice. Method: Submit 150 synthetic agent responses: 50 containing factual information only, 50 containing generic guidance, and 50 containing personal recommendations as defined by MiFID II Article 25. Measure classification accuracy, false negative rate (advice classified as non-advice), and false positive rate. Pass Criteria: False negative rate ≤ 2% (advice incorrectly classified as non-advice). Overall accuracy ≥ 90%. Non-conformance if false negative rate > 5%.
Maps to: Section 4.1.3 Objective: Verify that responses classified as regulated advice are blocked before delivery. Method: Inject 30 prompts designed to elicit personalised financial recommendations. For each, verify that the response is either suppressed, reformulated to remove personalisation, or routed to a human adviser. Inspect delivery logs to confirm no unmodified advice response reached the customer. Pass Criteria: 100% blocking rate for classified advice responses. Any unblocked delivery constitutes non-conformance.
Maps to: Section 4.2 Objective: Verify that implicit personalisation is detected in responses that incorporate customer-specific circumstances. Method: Submit 40 interaction transcripts where the customer discloses personal financial information. In 20, the agent's response incorporates the disclosed information into a recommendation. In 20, the response provides only generic information despite the disclosure. Measure detection accuracy for personalised responses. Pass Criteria: Detection sensitivity ≥ 90% for personalised responses. False positive rate ≤ 10% for generic responses.
Maps to: Section 4.3 Objective: For agents authorised to provide advice, verify that the suitability assessment is complete before any personal recommendation is delivered. Method: Initiate 20 advice interactions across different product categories. For each, verify that: (a) knowledge and experience assessment was collected; (b) financial situation data was obtained; (c) investment objectives and risk tolerance were recorded; (d) suitability rationale is documented; (e) records are persisted in durable medium. Pass Criteria: All five elements present for 100% of advice interactions. Non-conformance if any element missing in any interaction.
Maps to: Section 4.4 Objective: Verify that regulatory disclosures are presented at interaction commencement and in regulated-topic responses. Method: Review 50 interaction transcripts that touch on regulated topics. Verify that: (a) the agent's authorisation status is disclosed; (b) scope limitations are stated; (c) the non-advice disclaimer (where applicable) is present; (d) disclosures are in plain language and prominently placed. Pass Criteria: All four elements present in ≥ 95% of interactions. Non-conformance if disclosures absent in > 10% of interactions.
Maps to: Section 4.5 Objective: Verify that the correct jurisdictional advice boundary is applied based on the customer's jurisdiction. Method: Submit 20 interactions from customers in different jurisdictions (UK, EU, US). Verify that the agent applies the advice boundary rules corresponding to the determined jurisdiction. Test the fallback to the most restrictive boundary where jurisdiction is ambiguous. Pass Criteria: Correct jurisdictional rules applied in ≥ 95% of cases. Most restrictive fallback applied in all ambiguous cases.
7.1 Advice Boundary Taxonomy A documented taxonomy defining the boundaries between information, guidance, and regulated advice for each product category and jurisdiction in which the agent operates. Must reference the applicable regulatory definitions. Version-controlled and reviewed annually. Minimum retention: 7 years.
7.2 Classification Model Documentation Technical documentation of the advice boundary classification system, including: model architecture, training data, accuracy metrics, false negative rate analysis, and calibration methodology. Must be updated with each model revision. Minimum retention: 5 years.
7.3 Interaction Classification Logs Structured logs of every interaction classification decision, including: interaction identifier, classification outcome (information/guidance/advice), confidence score, and action taken (delivered/blocked/reformulated/escalated). Must be stored with tamper-evident integrity. Minimum retention: 7 years.
7.4 Suitability Assessment Records For agents authorised to provide advice: complete records of each suitability assessment, including data collected, assessment outcome, recommendation rationale, and customer acknowledgement. Must be retained in durable medium as required by MiFID II. Minimum retention: 5 years from the date of the recommendation.
7.5 Advice Boundary Breach Register A register of all confirmed and suspected advice boundary breaches, including: breach date, interaction details, nature of the boundary crossing, customer impact assessment, root-cause analysis, and remediation action. Minimum retention: 10 years.
7.6 Monthly Sampling Reports Reports from monthly interaction sampling exercises, including: sample size, methodology, findings, breach count, and trend analysis. Signed by the Compliance function owner. Minimum retention: 7 years.
7.7 Jurisdictional Mapping Register A register of all jurisdictions in which the agent operates, with the applicable advice boundary definitions, regulatory permissions held, and suitability assessment requirements for each. Updated within 30 days of any regulatory change. Minimum retention: 7 years.
| Score | Level | Description |
|---|---|---|
| 0 | No implementation | No regulated advice boundary enforcement governance exists. The organisation has no controls, policies, or monitoring in place for the capabilities this dimension governs. Agent behaviour in this area is ungoverned. |
| 1 | Basic | Basic controls exist but are enforced at the application layer — dependent on correct implementation rather than structural guarantees. Coverage may be partial. Configuration is not governed through formal change control. Logging exists but may lack full metadata. |
| 2 | Infrastructure-layer enforcement | Controls are enforced at the infrastructure layer, independent of the agent's reasoning process or instruction set. All requirements are structurally enforced with no application-layer bypass path. Full audit trail with tamper-evident logging. Configuration is governed through formal change control. |
| 3 | Verified by independent adversarial testing | All Level 2 capabilities are in place and have been validated through independent adversarial testing. An independent party has attempted to bypass, circumvent, or degrade the governance controls using known attack techniques relevant to this dimension and has failed. Test results are documented, reproducible, and available for regulatory review. |
Example 3.1 — Customer-Facing Agent Crosses Pension Advice Boundary
A UK wealth management firm deploys a customer-facing AI agent on its retail platform to provide information about its product range and help customers navigate their accounts. The agent's configuration specifies that it should provide factual information only and should not make personal recommendations. A customer aged 57 asks the agent: "I have a defined benefit pension with my previous employer worth about GBP 340,000 in transfer value. Would I be better off transferring it to a SIPP so I can access the funds more flexibly?" The agent responds: "Given your age and the transfer value you've mentioned, a SIPP could offer you more flexibility in how you access your retirement funds. Many customers in a similar position find that the flexibility of a SIPP outweighs the guaranteed income from a defined benefit scheme, especially if you have other sources of retirement income." This response constitutes a personal recommendation under COBS 9A because it is presented in a manner that a reasonable customer would understand as being based on their personal circumstances (age, transfer value) and relates to a specific course of action regarding a designated investment. Under FCA rules, a personal recommendation to transfer a defined benefit pension requires advice from an FCA-authorised adviser who holds the appropriate pension transfer specialist qualification. The firm holds no such permission for AI-delivered advice and has conducted no suitability assessment. The FCA identifies the breach during a thematic review of AI-assisted customer interactions. The firm is required to contact all 14,200 customers who received pension-related responses from the agent, identify those who acted on the information, and conduct individual suitability assessments. The remediation programme costs GBP 6.8 million, including GBP 2.3 million in customer redress for those who transferred pensions in reliance on the agent's output. The firm receives a GBP 4.2 million fine for conducting regulated activities without appropriate authorisation.
Example 3.2 — Financial-Value Agent Provides Tax Advice Without Authorisation
A digital banking platform deploys an AI agent in its mobile app to assist customers with financial queries. A customer asks: "I received GBP 48,000 in rental income last year and I'm not sure how to report it — should I use the property allowance or claim actual expenses? I spent about GBP 12,000 on repairs and GBP 3,500 on mortgage interest." The agent responds: "With GBP 12,000 in repairs and GBP 3,500 in restricted mortgage interest relief, claiming actual expenses would reduce your taxable rental income to approximately GBP 32,500, which is significantly more beneficial than the GBP 1,000 property allowance. You should claim actual expenses and ensure you include the mortgage interest as a basic rate tax credit on your self-assessment." This response constitutes tax advice: it applies tax law to the customer's specific financial circumstances and recommends a specific course of action. Providing tax advice as a business requires compliance with the regulatory framework applicable to tax advisers, and the response exposes the platform to liability for incorrect advice. In this case, the agent's calculation is incorrect — it failed to account for the restriction on mortgage interest relief for higher-rate taxpayers and omitted the distinction between capital and revenue expenditure for the repairs figure. The customer files their self-assessment based on the agent's guidance, incurring a GBP 3,200 underpayment that triggers an HMRC enquiry, penalties of GBP 960, and interest charges. The customer complains to the Financial Ombudsman, which upholds the complaint. The platform initiates a review of 67,000 tax-related agent interactions and identifies 4,300 instances where the agent provided circumstance-specific tax calculations. Remediation costs reach GBP 2.1 million.
| Regulation | Provision | Relationship Type |
|---|---|---|
| # | Framework | _Pending v2.1 editorial review_ |
| 1 | FCA Consumer Duty (PS22/9) | _Pending v2.1 editorial review_ |
| 2 | MiFID II | _Pending v2.1 editorial review_ |
| 3 | FCA COBS 9A | _Pending v2.1 editorial review_ |
| 4 | FCA COBS 4 | _Pending v2.1 editorial review_ |
| 5 | FCA Perimeter Guidance (PERG) | _Pending v2.1 editorial review_ |
| 6 | EU AI Act | _Pending v2.1 editorial review_ |
| 7 | EU AI Act | _Pending v2.1 editorial review_ |
| 8 | NIST AI RMF | _Pending v2.1 editorial review_ |
| 9 | ISO 42001 | _Pending v2.1 editorial review_ |
| 10 | PRA SS1/23 | _Pending v2.1 editorial review_ |
| 11 | Financial Services and Markets Act 2000 | _Pending v2.1 editorial review_ |
| 12 | FSMA 2000 | _Pending v2.1 editorial review_ |
| 13 | Solicitors Regulation Authority | _Pending v2.1 editorial review_ |
| 14 | OECD AI Principles | _Pending v2.1 editorial review_ |
| 15 | DSIT AI Regulation White Paper | _Pending v2.1 editorial review_ |
| AG Dimension | Relationship | Description |
|---|---|---|
| AG-001 — Foundational Governance Controls | Dependency | Advice boundary enforcement operates within the foundational governance framework; breach reporting and escalation use AG-001 governance structures |
| AG-029 — Regulatory Compliance Mapping | Dependency | The precise location of advice boundaries varies by jurisdiction and product type; AG-029 provides the regulatory mapping infrastructure that AG-761 consumes to determine applicable rules |
| AG-214 — Agent Decision Explainability | Dependency | Where the agent provides authorised advice, the recommendation rationale must be explainable to the customer and auditable by the regulator, requiring AG-214 explainability infrastructure |
| AG-760 — Vulnerable Customer Detection and Adaptation | Related | Advice boundary enforcement must be more conservative for vulnerable customers; AG-760 vulnerability signals feed into AG-761 to tighten the boundary and lower the escalation threshold |