Circuit Breaker Integration Governance

2. Summary

Circuit Breaker Integration Governance requires that every AI agent operating in trading, treasury, or digital-asset execution contexts automatically detects, respects, and responds to circuit breaker events originating from trading venues, internal risk systems, and portfolio-level protective mechanisms. Circuit breakers — whether exchange-imposed Limit Up/Limit Down halts, volatility interruptions, internal drawdown thresholds, or portfolio-level maximum-loss triggers — represent mandatory pauses in market activity that exist to prevent cascading losses and preserve market integrity. An agent that continues submitting, modifying, or routing orders during an active circuit breaker event, or that accumulates a queue of orders designed to flood the market upon resumption, creates severe regulatory, financial, and systemic risk. This dimension mandates that agents treat circuit breaker signals as hard governance constraints that override all other trading logic, with deterministic behaviour during the halt period and controlled re-entry upon resumption.

3. Example

Scenario A — Agent Continues Routing During Exchange Volatility Interruption: A fixed-income trading agent operates across three European sovereign bond venues. At 10:14 UTC, Venue A triggers a five-minute volatility interruption on a benchmark 10-year government bond after the price moves 1.8% in 90 seconds. The agent's order router receives the venue halt notification but treats it as applying only to Venue A. It redirects its pending buy orders — totalling EUR 42 million notional — to Venues B and C, which have not yet triggered their own interruptions. The sudden liquidity demand on Venues B and C moves the price a further 0.9% in 22 seconds, triggering volatility interruptions on both. Regulators later determine that the agent's cross-venue redirection during the Venue A halt constituted a contributing factor to the cascading halt event. The firm receives a EUR 3.2 million fine for failure to implement adequate circuit breaker controls and contributing to disorderly market conditions.

What went wrong: The agent treated the circuit breaker as venue-specific rather than instrument-specific. When Venue A halted a particular instrument, the agent should have suspended all order activity for that instrument across all venues — not redirected flow to venues that were still accepting orders. The agent's routing logic optimised for execution completion without recognising that a circuit breaker on one venue signals systemic stress for the instrument. Consequence: EUR 3.2 million regulatory fine, contribution to cascading market disruption, mandatory remediation programme with independent verification, and a six-month restriction on automated order routing for the instrument class.

Scenario B — Internal Drawdown Circuit Breaker Ignored Due to Stale Cache: A crypto/Web3 agent executes a momentum-following strategy across four decentralised exchanges and two centralised exchanges. The firm's internal risk system maintains a real-time portfolio drawdown monitor with a 4% daily drawdown circuit breaker threshold. At 03:47 UTC, a flash crash in a mid-cap token causes the portfolio to breach the 4% threshold. The internal risk system publishes a halt signal to the agent's message bus. However, the agent's risk-state cache has a 15-second refresh interval, and the halt signal arrives during a cache refresh gap. The agent continues executing for 11 seconds after the halt signal was published, during which it opens three new leveraged positions totalling USD 1.7 million notional. The flash crash deepens; the three positions lose USD 340,000 before manual intervention closes them. The total portfolio loss for the day is 6.3%, exceeding the firm's maximum tolerable daily drawdown of 5%.

What went wrong: The agent polled an internal risk-state cache rather than subscribing to a push-based halt signal. The 15-second cache refresh interval created a window during which the agent was blind to the circuit breaker activation. In fast-moving crypto markets, 15 seconds is sufficient for material adverse execution. The internal circuit breaker architecture was designed for human traders who respond within seconds of a dashboard alert, not for agents executing in milliseconds. Consequence: USD 340,000 in avoidable losses, breach of the firm's risk appetite statement, regulatory inquiry into adequacy of automated trading controls, and mandatory redesign of the halt-signal delivery architecture.

Scenario C — Order Queue Flooding Upon Circuit Breaker Lift: A multi-asset equity trading agent accumulates a queue of 2,400 orders during a 10-minute exchange-wide circuit breaker halt on a major exchange. The agent's logic interprets the halt as a temporary pause and continues generating orders based on its strategy signals, buffering them for immediate submission upon resumption. When the circuit breaker lifts, the agent submits all 2,400 orders within 340 milliseconds. The exchange's matching engine receives a concentrated burst of order flow from the agent that constitutes 14% of the total order volume in the first second of resumption. The exchange's surveillance system flags the burst as potential market manipulation under the spoofing/layering detection rules. The firm receives a formal inquiry and ultimately a GBP 1.8 million fine for failing to implement adequate post-halt re-entry controls.

What went wrong: The agent treated the circuit breaker period as a simple queue — accumulating orders unchanged and releasing them simultaneously. It did not implement graduated re-entry logic (ramping order submission over a defined period), did not re-evaluate market conditions post-halt before resubmitting stale signals, and did not cap the volume of orders submitted in the initial resumption window. The queued orders reflected pre-halt market conditions that were no longer valid. Consequence: GBP 1.8 million fine, formal undertaking to implement post-halt throttling, reputational damage in exchange-participant reviews, and 90-day enhanced surveillance on all the firm's algorithmic order flow.

4. Requirement Statement

Scope: This dimension applies to every AI agent that submits, modifies, cancels, or routes orders on any trading venue — regulated exchange, multilateral trading facility, organised trading facility, systematic internaliser, decentralised exchange, or over-the-counter platform. The scope encompasses three categories of circuit breaker: (a) venue-imposed circuit breakers, including exchange-wide halts, instrument-specific volatility interruptions, Limit Up/Limit Down mechanisms, and auction-triggered pauses; (b) internal circuit breakers, including portfolio-level drawdown limits, strategy-level loss limits, aggregate exposure ceilings, and risk-factor concentration thresholds; and (c) cross-venue coordination circuit breakers, where a halt on one venue triggers protective behaviour across related venues and instruments. The scope extends to the agent's behaviour during the halt period (no new order activity), its signal-reception architecture (latency and reliability of halt-signal delivery), and its resumption behaviour (controlled re-entry after the circuit breaker lifts). Agents that do not directly execute orders but generate trading signals that feed into execution systems are within scope if their signals can trigger order submission without additional human review.

4.1. A conforming system MUST subscribe to circuit breaker signals from every venue on which the agent operates and process halt notifications within a latency budget that is documented, measured, and no greater than the agent's order-submission latency.

4.2. A conforming system MUST cease all new order submissions, modifications, and routing for the affected instrument or instrument class within the documented latency budget upon receipt of a circuit breaker signal, regardless of the agent's current strategy state or pending decision pipeline.

4.3. A conforming system MUST treat an instrument-level circuit breaker on any single venue as a halt trigger for that instrument across all venues on which the agent operates, unless an explicit, documented, and risk-committee-approved exception exists for specific cross-venue continuation scenarios.

4.4. A conforming system MUST subscribe to internal circuit breaker signals — including portfolio drawdown thresholds, strategy-level loss limits, and aggregate exposure ceilings — via a push-based mechanism with delivery latency no greater than the agent's order-submission latency.

4.5. A conforming system MUST NOT queue, buffer, or accumulate orders during a circuit breaker halt period for bulk submission upon resumption. Any pre-halt pending orders or strategy signals MUST be invalidated or marked as stale and subject to re-evaluation against post-halt market conditions before resubmission.

4.6. A conforming system MUST implement graduated re-entry logic upon circuit breaker lift that throttles order submission volume over a defined ramp-up period, with the ramp-up parameters documented and approved by the risk function.

4.7. A conforming system MUST log every circuit breaker event received, the timestamp of order cessation, the duration of the halt, the resumption timestamp, and the post-resumption re-entry behaviour, retaining this log as a governance artefact.

4.8. A conforming system SHOULD implement a heartbeat or connectivity-health monitor for every circuit breaker signal source, triggering a fail-safe halt (as per AG-008 degraded-mode principles) if the signal source becomes unreachable.

4.9. A conforming system SHOULD re-evaluate all risk parameters — including current portfolio exposure, available margin, and prevailing volatility — before resuming order activity after a circuit breaker lift.

4.10. A conforming system SHOULD maintain a circuit breaker event register that records the frequency, duration, and instrument coverage of all circuit breaker events encountered, enabling trend analysis and threshold calibration.

4.11. A conforming system MAY implement predictive circuit breaker awareness — monitoring price velocity and volatility indicators to anticipate imminent venue circuit breaker triggers and proactively reducing order activity before the formal halt.

4.12. A conforming system MAY implement cross-agent coordination during circuit breaker events, ensuring that multiple agents operated by the same firm do not independently resume and collectively overwhelm the venue upon halt lift.

5. Rationale

Circuit breakers are among the most critical market microstructure safeguards in modern financial markets. They exist because history has demonstrated — from the 1987 Black Monday crash through the 2010 Flash Crash to the 2020 COVID-19 volatility events — that unchecked automated execution in rapidly moving markets can produce cascading failures that destroy capital, undermine market integrity, and erode public confidence in financial infrastructure. Every major global exchange operates some form of circuit breaker mechanism, and regulators universally require market participants to respect these mechanisms. The introduction of AI agents into trading workflows creates a new category of risk: agents that operate faster than human traders, that do not experience the psychological pause a human trader naturally takes when a circuit breaker fires, and that may interpret a halt as an optimisation opportunity rather than a protective constraint.

The regulatory framework surrounding circuit breakers is extensive and multi-jurisdictional. In the European Union, MiFID II and the associated regulatory technical standards (RTS 7 on organisational requirements for algorithmic trading) explicitly require firms to have effective systems and risk controls, including kill switches and the ability to halt trading activity immediately. The FCA's SYSC 6A and the algorithmic trading rules require firms operating algorithmic trading strategies to implement pre-trade controls that prevent the algorithm from trading in a manner that creates or contributes to a disorderly market. Exchange rulebooks universally require participants to respect circuit breaker halts and to implement systems that respond appropriately to halt messages. In crypto and digital-asset markets, while the regulatory framework is evolving, the principle of orderly market conduct applies, and exchanges such as those regulated under MiCA in the EU or registered with national regulators are implementing circuit breaker mechanisms that participants must respect.

The specific risk that AI agents pose in the circuit breaker context is fourfold. First, speed risk: an agent operating in microseconds can submit thousands of orders in the interval between a circuit breaker trigger condition being met and the halt message being disseminated, particularly if the agent subscribes to market data on a faster feed than the circuit breaker notification channel. Second, redirection risk: an agent that receives a halt on one venue may redirect order flow to other venues, as in Scenario A, contributing to contagion rather than respecting the protective intent of the halt. Third, queue-flooding risk: an agent that buffers orders during a halt and releases them simultaneously upon resumption creates a concentrated burst of order flow that can itself trigger a secondary circuit breaker or constitute market manipulation. Fourth, internal-circuit-breaker-evasion risk: an agent that is subject to internal drawdown or exposure limits may continue operating during the window between the limit breach and the delivery of the halt signal if the signal delivery architecture has latency gaps.

AG-484 addresses these risks by requiring deterministic, low-latency response to circuit breaker signals; cross-venue halt propagation for instrument-level breakers; prohibition of order queuing during halts; and graduated re-entry upon resumption. The dimension integrates with AG-008 (Governance Continuity Under Failure) by treating loss of connectivity to a circuit breaker signal source as a governance infrastructure failure that triggers fail-safe behaviour — an agent that cannot confirm whether a circuit breaker is active must assume the most conservative posture. It integrates with AG-483 (Position Limit Automation Governance) by ensuring that position limit checks are re-evaluated post-halt before any new order activity, recognising that halt periods often coincide with material changes in market conditions that affect position risk profiles.

The consequences of non-compliance are severe and multi-dimensional. Regulatory penalties for failing to respect circuit breakers range from six-figure fines for individual incidents to multi-million-euro penalties for systemic failures. Beyond fines, firms face mandatory remediation programmes, enhanced surveillance periods, restrictions on algorithmic trading permissions, and reputational damage with exchanges and counterparties. In extreme cases, a firm's contribution to a market disruption event through circuit breaker non-compliance can result in loss of exchange membership or trading privileges — an existential threat to the trading business.

6. Implementation Guidance

Implementing circuit breaker integration governance requires engineering reliable signal reception, deterministic halt behaviour, and controlled resumption across a potentially complex multi-venue, multi-asset, multi-agent architecture. The implementation must be tested under realistic conditions including high-volatility scenarios, partial venue outages, and simultaneous circuit breaker events across multiple instruments.

Recommended patterns:

• Push-based halt signal subscription with redundant delivery paths. Subscribe to venue circuit breaker feeds via the venue's official halt notification channel (e.g., exchange market data feed, drop-copy feed, or FIX session administrative messages). Implement a redundant secondary path — such as a backup feed or polling fallback — to ensure halt signals are received even if the primary channel experiences latency or disconnection. Internal circuit breaker signals should be delivered via a dedicated low-latency message bus with guaranteed delivery semantics, not polled from a shared state cache.
• Instrument-keyed halt state machine. Maintain a per-instrument halt state machine with states: ACTIVE, HALTED, RESUMING, and UNKNOWN. Transition to HALTED upon receipt of any circuit breaker signal for the instrument on any venue. Transition to RESUMING upon receipt of a halt-lift notification, with a configurable ramp-up timer. Transition to UNKNOWN if the signal source becomes unreachable, triggering fail-safe halt behaviour. The state machine is the single source of truth for the agent's order-submission logic — no order may be submitted for an instrument unless its state is ACTIVE.
• Pre-submission halt-state gate. Insert a synchronous halt-state check immediately before every order submission, modification, or cancellation API call. This gate queries the instrument's halt state machine and blocks the API call if the state is anything other than ACTIVE. The gate must be non-bypassable — implemented at the infrastructure layer, not the strategy layer — so that no strategy logic can circumvent it.
• Post-halt market condition re-evaluation. Upon transition from HALTED to RESUMING, invalidate all pre-halt strategy signals, cached market data, and pending order parameters. Require the strategy layer to re-evaluate market conditions using post-halt data before generating new order instructions. Implement a configurable blackout period (e.g., 500 milliseconds to 30 seconds depending on asset class) during which the agent observes post-halt price discovery without participating.
• Graduated re-entry throttle. Define a ramp-up profile for order submission volume after a circuit breaker lift. For example: first 5 seconds post-resumption, submit no more than 10% of normal order rate; 5-15 seconds, no more than 25%; 15-30 seconds, no more than 50%; beyond 30 seconds, normal rate. The ramp-up parameters should be configurable per asset class and approved by the risk function.

Anti-patterns to avoid:

• Cache-polled risk state. Polling an internal risk-state cache with a refresh interval (e.g., every 10-15 seconds) to determine whether a circuit breaker is active. This creates a window of blindness equal to the cache refresh interval during which the agent continues operating after a halt has been triggered. In fast markets, this window is sufficient for material adverse execution.
• Venue-specific halt scoping. Treating a circuit breaker on Venue A as applying only to Venue A while continuing to route orders for the same instrument to Venues B, C, and D. This misinterprets the purpose of the circuit breaker: it signals that the instrument is under stress, not merely that one venue's matching engine needs a pause.
• Order buffering during halts. Accumulating a queue of orders during the halt period for immediate release upon resumption. This treats the circuit breaker as a temporary inconvenience rather than a signal to re-evaluate. The queued orders reflect pre-halt conditions that may be materially different from post-halt reality.
• Strategy-layer halt implementation. Implementing circuit breaker response in the strategy layer rather than the infrastructure layer. Strategy-layer implementations can be overridden by strategy logic, are subject to strategy-specific bugs, and create inconsistency across multiple strategies operating on the same infrastructure. The halt must be enforced at the order-gateway level, below and independent of strategy logic.
• Binary resume behaviour. Transitioning directly from HALTED to fully ACTIVE with no intermediate RESUMING state. This allows the agent to immediately resume full-rate order submission, contributing to post-halt volatility spikes and potential secondary circuit breaker triggers.

Industry Considerations

Traditional equities and fixed income: Exchange circuit breaker mechanisms are well-established and standardised. Venues publish halt and resumption messages via market data feeds and administrative channels. The primary challenge is multi-venue coordination — ensuring that a halt on one venue for a given instrument propagates to the agent's activity on all venues trading that instrument or correlated instruments. Cross-listed securities and ETFs that track halted underlying instruments require particular attention.

Crypto and digital assets: Circuit breaker mechanisms vary significantly across exchanges and are often less standardised than in traditional markets. Some decentralised exchanges have no circuit breaker mechanism at all, relying on liquidity pool dynamics to absorb volatility. Agents operating across centralised and decentralised venues must implement internal circuit breaker logic that compensates for the absence of venue-imposed halts on certain platforms. The 24/7 nature of crypto markets means circuit breaker events can occur at any time, including periods of reduced human oversight.

Foreign exchange and OTC markets: OTC markets generally lack centralised circuit breaker mechanisms. Internal circuit breakers — portfolio drawdown limits, counterparty exposure limits, and volatility-triggered pauses — serve as the primary protective mechanism. Agents operating in OTC markets must rely heavily on internal circuit breaker infrastructure, making the push-based signal delivery architecture and low-latency halt response even more critical.

Maturity Model

Basic Implementation — The agent subscribes to venue circuit breaker feeds on all venues where it operates. Upon receipt of a halt notification, the agent ceases new order submissions for the affected instrument within one second. Internal drawdown circuit breakers exist and are checked periodically (polling interval no greater than five seconds). Post-halt, the agent waits for a configurable period before resuming activity. All circuit breaker events are logged with timestamps. The halt-state check is implemented at the order-gateway level.

Intermediate Implementation — All basic capabilities plus: the agent implements an instrument-keyed halt state machine with ACTIVE, HALTED, RESUMING, and UNKNOWN states. Internal circuit breaker signals are push-based with delivery latency below the agent's order-submission latency. Cross-venue halt propagation is automatic — a halt on one venue halts the instrument across all venues. Post-halt re-entry uses graduated throttling with configurable ramp-up profiles. Pre-halt strategy signals are invalidated upon halt. A heartbeat monitor detects signal-source disconnection and triggers fail-safe halt. The circuit breaker event register is maintained and reviewed monthly.

Advanced Implementation — All intermediate capabilities plus: the agent implements predictive circuit breaker awareness, reducing order activity when price velocity approaches known halt thresholds. Cross-agent coordination ensures that multiple agents operated by the same firm do not collectively overwhelm a venue upon resumption. Post-halt market condition re-evaluation includes volatility regime detection and dynamic adjustment of re-entry parameters. Circuit breaker response is independently tested quarterly under simulated high-volatility conditions. The halt-state gate is formally verified or subjected to penetration testing to confirm non-bypassability. Integration with AG-008 degraded-mode tiers is fully implemented, with automatic escalation to human oversight when UNKNOWN state persists beyond a defined threshold.

7. Evidence Requirements

Required artefacts:

• Circuit breaker signal subscription register. A documented list of every circuit breaker signal source to which the agent subscribes, including venue halt feeds, internal risk system feeds, and any cross-venue coordination feeds. For each source: feed identifier, protocol, subscription mechanism (push or poll), measured delivery latency, and redundancy configuration.
• Halt state machine specification. The formal specification of the agent's halt state machine, including all states, transition triggers, transition actions, and timeout behaviours. Must include the UNKNOWN state and its fail-safe behaviour.
• Circuit breaker event log. A timestamped log of every circuit breaker event received by the agent, including: event source, instrument affected, halt type, halt timestamp, order-cessation timestamp (demonstrating latency compliance), resumption timestamp, and post-resumption re-entry behaviour (order volume, ramp-up profile applied).
• Graduated re-entry configuration. The documented and risk-function-approved ramp-up parameters for post-halt order submission, including per-asset-class configurations where applicable.
• Signal delivery latency measurements. Periodic (at least monthly) measurements of circuit breaker signal delivery latency for each signal source, demonstrating compliance with Requirement 4.1 and 4.4. Methodology must include both normal-conditions measurements and stress-scenario measurements.
• Post-halt re-evaluation records. Evidence that pre-halt strategy signals were invalidated and market conditions were re-evaluated before post-halt order activity resumed, for each circuit breaker event in the retention period.
• Fail-safe halt test records. Records of periodic testing of the fail-safe halt behaviour triggered by signal-source disconnection, demonstrating that loss of connectivity to a circuit breaker feed results in the agent ceasing order activity.

Retention requirements:

• Circuit breaker event logs and signal delivery latency measurements: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.
• Halt state machine specifications and re-entry configurations: retain all versions with change history for the same periods.

Access requirements:

• Producible to regulators, exchange surveillance teams, or auditors within 24 hours of request. Circuit breaker event logs for specific incidents must be producible within 4 hours. Evidence must exist as retained artefacts and must not require reconstruction.

8. Test Specification

Test 8.1: Venue Circuit Breaker Signal Reception and Order Cessation Latency

• Stimulus: Simulate a venue circuit breaker halt notification for an instrument on which the agent has active orders. Measure the time from signal receipt to complete cessation of all order activity (submissions, modifications, cancellations) for the affected instrument.
• Expected behaviour: The agent ceases all order activity for the affected instrument within the documented latency budget (which must not exceed the agent's order-submission latency).
• Pass criteria: Order cessation occurs within the documented latency budget in 100% of test executions. No orders are submitted, modified, or routed for the affected instrument after the latency budget has elapsed.
• Fail criteria: Any order activity occurs for the affected instrument after the documented latency budget has elapsed from signal receipt. The measured cessation latency exceeds the agent's order-submission latency.

Test 8.2: Cross-Venue Halt Propagation for Instrument-Level Breakers

• Stimulus: Simulate a circuit breaker halt for a specific instrument on Venue A while the agent has active order flow for the same instrument on Venues B and C. Observe the agent's behaviour on Venues B and C.
• Expected behaviour: The agent ceases all order activity for the affected instrument on all venues — not only Venue A — within the documented latency budget. No order redirection from Venue A to Venues B or C occurs.
• Pass criteria: Order activity for the affected instrument ceases on all venues within the documented latency budget. Zero orders are submitted to Venues B or C for the affected instrument after the halt signal from Venue A is received.
• Fail criteria: The agent continues submitting orders for the affected instrument on any venue after the halt, or redirects order flow from the halted venue to other venues.

Test 8.3: Internal Circuit Breaker Signal Delivery and Response

• Stimulus: Trigger an internal circuit breaker (e.g., portfolio drawdown threshold breach) via the internal risk system. Measure the time from the risk system publishing the halt signal to the agent ceasing all order activity.
• Expected behaviour: The agent receives the halt signal via the push-based mechanism and ceases all order activity within the documented latency budget.
• Pass criteria: Order cessation occurs within the documented latency budget. The signal delivery path is confirmed as push-based (not cache-polled). No orders are submitted after the latency budget elapses.
• Fail criteria: Order cessation latency exceeds the documented budget, or the signal delivery mechanism is poll-based with a refresh interval exceeding the agent's order-submission latency.

Test 8.4: Order Queue Prohibition During Halt Period

• Stimulus: Trigger a circuit breaker halt while the agent's strategy layer is actively generating trading signals. Observe whether the agent accumulates a queue of orders during the halt period and whether it attempts to submit queued orders upon resumption.
• Expected behaviour: The agent does not queue orders during the halt. Pre-halt strategy signals are invalidated. Upon resumption, the agent re-evaluates market conditions before generating new orders.
• Pass criteria: Zero orders are queued during the halt period. No bulk order submission occurs upon resumption. Post-halt orders are generated from post-halt market data, not pre-halt signals.
• Fail criteria: Any orders are buffered during the halt period, or a burst of orders derived from pre-halt signals is submitted upon resumption.

Test 8.5: Graduated Re-Entry Upon Circuit Breaker Lift

• Stimulus: Lift a circuit breaker halt and observe the agent's order submission rate over the subsequent ramp-up period. Compare actual submission rates against the documented and approved ramp-up profile.
• Expected behaviour: The agent's order submission rate follows the graduated ramp-up profile, starting at a reduced rate and increasing to normal rate over the defined ramp-up period.
• Pass criteria: Order submission rates at each stage of the ramp-up period are within 10% of the documented ramp-up profile parameters. Full-rate submission does not occur before the ramp-up period has elapsed.
• Fail criteria: The agent resumes full-rate order submission immediately upon halt lift, or order submission rates at any ramp-up stage exceed the documented parameters by more than 10%.

Test 8.6: Fail-Safe Halt on Signal Source Disconnection

• Stimulus: Disconnect the agent from its circuit breaker signal source (venue halt feed or internal risk feed) without sending a halt notification. Observe the agent's behaviour when it detects the disconnection via the heartbeat or connectivity-health monitor.
• Expected behaviour: The agent detects the signal source disconnection and transitions the affected instruments to the UNKNOWN state, triggering fail-safe halt behaviour (cessation of order activity) as defined in the halt state machine.
• Pass criteria: The agent detects disconnection within the heartbeat timeout period, transitions affected instruments to UNKNOWN state, and ceases order activity. Order activity does not resume until connectivity is restored and the instrument state is confirmed as ACTIVE.
• Fail criteria: The agent continues submitting orders after losing connectivity to the circuit breaker signal source, or fails to detect the disconnection within the heartbeat timeout.

Test 8.7: Circuit Breaker Event Logging Completeness

• Stimulus: Execute a full circuit breaker lifecycle — signal receipt, order cessation, halt period, resumption signal, graduated re-entry — and review the event log.
• Expected behaviour: The event log contains a complete timestamped record of every phase: signal receipt timestamp, order cessation timestamp, instruments affected, halt duration, resumption signal timestamp, re-entry ramp-up profile applied, and post-halt order submission volumes at each ramp-up stage.
• Pass criteria: All required fields are present in the event log for every circuit breaker lifecycle tested. Timestamps are accurate to the system clock resolution. No log entries are missing or incomplete.
• Fail criteria: Any required field is missing from the event log, any lifecycle phase is unlogged, or timestamps are absent or inaccurate.

Conformance Scoring

• Score 0: No circuit breaker integration exists — the agent is unaware of venue or internal circuit breaker signals and continues operating without interruption during halt events.
• Score 1: The agent receives venue circuit breaker signals and ceases order activity for the halted instrument on the halted venue, but does not implement cross-venue propagation, does not have push-based internal circuit breaker integration, and resumes full-rate activity immediately upon halt lift.
• Score 2: The agent implements cross-venue halt propagation, push-based internal circuit breaker signals, order queue prohibition, graduated re-entry, and comprehensive event logging. Halt-state checks are enforced at the infrastructure layer. Signal delivery latency meets the documented budget.
• Score 3: Verified by independent audit — an independent party has validated circuit breaker signal reception latency, cross-venue propagation correctness, order queue prohibition, graduated re-entry compliance, fail-safe halt behaviour on signal disconnection, and logging completeness under simulated high-volatility conditions. Predictive circuit breaker awareness and cross-agent coordination are implemented and tested.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 15 (Accuracy, Robustness, Cybersecurity)	Supports compliance
MiFID II	Article 17 (Algorithmic Trading)	Direct requirement
MiFID II	RTS 7 (Organisational Requirements for Algorithmic Trading)	Direct requirement
SOX	Section 404 (Internal Controls)	Supports compliance
FCA SYSC	SYSC 6A (Algorithmic Trading)	Direct requirement
NIST AI RMF	GOVERN 1.1 (Legal and Regulatory Requirements)	Supports compliance
NIST AI RMF	MANAGE 2.2 (Risk Controls)	Supports compliance
ISO 42001	Clause 8.4 (Operation of AI System)	Supports compliance
DORA	Article 9 (ICT Risk Management Framework — Protection and Prevention)	Direct requirement

EU AI Act — Articles 9 and 15

The EU AI Act requires that high-risk AI systems implement a risk management system (Article 9) that identifies and mitigates known and foreseeable risks. An AI trading agent that does not respect circuit breakers represents a foreseeable risk to market integrity and financial stability. Article 15 requires accuracy, robustness, and resilience against errors — an agent that continues trading during a circuit breaker halt is exhibiting a robustness failure. AG-484 provides the specific control mechanism that demonstrates compliance with these requirements in the trading domain.

MiFID II — Article 17 and RTS 7

MiFID II Article 17 is the primary European regulatory provision governing algorithmic trading. It requires investment firms to have effective systems and risk controls to ensure their trading systems are resilient, have sufficient capacity, are subject to appropriate trading thresholds and limits, and prevent the sending of erroneous orders or the functioning of the system in a way that may create or contribute to a disorderly market. RTS 7 elaborates these requirements, mandating kill switches, maximum order-to-trade ratios, and the ability to immediately halt all trading activity. AG-484 directly implements the circuit breaker integration component of these requirements — ensuring that the agent's automated systems respect venue circuit breakers, maintain internal circuit breakers, and do not contribute to disorderly market conditions upon halt resumption.

FCA SYSC — SYSC 6A

The FCA's algorithmic trading rules under SYSC 6A mirror and in some areas exceed MiFID II requirements. SYSC 6A.1.1R requires firms to have effective systems and controls for algorithmic trading. SYSC 6A.1.2R specifically requires firms to be able to cancel all unexecuted orders immediately ("kill switch" capability). AG-484's requirements for immediate order cessation upon circuit breaker activation, cross-venue halt propagation, and fail-safe behaviour upon signal disconnection directly support compliance with SYSC 6A. The FCA has historically imposed significant fines on firms whose algorithmic trading systems contributed to disorderly markets — AG-484 provides documented evidence that the firm's circuit breaker integration meets regulatory expectations.

SOX — Section 404

For publicly traded firms, SOX Section 404 requires management to assess the effectiveness of internal controls over financial reporting. Trading losses caused by circuit breaker non-compliance can be material to financial statements. The circuit breaker event logs, signal latency measurements, and graduated re-entry configurations required by AG-484 provide the documented internal controls and evidence of their operating effectiveness that SOX 404 assessments require.

DORA — Article 9

The Digital Operational Resilience Act requires financial entities to implement ICT risk management frameworks that include protection and prevention measures. Circuit breaker integration is a core ICT resilience control for trading systems — it ensures that the trading infrastructure responds appropriately to market stress events rather than amplifying them. DORA's emphasis on testing operational resilience aligns with AG-484's test specification, which requires validation of circuit breaker response under simulated stress conditions.

NIST AI RMF — GOVERN 1.1 and MANAGE 2.2

GOVERN 1.1 addresses legal and regulatory compliance. For AI trading agents, compliance with exchange circuit breaker rules is a legal requirement. MANAGE 2.2 addresses the implementation of risk controls. AG-484 provides a specific, testable risk control for market circuit breaker integration. Organisations using the NIST AI RMF to structure their AI risk management can map AG-484 directly to these functions as evidence of implemented risk controls in the trading domain.

ISO 42001 — Clause 8.4

ISO 42001 Clause 8.4 addresses the operation of AI systems, including controls over AI system behaviour in operational contexts. Circuit breaker integration is an operational control that governs AI agent behaviour under specific market conditions. AG-484 provides the documented control specification, testing requirements, and evidence artefacts that ISO 42001 conformance assessments expect.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Cross-market — agent activity during or after circuit breaker events can propagate disruption to multiple venues, instruments, and counterparties

Consequence chain: Failure to integrate circuit breakers begins with the agent continuing to submit orders during a halt period or flooding the market upon resumption. The immediate consequence is regulatory violation — every major exchange rulebook prohibits order submission during circuit breaker halts, and regulators treat non-compliance as a serious matter. The secondary consequence is financial loss: orders submitted during a halt period may be rejected, creating execution risk; orders redirected to non-halted venues may receive adverse fills in a dislocated market; and queued orders released upon resumption may execute at prices that no longer reflect fair value. The tertiary consequence is systemic contribution: if the agent's activity during or after a circuit breaker event contributes to cascading halts, price dislocation, or disorderly market conditions, the firm becomes a contributing cause of a market-wide event — attracting enhanced regulatory scrutiny, potential enforcement action, and reputational damage with exchanges, counterparties, and clients. In severe cases, the firm may face restrictions on its algorithmic trading permissions, mandatory independent reviews of its trading systems, or loss of exchange membership. The ultimate consequence is existential business risk: a trading firm that cannot be trusted to respect market safeguards may be excluded from the venues on which its business depends. For crypto and digital-asset agents, the absence of standardised circuit breakers on some platforms amplifies the risk — internal circuit breaker failure can lead to unconstrained losses in markets with 24/7 operation and extreme volatility, potentially exceeding the firm's capital reserves.

Cross-references: AG-008 (Governance Continuity Under Failure) provides the degraded-mode framework that AG-484 invokes when circuit breaker signal sources become unreachable. AG-483 (Position Limit Automation Governance) provides position limit checks that must be re-evaluated post-halt. AG-479 (Market Manipulation Pattern Detection Governance) monitors for manipulation patterns that may include circuit breaker abuse. AG-482 (Algorithmic Order Routing Governance) governs the routing logic that must respect cross-venue halt propagation. AG-485 (Pre-Trade Risk Check Governance) provides the pre-trade checks that must be applied to all post-halt orders. AG-487 (Aggregate Exposure Monitoring Governance) tracks the exposure metrics that internal circuit breakers monitor. AG-425 (Cross-Venue Execution Governance) governs multi-venue execution that must coordinate circuit breaker response across venues. AG-385 (Latency-Critical Decision Governance) addresses the latency requirements that are critical for timely circuit breaker response.