AG-779
Regulatory Reporting Integrity Governance
EU AI Act
NIST AI RMF
ISO 42001
Regulatory Reporting Integrity Governance ensures the accuracy, completeness, timeliness, and auditability of all regulatory reports, compliance attestations, and supervisory submissions that are generated, assembled, or verified by AI agents. As organisations increasingly delegate regulatory reporting tasks to agents -- from generating prudential returns and transaction reports to compiling risk disclosures and filing suspicious activity reports -- the integrity of these outputs becomes a critical governance concern with direct legal and financial consequences.
Inaccurate regulatory reporting can trigger severe penalties. The FCA has imposed fines exceeding GBP 100 million for reporting failures, and the PRA requires that firms' reporting systems produce accurate data in both normal and stressed conditions. When agents are responsible for any part of the reporting chain -- data extraction, calculation, formatting, validation, or submission -- every step must be governed with the same rigour as human-produced reports, and in many cases with additional controls to address the opacity and potential for hallucination inherent in AI-generated outputs.
AG-779 mandates a four-layer integrity framework: (1) source data validation, ensuring agents consume accurate and complete upstream data; (2) calculation verification, ensuring agent-performed calculations match independently verified expected results; (3) output reconciliation, ensuring the final report reconciles with source data and intermediate calculations; and (4) submission assurance, ensuring the correct report reaches the correct regulator in the correct format within the mandated deadline. Each layer requires specific controls, tolerance thresholds, and exception handling procedures.
The dimension also addresses the attestation integrity challenge. When a compliance officer signs a regulatory attestation that was partially or wholly prepared by an agent, the attestation must include a disclosure of the AI agent's involvement, the specific sections the agent contributed to, and the human verification steps performed. This transparency requirement aligns with the EU AI Act Art. 17 quality management obligations and ensures that regulators understand the provenance of the information they receive.
AG-779 recognises that the regulatory reporting landscape is increasingly complex, with overlapping and sometimes conflicting reporting obligations across jurisdictions. A single financial transaction may generate reporting obligations to 3-5 regulators simultaneously (e.g., MiFID II transaction report to the NCA, EMIR derivative report to the trade repository, suspicious transaction report to the FIU, and a FATF travel rule report to the counterparty). Agents managing this complexity must maintain separate validation pipelines for each reporting obligation while ensuring consistency across all reports generated from the same underlying data.
This dimension applies to all AI agent deployments operating under the AGS framework where the governance controls specified in Section 4 are relevant to the agent's operational context. Specifically:
Exclusions: Agents operating in fully sandboxed research environments with no access to production data or systems are excluded, subject to the condition that any transition to production immediately triggers compliance with this dimension. Single-purpose read-only agents with no write access to external systems may be excluded where a documented risk assessment confirms that the governance controls specified here are not applicable to the agent's operational scope.
Financial Services. Agents operating in financial services face heightened regulatory scrutiny under MiFID II, DORA, and FCA SYSC requirements. The controls in this dimension support compliance with these frameworks and should be implemented at the most stringent level applicable to the agent's transaction authority.
Healthcare. Agents processing patient data or supporting clinical decisions must implement this dimension's controls in conjunction with HIPAA safeguards and applicable medical device regulations. The governance controls directly support the duty of care that healthcare organisations owe to patients.
Public Sector. Government agencies deploying agents that affect individual rights or public services must implement this dimension's controls to satisfy transparency, accountability, and judicial review requirements applicable to algorithmic decision-making in the public sector.
Regulatory Reporting Integrity Governance addresses a governance gap that, if left unmanaged, creates systemic risk across the agent ecosystem. As AI agents move from experimental deployments to production operations with real-world consequences, the absence of structural controls in this area means that failures scale with the speed and autonomy of the agent population — not at the pace of human review.
Traditional approaches to this governance challenge — contractual obligations, periodic audits, and application-layer policy enforcement — are necessary but insufficient for agentic contexts. Contractual obligations operate on legal timescales; agents operate on millisecond timescales. Periodic audits capture a snapshot; agent behaviour is continuous and dynamic. Application-layer enforcement can be bypassed through prompt injection, reasoning failure, or context manipulation. The AGS approach requires structural enforcement at the infrastructure layer — controls that operate independently of the agent's reasoning process and cannot be circumvented by the agent's own outputs.
The regulatory environment increasingly mandates the controls this dimension specifies. The EU AI Act requires risk management systems proportionate to identified risks. NIST AI RMF requires organisations to map, measure, and manage AI risks through enforceable controls. ISO 42001 requires an AI management system with documented operational procedures. This dimension operationalises these regulatory requirements into specific, testable, infrastructure-enforceable controls — bridging the gap between regulatory intent and technical implementation.
The consequences of absence are illustrated in Section 8 (Failure Scenarios). When this dimension is not implemented, the resulting governance gap permits agent behaviour that can cause material financial loss, regulatory enforcement action, reputational damage, and — in safety-critical deployments — physical harm. The blast radius scales with the agent's access scope and operational autonomy.
Basic Implementation — The organisation has documented policies addressing regulatory reporting integrity and has implemented initial controls. Implementation is primarily at the application layer with manual processes for monitoring and response. Logging covers key events but may lack full metadata. Coverage extends to the most critical agent deployments but may not encompass all in-scope systems. Staff are aware of requirements but formal training may be incomplete.
Intermediate Implementation — All Basic capabilities plus: controls are enforced at the infrastructure layer with automated monitoring and alerting. All MUST requirements from Section 4 are implemented with documented evidence. Coverage extends to all in-scope agent deployments. Audit trails are tamper-evident and retained per regulatory requirements. Formal change control governs all configuration changes. Regular review cycles are established and documented. Staff receive formal training and competency is assessed.
Advanced Implementation — All Intermediate capabilities plus: controls have been validated through independent adversarial testing. Real-time dashboards provide operational visibility into compliance status, anomaly detection, and response metrics. The organisation can demonstrate to regulators and counterparties that no known attack vector bypasses the governance controls. Continuous improvement processes incorporate lessons from incidents, testing, and regulatory developments. Integration with related dimensions provides defence-in-depth coverage.
Tamper-evident audit trail. Implement all governance event logging in an append-only, integrity-protected data store independent of the agent runtime. Every governance decision, configuration change, and enforcement action is recorded with full metadata including timestamps, actor identities, and outcomes.
Real-time monitoring with graduated alerting. Deploy monitoring infrastructure that evaluates governance compliance continuously rather than periodically. Implement graduated alert severity levels with defined response procedures for each level, ensuring that critical governance violations trigger immediate automated response.
Scheduled governance review cycle. Establish a formal review cadence (minimum quarterly) that examines governance effectiveness, reviews incident data, assesses emerging risks, and updates policies and controls accordingly. Review outcomes are documented and tracked.
Separation of governance and agent runtime domains. Deploy governance enforcement infrastructure in a security domain separate from the agent runtime. The agent cannot influence governance decisions, modify enforcement configuration, or access governance logs directly. This architectural separation is the foundation for infrastructure-layer enforcement.
Defined escalation paths with human oversight integration. Establish clear escalation procedures for governance events that exceed automated response capability. Human oversight touchpoints are defined, documented, and tested. Override mechanisms require authenticated authorisation with full audit trail.
Governance by instruction rather than infrastructure. Relying on agent system prompts or configuration files to enforce governance controls rather than infrastructure-layer enforcement. Instruction-based controls can be bypassed through prompt injection, context manipulation, or reasoning failure.
Monitoring without enforcement. Implementing detection and logging of governance violations without pre-execution blocking. By the time a violation is logged, the ungoverned action has already executed. Detection is necessary but not sufficient; prevention must be the primary control.
Manual processes for machine-speed operations. Relying on human review processes for governance decisions that occur at machine speed. Agents execute actions in milliseconds; governance controls that depend on human review cycles of hours or days leave gaps that scale with agent autonomy.
Objective: Verify that the independent calculation pathway detects material discrepancies. Procedure: Introduce a deliberate 8 basis point error in a CET1 capital ratio calculation. Run through the verification layer with a 5 basis point tolerance. Expected Result: Discrepancy detected. Report held for investigation. Error identified and reported. Pass Criteria: Detection within one verification cycle. Report not submitted until resolved.
Objective: Confirm that all transaction monitoring alerts have corresponding SAR decisions. Procedure: Generate 100 test alerts. Process through the SAR agent. Audit for completeness. Expected Result: All 100 alerts have a documented decision (SAR filed, or justified false positive assessment, or escalation). Pass Criteria: Zero undocumented alerts. No silent failures.
Objective: Verify that regulatory report submissions include complete AI involvement disclosure. Procedure: Generate 5 different regulatory report types. Inspect each for provenance disclosure metadata. Expected Result: All 5 reports contain: agent-generated sections identified, human-reviewed sections identified, verification steps documented. Pass Criteria: 100% provenance disclosure completeness across all report types.
Objective: Test that submission deadline warnings fire at the correct thresholds. Procedure: Simulate a regulatory report approaching its deadline. Verify alerts at 72-hour, 24-hour, and 4-hour thresholds. Expected Result: Three alerts generated at the correct intervals. Pass Criteria: All three alerts fire within 5 minutes of their respective thresholds.
Objective: Verify that every data element in a regulatory report can be traced to its authoritative source. Procedure: Select 50 data elements from a completed regulatory report. Trace each to its source system record. Expected Result: All 50 elements traceable with documented transformation steps. Pass Criteria: 100% traceability. Zero orphan data elements.
Objective: Confirm that data enrichment failures trigger escalation rather than silent skip. Procedure: Simulate a data enrichment API timeout during SAR generation for 5 alerts. Expected Result: All 5 alerts escalated to human review. Zero skipped. Agent logs include timeout details. Pass Criteria: 100% escalation rate. Zero silent failures.
| Evidence ID | Description | Collection Frequency | Retention Period |
|---|---|---|---|
| AG779-E01 | Calculation verification results and discrepancy logs | Per report | 10 years |
| AG779-E02 | Source data validation and lineage records | Per report | 10 years |
| AG779-E03 | SAR completeness audit results | Monthly | 10 years |
| AG779-E04 | Provenance disclosure metadata for submitted reports | Per submission | 10 years |
| AG779-E05 | Deadline monitoring alerts and submission timestamps | Per report | 7 years |
| AG779-E06 | Human review and sign-off records for material reports | Per report | 10 years |
| AG779-E07 | Quarterly reconciliation of agent vs. control totals | Quarterly | 7 years |
| Score | Level | Description |
|---|---|---|
| 0 | No implementation | No regulatory reporting integrity governance exists. The organisation has no controls, policies, or monitoring in place for the capabilities this dimension governs. Agent behaviour in this area is ungoverned. |
| 1 | Basic | Basic detection mechanisms exist but operate at the application layer. Detection may be manual, periodic, or threshold-based without real-time monitoring. Alerts are generated but may lack automated response. Coverage is partial — not all relevant agent behaviours or data flows are monitored. |
| 2 | Infrastructure-layer enforcement | Detection is enforced at the infrastructure layer with real-time monitoring across all relevant agent behaviours and data flows. Automated alerting with structured response procedures. Detection logic operates in a separate security domain from the agent runtime. Full audit trail with tamper-evident logging. |
| 3 | Verified by independent adversarial testing | All Level 2 capabilities are in place and have been validated through independent adversarial testing. An independent party has attempted to bypass, circumvent, or degrade the governance controls using known attack techniques relevant to this dimension and has failed. Test results are documented, reproducible, and available for regulatory review. |
A Financial-Value Agent is tasked with generating a quarterly Common Equity Tier 1 (CET1) capital ratio report for PRA submission. The bank's CET1 ratio is a critical prudential metric; a miscalculation could trigger unnecessary supervisory intervention or, worse, mask genuine capital inadequacy. The agent calculates a CET1 ratio of 13.42% based on GBP 8.7 billion in CET1 capital and GBP 64.8 billion in risk-weighted assets (RWA). AG-779's calculation verification layer independently recomputes the RWA using a separate model instance and a snapshot of the same input data. The independent calculation produces an RWA of GBP 65.3 billion, yielding a CET1 ratio of 13.32% -- a 10 basis point discrepancy. While both figures are above the regulatory minimum (4.5% + buffers), the discrepancy exceeds the AG-779 tolerance threshold of 5 basis points for CET1 reporting. The report is held for investigation. Root cause analysis reveals that the primary agent incorrectly applied a credit risk weight of 75% (retail IRB) to a GBP 500 million corporate exposure that should have received a 100% weight under the standardised approach, due to a recent portfolio reclassification that the agent's data pipeline had not yet ingested. The error is corrected, the report is regenerated at 13.34%, and submitted within the PRA deadline with a 6-hour margin. Estimated prevented regulatory impact: potential supervisory review and remediation order.
A Customer-Facing Agent at an anti-money laundering (AML) operations centre generates Suspicious Activity Reports (SARs) for submission to the National Crime Agency (NCA). In Q1 2026, the agent generates 347 SARs. AG-779's output reconciliation layer performs a completeness audit by cross-referencing the generated SARs against the underlying transaction monitoring alerts. The audit discovers 12 alerts (3.5%) where the transaction monitoring system flagged suspicious activity but the agent did not generate a corresponding SAR. Investigation reveals that 8 of the 12 alerts were correctly assessed by the agent as false positives (documented justification present), but 4 alerts lacked any documented assessment. For these 4 cases, the agent had processed the alert but encountered a data enrichment timeout and silently moved to the next alert without logging the failure. AG-779's integrity controls flag this as a Critical finding: a SAR generation failure for a genuine suspicious transaction could constitute a criminal offence under the Proceeds of Crime Act 2002 (Section 330: failure to disclose). The 4 alerts are immediately escalated to human AML analysts, who determine that 2 require SARs. The SARs are filed within 24 hours of discovery. The agent's error handling is redesigned to treat data enrichment timeouts as mandatory escalation events rather than skip events. Estimated prevented legal risk: criminal liability for failure to report.
| Regulation | Provision | Relationship Type |
|---|---|---|
| # | Framework / Standard | _Pending v2.1 editorial review_ |
| ---- | ----------------------------------- | _Pending v2.1 editorial review_ |
| 1 | FCA SUP 15 | _Pending v2.1 editorial review_ |
| 2 | PRA Reporting Requirements | _Pending v2.1 editorial review_ |
| 3 | EU AI Act | _Pending v2.1 editorial review_ |
| 4 | DORA | _Pending v2.1 editorial review_ |
| 5 | Basel Committee | _Pending v2.1 editorial review_ |
| 6 | EU CRR/CRD | _Pending v2.1 editorial review_ |
| 7 | MiFID II | _Pending v2.1 editorial review_ |
| 8 | FCA MAR | _Pending v2.1 editorial review_ |
| 9 | Proceeds of Crime Act 2002 | _Pending v2.1 editorial review_ |
| 10 | NIST AI RMF | _Pending v2.1 editorial review_ |
| 11 | SOC 2 Type II | _Pending v2.1 editorial review_ |
| 12 | ISO/IEC 42001:2023 | _Pending v2.1 editorial review_ |
| 13 | FINMA Circular | _Pending v2.1 editorial review_ |
| 14 | MAS Notice | _Pending v2.1 editorial review_ |
| 15 | SEC Regulation S-X | _Pending v2.1 editorial review_ |
| 16 | EBA Guidelines | _Pending v2.1 editorial review_ |
| Dimension | Name | Relationship |
|---|---|---|
| AG-771 | Cross-Jurisdictional Governance Compliance | Multi-jurisdiction reporting requirements |
| AG-774 | Autonomous Financial Market Impact Governance | Accuracy of trade reporting and market data submissions |
| AG-773 | Quantum-Resilient Cryptographic Governance | Cryptographic integrity of archived regulatory submissions |
| AG-772 | Synthetic Media and Deepfake Detection Governance | Preventing synthetic data in regulatory reports |
| AG-778 | Human-Agent Relationship Boundary Governance | Transparent disclosure of AI involvement in attestations |
| AG-775 | Agent Succession and Failover Governance | Reporting continuity during agent failover events |