Ghost Watch

FINRA's AI Agent Guidance Creates No New Rules. Your Examiner Will Use It Anyway.

Seven agent-specific risks, four considerations, and no new obligations. The 2026 oversight report has been widely misread, including here, and supervisory accountability still routes to a registered principal.

FINRA put AI agents on the supervisory map in its 2026 Annual Regulatory Oversight Report, published December 9, 2025, and it did so without creating a new rule. The report carries a generative-AI section that is new for 2026, and inside it, for the first time, a dedicated treatment of AI agents: systems capable of autonomously performing and completing tasks on behalf of a user. FINRA did not classify those agents under a fresh rulebook entry. It folded them into the supervision obligations that already exist and signalled that examiners will be looking. For broker-dealers and for the vendors selling agentic software into them, the consequence is immediate. The supervisory question has moved off the model's accuracy and onto a harder one: when an agent takes a consequential action, which registered principal was supervising it.

What FINRA actually did

The agent material sits inside the report's GenAI topic, and its framing matters more than the headlines around it suggest. FINRA's rules are, in its own words, technologically neutral, and the report restates that the securities laws and FINRA rules apply to agentic systems the same way they apply to any other tool. Rule 3110 still requires every member firm to maintain a reasonably designed supervisory system tailored to its business. Nothing in the report changes that text. Law-firm readers of the report were direct on the point: it establishes no new legal or regulatory obligations, and its weight comes from signalling how FINRA will examine firms through 2026.

What is new is the attention. The report names the agent-specific risks FINRA sees, and the common summary that there are four of them undercounts the list. FINRA identifies seven: agents acting autonomously without human validation; agents exceeding their actual or intended scope and authority; auditability gaps where multi-step reasoning is hard to trace; sensitive-data exposure where an agent stores, explores, or discloses information it should not; insufficient domain knowledge in general-purpose agents; misaligned reward design that optimises for the wrong outcome; and the familiar GenAI failure modes of bias, hallucination, and privacy, which do not disappear when a model is wrapped in an agent.

The mitigations carry a softer grammar than the risk list, and the distinction is the most consequential thing in the section. FINRA does not mandate specific controls. It offers considerations a firm may weigh: monitoring how an agent accesses systems and handles data, deciding where to place human-in-the-loop oversight, tracking the actions and decisions an agent takes, and setting guardrails that limit what an agent is permitted to do. The framing throughout is conditional. Autonomous agents may require novel oversight. That is a prompt for a supervisory design exercise, and it does not carry the force of a rule.

The conditional has not survived contact with the commentary, and this publication's own earlier writing is part of the problem. Pieces published here in May described FINRA's considerations as novel oversight requirements. The report says agents may require novel oversight. The distance between may require and requirements is the entire question of whether a firm is reading guidance or reading a rule, and it is a distance that closes without anyone deciding to close it. A firm that treats the considerations as a mandate will over-comply against a standard FINRA did not set. A firm that treats them as optional will misjudge how an examiner uses guidance. Both errors start with the same misreading of one modal verb.

Why it lands on the supervising principal

Most broker-dealer AI governance was written for model-based decision support, where the system informs a human who then acts. An agent collapses that sequence by acting on its own. The written supervisory procedures most firms operate assume a human initiates every consequential action, and they attach review, approval, and escalation to that human's decision. An autonomous agent removes the initiating human from the loop while leaving the consequence intact. A supervisory system that cannot show how it reaches an action the agent took on its own is exposed to the question of whether it remains reasonably designed under Rule 3110 for that activity.

That is the accountability point the 2026 report drives toward, and it is why the report reads as a genuine shift in supervisory posture even without a rule behind it. Responsibility does not transfer to the software. When an agent acts, a registered principal still owns the outcome, and the firm still has to be able to name that principal and produce the trail. For SaaS product leaders building agentic features for this market, the requirement becomes a procurement fact before it becomes a regulatory one. Your buyers will be asked to demonstrate scoped authority, action-level logging, human checkpoints, and data-access monitoring for any agent that touches a regulated workflow, which maps directly onto FINRA's four considerations. Shipping those as configurable controls is the difference between clearing a compliance review and stalling in one.

For compliance officers, the procedural work is concrete, because each of FINRA's four considerations has a written-procedure counterpart. Monitoring agent access and data handling becomes an entitlements and data-scope provision tied to the firm's existing information-security controls. Human-in-the-loop oversight becomes a defined checkpoint that names the reviewing principal and lists the actions that cannot execute without sign-off. Action tracking becomes a logging standard that captures the agent's inputs, decision path, and output at a granularity an examiner can follow. Guardrails become written limits on the transactions, accounts, and dollar thresholds an agent may touch before it must escalate. A supervisory file holding those four provisions, with a named principal for each agentic workflow, is the artifact that answers the examiner's question before it is asked.

Each of those provisions presumes something the report leaves unstated. Naming the supervising principal for an agentic workflow requires the institution to first name the agent, and most cannot. An action log assumes you know which agent acted. An entitlements provision assumes you know what access the agent holds. The supervisory design FINRA prompts is downstream of an identity the firm has usually never established.

The continuum we flagged

This is the arrival mechanism described in Agent Provocateur. The argument there was that agent supervision would take hold without a formal rulemaking cycle, through examination priorities, supervisory letters, and the reinterpretation of instruments that already cover AI tools, and it named FINRA's supervision obligations specifically as one of those instruments. The 2026 report is that prediction in motion: an existing obligation stretched over a new technology, carried by an examination cycle that gives the stretch teeth.

FINRA has kept building on that section since the report landed. In January 2026 it published a companion blog on AI agents and a short resource cataloguing the types of agents firms are deploying, and in March 2026 it added guidance on generative-AI and prompt-injection fundamentals, the mechanism by which an agent is most often pushed past its intended scope. FINRA's AI hub restates the posture plainly: the material creates no new legal requirements and signals no change to existing regulatory obligations. The attention is expanding while the rulebook holds still, which is the shape of soft law doing its work. It is also why the drift in the secondary commentary matters. Vendor content now describes FINRA as having classified agents as a formal risk category, or as having changed the rules retroactively, and the text supports neither reading.

The control surface lines up almost exactly with the Know Your Agent principles that piece tracked from the IMF's April note and the payment networks' agent-authentication work. FINRA's scope-and-authority risk is bounded authority by another name. Its auditability and action-tracking considerations are the observable-traces control. Its data-handling and human-in-the-loop prompts are containment and oversight. One control is conspicuously absent. FINRA reaches authority, oversight, auditability, and data sensitivity, but it does not reach agent identity, the verifiable link between an autonomous agent and the legal entity standing behind it, which is the load-bearing element of Know Your Agent. The domestic examination expectation is converging on most of the same controls, with identity the lagging piece and the one every other control quietly depends on.

What's next

The top-down US posture remains hands-off. The federal AI framework treats oversight as a competitiveness question, and banking supervisors left agentic systems outside the SR 26-2 model-risk guidance, as Agent Provocateur detailed. None of that prevents supervisory expectations from arriving, because the channel that carries them is the examination, not the rulebook. FINRA has now demonstrated the channel works for agents.

Expect the same mechanism elsewhere. The SEC has already taken the same route: its fiscal-2026 examination priorities direct staff to assess whether advisers and broker-dealers supervise their use of AI and whether their public claims about AI capabilities match what the systems actually do, reaching agentic workflows through Regulation Best Interest, books-and-records obligations, and the exam agenda without a labelled agentic-AI rule. Across the Atlantic, the FCA's senior managers regime and Consumer Duty already attach individual accountability to services as they reach retail customers, and the EU AI Act and DORA bind any firm with EU operations regardless of where its agents run. Most large firms harmonise foundational controls to the strictest applicable standard instead of running a different posture in each market, so a US broker-dealer with EU or UK operations will build to those expectations regardless of FINRA's pace. Those four controls answer to more than one regulator.

A broker-dealer or a vendor that waits for a rule with agentic AI in its title will be reading the expectation late. The firms that fare best will build the four control capabilities now, name the agents those controls apply to, and document which registered principal supervises each agentic workflow. The considerations in the 2026 report carry no force of their own. They acquire it in the examination, which is where a firm finds out whether its supervisory system was reasonably designed for an entity that acts without being asked.