Agent Provocateur: The Case for Know Your Agent
Treating the absence of a US Know Your Agent (KYA) mandate as the absence of supervisory obligation is a planning error. For global firms, the governance will most likely arrive from foreign shores.
Financial institutions deploying autonomous AI agents should plan now for supervisory expectations that track Know Your Agent principles, on the working assumption that those expectations arrive by the end of 2028 and quite possibly sooner. The common reading inside many firms, that the lack of a US federal mandate leaves room to wait, mistakes the absence of a rule for the absence of an obligation. The obligation is already taking shape, and for any institution with operations abroad it will not originate in Washington.
The convergence is well underway. The International Monetary Fund's April note on agentic AI in payments elevated Know Your Agent, the principle that an autonomous financial agent should carry a verifiable identity tied to a legal entity, from industry shorthand to a supervisory consideration, crediting the framing to the World Economic Forum. Visa and Mastercard have built agent-authentication protocols on the same principle, and MetaComp, a licensed Singapore institution, published the StableX Know Your Agent framework, the first written for regulated finance, and opened it to regulators, institutions, and network partners. When a control principle surfaces across public bodies and private infrastructure at the same time, it tends to become a supervisory baseline before it becomes a written rule.
Cross-border financial risks follow a familiar sequence. International bodies frame the problem, and national regulators adapt the frame to their own statutes. Crypto moved through that sequence in roughly four years, from early IMF analysis to national implementation under the EU's MiCA and the UK's expanded financial-services regime. Two factors make the agentic timeline shorter. Adoption is outpacing supervision rather than tracking it, with consumer-facing agents reaching retail markets this year and platform vendors shipping institutional agent infrastructure into banks. And agent supervision can take hold without a formal rulemaking cycle, through examination priorities, supervisory letters, and the reinterpretation of instruments that already cover AI tools, among them FINRA's supervision obligations and standing model-risk frameworks. For a planning team, the binding expectation can land well before the binding rule.
The variable that could delay a formal US baseline is the posture of the largest market. The March 2026 national AI framework positioned oversight as a competitiveness question, and US banking supervisors carved agentic systems out of the SR 26-2 model-risk guidance, leaving institutions to set their own controls for the moment. For a global institution, that decision changes the source of the requirement rather than its existence. The instruments that reach across borders are already in force. The EU AI Act applies to deployers outside the Union when their systems' outputs are used inside it. DORA binds any firm with EU operations to ICT risk management that covers AI systems. The GDPR's automated-decision provisions follow EU customers wherever the servicing firm sits. The United Kingdom is applying its senior managers regime and Consumer Duty to agentic services as those services reach retail customers. A US institution operating in those markets will be supervised there regardless of what its home regulator decides, and most large firms harmonize foundational controls to the strictest applicable standard instead of running a different posture in every jurisdiction.
The exposure during the interval sits with the institution, and it is clearest in what a firm cannot do when the three controls at the center of agent governance are missing from its own systems.
Without agent identity, the firm cannot establish which agent took an action, on whose authority, or within what mandate. The IMF note is direct about the consequence: fraud models built on human behavioral patterns lose their footing when transactions originate from autonomous software, and the institution loses the ability to assign accountability at the moment a supervisor asks for it.
Without bounded authority and a means to halt an agent in motion, the firm allows errors to reach legal finality before a human reviews them. The same note treats containment and interruption mechanisms as core risk controls precisely because a settled transaction may be impossible to unwind.
Without observable, auditable traces, the firm cannot detect correlated behavior across its agents until it has already propagated at machine speed. High correlation among agent decisions is itself a systemic risk, and an institution without that visibility forfeits the warning it would need to act in time.
None of these exposures is hypothetical. Each is a property of systems entering production now, measured against frameworks built for slower, human-paced decisions.
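As an added illustration, not code from the article or from any of the frameworks it cites, the three controls above can be sketched as a small gateway that every agent action must pass through: an identity bound to a legal entity and a delegating principal, a mandate that bounds action type and amount and carries a halt switch, and an audit trace over which correlated behaviour across agents can be queried. All names, limits and the correlation threshold are constructed for the example.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str
    legal_entity: str  # entity accountable for the agent's actions
    principal: str     # human or role that delegated the authority

@dataclass
class Mandate:
    allowed_actions: frozenset
    max_amount: float
    halted: bool = False  # interruption switch, checked before every action

class AgentGateway:
    """Gate each agent action through identity, mandate, halt state and trace."""
    def __init__(self):
        self.identities, self.mandates, self.trace = {}, {}, []

    def register(self, ident, mandate):
        self.identities[ident.agent_id] = ident
        self.mandates[ident.agent_id] = mandate

    def halt(self, agent_id):  # stop an agent in motion; later actions are denied
        self.mandates[agent_id].halted = True

    def authorize(self, agent_id, action, counterparty, amount):
        ident, mandate = self.identities.get(agent_id), self.mandates.get(agent_id)
        if ident is None or mandate is None:
            reason = "unregistered agent"
        elif mandate.halted:
            reason = "agent halted"
        elif action not in mandate.allowed_actions:
            reason = f"action {action} outside mandate"
        elif amount > mandate.max_amount:
            reason = f"amount {amount} exceeds limit {mandate.max_amount}"
        else:
            reason = "within mandate"
        permitted = reason == "within mandate"
        # Every decision, permitted or not, is recorded with who acted on whose authority.
        self.trace.append({"agent": agent_id,
                           "entity": ident.legal_entity if ident else None,
                           "principal": ident.principal if ident else None,
                           "action": action, "counterparty": counterparty,
                           "amount": amount, "permitted": permitted, "reason": reason})
        return permitted, reason

    def correlated_actions(self, min_agents=3):
        """Flag (action, counterparty) pairs permitted to many distinct agents."""
        agents = defaultdict(set)
        for r in self.trace:
            if r["permitted"]:
                agents[(r["action"], r["counterparty"])].add(r["agent"])
        return {k: sorted(v) for k, v in agents.items() if len(v) >= min_agents}
```

The correlation query is deliberately simple (distinct agents per action and counterparty over the whole trace); a production version would window by time and weight by amount.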
The crypto sequence carries one planning lesson beyond its four-year headline. The interval between a risk becoming visible and the expectation becoming binding has historically closed faster than firms anticipated, and often through channels that never announced themselves as rulemaking. An institution that builds agent identity, bounded authority, and observable oversight into its systems now will meet the expectation when it arrives. An institution that waits for a formal US mandate will be retrofitting under two clocks at once, its home regulator's and those of every other market in which it operates.
The practical horizon for agentic AI governance is therefore shorter than the US legislative calendar suggests, and it is set as much abroad as at home. A companion piece will map the jurisdictions most likely to lead if Washington holds back, and the specific routes by which each already reaches firms headquartered far outside its borders.