Financial Services AI Governance — What do regulators actually expect vs what teams deliver? #31
Replies: 3 comments 1 reply
-
|
In financial services, "we have logs" is usually not enough if the logs cannot reconstruct the decision conditions. For an examiner or model-risk reviewer, I would expect evidence across three layers:
The lineage vs logic problem is exactly where deterministic governance helps. A governance receipt should not only say "action allowed". It should include the policy package hash, rule id, evaluated attributes, decision result, timestamp, subject, resource, action, and correlation id to the agent/tool trace. For a financial-services policy pack, I would keep it implementation-oriented rather than trying to encode every regulation directly. Suggested controls:
That gives risk teams a bridge from regulatory expectations to actual engineering artifacts. |
Beta Was this translation helpful? Give feedback.
-
|
This is a strong direction. The TealProof layer sounds most useful if verifiers can test both receipt integrity and decision sufficiency. A few negative cases would make the model easier to trust:
That separation matters for regulators: a receipt can be cryptographically valid and still not prove that the decision was appropriate for the operating context. |
Beta Was this translation helpful? Give feedback.
-
|
Spot on. The "integrity verified, context incomplete" distinction is critical — and it's one most governance tools gloss over. You're right that a receipt can be cryptographically valid and still not prove decision appropriateness. We're designing TealProof with that separation explicit. On your negative cases — here's how we're thinking about each:1. Policy hash in receipt doesn't match verification bundle Verifier returns 2. Evaluated attributes modified but decision unchanged Receipt includes attribute hash. If attributes are mutated post-decision, the attribute hash breaks. Verifier returns 3. Merkle leaf omitted from exported proof set Verifier detects gaps via leaf sequence numbering. Returns 4. Timestamp valid but outside policy freshness window Receipt includes both decision timestamp and policy bundle timestamp. Verifier flags 5. Subject/correlation ID doesn't match underlying trace This is the hardest one. Receipt binds to correlation ID, but verifying the trace itself requires access to the telemetry layer. Verifier returns 6. Verifier has receipt but not full trace We're introducing explicit verification levels:
Verifier declares which level it can attest to. Never over-claims. The key design principleTealProof should never over-claim. A verifier that can only confirm integrity should say exactly that — not imply decision appropriateness. This maps to what regulators actually need: they want to know what level of assurance a given evidence artifact provides, not just "pass/fail." Your negative cases are going directly into our TealProof acceptance criteria and test suite. Would you be interested in reviewing the verification SDK design as it takes shape? Having someone who thinks in failure modes from the start would be genuinely valuable. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Financial Services AI Governance — Bridging the Gap
Opening this discussion to explore a specific challenge in financial services:
the gap between what regulators expect from AI agent governance and what teams
actually have in place today.
The problem as we see it:
Most teams are stuck in "Post-hoc Governance" — collecting logs after an agent
has finished its task to satisfy an auditor's request for data lineage. But
regulators (SR 11-7, EU AI Act, MAS guidelines) increasingly expect:
at that moment, and the resulting action
Where TealTiger fits:
TealTiger's approach is deterministic governance — no LLM in the policy path.
Every decision produces a typed, versioned, auditable record. In v1.3, we're
adding TealProof (cryptographic governance receipts) to make these records
tamper-evident and independently verifiable.
Questions for the community:
model decisions? Does "we have logs" satisfy them, or do they want more?
just what data flowed, but what decision logic was active?
(pre-configured controls mapped to SR 11-7 / EU AI Act requirements)?
Looking for perspectives from risk managers, compliance teams, and anyone
building AI agents in regulated environments.
Beta Was this translation helpful? Give feedback.
All reactions