Governing AI Agents: Risk, Compliance, and Accountability in Law and Finance

By Jillian Bommarito, Daniel Martin Katz, Michael James Bommarito

We are pleased to announce the release of Chapter 3: Governing AI Agents from our forthcoming book Agentic AI in Law and Finance.

The Governance Challenge

Agentic AI systems—capable of autonomous goal pursuit, environmental perception, and iterative action—are rapidly entering legal and financial services. Yet existing governance frameworks were not designed for software that acts rather than merely responds.

Unlike passive AI tools, agentic systems can:

  • Stray from their intended objectives
  • Take consequential actions without human approval
  • Create risks that traditional compliance models fail to address

A Risk-Based Framework

This chapter proposes a governance framework that scales oversight requirements to match each system’s risk profile, based on factors like:

  • Degree of autonomy — How independently does the system operate?
  • Operating duration — How long does it run between human checkpoints?
  • Interest alignment — Whose interests does it serve, and how are conflicts resolved?
  • Objective modification — How are its goals set and changed over time?

The Five-Layer Regulatory Stack

The framework situates agentic AI within a five-layer regulatory stack:

  1. Foundational law — Contract, tort, agency, fiduciary duty
  2. Professional ethics — Bar rules, CFA standards, compliance obligations
  3. Sector-specific regulation — SEC, FINRA, state bar requirements
  4. AI-specific rules — EU AI Act, emerging US frameworks
  5. Voluntary assurance — NIST AI RMF, SOC 2, ISO standards

Human Oversight Architectures

In law and finance—industries built on trust and non-delegable professional duties—human-in-the-loop and human-in-command architectures are not merely best practices but critical designs for satisfying fiduciary and regulatory obligations.

The chapter examines when each level of human oversight is required and how to implement it without sacrificing the benefits of automation.

Organizational Models

To operationalize accountability without fragmenting ownership, the chapter evaluates three organizational models:

  • Centralized — A single AI governance function owns all oversight
  • Federated — Business units own their agents with central standards
  • Embedded — Governance expertise distributed throughout the organization

We demonstrate how responsibility-assignment tools such as RACI matrices can allocate oversight duties with precision across these models.

A Maturity-Based Adoption Path

The chapter concludes by outlining a maturity-based adoption path that enables legal and financial institutions to adopt agentic AI while managing:

  • Liability exposure
  • Reputational risk
  • Regulatory compliance
  • Professional obligations

Read the Full Chapter

The complete 69-page chapter is available on SSRN. This chapter completes the trilogy, providing the governance framework that builds on the definitions (Chapter 1) and architectures (Chapter 2) explored earlier.

Together, these three chapters offer a comprehensive guide for any organization deploying agentic AI in regulated industries.