Why FluxAI

Three things regulated finance needs from agent governance.

Bank model risk management has a specific vocabulary for agentic AI. Three properties separate tools that pass a procurement checkbox from tools that survive regulator-level scrutiny. We map to all three.

The three properties

What regulator-grade agent governance has to demonstrate, and what most general-purpose toolkits do not.

01

Distinguishable terminal outcomes

Anchor: Szpruch, Sudjianto, Bhatti, Ang (2026), §2.2 Step 6.

A run that halted normally, a run that was escalated to human review, and a run that abstained from producing a result are three different things. Each one has different remediation, different monitoring, and different consequence admissibility for a regulator. Collapsing them into a binary allow / deny erases the distinction the paper requires and bank CMROs are paid to validate.

Human in Control: HALT / ESCALATE / ABSTAIN as a first-class terminal state on every governed action.

02

Per-agent, per-capability parameterised governance

Anchor: Szpruch et al. (2026), §3 capability framework and risk tiering.

Agentic systems differ by the capability they exercise (long-context extraction, retrieval with attribution, deterministic numeric, policy-constrained drafting). They differ by the authority each capability holds and by the consequence each composition exposes. A single global trust score for the agent cannot capture this. Capability catalogues, use-case specifications, and a risk-tiering rubric across the paper's five dimensions can.

Model Risk Oversight: capability catalogue, use-case specs, risk tiering, 7-step programme pack with 1LoD / 2LoD / SecOps responsibility matrix.

03

Article-level regulatory binding

Anchor: GDPR Art. 33, NIS2 incident reporting, DORA major-incident articles, OWASP Agentic Top 10.

Mapping to a framework name (GDPR, NIS2, DORA) is what procurement asks for. Mapping to a specific article with the deadline, the recipient authority, the field template, and a provenance trail is what a supervisor asks for. The gap between the two is where most governance products sit. Ours does not.

Proof of Human Oversight: each decision binds to an article-level template with a verifiable evidence trail.

Tools that map to framework checkboxes do not satisfy regulator-level scrutiny. We map to the article.

These three properties are not differentiators we invented. They are the properties Szpruch, Sudjianto, Bhatti and Ang argue regulated finance MRM should demand, validated against the operational practice of CMROs at multiple banks. We built to match the paper.

Sources

  • Szpruch, L., Sudjianto, A., Bhatti, A., & Ang, A. Scalable Runtime Governance for Agentic AI in Financial Services. Acknowledgements include CMRO-level reviewers at FifthThird, US Bank, Truist, Commerzbank, HSBC and UOB Group Risk.
  • OWASP. OWASP Top 10 for Agentic Applications. Industry-recognised attack surface taxonomy for agentic AI systems.
  • EU. GDPR Art. 33. NIS2 sector reporting. DORA Art. 19 major incident reporting. The article-level texts that supervisors actually open.