Financial services

Agents that move money,
under controls that hold

Payment operations teams use govern.sh to give payout and reconciliation agents real authority — bounded by spend caps, dual-control approvals, and a signed record of every transfer that regulators can verify independently.

The problem

Where autonomy breaks down today

01

Shared service accounts hide the actor

When six automations share one banking API credential, a mistaken transfer traces back to a service account — not to the process, prompt, or deploy that caused it.

02

Limits live in code review, not runtime

A wire cap enforced by an if-statement disappears the moment the model reasons around it. Nothing independent of the agent stands between a bad plan and the payment rail.

03

Audit season means log archaeology

Reconstructing who authorized which payout from application logs takes weeks each quarter, and the result is still a narrative — not evidence an examiner can check.

A day in the life

A payout, from request to receipt

Friday, 9:02 a.m. — treasury-agent begins the weekly vendor payout run. Here is how one $18,400 transfer moves through govern.sh.

treasury-agent
Executes scheduled vendor payouts from the operating account
01

treasury-agent presents its passport

Passport

The agent authenticates with its Ed25519 identity — not a shared banking credential. Every downstream decision is attributed to this specific agent and its current key.

agent: treasury-agent · key apt_92kd…e07 · verified
02

The transfer is checked against policy

Policy

treasury-guardrail evaluates the call in 6 ms: the counterparty is on the approved vendor list and the amount is inside the $25,000 weekly budget.

bank.transfer · $18,400.00 · policy: treasury-guardrail
03

Dual control kicks in above $10,000

Approval

The amount crosses the dual-control threshold, so the transfer is held — not failed — and routed to treasury operations for a second pair of eyes.

rule: amount > $10,000 → require_approval(treasury-ops)
04

Marcus approves from Slack

Approval

The on-duty treasury analyst sees the counterparty, amount, and remaining budget in one card and approves. The hold lasted 74 seconds; the transfer executes.

approved_by: marcus.t@meridian · hold: 74s
05

A signed receipt joins the chain

Receipt

The receipt captures the agent, the policy verdict, the approver, and the transfer reference — signed and chained to the receipt before it, exportable as SOX evidence.

rcp_3d81…a9f4 · signed ed25519 · chained → rcp_3d80…
What govern.sh adds

Controls your risk committee already understands

govern.sh expresses the controls finance teams have always run — limits, dual authorization, segregation of duties — as runtime enforcement on agents.

Dual-control approvals by amount

Route any transfer above a threshold to a named human queue. Approvals land in Slack or email and resolve in seconds, not ticket cycles.

Per-agent spend budgets

Daily, weekly, or monthly caps per agent and per counterparty. A compromised or confused agent hits its ceiling before it hits your account.

Sub-10 ms enforcement

Policy decisions run in single-digit milliseconds in your infrastructure, so governance never adds meaningful latency to a payment flow.

Examiner-ready exports

Receipts export as signed JSON with verification keys included, mapped to PCI DSS and SOX evidence requests out of the box.

refund-agent requestedstripe.refund · $412.00 · order #58201now
Policy evaluatedpayments-guardrail · approval requirednow
Approved by Dana K.Receipt rcp_8f2a…c41 signed & chainednow
−83%
Time to assemble quarterly audit evidence
100%
Over-limit transfers held before execution
74s
Median dual-control approval time

Representative outcomes reported by govern.sh customers in financial services.

PCI DSS · SOX

Built for examined environments

Receipts capture actor, action, verdict, approver, and signature for every payment operation — the individual accountability PCI DSS Requirement 10 asks for, and the authorization evidence SOX 404 control testing expects. Auditors verify the hash chain themselves; no one has to take your logs on faith.

Our examiners had never seen an autonomous payout process before. We handed them the receipt chain and the policy definitions, and the conversation moved from whether agents should touch payments to how many more flows we could hand over.
Elena Marsh
Head of Payment Operations, Meridian Pay

Put a verified agent to work in financial services.

Mint a passport, attach a policy, and watch the first signed receipt land — free for your first three agents.