Agents that move money,
under controls that hold
Payment operations teams use govern.sh to give payout and reconciliation agents real authority — bounded by spend caps, dual-control approvals, and a signed record of every transfer that regulators can verify independently.
Where autonomy breaks down today
Shared service accounts hide the actor
When six automations share one banking API credential, a mistaken transfer traces back to a service account — not to the process, prompt, or deploy that caused it.
Limits live in code review, not runtime
A wire cap enforced by an if-statement disappears the moment the model reasons around it. Nothing independent of the agent stands between a bad plan and the payment rail.
Audit season means log archaeology
Reconstructing who authorized which payout from application logs takes weeks each quarter, and the result is still a narrative — not evidence an examiner can check.
A payout, from request to receipt
Friday, 9:02 a.m. — treasury-agent begins the weekly vendor payout run. Here is how one $18,400 transfer moves through govern.sh.
treasury-agent presents its passport
PassportThe agent authenticates with its Ed25519 identity — not a shared banking credential. Every downstream decision is attributed to this specific agent and its current key.
The transfer is checked against policy
Policytreasury-guardrail evaluates the call in 6 ms: the counterparty is on the approved vendor list and the amount is inside the $25,000 weekly budget.
Dual control kicks in above $10,000
ApprovalThe amount crosses the dual-control threshold, so the transfer is held — not failed — and routed to treasury operations for a second pair of eyes.
Marcus approves from Slack
ApprovalThe on-duty treasury analyst sees the counterparty, amount, and remaining budget in one card and approves. The hold lasted 74 seconds; the transfer executes.
A signed receipt joins the chain
ReceiptThe receipt captures the agent, the policy verdict, the approver, and the transfer reference — signed and chained to the receipt before it, exportable as SOX evidence.
Controls your risk committee already understands
govern.sh expresses the controls finance teams have always run — limits, dual authorization, segregation of duties — as runtime enforcement on agents.
Route any transfer above a threshold to a named human queue. Approvals land in Slack or email and resolve in seconds, not ticket cycles.
Daily, weekly, or monthly caps per agent and per counterparty. A compromised or confused agent hits its ceiling before it hits your account.
Policy decisions run in single-digit milliseconds in your infrastructure, so governance never adds meaningful latency to a payment flow.
Receipts export as signed JSON with verification keys included, mapped to PCI DSS and SOX evidence requests out of the box.
Representative outcomes reported by govern.sh customers in financial services.
Built for examined environments
Receipts capture actor, action, verdict, approver, and signature for every payment operation — the individual accountability PCI DSS Requirement 10 asks for, and the authorization evidence SOX 404 control testing expects. Auditors verify the hash chain themselves; no one has to take your logs on faith.
Our examiners had never seen an autonomous payout process before. We handed them the receipt chain and the policy definitions, and the conversation moved from whether agents should touch payments to how many more flows we could hand over.
Related use cases
Put a verified agent to work in financial services.
Mint a passport, attach a policy, and watch the first signed receipt land — free for your first three agents.