Agents

Agents with approval gates: bounded autonomy, mandatory human checkpoints.

Multi-step AI workflows that pause at named gates so the analyst, PM or compliance officer remains the accountable decision-maker.

MiFID II Art. 25 · EU AI Act Art. 14 · AIFMD

5 min read

What it actually is

An agent is a language-model control loop that interleaves reasoning, tool calls and human checkpoints to complete a multi-step task. The foundational pattern is ReAct (Yao et al., ICLR 2023): the model produces an interleaved trace of Thought, Action and Observation tokens, where each Action is a tool call against an external system and each Observation is its return value. The trace forces the model to consult external state instead of inventing it, which is the single most effective hallucination guard known for tool-using systems.

Above ReAct sit orchestration patterns - plan-and-execute (a planner emits a directed graph of steps, an executor runs them, replanning on failure), multi-agent collaboration (distinct roles exchange messages), and tool-use loops (a single model with a long tool registry). The implementation we use most often in regulated work is an explicit state graph: nodes are functions, edges are typed transitions, state is a checkpointed dictionary persisted to a database, and a designated node is an interrupt.

The interrupt is the regulator-visible artefact. When the graph reaches an interrupt node, execution pauses, the current state is durably checkpointed, the relevant draft is surfaced to a human through the host, and the graph waits for an explicit resume command. Resume can happen seconds, hours or days later, from a different process, by a different user. Gating taxonomy: advisory (human sees, does not act), approval (human must accept before publication), veto (the agent proceeds unless stopped within a window), and co-author (human edits the draft before approving). For client-facing material the default is approval or co-author. There is no production-grade pattern in regulated finance that omits the gate.

Why this matters in your firm's workflow

The work that actually pays for an AI investment in an asset manager is the multi-step kind: pull the holdings, run the attribution, draft the quarterly commentary, attach the citations, log the IC-relevant deviations, prepare the regulatory filing, write the cover note. A model that does one of those steps is a productivity tool. A model that chains them is an agent. The chained version is where the operational lift is - and also where the accountability question becomes acute.

Approval gates resolve the accountability question by making the human checkpoint an explicit node in the graph, not a process step the team is supposed to remember. The analyst sees the draft, the PM signs off the IC memo, the compliance officer accepts the regulatory narrative - each one a recorded event with user id, diff hash and timestamp. The agent does the routine. The named human still decides.

Use cases where this pays off: quarterly commentary drafting per strategy, IC memo preparation, limit and mandate monitoring with prepared escalation drafts, regulatory filing preparation, response drafting for auditor questions. Anywhere the work is multi-step, repetitive in shape and high-consequence in output.

The regulator anchor

MiFID II Art. 25 requires firms to ensure that investment advice and portfolio decisions remain the responsibility of a competent person with documented evidence of the suitability analysis. EU AI Act Art. 14 requires human oversight of high-risk AI systems to be designed in - 'effectively overseen by natural persons during the period in which the AI system is in use'. AIFMD requires documented risk-management processes for alternative funds. The approval gate is the technical answer to all three.

Each gate records the approving user, the timestamp, the artefact diff hash, and the resume command. Combined with DORA-conformant logging and a perimeter-resident host running local inference, the regulator can reconstruct who decided what, when, on the basis of which evidence - without anyone in the firm having to 'look it up again'. The gate is not a UX feature. It is the audit row.

How we build it

We model the workflow as a state graph, not as a chat. Each node is a typed function - retrieve_holdings, compute_attribution, draft_commentary, draft_filing - and each edge declares its preconditions. State is a typed dictionary, durably checkpointed to the firm's database. The graph is the documentation: a compliance officer can read the topology in the repository and see exactly where the gates are.

Gates are first-class nodes. An approval gate is a node that calls the host's interrupt primitive, serialises the draft and the supporting context, and waits. The resume command carries the decision (approve, edit, reject), the user identity, and the optional edit diff. The graph then routes accordingly - finalise on approve, revise loop on edit, archive-with-reason on reject. No gate, no continuation: the topology enforces it.

Tooling that the agent calls - retrieval, pricing, document lookup, attribution engines - is exposed through MCP servers the firm operates. Language-model calls run locally where possible; where a frontier model is genuinely required, the call is gated and the payload is constrained to non-sensitive content. Every node entry, every tool call, every gate decision writes a structured audit row.

We keep the agent's tool registry deliberately small per workflow. A quarterly-commentary agent that has access to attribution, retrieval and drafting tools is auditable. A general-purpose 'do-anything' agent with twenty tools is not. Bounded scope is a deployment principle, not a limitation.

What to NOT do

Do not buy 'autonomous agents' for client-facing output. The word is misleading. The production-grade pattern is bounded autonomy with mandatory gates, and a vendor that markets autonomy as an end state is selling the regulator's red-flag deck.

Do not put the gate in a process handbook. If the gate is not wired into the graph, it is a recommendation. Auditors who have spent a year on DORA testing know how to ask whether the gate can be skipped, and a handbook gate can always be skipped.

Do not anthropomorphise the agents. Cartoon avatars labelled 'Researcher' and 'Reviewer' obscure that these are language-model calls with prompts, and buy-side compliance teams specifically reject that register.

Do not deploy without a stop condition. A loop without a termination clause is not bounded autonomy - it is a runaway. Every graph we ship has a maximum step count, a maximum wall-clock budget, and an explicit failure node.