Skip to content

For banks, funds, and fintechs

Your agent moved the money. Now an examiner wants the name of who approved it.

An AI agent that can release a payment or place a trade on its own is a control gap your auditors already have a word for. MakerChecker keeps the agent from approving its own irreversible action, a hard refusal in code, holds the money-moving step for a named person, and writes every decision to a signed log an examiner recomputes offline, with no access to your systems and none of our code.

The oldest control in the building

You have run four-eyes on people for a century. Your agent is just a new employee.

Maker and checker is a banking control before it is anything else: the person who prepares a payment cannot be the person who releases it, and dual control on the wire room is older than the computers that run it. An AI agent does not change the control. It changes who you are running it on. The agent prepares, a named person signs the one-way door, and the separation is enforced in code, not left to a prompt.

That is the whole claim on this page. The control your regulators, your auditors, and your own risk function already expect between two people is the control we put between an agent and its own consequential action. It maps to the controls your auditors already enforce between people: the four-eyes principle and SOX segregation of duties. It also speaks to the model-risk expectations, like SR 11-7, that your agent now falls under. We produce the evidence those ask for. We never call your system compliant or certified.

Where an agent must not act alone

Let the agent do the work. Keep the irreversible call on a named person.

Every one of these has a one-way door: a step where a mistake moves real money and cannot be quietly undone. The agent is fast right up to that door. The door is a named person’s to open.

Release fundsPayments and wires

The payments preparer

The agent, freely: Assembles the payment run, matches invoices to purchase orders, flags the duplicates and the beneficiary that changed since last month, and stages the batch.

The named human: Releasing funds above your threshold, or to a newly changed beneficiary, is a named second signer’s call, with the reason recorded word for word. Both are how authorized-push-payment losses happen.

Place the tradeTrading and risk

The mandate watcher

The agent, freely: Monitors positions live, drafts the rebalance, and prepares the order the moment a book drifts from its mandate.

The named human: A trade that breaches a risk limit or steps outside the mandate waits for a named human. Front office proposing and risk approving is not a nicety here, it is the control that separates a strategy from a rogue book.

Post to the ledgerControllership and close

The close copilot

The agent, freely: Reconciles the sub-ledgers overnight, prepares the journal entries, and surfaces the three variances that actually need a human before the books close.

The named human: The agent that prepared an entry can never be the one that posts it. A named controller signs off, because the party doing the work cannot be the only party attesting it was right.

Move customer moneyClient operations

The servicing agent

The agent, freely: Handles the servicing queue, drafts the transfer, updates the standing instruction, and prepares the account change.

The named human: Moving customer money or changing where it lands is a named person’s decision, every time. The agent makes the human fast. It does not get to act alone on someone else’s account.

What makes it hold

Two things a jailbreak cannot talk its way past.

The separation is not a prompt the agent is asked to respect. It is enforced outside the model, at the execution boundary, so an agent that has been talked into anything still cannot approve its own action. And the record is not a dashboard you host. It is a signed file an examiner rechecks themselves.

Jailbreaks will keep landing. The point is that the consequence is stopped anyway, because the approval never lived inside the agent to begin with.

Segregation of duties, in code

The agent that prepared a payment or trade is refused as its own approver. Not discouraged, refused, a hard 403 at the execution boundary. The attempt itself lands in the log.

A record that checks out offline

Every step commits to an Ed25519-signed, hash-chained log. Your own auditor recomputes it on their own laptop, with no access to your systems. Change one row and the chain breaks at that row.

See the six things the engine enforces →

Start where the money moves

Point the free scanner at your agent, then run a paid pilot on a single one-way door.

mc scan will show you, read-only, every action your agent can take today with no one checking. Then we build and run the first governed agent with you, on one workflow where a mistake moves real money.

See it for yourself

See an agent get stopped.

One command starts the demo: an agent stopped from signing off its own work, and the signed evidence file an inspector can check for themselves.

Designed against the rules your auditors already enforce.