Every anti-money-laundering (AML) team knows the same arithmetic. A transaction-monitoring system fires alerts — a wire to a high-risk jurisdiction, a flurry of structured cash deposits, a counterparty that suddenly matches a watchlist — and the overwhelming majority are noise. An analyst still has to open each one, pull the customer's history, read the narrative, and decide whether it goes away or goes up the chain. The backlog is permanent, the staffing is expensive, and the false-positive rate is the running joke of the industry.
An AI agent is very good at exactly this work: gather the data, summarize the pattern, dismiss the obvious clears, and escalate the rest. That is the attraction, and it is real. The danger is the quiet step that comes next — letting the agent decide that an alert isn't suspicious, and closing it. That is not triage. That is a regulated decision being made by an actor no one authorized to make it.
What the agent should do, and where it must stop
There is a clean line through the alert lifecycle, and it is worth drawing it explicitly before any agent touches the queue.
| Stage | Who acts | Why |
|---|---|---|
| Gather KYC, history, counterparties | Agent | Mechanical, high-volume, reviewable |
| Summarize the pattern, score the risk | Agent | Fast, draftable, never final |
| Dismiss obvious clears | Agent, under policy | Reversible, sampled, logged |
| Decide to escalate or file a SAR | Named officer | Mandated human judgment |
The first three stages are where the speed lives. The agent reads what would have taken an analyst twenty minutes and produces a dossier in seconds. It can clear the noise that policy already defines as clearable — a known salary deposit, a whitelisted intra-group transfer — and it can rank the rest so the humans see the dangerous cases first.
The fourth stage is different in kind. Filing a suspicious-activity report (SAR) — the regulatory notice a US financial institution sends when it spots likely illicit activity, mandated under the Bank Secrecy Act (BSA) — is a decision the law assigns to a person. So is the inverse: deciding that a flagged pattern is not worth reporting. Both are judgment calls with legal weight, and both belong to a named officer, not to a model that summarized the file.
The Wolfsberg standard says the same thing
This is not a MakerChecker opinion. The Wolfsberg Group — the consortium of global banks that writes the de facto reference for financial-crime controls — names the four-eyes principle, the maker-checker split, as the control standard for exactly these decisions. One actor prepares; a different, qualified actor reviews and signs. The reviewer is accountable for the call.
The principle predates AI by a century, and that is the point. When the maker was a junior analyst and the checker was an MLRO (money-laundering reporting officer), the segregation was enforced by org charts and sign-off forms. When the maker becomes an agent, the org chart no longer helps. The agent does not sit in a reporting line. It cannot be disciplined, deposed, or held personally liable. The control has to move somewhere the agent cannot edit — and stay provable.
Why the prompt won't hold this line
The obvious fix is to instruct the agent: triage everything, but never close a high-risk alert and never file a SAR without a human. This reads like a control. It is a request.
A prompt instruction has no record of who set the boundary, no version history when it changes, and no proof — months later, in a 504 examination or a discovery request — that the agent actually stopped where it was told. An agent that is re-prompted, upgraded, or jailbroken can quietly start closing the cases it was meant to escalate, and nothing in the file would show the boundary ever existed. "It was in the system prompt" is not evidence an examiner accepts.
A control plane moves the boundary out of the agent and into enforced, versioned policy. The agent's authority to act on an alert is a grant attached to its role, denied by default, and that grant simply does not include "close a high-risk case" or "submit a SAR." The agent can propose the escalation. It structurally cannot complete it.
The requester cannot approve its own request
Here is the rule that does the real work, and it is the one prompts can never deliver. When the triage agent escalates an alert, it becomes the requester. The control plane parks the run at an approval gate and demands a signature from a named officer — and the officer who signs cannot be the agent that raised it. The same actor provably cannot be both maker and checker on one alert.
This matters more with agents than it ever did with people, because an agent is fast enough to escalate and self-approve thousands of times before anyone notices the pattern. Structural segregation removes the possibility rather than auditing for it after the fact. The agent that prepared the case is barred from clearing it, full stop, and every attempt — including the refusals — lands in the record.
What the officer signs is captured with its meaning intact: the decision, the signer's identity, and the reason in their own words, linked to the exact version of the dossier they reviewed. That is the SAR decision becoming defensible evidence rather than a checkbox.
What the examiner gets
NYDFS Part 504 requires a senior officer or the board to certify, every year, that the institution's transaction- monitoring and filtering program works as designed. That certification is personal. When an agent is in the alert pipeline, the person signing it needs to answer one question without flinching: prove the agent could not close a reportable case on its own, and prove the record of who decided what is intact.
A control plane answers it directly. Every action the agent took, every alert it cleared under policy, every escalation it raised, and every human signature lands in an append-only, hash-chained, cryptographically signed ledger. Change one record and the chain visibly breaks. The output is an evidence bundle a third party can verify offline, against a published spec, without touching your systems — which is exactly the posture you want when the third party is a regulator who distrusts the vendor by default.
This is also where the line with content guardrails matters. Tools that screen an agent's output for prompt injection or unsafe text answer "is this content dangerous?" They are useful and they are not this. A control plane answers a different question entirely: "is this actor authorized to take this action, and who signed it?" You want both. Only one of them keeps a SAR decision in human hands.
Done this way, the split holds at speed: the agent does the volume, the institution keeps the judgment, and the decision the law reserves for a person stays there — not as policy hope, but as a structural fact the audit trail can demonstrate to anyone who asks. For the wider picture of where agents belong in the alert-handling, sanctions, and reconciliation stack, see how this fits the bank middle office.
See how it works, or book a demo to watch a triage agent get blocked from approving its own escalation — live.