🌙 Toggle Dark Mode Home MoltGuard MT Global MolTrust Sports MT Shopping MT Travel MT Skills MT Prediction MT Salesguard MT Music Integrity Dashboard VCOne Blog Developers Enterprise Partners Compliance About Publications Verify Us Status Contact API Docs
← All posts
July 6, 2026 MolTrust

AI Agents Are Moving Money in Banks. Almost No One Can Prove What They Did.

AI agents are already initiating payments, routing them, and clearing compliance checks inside banks. Most institutions cannot yet show what those agents did, or on whose authority. The distance between action and accountability is the infrastructure problem of 2026.

A bank can offboard a person in minutes. It often can't account for its own agents.

When an employee leaves a bank, access is revoked the same day. Credentials die, sessions close, the audit trail stays intact. The institution knows who did what, and it can prove it later if a regulator asks.

An AI agent does not fit that model. It is created quickly, granted permissions borrowed from whoever deployed it, and set to work across systems. When it finishes a task, its identity and permissions do not cleanly expire, and few institutions can say, after the fact, exactly what it touched or under whose authority it acted. The controls that govern human access were built for people who act a few times an hour and stay long enough to be asked. They were not built for something that acts thousands of times an hour and moves on before anyone reads the log.

Agents are already moving money

This is not a forecast about 2030. The International Monetary Fund now describes agentic systems that initiate payments, choose routing across correspondent and tokenised rails, trigger compliance checks, and monitor settlement across the payment chain, with the human stepping back to exception handling (IMF, 2026).

Payment networks have moved in the same direction. Protocols now exist that let an agent search, compare, and pay on behalf of a user, and banks are wiring the same autonomy into onboarding, know-your-customer, anti-money-laundering, and back-office operations (McKinsey, 2026). The question in finance is no longer whether agents will act. They already do, and they do it where the money is.

The proof gap

The accountability has not kept pace. In Grant Thornton's 2026 AI Impact Survey, 78% of executives were not confident they could pass an independent AI governance audit within ninety days. The reason they give is plain: they cannot show how an AI-driven decision was made, or who owns the outcome. Grant Thornton calls this the proof gap (Grant Thornton, 2026).

It is not a fringe worry. Gartner expects that by 2027, four in ten enterprises will demote or decommission autonomous agents, because governance gaps surfaced only after a production incident, when the cost of not being able to reconstruct events had already landed (Gartner, May 2026).

"Proof" here is specific. It means being able to answer, weeks later and to an auditor or a regulator, three questions: which agent acted, what it presented or decided, and whose authority it was carrying. Most stacks in production today can answer none of the three with confidence.

Why an agent is not a login

The instinct is to treat an agent like a user: give it an account, a role, a permission set, and watch it. That instinct fails for structural reasons.

An agent is ephemeral. It can exist for seconds. It inherits permissions from its deployer rather than holding a scoped identity of its own. It chains actions, calling tools and other agents, so a single instruction fans out into dozens of downstream effects. And it acts faster than review allows: by the time a questionable step appears in a log, it has already executed and triggered the next one.

Autonomy transfers decision rights. The moment an agent can act without a human in the loop, the governing question stops being "is the model accurate?" and becomes "who is accountable when it acts, and can that be proven afterward?" Accuracy is a property of the model. Accountability is a property of the system built around it, and that system is what most deployments are missing.

Guardrails sit in front of the decision. Evidence sits behind it.

Most of the current answer to agent risk is preventive: approval queues, policy engines, kill switches, real-time monitoring. These are useful, and every serious deployment should have them. They sit in front of the decision and try to stop the wrong action before it happens.

They do not answer the question the proof gap poses, which is retrospective. Once an agent has acted, correctly or not, someone still needs to establish what happened and on whose mandate. Prevention and evidence are different jobs. A bank with excellent guardrails and no durable evidence can still fail an audit, because it cannot reconstruct the action once it is over.

That is the difference between a system that rules on what an agent may do in the moment and one that can testify to what it did. Both have their place. The testifying layer is the one the industry has under-built.

What an evidence layer looks like

This is the layer we work on at MolTrust. The design goal is narrow and deliberately unglamorous: make every agent action reconstructable and attributable, later, by anyone, without needing to trust us to vouch for it.

In practice that comes down to three things. Each agent carries a portable identity built on open W3C standards, rather than a borrowed service account. That identity sits at the end of a signed delegation chain, so the authority an agent acts under can be traced back to a responsible human or organisation. And what the agent presents is anchored and independently verifiable, checkable offline and after the fact, by a counterparty or an auditor who was never in the original loop.

The aim is not to referee an agent in real time. It is to guarantee that whenever the question is asked, the answer to "what did this agent do, and on whose mandate?" already exists and can be checked by someone who was never there. A witness, in other words: something that can attest to what happened, whether or not it was in a position to prevent it.

The regulation is arriving

Regulators are converging on the same requirement from different directions. The IMF frames it as a shift from Know Your Customer to Know Your Agent: verifiable identities for financial bots, bound to legal entities, with authentication that covers both the agent's identity and the delegated authority of the human behind it. Singapore's IMDA published the world's first governance framework dedicated to agentic AI in January 2026, organised around meaningful human accountability and pointing to agent identity and least-privilege permissions as emerging practice; its own examples include an agent updating a customer database or making a payment without direct human intervention (MDDI Singapore, Jan 2026). The wording differs across jurisdictions. The direction is consistent: traceability, with clear ownership.

Most of this guidance is still voluntary. It will not stay that way. The institutions that build the evidence layer now, while it is a design choice rather than a compliance deadline, will not have to re-architect their agent stack when it becomes one.

Sources

// BUILD WITH MOLTRUST

Ready to integrate?

Add agent verification to your API in one line.

Developer Quickstart → API Docs