For banks, funds, and fintechs
Your agent moved the money. Now an examiner wants the name of who approved it.
An AI agent that can release a payment or place a trade on its own is a control gap your auditors already have a word for. MakerChecker keeps the agent from approving its own irreversible action, a hard refusal in code, holds the money-moving step for a named person, and writes every decision to a signed log an examiner recomputes offline, with no access to your systems and none of our code.
The oldest control in the building
You have run four-eyes on people for a century. Your agent is just a new employee.
Maker and checker is a banking control before it is anything else: the person who prepares a payment cannot be the person who releases it, and dual control on the wire room is older than the computers that run it. An AI agent does not change the control. It changes who you are running it on. The agent prepares, a named person signs the one-way door, and the separation is enforced in code, not left to a prompt.
That is the whole claim on this page. The control your regulators, your auditors, and your own risk function already expect between two people is the control we put between an agent and its own consequential action. It maps to the controls your auditors already enforce between people: the four-eyes principle and SOX segregation of duties. It also speaks to the model-risk expectations, like SR 11-7, that your agent now falls under. We produce the evidence those ask for. We never call your system compliant or certified.
Where an agent must not act alone
Let the agent do the work. Keep the irreversible call on a named person.
Every one of these has a one-way door: a step where a mistake moves real money and cannot be quietly undone. The agent is fast right up to that door. The door is a named person’s to open.
The payments preparer
The agent, freely: Assembles the payment run, matches invoices to purchase orders, flags the duplicates and the beneficiary that changed since last month, and stages the batch.
The named human: Releasing funds above your threshold, or to a newly changed beneficiary, is a named second signer’s call, with the reason recorded word for word. Both are how authorized-push-payment losses happen.
The mandate watcher
The agent, freely: Monitors positions live, drafts the rebalance, and prepares the order the moment a book drifts from its mandate.
The named human: A trade that breaches a risk limit or steps outside the mandate waits for a named human. Front office proposing and risk approving is not a nicety here, it is the control that separates a strategy from a rogue book.
The close copilot
The agent, freely: Reconciles the sub-ledgers overnight, prepares the journal entries, and surfaces the three variances that actually need a human before the books close.
The named human: The agent that prepared an entry can never be the one that posts it. A named controller signs off, because the party doing the work cannot be the only party attesting it was right.
The servicing agent
The agent, freely: Handles the servicing queue, drafts the transfer, updates the standing instruction, and prepares the account change.
The named human: Moving customer money or changing where it lands is a named person’s decision, every time. The agent makes the human fast. It does not get to act alone on someone else’s account.
What makes it hold
Two things a jailbreak cannot talk its way past.
The separation is not a prompt the agent is asked to respect. It is enforced outside the model, at the execution boundary, so an agent that has been talked into anything still cannot approve its own action. And the record is not a dashboard you host. It is a signed file an examiner rechecks themselves.
Jailbreaks will keep landing. The point is that the consequence is stopped anyway, because the approval never lived inside the agent to begin with.
Segregation of duties, in code
The agent that prepared a payment or trade is refused as its own approver. Not discouraged, refused, a hard 403 at the execution boundary. The attempt itself lands in the log.
A record that checks out offline
Every step commits to an Ed25519-signed, hash-chained log. Your own auditor recomputes it on their own laptop, with no access to your systems. Change one row and the chain breaks at that row.
Start where the money moves
Point the free scanner at your agent, then run a paid pilot on a single one-way door.
mc scan will show you, read-only, every action your agent can take today with no one checking. Then we build and run the first governed agent with you, on one workflow where a mistake moves real money.
Keep reading
See it for yourself
See an agent get stopped.
One command starts the demo: an agent stopped from signing off its own work, and the signed evidence file an inspector can check for themselves.
Designed against the rules your auditors already enforce.