Five weeks before the EU AI Act's high-risk compliance deadline hits on August 2, 2026,1 a particular kind of headache has settled into the compliance departments of financial institutions across Europe and beyond. The headache has a name. Or rather, it doesn't, which is the problem. What does "agent-authorized" mean inside a control framework built entirely for humans?
Nora Penfield is not a real person. But the role she occupies — Chief Controls Officer at a mid-large European financial services group, former Big Four auditor, twenty-year veteran of every regulatory wave from Basel III to GDPR — is very real, and the problem she's been handed is one that dozens of people in exactly that role are currently losing sleep over. We invented her so we could talk to the problem directly, without the press office in the way.
We caught up with Nora over coffee (hypothetical coffee, naturally) to discuss what happened when her team tried to write the definition.
You were asked to define "agent-authorized" for your firm's control framework. How did that go?
Nora: Badly. Productively, in the end, but the first three weeks were genuinely unsettling. We started where you'd expect: what controls do we need around agent actions? Approval workflows, logging, scope limits. Standard stuff. And then about ten days in, someone on my team asked a question that stopped the room cold: "What fields should the approval record contain?"
We realized we couldn't answer it. Not for the agent. But also not for humans. We'd never had to.
What do you mean?
Nora: When a human approves a payment or a vendor change, what actually gets recorded? A timestamp. A user ID. Maybe a reference number. The system logs that someone clicked "approve." But what did they approve? The specific action? The plan that led to it? The data the decision was based on? The consequences if it goes wrong? The rollback path?
None of that is in the record. It never was. The approval worked because the person clicking the button carried context. They'd been in the meeting, they knew the vendor, they understood the downstream effects. The approval was a compressed gesture.2 It contained all this implicit information that never entered the system.
An agent strips that context away entirely. Suddenly you need the approval record to carry everything the human used to carry in their head. Which forces you to notice that the human record was always incomplete. We just never had a reason to look.
That sounds like it could spiral into an existential crisis about your entire control framework.
Nora: It did, briefly. We had a very quiet Tuesday.
The EU AI Act's Article 14 requires "meaningful" human oversight for high-risk systems.3 How does that land when you're actually trying to operationalize it?
Nora: Article 14 is the one I can recite in my sleep now. Three levels: understand, intervene, halt. The system has to be designed so a natural person can effectively oversee it. And regulators have been clear that rubber-stamping doesn't count. If your override rate is zero, your oversight isn't meaningful.4
But there's no regulatory guidance on what information density constitutes "meaningful."5 How much does the approver need to see? How long do they need to look at it? If I'm approving fifty agent actions an hour, am I overseeing anything, or am I just achieving autonomy by exhaustion?6 Clicking "approve" fast enough that the queue never catches up, until the system is effectively autonomous and the human is decorative.
The honest part? Passive oversight has always been a problem. We just never confronted it because the human approver was also carrying situational awareness from the surrounding work. They sat near the team. They heard the conversations. They knew when something felt off. Agents don't generate that ambient intelligence, and neither does the person supervising them from a dashboard three floors away.
The Article 12 logging requirements seem relevant here. The record has to name the natural person involved.7
Nora: Yes, and this is where it gets technically precise in a way that exposes years of sloppiness. A shared service credential, an OAuth client ID, a service account token: none of those are sufficient. The verified subject claim has to resolve to a human identifier before the request reaches the model.8 Employee ID, customer ID, agent-on-behalf-of.
What we're building toward is dual attribution: every action needs both a system identity and a named human. Most of our existing systems track one or the other, never both, and never in a way that links the human's explicit mandate to the automated action.
I used to think this was an agent problem. It's an infrastructure problem we've been ignoring for a decade. The agents just walked in and turned the lights on.
The US side seems equally unsettled. SR 26-02 explicitly excludes agentic AI from scope.9
Nora: Which has a certain dark comedy to it. They replaced a fifteen-year-old model risk framework and immediately said, "but not the thing everyone's actually deploying." The Treasury FS AI RMF fills some of the gap with 230 control objectives, developed with over a hundred institutions, but it was designed with the explicit acknowledgment that agentic systems create risks traditional frameworks don't capture.10
The line I keep coming back to from that work:
If the answer resides in a policy binder rather than in a system log, defensibility weakens.11
That's the shift. Regulators aren't going to ask whether you have a policy. They're going to ask for the logs, the dashboards, the evidence artifacts. And for agent workflows, those artifacts need to answer a very specific chain: who initiated the task, what authority was granted, what limits applied, what did the agent observe, what action was approved, what state changed, and what recovery path exists.
That's a long chain.
Nora: Seven links. And the uncomfortable part is that it's the chain that should have existed for human approvals too. We just relied on the fact that you could walk over to someone's desk and reconstruct it from memory and goodwill.
What's the hardest open question you're sitting with right now?
Nora: Approval binding. When someone approves an agent's plan, they're approving a described intention. But agents deviate. They encounter unexpected states, they retry, they make judgment calls within their scope. So did the approval cover what actually happened, or only what was proposed?
We don't have an answer. Neither does the regulation. Neither does anyone I've talked to, and I've been asking everyone who'll take the call. But here's the thing: it's the same question we should have been asking about human delegation for years. "I approved the project" has never meant "I approved every decision made within the project." We just never had to draw that line because the human delegate had judgment, and we trusted it, and when things went wrong we sorted it out over lunch and a difficult conversation.
Agents don't do lunch. So now we need the line drawn in the system.
If you could go back to the beginning of this assignment, what would you tell yourself?
Nora: Stop trying to define agent authorization. You're defining authorization, full stop. The agent just finally made you do it properly.
The agent just finally made you do it properly.
Nora Penfield is a composite character. Her regulatory citations are real. Her Tuesday was imagined, but probably happened somewhere.
Footnotes
-
EU AI Act high-risk compliance deadline: August 2, 2026. See AliceLabs, "EU AI Act for Financial Services," May 2026. https://alicelabs.ai/en/insights/eu-ai-act-for-financial-services ↩
-
The concept of a "click as compressed gesture" is explored in TinyFish's research on authorization and agent identity. ↩
-
EU AI Act, Article 14: Human Oversight. Full text at https://artificialintelligenceact.eu/article/14/ ↩
-
AI Governance Library, "Human Oversight under Article 14 of the EU AI Act," October 2025. https://aigouvernance.com/human-oversight-under-article-14-of-the-eu-ai-act/ ↩
-
IAPP, "EU AI Act shines light on human oversight needs," February 2026. https://iapp.org/news/a/eu-ai-act-shines-light-on-human-oversight-needs ↩
-
The concept of "autonomy by exhaustion" appears in research on human-in-the-loop design for agent systems. ↩
-
EU AI Act, Article 12: Record-Keeping. Full text at https://artificialintelligenceact.eu/article/12/ ↩
-
Help Net Security, "What the EU AI Act requires for AI agent logging," April 2026. https://www.helpnetsecurity.com/2026/04/16/eu-ai-act-logging-requirements/ ↩
-
RiskTemplate, "NIST AI RMF for Financial Services: Crosswalk to SR 26-02," April 2026. https://risktemplate.com/blog/2026-04-24-nist-ai-rmf-sr-26-02-fs-ai-rmf-crosswalk-financial-services/ ↩
-
Lowenstein Sandler, "Financial Services AI Risk Management Framework: Operationalizing the 230 Control Objectives," February 2026. https://www.lowenstein.com/news-insights/publications/client-alerts/financial-services-ai-risk-management-framework-operationalizing-the-230-control-objectives-before-the-market-wakes-up-data-privacy ↩
-
ZwillGen, "U.S. Treasury Department Publishes AI Guidance for Financial Services," March 2026. https://www.zwillgen.com/artificial-intelligence/us-treasury-department-publishes-ai-guidance-financial-services/ ↩
