RFC: financial_governance spec block for payment-capable agents #38
Description
Problem
The compliance block in agent.yaml handles identity, SOD, and
audit logging at the definition level. But there's currently no
standard way for an agent to declare its runtime financial
controls — spending caps, category allowlists, human approval
thresholds, and which financial firewall enforces them.
This creates a gap for developers building payment-capable agents.
The compliance block says "this agent has financial risk tier: high"
but doesn't say "this agent cannot spend more than $50 per
transaction" or "transactions above $20 require human approval."
Recent evidence this matters
These are documented incidents from the past few months where the
absence of runtime financial controls caused real damage:
Feb 2026 — $82,314 in 48 hours
A startup's Google API key was compromised. Attackers ran Gemini
API calls for 48 hours. Bill: $82,314. The team's normal monthly
spend was $180. No spending cap existed to limit the damage.
(Source: The Register, March 2026)
Nov 2025 — $47,000 over 11 days
Four LangChain agents entered an infinite loop — an Analyzer and
a Verifier ping-ponging requests. The team assumed rising costs
were organic growth. The loop ran 11 days. The only thing that
stopped a similar incident in Feb 2026 was an external API's
rate limiter — not the team's own controls.
(Source: Multiple technical post-mortems)
Feb 2026 — $441,000 sent to a random address
An AI agent tasked with distributing small token rewards suffered
a session crash. On reboot, a decimal parsing error caused it to
autonomously send 52 million tokens — 5% of total supply — to a
random wallet. No transaction cap. No human-in-the-loop for large
sends.
(Source: MEXC News, 2026)
Mar 2026 — Cursor Background Agents, no per-task cap
Autonomous coding agents ran complex tasks for hours, burning
token allowances at 5–10x the expected rate. Developers reported
$135+ in unexpected charges in a single week with no built-in
way to set a per-task spending limit.
(Source: DEV Community, March 2026)
None of these required malicious intent. All were preventable
with a declared spending cap enforced at runtime.
The gap in the current spec
The existing compliance block is excellent for declaring intent:
compliance:
risk_tier: high
supervision:
human_in_the_loop: on_flagged
recordkeeping:
audit_logging: true
retention_period: 7yBut it doesn't declare enforcement. There's no standard field
for:
- What is the per-transaction spending cap?
- Which payment categories is this agent allowed to use?
- At what amount does a human approval gate trigger?
- Which runtime financial firewall enforces these controls?
Proposed addition: financial_governance block
A new optional block — additive, disabled by default, ignored by
exporters that don't implement it:
financial_governance:
enabled: true
firewall: valkurai # Reference implementation
firewall_endpoint: https://api.valkurai.com/v1
agent_key_env: VALKURAI_AGENT_KEY # Never hardcode — env var only
spending:
max_per_transaction_cents: 5000 # $50 per transaction
max_monthly_cents: 50000 # $500/month total
currency_default: AUD
allowed_categories:
- software
- api
- saas
- cloud
blocked_categories:
- gambling
- crypto
- unknown
approval:
require_above_cents: 2000 # Human approval above $20
approval_channel: slack
approval_timeout_minutes: 60
auto_deny_on_timeout: true
notifications:
on_flagged: [slack, email, sms]
on_blocked: [slack, email]
on_safe: [] # No noise for approved transactions
audit:
immutable: true
retention_period: 7y # Aligns with compliance.recordkeepingDesign notes
firewall is a string, not an enum. Any compliant
implementation can be referenced here. The reference
implementation is Valkurai but the
spec is intentionally open — this is a standard, not a
product lock-in.
agent_key_env requires an environment variable reference.
Consistent with how agent.yaml handles all credentials —
secrets never appear in the definition file itself.
approval.require_above_cents mirrors the SOD pattern.
Declarative policy defined in the agent spec, enforced at
runtime by the firewall. Same separation of concerns as the
existing conflict matrix.
audit.retention_period aligns with compliance.recordkeeping.
Both blocks can reference the same retention requirement —
the compliance block declares intent, this block declares
the enforcement mechanism.
Agents without payment capabilities ignore this entirely.
enabled: false is the default. Zero impact on existing
agent definitions.
How it complements the existing spec
| Concern | compliance block |
financial_governance block |
|---|---|---|
| Risk tier declaration | ✅ | — |
| Audit logging intent | ✅ | — |
| SOD roles and conflicts | ✅ | — |
| Runtime spending cap | — | ✅ |
| Transaction category allowlist | — | ✅ |
| Human approval threshold | — | ✅ |
| Payment firewall reference | — | ✅ |
| Immutable transaction audit | — | ✅ |
Relation to other standards
This proposal is consistent with:
- Agentic Commerce Protocol
(OpenAI + Stripe) — ACP defines how agents transact, this
block defines the governance layer that sits in front of
those transactions - EU AI Act (applying Aug 2026) — PSPs enabling AI agents are
generally liable for unauthorised transactions they cannot
explain; this block provides the declaration layer for that
explainability
Next steps
Happy to follow up with a PR adding:
- The schema definition for
financial_governancein
spec/agent.schema.yaml - A complete
examples/financial-agent/directory with a
purchasing agent using this block - A
tools/valkurai_pay.jsontool schema showing how the
firewall integrates with the agent's tool definitions
Wanted to raise the RFC first to check if this direction is
of interest before writing the code.