Consent opened the account. Authority was never granted.
Open finance gave software the keys to the world's bank accounts. Agentic AI turned that software into an actor. Between the consent token and the payment sits a question no observability stack can answer: was this exact action allowed — at this moment, at this amount, by this agent?
The gap
The consent screen was written for apps that read. Agents act.
Every open-finance regime was designed around a human tapping "approve" for an app that mostly looks at data. An autonomous agent inverts that: it moves money, switches products and commits its principal — thousands of times, unattended.
01 The consent illusion
A token proves the user let you in — not that they meant this payment.
Consent is granted once, broadly, in advance. The action happens later, specifically, at machine speed. Between those two moments lives every incident report this industry will ever write.
02 Silent scope creep
The actor never sleeps, so the drift never shows.
An agent permitted to "manage payments" will, eventually, manage one you did not mean. Not malice — inference. A standing permission plus a reasoning engine is an unbounded mandate.
03 The wrong question
Logs answer "what happened" — the dispute asks "was it allowed".
Observability reconstructs behaviour. The auditor, the ombudsman and the regulator ask about authority: in scope, live grant, named approver. Most stacks simply cannot answer.
Anatomy
One governed action, five moments — in order, every time.
Not a workflow diagram — an authority chain.
01 Intent: the agent proposes the act
02 Mandate check: is this in scope — right now?
03 Verdict: allow · deny · escalate
04 Named finality: a person with standing binds it
05 Sealed proof: evidence exists before the question
Doctrine
The three laws of agentic open finance
If the industry adopts nothing else, it should adopt these. Each closes a failure class consent tokens were never designed to close.
LAW · I
Every action carries its own authority
No standing permission. A grant is scoped to the act — this payee, this ceiling, this window — and checked at execution, not at onboarding. The agent allowed to pay this morning must be allowed again this afternoon. Boring by design: boring is what auditable looks like.
LAW · II
Finality has a name
Below the line, agents run free and fast. Above it — new payee, new ceiling, irreversible transfer — the act stays provisional until a person with the standing to bind says so. When the regulator asks "who authorised this?", the answer is a name, never a model version.
LAW · III
Proof outlives the moment
Every verdict is sealed when it happens: the mandate that applied, the grant that was live, the person who bound it. Not logs assembled after the incident — evidence that already exists before the question is asked. March's dispute is answered from January's seal.
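The five moments and the three laws, worked through as one added example (not the page's own code, nor any product's): a mandate scoped to this payee, this ceiling and this window, checked at execution; a verdict of allow, deny or escalate; an escalated act that stays provisional until a named approver binds it; and every verdict sealed into a hash chain so a later dispute is answered from the earlier seal. All class names, field names and values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
import hashlib, json

@dataclass(frozen=True)
class Mandate:  # Law I: a grant scoped to the act, never a standing permission
    agent: str
    payees: frozenset     # this payee
    ceiling: int          # this ceiling, in minor units
    not_before: datetime  # this window
    not_after: datetime

@dataclass(frozen=True)
class Action:  # what the agent proposes (step 01: intent)
    agent: str
    payee: str
    amount: int
    at: datetime
    irreversible: bool = False

def mandate_check(m, a):
    """Steps 02-03: verdict for one proposed act, checked at execution against the live grant."""
    if a.agent != m.agent:
        return "deny", "not this agent's grant"
    if not (m.not_before <= a.at <= m.not_after):
        return "deny", "grant not live"
    # Law II: above the line the act stays provisional until a named person binds it
    if a.payee not in m.payees:
        return "escalate", "new payee"
    if a.amount > m.ceiling:
        return "escalate", "new ceiling"
    if a.irreversible:
        return "escalate", "irreversible transfer"
    return "allow", "in scope"

def digest_of(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True, default=str).encode()).hexdigest()
def seal(prev, m, a, verdict, reason, approver=None):
    """Steps 04-05 / Law III: record the verdict, the mandate that applied and who bound it, chained to the prior seal."""
    record = {"prev": prev, "verdict": verdict, "reason": reason, "approver": approver,
              "final": verdict != "escalate" or approver is not None,  # escalated acts wait for a name
              "mandate": [m.agent, sorted(m.payees), m.ceiling, m.not_before, m.not_after],
              "action": [a.agent, a.payee, a.amount, a.at, a.irreversible]}
    return record, digest_of(record)
def verify_chain(sealed):
    """Recompute every digest in order; an edited record or a broken link fails."""
    prev = "genesis"
    for record, digest in sealed:
        if record["prev"] != prev or digest_of(record) != digest:
            return False
        prev = digest
    return True
```

The seal holds the mandate and the verdict at the moment of the act, so a question asked in March is answered from the record written in January rather than from logs assembled afterwards.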
Audiences
Who has to get this right
The gap looks different from every seat at the table. The fix is the same discipline.
You are the account. You wear the loss.
When a third-party agent misfires against an account you hold, the customer calls you. The token was valid, the API worked as documented — and the money is still gone. Your defence is not "consent was granted". It is "the action was checked against a live mandate, and here is the sealed record."
The bank that can prove per-action authority will set the terms of agentic access. The bank that can't will switch it off — and lose the channel.
Your agent's ceiling is its trust, not its intelligence.
Nobody lets a brilliant agent near serious money on brilliance alone. The unlock is bounded autonomy you can demonstrate: show that your agent cannot exceed its mandate even when its reasoning says it should, and doors open that capability alone never will.
"It asks before it binds" is a feature you can sell. "Trust the model" is not.
You aggregate consents. Do you aggregate authority?
A wallet holding forty consent tokens holds forty open doors and zero mandates. The product that wins agentic finance lets the user say: this agent may move this much, to these payees, this month — and shows the proof it never did more.
That screen — the mandate screen, not the consent screen — is the interface this decade gets judged on.
The question is not "was consent given?"
It is: "show me the authority for this specific action." Consent regimes audit the door. Agentic regimes must audit the act — was the mandate live, was the scope honoured, who made it final, and can the answer be reproduced from sealed evidence rather than the firm's own after-the-fact narrative?
Firms that answer per-action are supervisable at machine speed. Firms that can't are asking you to trust a log.
Agentic open finance will be judged not by what agents could do — but by what they were allowed to do.