LIGHTS OUT FINANCE
Lights Out Finance · In this paper: Controls & Assurance

The auditor will see you now

Autonomy that cannot be assured is a finding waiting for a fieldwork date. The control plane that makes agents attestable — identity, entitlement, policy-as-code, evidence, model risk — and why census beats sampling.

AB
Adil Bahir
Founder & Editor, Lights Out Finance · Two decades in finance transformation, quantitative finance, and enterprise AI
Interactive white paper · July 2026 · lightsoutfinance.net · 10-min read · Print / PDF
In the thesisLayer 5: the control plane that makes autonomy attestable.
In brief
“A human reviews everything” is review theater, not a control. Defensible designs distribute human attention by risk — policy, escalation, attestation — not by volume.
Five layers make an agent attestable: named identity, coded segregation of duties, policy-as-code, immutable evidence, and model-risk discipline borrowed from banking.
Assurance flips from sampling to census. Every action is policy-checked in-line and logged; the audit question becomes “prove nothing ran outside the policy.”

There is a conversation every finance leader piloting autonomous operations will eventually have, and most are unprepared for it. It happens when the external auditor, or the audit committee, asks the only question that matters: who approved that journal? If the honest answer is “a model, and we’re not entirely sure why,” the pilot is over — and it deserves to be. Autonomy that cannot be assured is not an operating model. It is a finding waiting for a fieldwork date.

The good news, which this paper argues in detail, is that the assurance problem is not a brake on autonomy. Designed correctly, it is the strongest argument for it. Manual operations generate evidence reluctantly, after the fact, by people reconstructing what they did. Autonomous operations, built on the right control plane, generate evidence as an inseparable by-product of every action. The paradox of the autonomous back office is that it can be more auditable than the human one it replaces — but only if assurance is an architectural requirement, not a compliance retrofit.

“A human reviews everything” is not a control

Start by retiring the most common comfort blanket. When an organization bolts a mandatory human approval onto every agent action, it believes it has added a control. What it has usually added is review theater: a person confronted with four hundred machine-generated items a day, approving at a pace no meaningful review could survive. Auditors have a decades-old name for this pattern from the manual world — the rubber-stamp reviewer — and they test for it. A checkbox clicked in 1.8 seconds is not evidence of judgment; it is evidence of throughput.

The defensible design distributes human attention by risk, not by volume. Policy defines — explicitly, in writing, in advance — which actions execute autonomously within thresholds, which require pre-approval, and which are prohibited to the machine entirely. The human role concentrates where it is real: setting the policy, judging the escalations, and attesting over the environment. Fewer approvals, each of which actually means something. That is not less control than approve-everything. It is the first honest version of it.

A checkbox clicked in 1.8 seconds is not evidence of judgment. It is evidence of throughput.

The control plane: five layers that make an agent attestable

Identity. Every agent is a first-class principal: named, credentialed, entitled like a person, with no shared service accounts and no ambient authority. When the log says who did it, “who” must resolve to exactly one accountable identity — and to the human owner who sponsors it.

Entitlement. Segregation of duties survives the transition intact. The agent that proposes a journal is not the agent that approves it; the agent that creates a vendor cannot release a payment to one. These are the same SoD rules control functions have enforced for decades — now enforced in code, against principals that never share passwords.

Policy-as-code. The accounting policy, the treasury policy, the approval matrix — expressed as executable, versioned rules the agent checks before acting, not guidance it might have read. The policy document and the operating behavior become, for the first time in the history of the back office, the same artifact. When policy changes, the diff is the audit trail.

Evidence. Every action writes an immutable record: inputs seen, policy version applied, rationale, outcome, and downstream references. Not because a regulation demanded it, but because that is how the system works at all. This is the layer that turns fieldwork from an excavation into a query.

Model risk. The models inside agents are inventoried, validated, monitored for drift, and given kill criteria — the discipline banks have run under model-risk-management regimes for years, extended to operational agents. If a bank can govern a pricing model that moves billions, a controller can govern a matching model that clears exceptions. The playbook exists; it needs adopting, not inventing.

Exhibit 1
From sampling to census
MANUAL OPERATION — ASSURANCE BY SAMPLE Population of transactions · a sample is tested months later · evidence assembled by hand · findings arrive after the risk did AUTONOMOUS OPERATION — ASSURANCE BY CENSUS Every action policy-checked before execution · every decision logged with inputs, rationale, and outcome · the control runs in-line The audit question inverts: not “show me evidence for these 25 items” but “show me the policy, and prove nothing ran outside it.”
Manual assurance tests a sample of the past. In-line assurance policy-checks the whole population before execution — and keeps the receipts.

From sampling to census

Here is where the economics of audit flip. Traditional assurance is archaeological: months after the fact, select twenty-five items, request support, chase, inspect, extrapolate. The sample exists because testing everything was impossible. In an autonomous operation, testing everything is not only possible — it already happened, in-line, at execution time. The auditor’s question changes shape: from “show me evidence for these items” to “show me the policy, show me that the enforcement mechanism works, and prove nothing executed outside it.” One control tested well replaces a thousand items sampled badly.

None of this is exotic to the assurance profession. It maps cleanly onto the frameworks already governing the estate: ICFR/SOX management testing shifts toward automated control monitoring; service-organization reporting (ISAE 3402 / SOC 1) extends naturally to agent-operated processes; and the emerging AI-governance regimes — the EU AI Act’s requirements on logging, oversight, and transparency chief among them — ask for precisely the artifacts this architecture produces as exhaust. Firms that build the control plane first will experience AI regulation largely as a documentation exercise. Firms that bolt it on afterwards will experience it as remediation.

Exhibit 2 · Interactive
Sampling versus census: the detection gap
The uncomfortable arithmetic of sample-based assurance. Set a realistic control-failure rate and watch what a 25-item sample can honestly promise.
Failures actually in the population
Probability the sample sees even one
Expected failures found in sample
Failures a census screens
policy-checked in-line, pre-execution
P(detect ≥1) = 1 − (1 − p)n. At a 0.3% failure rate, a 25-item sample has roughly a 7% chance of surfacing a single failure — and the population contains hundreds. Census assurance does not estimate the failure count; it prevents most of it and evidences the rest.

The arithmetic of review theater

Before any committee debates whether machine dispositions are “risky,” it should run the calculator above on its current state. Four hundred items into a reviewer-day with three genuine minutes each requires twenty hours of attention from a person who has five and a half; the surplus — typically two-thirds of the queue — is being approved by momentum and attested by hope. This is not an indictment of the reviewers, who are doing the only thing the design permits. It is an indictment of a control that was specified by volume rather than capacity, and it is the single most effective exhibit in the business case for risk-routing: the status quo is not the safe baseline the machines must beat. The status quo is theater with a signature on it, and the arithmetic has been available to anyone who multiplied.

Exhibit 3 · Interactive
The review-theater calculator
The approve-everything control, audited by arithmetic. How many of today’s approvals could physically have been reviewed?
Items a genuine review-day can cover
Theater share of today’s approvals
Seconds actually spent per item
Reviewers needed to make review real
Theater share = approvals beyond physical review capacity. The exit is not hiring to the fourth output — it is the risk-routed design of this paper: census screening by machine, human minutes concentrated on the flagged minority, and the arithmetic finally consistent with the attestation being signed.

Model risk without the mystique

The phrase “model risk management” makes finance controllers reach for consultants, which is a shame, because they already run its exact logic elsewhere. A model inventory is a fixed-asset register for judgment: what exists, who owns it, what it is approved to do. Validation is a control test: does it perform within tolerance on data it has not seen. Drift monitoring is a variance analysis: actuals against expectation, investigated past a threshold. Kill criteria are a delegation-of-authority schedule: the conditions under which permission is withdrawn, decided before the emergency rather than during it. Controllers translate unfamiliar regimes into these primitives for a living; the machinery of banking’s SR 11-7 tradition — inventory, validate, monitor, retire — is a familiar audit program pointed at a new asset class. The mystique is the vendor’s; the discipline is already yours.

The close is where you feel it first

If the census argument sounds abstract, walk it into the most familiar control environment in finance. A campaign close (The Continuous Close) produces its evidence in arrears — screenshots, tie-out workbooks, review notes reconstructed for the auditor months later — and the annual ICFR cycle tests a sliver of it. A continuous close on this control plane produces the audit file as exhaust: every reconciliation carries its policy version, every adjustment its rationale, every exception its disposition. The external audit’s substantive burden falls precisely as management’s assurance rises, and the fee conversation changes shape along with the fieldwork. The same logic then walks outward — to payment screening (Treasury as Code), to alert disposition, to any control that currently exists as a procedure plus a prayer.

Who signs

Accountability does not transfer to software, and no serious design pretends it does. The CFO still certifies; the controller still attests; internal audit still opines. What changes is what they are attesting over: less “my people followed the procedure, mostly, we sampled it” and more “the policy is right, the enforcement is proven, the exceptions were judged.” That is a stronger signature, not a weaker one — and in my experience it is the moment the audit committee stops treating autonomy as a risk topic and starts treating it as a controls upgrade.

The gap between those two conversations is measurable. The Index below measures it — including the evidence and controls dimension most self-assessments politely skip.

What leaders should do
Run the review-theater calculator on your own control environment.

Before debating whether machine dispositions are risky, quantify how much of today’s human review is arithmetically impossible — that number is the baseline autonomy must beat.

Commission the control plane before the next agent.

Identity, entitlement, policy-as-code, evidence, model risk — five layers, specified once, inherited by every process that follows.

Invite the auditors into design review.

Census-grade evidence changes their fieldwork; firms that show the machinery early convert the audit relationship from objection to co-design.

Where does your operation sit?

The Lights Out Maturity Index: six questions, two minutes, no scales to interpret. Your anonymous result joins the inaugural Lights Out Finance Survey — the benchmark this publication reports on.

Take the Autonomy Readiness CheckTake the Maturity Index Browse all papers
Notes & references
ISAE 3402 / SOC 1 — the international and US standards under which service organizations report on their controls; the reporting regime continuous evidence ultimately feeds.
SR 11-7 — the Federal Reserve/OCC supervisory guidance on model risk management: inventory, validate, monitor, retire.
EU AI Act — the EU’s AI regulation, phasing in through 2025–2027; logging, human-oversight, and transparency duties for high-risk systems.
Sarbanes-Oxley — US internal-controls attestation; the regime management sign-off and evidence quality answer to.
Interactive models in this paper are the author’s analysis. Default values are illustrative; every input is exposed so you can calibrate with your own figures.
About the author
AB
Adil Bahir

Founder & Editor of Lights Out Finance. Big 4 partner in CFO Advisory & Finance Transformation with two decades across the Americas, EMEA, and APAC; DEng in AI (George Washington), MBA in Finance (Cornell), Master in Financial Engineering (Queen’s Smith); US CPA, CGMA, FRM, CQF, CTP, CDAA. Full profile →

Related papers