The FINOS AI Governance Framework is the financial industry’s open standard for governing AI in regulated environments — and it is actively expanding into agentic AI. Kakunin is an open-source implementation of controls for several of its agentic-security risks: cryptographic agent identity, pre-action scope enforcement, behavioral revocation, and regulator-ready audit.
Risk identifiers and titles are from the published framework. For each, the concrete control Kakunin provides — every one of them open source under AGPL-3.0, so the mitigation itself is auditable, not a black box.
| FINOS AIGF risk | The threat | Kakunin control |
|---|---|---|
| AIR-SEC-024 Agent Action Authorization Bypass | An agent performs an action outside its intended authority — a tool call, transaction, or API request it was never scoped to make. | Every agent holds a short-lived X.509 certificate scoped to an explicit permitted_actions set. verify_agent_scope checks the certificate, scope, and revocation status before the action runs — a pre-execution gate, not an after-the-fact log. |
| AIR-OP-028 Multi-Agent Trust Boundary Violations | In a multi-agent system, one agent impersonates or over-trusts another, crossing a boundary that should have been enforced. | Each agent gets its own certificate and verifiable identity. Agents (and counterparties) verify one another against a single canonical CA, keylessly — trust boundaries become cryptographic, not conventions. |
| AIR-SEC-029 Agent-Mediated Credential Discovery & Harvesting | An agent discovers, exfiltrates, or reuses credentials it was given access to — the classic secrets-sprawl failure for autonomous systems. | Bring-your-own-agent credentials are encrypted at rest (AES-256-GCM) and released only within scoped, audited access. Agent private keys live in AWS KMS HSMs and never leave. |
| AIR-SEC-026 MCP Server Supply-Chain Compromise | A tampered Model Context Protocol server or dependency injects malicious behavior into the agent’s toolchain. | The @kakunin/mcp server publishes with npm provenance attestations traceable to a public commit and CI run, and carries an OpenSSF Scorecard. Consumers can verify the artifact’s origin with npm audit signatures. |
| AIR-SEC-027 Agent State Persistence Poisoning | An attacker corrupts an agent’s persisted state or memory so its future behavior drifts maliciously. | Behavioral drift detection scores the agent’s actions against a rolling 30-day baseline; every state-changing action is written to an immutable, WORM-backed audit log, so poisoning shows up as measurable drift. |
| AIR-OP-006 Non-Deterministic Behaviour | The same inputs produce different, unpredictable actions — hard to bound or certify for a regulated deployment. | A real-time risk score bounds behavior operationally: when it crosses threshold, the agent’s certificate is automatically revoked within seconds, halting further action regardless of what the model does next. |
| AIR-RC-022 Regulatory Compliance & Oversight | The organization cannot demonstrate to a regulator that its AI systems are governed, monitored, and accountable. | An append-only, S3 Object-Lock-backed audit trail records every action, and signed compliance reports export the evidence for MiCA and the EU AI Act — oversight you can hand to a regulator, not reconstruct. |
Kakunin is not affiliated with or endorsed by FINOS. This is our own mapping of Kakunin’s controls to the open FINOS AI Governance Framework, offered as a worked reference implementation.
Frameworks define what to control. Deploying agents in a regulated business needs something that actually enforces it. Three reasons Kakunin fits the framework’s agentic direction.
The framework distinguishes preventative from detective controls. Kakunin’s scope check runs before an action executes — a preventative control for agent-authorization risks, backed by a detective audit trail for the rest.
The framework’s newest risks — AIR-SEC-024 through AIR-SEC-029 and AIR-OP-028 — are about autonomous agents crossing boundaries. That is precisely the surface Kakunin was built for: verifiable per-agent identity and cryptographically enforced scope.
For a governance control, transparency is the point. The entire platform is AGPL-3.0 — issuance, the risk model, revocation, the audit pipeline. A regulator or counterparty can read exactly how a decision was made.
The framework is a community standard, and so is Kakunin. If you are working on agentic-AI governance in financial services, the mapping above is a starting point, not a finished answer.
Read the full risk and mitigation catalogue at air-governance-framework.finos.org.
The framework welcomes contributions via DCO-signed pull requests and bi-weekly meetings on the FINOS calendar.
Every control mapped above is open at github.com/nqzai/kakunin-core (AGPL-3.0).
Start in the sandbox — real X.509 certificates, 100 free per day, no card. Certify an agent, scope it, and watch a risk breach auto-revoke it.