Home/FINOS AI Governance Framework
Open Standards · Agentic AI Risk · AGPL-3.0

Controls for the FINOS AI Governance Framework. Open source.

The FINOS AI Governance Framework is the financial industry’s open standard for governing AI in regulated environments — and it is actively expanding into agentic AI. Kakunin is an open-source implementation of controls for several of its agentic-security risks: cryptographic agent identity, pre-action scope enforcement, behavioral revocation, and regulator-ready audit.

7AIGF risks Kakunin helps mitigate
AgenticFocused on the framework’s new agent risks
AGPL-3.0Every control is auditable source
OpenFINOS is part of the Linux Foundation
01 — RISK MAPPING

FINOS AIGF risks → Kakunin controls

Risk identifiers and titles are from the published framework. For each, the concrete control Kakunin provides — every one of them open source under AGPL-3.0, so the mitigation itself is auditable, not a black box.

FINOS AIGF riskThe threatKakunin control
AIR-SEC-024
Agent Action Authorization Bypass
An agent performs an action outside its intended authority — a tool call, transaction, or API request it was never scoped to make.Every agent holds a short-lived X.509 certificate scoped to an explicit permitted_actions set. verify_agent_scope checks the certificate, scope, and revocation status before the action runs — a pre-execution gate, not an after-the-fact log.
AIR-OP-028
Multi-Agent Trust Boundary Violations
In a multi-agent system, one agent impersonates or over-trusts another, crossing a boundary that should have been enforced.Each agent gets its own certificate and verifiable identity. Agents (and counterparties) verify one another against a single canonical CA, keylessly — trust boundaries become cryptographic, not conventions.
AIR-SEC-029
Agent-Mediated Credential Discovery & Harvesting
An agent discovers, exfiltrates, or reuses credentials it was given access to — the classic secrets-sprawl failure for autonomous systems.Bring-your-own-agent credentials are encrypted at rest (AES-256-GCM) and released only within scoped, audited access. Agent private keys live in AWS KMS HSMs and never leave.
AIR-SEC-026
MCP Server Supply-Chain Compromise
A tampered Model Context Protocol server or dependency injects malicious behavior into the agent’s toolchain.The @kakunin/mcp server publishes with npm provenance attestations traceable to a public commit and CI run, and carries an OpenSSF Scorecard. Consumers can verify the artifact’s origin with npm audit signatures.
AIR-SEC-027
Agent State Persistence Poisoning
An attacker corrupts an agent’s persisted state or memory so its future behavior drifts maliciously.Behavioral drift detection scores the agent’s actions against a rolling 30-day baseline; every state-changing action is written to an immutable, WORM-backed audit log, so poisoning shows up as measurable drift.
AIR-OP-006
Non-Deterministic Behaviour
The same inputs produce different, unpredictable actions — hard to bound or certify for a regulated deployment.A real-time risk score bounds behavior operationally: when it crosses threshold, the agent’s certificate is automatically revoked within seconds, halting further action regardless of what the model does next.
AIR-RC-022
Regulatory Compliance & Oversight
The organization cannot demonstrate to a regulator that its AI systems are governed, monitored, and accountable.An append-only, S3 Object-Lock-backed audit trail records every action, and signed compliance reports export the evidence for MiCA and the EU AI Act — oversight you can hand to a regulator, not reconstruct.

Kakunin is not affiliated with or endorsed by FINOS. This is our own mapping of Kakunin’s controls to the open FINOS AI Governance Framework, offered as a worked reference implementation.

02 — WHY IT MATTERS

A standard needs implementations

Frameworks define what to control. Deploying agents in a regulated business needs something that actually enforces it. Three reasons Kakunin fits the framework’s agentic direction.

1

Preventative, not just detective

The framework distinguishes preventative from detective controls. Kakunin’s scope check runs before an action executes — a preventative control for agent-authorization risks, backed by a detective audit trail for the rest.

2

Built for the agentic risk set

The framework’s newest risks — AIR-SEC-024 through AIR-SEC-029 and AIR-OP-028 — are about autonomous agents crossing boundaries. That is precisely the surface Kakunin was built for: verifiable per-agent identity and cryptographically enforced scope.

3

Auditable by design

For a governance control, transparency is the point. The entire platform is AGPL-3.0 — issuance, the risk model, revocation, the audit pipeline. A regulator or counterparty can read exactly how a decision was made.

03 — GET INVOLVED

Building this in the open

The framework is a community standard, and so is Kakunin. If you are working on agentic-AI governance in financial services, the mapping above is a starting point, not a finished answer.

The Framework →

Read the full risk and mitigation catalogue at air-governance-framework.finos.org.

Contribute upstream →

The framework welcomes contributions via DCO-signed pull requests and bi-weekly meetings on the FINOS calendar.

Read Kakunin’s source →

Every control mapped above is open at github.com/nqzai/kakunin-core (AGPL-3.0).

Govern your agents against the framework.

Start in the sandbox — real X.509 certificates, 100 free per day, no card. Certify an agent, scope it, and watch a risk breach auto-revoke it.