The rapid deployment of AI agents across the financial sector and software development is catastrophically outpacing the ability of traditional compliance to monitor them. While businesses scramble to embed autonomy into every process, the risk management gap is widening into a chasm. As Hannah Liu, Riya Saxena, and Shiv Asthana from the Responsible AI Institute and Imperial College London point out, existing standards like NIST AI RMF or ISO/IEC 42001 are little more than a collection of well-meaning guidelines unsuited for the unique challenges of agency. Even the much-touted EU AI Act was effectively obsolete before its publication: its drafts were finalized before autonomous agents became mainstream.

Quantifying Agency Through Twelve Dimensions

The TrustX Agent Risk Classification (ARC) methodology aims to convert subjective executive anxiety into a measurable score. At its core is a rubric of 12 dimensions that categorizes "chaos" across seven types of systems—ranging from simple assistants to end-to-end business processes. Utilizing the GPA + IAT model (perception, planning, and action), the framework evaluates five levels of autonomy. This is an attempt to establish a rigid coordinate system in a field that previously relied on developer intuition.

ARC is a repeatable classification tool that enables the quantitative risk assessment of seven distinct types of agentic systems.

The output is a three-tier risk grade. For tech leads, this marks a shift from vague checklists to concrete architectural discipline: if an agent is capable of multi-stage actions within a closed loop, its risk grade automatically triggers the implementation of specific controls. Security is no longer a matter of "faith"; it is a matter of meeting a numerical threshold.

Closing the Architectural Audit Gap

Traditional banking risk management (such as SR 11-7) de facto ignores generative AI, forcing architects to operate in the dark. TrustX ARC fills this void by offering specialized extensions, such as one specifically for Coding Assistants. The framework maps technical vulnerabilities to corporate risk levels, building a bridge between raw code and business risk.

Agent capabilities are proliferating faster than the practices required to reliably evaluate them.

The TrustX framework signals the end of the era of static compliance. AI risk management is evolving into a continuous monitoring process. The immediate priority for risk managers is to conduct a comprehensive audit and map current autonomous processes onto this three-tier system. Only then can they understand which agents are already exerting uncontrolled influence over the company’s intellectual property or financial flows.

AI AgentsAI RegulationAI SafetyAI in FinanceCybersecurity