
    Polity at AAI 2026: Why “Agentic” Is a Word Worth Defending

    A Research Direction for Bounded AI in Regulated Digital Finance

    The conference paper discussed here was presented at AAI 2026 by Aleksey Katulevskiy, Strategy & Partnerships Lead, Polity.

    In May 2026, Polity took an argument to an applied-AI conference in Serbia. The argument was about a single word – “agentic” – and about why, in regulated finance, that word has to mean something leashed rather than something loose. This article is a commentary on that argument and the questions the conference raised.

    An Argument, Not a Launch

    Polity participated in the Fifth Serbian International Conference on Applied Artificial Intelligence (AAI 2026), held in Kragujevac on 20–21 May 2026 under the patronage of the University of Kragujevac, alongside computer science researchers, Nobel laureates, and industry experts (1).

    There was no token, no investment proposition, and no commercial announcement. Polity went to make a different kind of statement: that bounded, identity-aware, accountable AI is the version of the technology most likely to clear supervisory scrutiny in regulated digital finance – and that the unbounded alternative, however capable, is far less likely to.

    The paper, “Bounded Agentic AI for Regulated Digital Finance: An Architectural Research Direction,” was presented in Kragujevac by Aleksey Katulevskiy, Polity’s Strategy and Partnerships Lead.

    “We didn’t bring a product to Kragujevac. We brought an argument: that bounded, accountable AI is the version with a credible path through supervisory scrutiny. And an invitation to argue back.” – Aleksey Katulevskiy, Strategy & Partnerships, Polity

    The thesis is deliberately unfashionable in a year of unbounded autonomy claims. Finance is not primarily a prediction problem; it is a coordination problem under constraints – legal, fiduciary, identity, jurisdictional, audit, and human. An AI that can summarise a regulatory corpus in seconds is impressive. An AI that can be trusted to act on that corpus – in someone else’s name, with someone else’s money, under a regulator’s oversight – is a different problem entirely, and it is the problem Polity set out to address. That this is the right problem to be working on is increasingly the industry’s own framing. Recent analysis defines agentic AI governance precisely as the structured management of delegated authority. It locates the hard problem not in what an agent outputs, but in whether an institution can prove the agent had authority to act (11). The same analysis notes that existing model-risk guidance was written for models with stable input-output behaviour. By itself, it does not resolve the agent-specific questions: delegated authority, runtime permissions, tool access, and action accountability – the very gap Polity’s research is addressed to (12).

     

     

    The Word Polity Refused to Drop

    More than one thoughtful observer, before and during the conference, suggested quietly deleting the contested word from the paper’s title: “agentic.” The reasoning was sound. Most of what Polity described – onboarding companions, fraud radars, proposal explainers, audit-evidence layers – only explains, translates, flags, and summarises. Call it advisory AI, the argument went, and a year’s worth of hype baggage falls away with the word. Polity kept it. The reasoning for keeping it is the whole point of the work.

    Three reasons:

    • Some of the use cases genuinely act. A pre-trade verifier that blocks a transaction, or a supervisory monitor that fires a real-time alert, is not advising – it is acting, narrowly and reversibly, but acting. Labelling that “advisory” is a quiet dishonesty about capability, exactly what this work exists to prevent.
    • Revocable delegation is the safe form of agency, not its absence. An AI operating under cryptographically verifiable, time-bounded, revocable delegation is still an agent – an agent on a leash. To cede the word is to imply that safety means having no agent at all. It does not, and regulated finance cannot afford to pretend otherwise.
    • The word is where the conversation is. The regulatory and engineering debate about autonomous AI is happening under the heading “agentic.” Step outside it and the term belongs entirely to those making unbounded autonomy claims. The responsible move is not to flee the word but to occupy it and define it.

    In the Polity context, an AI system is treated as agentic when it can initiate, deny, sequence, modify, or conditionally execute an action within a bounded delegation scope, without requiring synchronous human approval for every intermediate step. That threshold matters: it draws a line between explanation, which informs a human decision, and execution, which has an effect of its own. Most of the cases Polity describes sit on the explanatory side of the line and are fairly called assistive. The agentic label is reserved for the minority that cross it; the work of this paper is to insist that, when a system does cross it, it crosses under delegation that is identified, scoped, time-bound, and revocable.

    Not a Cage. A Leash.

    Polity’s case rests on a single distinction, easily mistaken for a slogan but meant as an engineering claim: not a cage, a leash. The distinction is the spine of the case. Polity refers to it as the leash principle: capability is not removed but bound to an identity, a scope, a time limit, and a responsible holder. It is the organising idea the rest of this work builds on.

    A cage prevents capability. It says the AI may not act, full stop – comfortable to promise and useless in practice, because the institutions adopting these systems have real work that needs doing. A cage does not remove that work; it pushes the capability somewhere less governed.

    A leash permits capability and binds it. It is the principle that capability should come with an identity, a scope, a time limit, and a responsible holder. The six bounded-AI design objectives express what that principle requires, and each one corresponds to a question a supervisor will ask:

    The six bounded-AI design objectives, framed as supervisory questions:

    A cage answers none of these questions, because a cage pretends they never arise. The purpose of the leash is not to make AI less capable. It is to make every capable action attributable, bounded, and accountable to a person or institution the law already recognises.

    The distinction Polity is drawing is narrower than “AI with policies attached.” A policy engine, a role-based permission scheme, or a compliance wrapper constrains what a system is allowed to output; the harder problem, and the one Polity addresses, is constraining what it is allowed to do. The objective is to bound executable authority before an action proceeds, not to filter outputs after they are generated. That is why the boundedness has to hold at the layers where authority is granted, propagated, and exercised: identity, delegation, orchestration, and execution. It cannot sit at the level of a prompt, a guideline, or a review carried out after the fact. A constraint expressed only as instruction can be argued with, drifted from, or worked around; a constraint expressed in the structure of the system has to be satisfied for an action to proceed at all. Polity’s design commitment is that boundedness of the second kind must survive conditions the first kind does not: asynchronous execution, partial compromise, adversarial interaction, and change in the underlying model. This is the direction the recent literature on accountable AI in finance has taken. Work on regulatory governance for AI-driven financial systems argues for embedding auditing, monitoring, and explainability into the lifecycle of a system rather than treating them as after-the-fact additions (9). Design-research work on agentic compliance proposes reference architectures in which automation is embedded within accountable governance structures rather than bolted on after it (10).

    “You can’t bolt accountability onto an autonomous system after it acts. Authority has to be bound where it lives – in identity, in delegation, in execution – or it isn’t bound at all. That’s the whole reason for building at the substrate, not the application layer.” – Alexandre Kotcherguine, Founder & Vision Officer, Polity

    The Architectural Posture

    A leash needs something to anchor to. What Polity disclosed at AAI 2026 is not that anchoring architecture but the posture it must satisfy: the design commitments any Polity-aligned system is being built to honour. Polity calls the posture Polity-Aligned Intelligence. The term should not be read as a claim about “alignment” in the sense familiar from mainstream AI-safety discourse, where the question is whether a model’s behaviour matches human values or intent. Polity-Aligned Intelligence is an architectural commitment, not a behavioural one: it concerns where authority sits, how it is delegated, and how it is bounded, not what a model believes or prefers. The alignment in question is alignment to a structure of accountability. It rests on five themes. They are not features; they are constraints the system accepts on itself so that the AI operating within it stays attributable.

    The five themes of Polity-Aligned Intelligence:

    It is worth being plain about what stage this is. The five themes are the level of detail Polity has made public; the substrate that would realise them remains in research, and no product, deployment, pilot, or technical specification was presented at AAI 2026. The contribution is a documented research direction, not a system an institution can buy today. The governance gap it speaks to, however, is concrete. The frameworks most often cited – the US National Institute of Standards and Technology’s AI Risk Management Framework among them (2) – were not designed around autonomous, tool-using agents operating under delegated authority. They were written for a setting in which the hard questions about runtime behaviour, accountability for delegated action, and durable decision records did not yet press. That this is a genuine gap rather than a Polity assertion is now independently documented. Work extending the NIST framework for agentic systems identifies agent autonomy, runtime behavioural governance, and delegation-chain accountability as concepts the original framework does not contemplate (6). The wider 2025–26 literature on agentic AI in finance treats governance for accountability and stability as a primary open research problem (7). Polity’s argument is that those questions cannot be answered by additions at the application layer after the fact; they belong at the substrate level. Named plainly, the hard problem is not model intelligence. It is the runtime governance of delegated authority: how authority is propagated through a chain of delegation; how it is constrained as it is exercised across multiple steps; how revocation takes effect once an action sequence is already under way; and how authority is terminated cleanly when its scope or time limit is reached. The cost of leaving that problem unsolved is not hypothetical. Industry analysis projects that more than 40 per cent of agentic AI projects will be cancelled by the end of 2027 – attributing the failure mode to escalating costs, unclear business value, and inadequate risk controls, not to the limits of the technology (8). Polity offers the work as a research direction, not a finished design, because that is the question the substrate still has to be built to answer.

    “In regulated finance, the hard problem was never model intelligence. It’s the runtime governance of delegated authority: who acted, under what scope, for how long, and whether it can be unwound.” – Aleksey Katulevskiy, Strategy & Partnerships, Polity

    What Bounded AI Looks Like in Practice

    The posture is easiest to judge against concrete uses. Polity grouped the illustrative cases into three families and one exploratory direction, each carrying the same hard limit: bounded AI does not move money and does not replace a regulated institution.

    • Consumer protection. A trusted onboarding companion, an anti-fraud radar, a service-discovery aid, a dignity layer for financial inclusion. Each translates, explains, and restores human agency – it does not act in the user’s place.
    • Institutional efficiency. An internal workflow assistant; a trade-execution verifier that checks an action against the permissions and conditions that should govern it before it proceeds; a cross-border payment aid that helps a treasurer compare routes against their own criteria. Here the AI may act, but only within a narrow scope that remains revocable and to which it can be held.
    • Supervisory oversight. An evidence layer that gives supervisors traceable audit trails; a plain-language governance-proposal explainer with no voting authority; a systemic-risk monitor that stays dormant under normal conditions and is brought into use only under explicit, authorised control.
    • Exploratory – a crisis-scenario analysis layer. Activated only under explicit, authorised crisis governance, it would help supervisors think through how stress in one part of a system might propagate to another. It has no execution authority: decision support, and nothing more.

    Most of these – explainers, flaggers, summarisers – are assistive, sitting on the explanatory side of the line. The trade-execution verifier and the dormant systemic-risk monitor are the cases that cross it, and they may do so only under the delegation discipline set out earlier: identified, scoped, time-bound, revocable.

    A bounded posture does not claim that failure or abuse becomes impossible. It would be its own kind of overstatement to claim otherwise. Delegated authority can be misused. A delegation chain can be extended further than intended; an identity can be compromised; agents can be made to act in concert in ways no single grant of authority anticipated; instructions can be injected to push a system past its scope. What a bounded posture changes is not whether such failures can occur, but what they look like when they do. The aim is to transform the failure surface from opaque autonomy, where an action cannot be attributed, scoped, or unwound, into attributable governance, where a failed or abused action is still tied to an identity, a scope, a time window, and a record that a supervisor can follow. Bounded systems can still fail; the design intent is that they fail inside a structure of accountability, not outside one.

    Ten principles govern the research: human benefit, user control, transparency, auditability, accountability, privacy, security, fairness, jurisdictional respect, and the one that most constrains Polity itself, no overstatement: capabilities are validated before they are claimed, in writing, in code, and in conduct. Each is well established on its own; the point Polity makes is narrower. Designing them into the architecture, rather than appending them as policy, is what makes them structural rather than aspirational.

    None of this is an abstract debate about terminology. The consumer-protection cases have specific people behind them: the shopkeeper in Lagos onboarding to a payment rail, the farmer in rural Brazil checking whether a service is what it claims to be, the remittance sender in the Philippines, the pensioner in Montenegro. Roughly 1.3 billion adults remain outside the formal financial system (3); whether the next wave of technology reaches them with financial tools worthy of their trust or with old extraction in new vocabulary is, in part, an architectural choice.

    “The test of this work isn’t whether it impresses a regulator on a slide. It’s whether it reaches the shopkeeper, the pensioner, the remittance sender – with tools worthy of their trust, not old extraction in new vocabulary.” – Aleksey Katulevskiy, Strategy & Partnerships, Polity

    Why the Timing Is Not Incidental

    Two regulatory clocks are running. The EU’s Markets in Crypto-Assets Regulation closes its transitional grandfathering period on 1 July 2026, after which crypto-asset service providers without full authorisation must stop serving EU clients (4); the regulated-finance operators Polity’s research is intended to serve are moving into a supervised regime. The clock that bears on the AI itself is the EU AI Act, whose high-risk regime will bring AI systems used in financial services under conformity assessment, logging, human-oversight, and transparency obligations (5). The question is no longer whether AI will be used in these systems, but whether it can be used accountably; a system that cannot answer a supervisor’s questions will struggle to remain inside the regulated perimeter.

    The timing of those obligations has recently settled. An original application date of 2 August 2026 for high-risk systems proved unworkable while supporting standards were still being drafted. Under the Digital Omnibus reforms, a political agreement reached on 7 May 2026 – still subject to formal adoption – moved the date for stand-alone high-risk systems to 2 December 2027. Stand-alone high-risk is the AI Act category that captures AI used in financial services. Product-embedded systems follow on 2 August 2028 (5). The extension buys preparation time; it does not change the direction of travel. A system answerable to a supervisor is becoming a precondition for operating in the EU, not an optional virtue, and the obligations the Act names – automatic event logging and demonstrable human oversight among them – are exactly the obligations a bounded posture is built to satisfy.

    Unbounded AI is being marketed into exactly this environment. It looks impressive on a demo screen and becomes a liability on a regulator’s desk. Polity’s contribution at AAI 2026 was to argue, in public and ahead of any deployment, that the bounded version is the one with a credible path through supervisory scrutiny – and to set out the design commitments that make “bounded” a concrete engineering target rather than a reassuring adjective.

    That commitment is defined as much by what Polity will not do as by what it will. Polity does not intermediate, execute, custody, route, or control financial transactions. It does not replace regulated entities or assume their obligations under MiCA, sanctions regimes, AML/CFT rules, or the travel rule. The model is architectural enablement, not regulatory arbitrage; a bounded posture is what keeps the two from being confused.

    “The architectures we choose for AI in regulated finance over the next eighteen months will decide whether this technology earns institutional trust or quietly forfeits it. That’s not a technical footnote – it’s stewardship over the substrate the next generation inherits.” – Alexandre Kotcherguine, Founder & Vision Officer, Polity

    An Invitation to Argue

    Polity is not asking for this research to be taken on faith. The five themes were presented as a research direction so that they could be argued with. The open questions are real ones: where “revocable” actually ends; what an “immutable decision log” means once the model itself is updated; whether “delegation chain” is a clean abstraction or a leaky one. A research direction that cannot withstand those questions has not earned the trust it asks for, and Polity does not claim to have settled them. These are also, in Polity’s reading, the questions the wider field is moving toward, and where it expects the next few years of regulated-finance practice to converge. Three seem likely to matter most: the emergence of shared standards for describing and verifying a delegation chain across systems; durable, tamper-evident decision records that survive a change in the underlying model; and well-defined revocation semantics – what it means, precisely, to withdraw authority from an action sequence already under way. Polity does not claim to own these problems. It claims only to have named them early, and to be building toward the layer at which they have to be answered.

    A finished specification invites applause; an open research direction invites the critique that improves it. Polity wants the second. The paper is public, the research direction is on the table, and the invitation stands: to the researchers, regulators, institutions, and communities who will see what Polity cannot.

    “The architectures being written now will outlast every demo in this field. They’ll decide whether AI in regulated finance becomes an instrument of trust or just another chapter of quiet extraction – and that isn’t a verdict any one team should render alone. So this is my ask. If you build these systems, regulate them, study them, or stand to be served by them: don’t watch from the sidelines. Test this work. Argue with it. Break it where it’s weak, and help rebuild it stronger. The institutions that have to answer for these systems, and the people who will live inside them, deserve nothing less than our best and most contested thinking. Help us get this right – while it’s still being written.” – Aleksey Katulevskiy, Strategy & Partnerships, Polity

    This article reflects the position Polity presented at AAI 2026 (1).

    About Polity

    Polity builds substrate infrastructure for operators of regulated on-chain finance networks. Its frameworks bridge decentralised systems and institutional compliance, with a focus on MiCA alignment across European and international markets. The AAI 2026 paper is part of an ongoing research programme; no product is announced, no token is discussed, and no investment proposition is made.

    Disclaimer: This article is published for informational and research purposes only. It does not constitute investment, legal, or financial advice, nor an offer or solicitation. References to regulatory frameworks are descriptive of the operating environment and not representations of compliance. Polity does not act as a crypto-asset service provider, custodian, broker, or regulated financial intermediary in any jurisdiction in connection with the research described. Anti-money-laundering, sanctions, and data-protection obligations rest with licensed and regulated parties. All third-party sources are cited for reference; their inclusion does not imply endorsement by or affiliation with Polity.

    References
