
Your Company’s New ‘AI Agent’ Isn’t an Efficiency Tool—It’s a Shadow CFO With a Spending Limit (and auditors are already freaking out)

Once software can initiate transactions, the risk stops being “bad advice” and becomes unauthorized execution. Auditors don’t want vibes—they want authority, logs, ownership, and testable controls.

By TheMurrow Editorial
April 2, 2026

Key Points

1. Treat agentic AI like delegated authority: once it initiates transactions, the risk becomes control bypass, not just bad outputs.
2. Reframe permissions around money: spending limits can help, but only with immutable logs, ownership, monitoring, and testable evidence.
3. Expect audit and regulatory pressure: COSO’s 2026 GenAI controls and FINRA’s deepfake warnings raise the bar for approvals and records.

A finance leader used to worry about spreadsheets.

Now the anxiety sits somewhere else: inside the workflow.

An “AI agent” that executes starts looking like delegated finance

An “AI agent” that can draft a memo is one thing. An “AI agent” that can initiate actions—create purchase orders, change a vendor in ERP, approve an invoice, trigger an ACH or wire, shift budget between cost centers, reorder inventory, or spin up cloud resources—starts to look less like a productivity tool and more like a delegated operator.

That’s why a quiet phrase has begun to circulate in audit and internal-control circles: shadow CFO. Not because a bot is plotting in the dark, but because autonomy changes the risk. The failure mode shifts from “bad advice” to unauthorized execution, and the consequences arrive faster than most control environments were built to handle.

“The moment software can initiate transactions, the conversation stops being about accuracy and starts being about authority.”

— TheMurrow

The new meaning of “agentic”: autonomy that touches money

The term “agentic AI” is easy to trivialize if you picture a chat window that happens to be more capable than last year’s model. Deloitte uses a tighter definition: agentic AI systems “autonomously plan, execute, and adapt actions to achieve complex objectives,” often by connecting across systems and initiating tasks without step-by-step human direction. That definition matters because it draws a clean line between assistance and execution.

Deloitte’s internal audit “hot topics” report for 2026 goes further, flagging a specific category of exposure: “control bypass risk.” In plain English, an agent can initiate actions outside established approval chains—raising the prospect of fraud, financial misstatements, or data breaches. That is not a philosophical objection to AI. It is a map of how modern systems fail when speed outruns oversight.

From “tool” to “operator” in one integration

Most finance teams are used to software automations that behave predictably. Rules-based workflows do what they were configured to do, and the configuration changes are usually visible and reviewable.

Agentic systems introduce a different dynamic. When a system can decide which step comes next—what invoice to route, what exception to clear, which vendor to select—it becomes hard to describe the boundary between “automation” and “delegation.” Engineers often focus on whether the agent completes the task. Auditors focus on whether the agent completed the task with the right authority, evidence, and accountability.

Why the “spending limit” is becoming the new permission boundary

One practical response already showing up inside organizations is the redefinition of approvals around money, not process. Instead of asking, “Can the agent post an invoice?” teams ask, “Can the agent post invoices up to $X, per vendor, per day, with documented policy checks?”

Call it a workaround or a mature control design—either way, it reflects a new reality: spend thresholds are becoming a proxy for human approval. That can be sensible. It can also create blind spots if limits are set loosely, monitored weakly, or treated as a substitute for attribution and audit evidence.

“Spending limits look like safety rails—until you realize the rails are meaningless without logs, ownership, and testing.”

— TheMurrow

What auditors are actually worried about: evidence, not vibes

The stereotype says auditors are nervous because AI feels novel. The more accurate picture is procedural: internal-control expectations are being translated into GenAI terms with unusual specificity, and the result is friction with how fast businesses want to deploy.

A landmark in that translation arrived with COSO’s “Achieving Effective Internal Control Over Generative AI (GenAI)” (©2026). COSO is not a startup with a point of view; it’s the organization behind the Internal Control–Integrated Framework that underpins much of corporate control design and external assurance. The message is direct: rapid GenAI adoption can compress decision cycles and introduce risks that threaten reliability of operations, reporting, and compliance if unmanaged.

COSO’s shift: from principles to audit-ready templates

COSO’s 2026 document does more than warn. It provides:

- A capability-first taxonomy of GenAI uses (eight types, including “orchestration” and “judgment”) with tailored control implications
- Minimum control expectations aligned to COSO’s five components
- Templates for risk assessment matrices, control testing procedures, and metrics dashboards—materials designed to close the gap between broad governance talk and what auditors need as evidence

That last point is the hinge. When auditors request proof, they are not asking for a slide deck about “responsible AI.” They are asking for documentation they can test: who approved the design, what access controls exist, what logs are retained, what monitoring runs, and what changed when.

Four risk classes COSO explicitly calls out

COSO emphasizes concrete risk categories relevant to agentic systems, including:

1. Prompt-injection attacks (inputs that manipulate a model into taking unsafe actions)
2. Hallucinations (plausible but incorrect outputs)
3. Opaque reasoning (difficulty explaining why a decision was made)
4. Model drift and rapid configuration changes (behavior changes over time)

None of these are abstract in finance. An “orchestration” use case that can move from recommendation to execution turns each category into potential books-and-records pain.

“Auditors aren’t panicking about AI. They’re reacting to how quickly small control gaps can become material when execution is automated.”

— TheMurrow

“Who’s accountable?” The attribution problem when an agent acts

Deloitte highlights an uncomfortable truth: “It is often unclear who is accountable when an AI agent acts independently.” That single sentence explains why internal audit and compliance teams are pressing harder now than they did during the first wave of chat-based pilots.

Accountability in finance is not an ethical preference. It is a control requirement. External auditors, regulators, and boards expect a company to answer questions that sound simple until an agent sits in the middle:

- Who approved the transaction?
- Who had access to initiate or alter it?
- Who changed the system configuration?
- What evidence supports reliance on automated controls?

Delegation without ownership becomes “shadow finance”

When business units deploy tools without enterprise oversight, Deloitte labels the pattern “shadow AI.” COSO also warns that GenAI adoption is easy enough that shadow deployments can emerge outside formal IT and governance channels.

Combine shadow AI with agentic execution and you get the organizational version of the “shadow CFO” idea: spend decisions and workflow approvals start happening in parallel to formal finance operations. Not necessarily malicious. Often it begins as a well-meaning team automating exceptions to move faster. The problem arrives when those exceptions become routine and nobody can say, with confidence, what the agent is authorized to do today.

Audit evidence is a design problem, not a documentation problem

Many teams try to fix this late by writing policies after deployment. That rarely satisfies auditors, because the missing artifact isn’t a policy memo—it’s the system evidence:

- Durable logs showing prompts, actions, and outcomes
- Controls over who can change the agent’s tools, permissions, or thresholds
- Monitoring that detects unusual vendor changes or payment patterns
- A clear line of responsibility for ongoing performance and incident response

Without those, accountability becomes a debate. Auditors dislike debates.

The regulatory thread: deepfakes weaken approvals as automation expands

Even when regulators don’t explicitly target “agents,” they are reinforcing expectations around governance, records, and control integrity in technology-mediated environments.

FINRA’s 2026 Annual Regulatory Oversight Report (dated Dec. 9, 2025) adds a standalone GenAI section (“NEW FOR 2026”) and reiterates risks tied to cyber-enabled fraud and identity deception—voice clones, fake IDs, deepfake selfies. That matters for finance operations because the choke points in procure-to-pay and treasury often rely on human verification: call-backs, email approvals, identity checks, and exception handling.

A dangerous overlap: weaker authentication, faster execution

Two trends are colliding:

1. Impersonation is improving. Deepfakes and voice cloning raise the odds that an approval request looks and sounds legitimate.
2. Workflows are accelerating. Agentic automation reduces friction between request and execution.

Agents do not need a literal “corporate card” to create spend risk. If the approval environment becomes easier to spoof, then pushing more execution into automated systems increases exposure—especially if the agent can act on messages, tickets, calls, or loosely validated identities.

“Books and records” pressure arrives through the side door

Regulatory scrutiny often starts with a simple question after an incident: show the record. What happened, when, by whom, and under what authority?

If the organization can’t reconstruct an agent’s actions—or can’t show why it trusted the agent to take them—then the incident becomes more than a security failure. It becomes a governance failure. COSO’s emphasis on audit-ready mapping anticipates that reality.

Where the money actually moves: procure-to-pay and treasury as the front line

Agentic risk sounds theoretical until you map it to the workflows that move cash. The core issue is not whether an agent can “reason.” The issue is whether it can execute inside systems that were built for humans and deterministic automations.

Procure-to-pay: speed creates new failure modes

A typical procure-to-pay chain includes vendor setup, purchase orders, receiving, invoice matching, approvals, and payment. Agentic capabilities can touch multiple links:

- Creating or modifying purchase orders
- Selecting vendors or switching vendors during sourcing
- Approving invoices or clearing exceptions
- Routing approvals based on inferred policy
- Triggering payment actions once conditions appear “met”

Each touchpoint has a classic control objective—authorization, segregation of duties, completeness, accuracy. Agentic orchestration compresses these steps into fewer moments of human review, which raises the stakes for the controls that remain.

Treasury: reversibility matters more than cleverness

Treasury functions often live on narrower margins of error. A mistaken inventory order can be unwound. A misdirected wire is harder.

That’s why finance leaders increasingly ask a blunt operational question: Is the action reversible? If the answer is “no” or “not quickly,” then autonomy needs tighter boundaries, stronger authentication, and better monitoring than many early agent deployments include.

Practical control design: what “good” looks like without killing innovation

The most useful way to frame agentic AI in finance is neither panic nor permissionless experimentation. It is control design that assumes autonomy will expand and builds guardrails that can be tested.

COSO’s 2026 guidance is helpful here because it translates principles into control expectations. Deloitte’s warnings are useful because they identify likely failure patterns: control bypass, shadow deployments, and unclear accountability. Put together, they point to a workable agenda.

Minimum viable controls for agentic finance workflows

A practical baseline tends to include:

- Defined authorization boundaries (what the agent can do, up to what limits, in which systems)
- Spend thresholds and policy checks enforced technically, not just documented
- Segregation of duties preserved through permissions (an agent should not both create a vendor and approve a payment to it)
- Immutable logging of prompts, actions, approvals, and system changes
- Change control for agent configuration, tools, and access rights
- Monitoring and exception alerts (unusual vendor changes, payment spikes, out-of-policy actions)
- Human review for high-risk actions (irreversible payments, vendor bank-detail changes, budget transfers)

These are not exotic. They are the internal-control playbook translated into agentic terms.
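To make that baseline concrete, here is an added example (not code from the article, COSO or Deloitte) of a policy gate that sits between an agent and the ERP. It enforces the per-transaction and per-vendor-per-day spending limits discussed earlier, refuses to let an actor pay a vendor it created (segregation of duties), parks the high-risk actions for human review, denies unknown actions by default, and hash-chains every decision into an append-only log so an auditor can detect edits. The limits, action names and actor ids are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import date

# Constructed policy values: assumptions for this example, not figures from the article.
PER_TXN_LIMIT = 5_000.00            # cap per single payment
PER_VENDOR_DAILY_LIMIT = 10_000.00  # cap per vendor per day
HUMAN_REVIEW_ACTIONS = {"wire", "vendor_bank_change", "budget_transfer"}  # never autonomous
GENESIS = "0" * 64  # hash-chain anchor for the first log entry

@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_human: bool = False  # True when the request is parked for a person to approve

class AgentGuard:
    """Policy gate that every agent tool call passes through before it reaches the ERP."""

    def __init__(self):
        self.daily_spend = {}     # (vendor, iso-day) -> spend approved so far
        self.vendor_creator = {}  # vendor -> actor who created it (segregation of duties)
        self.log = []             # append-only, hash-chained audit trail
        self._prev = GENESIS

    def request(self, actor, action, vendor, amount=0.0, day=None):
        day = (day or date.today()).isoformat()
        decision = self._evaluate(actor, action, vendor, amount, day)
        if decision.allowed and action == "pay":
            self.daily_spend[vendor, day] = self.daily_spend.get((vendor, day), 0.0) + amount
        if decision.allowed and action == "create_vendor":
            self.vendor_creator[vendor] = actor
        # Every request, allowed or denied, is logged with its reason: that is the evidence.
        self._record({"actor": actor, "action": action, "vendor": vendor, "amount": amount,
                      "day": day, "allowed": decision.allowed, "reason": decision.reason})
        return decision

    def _evaluate(self, actor, action, vendor, amount, day):
        if action in HUMAN_REVIEW_ACTIONS:
            return Decision(False, "high-risk action routed to human review", needs_human=True)
        if action == "create_vendor":
            return Decision(True, "vendor created; creator recorded for SoD")
        if action == "pay":
            if self.vendor_creator.get(vendor) == actor:
                return Decision(False, "segregation of duties: actor created this vendor")
            if amount > PER_TXN_LIMIT:
                return Decision(False, "exceeds per-transaction limit", needs_human=True)
            if self.daily_spend.get((vendor, day), 0.0) + amount > PER_VENDOR_DAILY_LIMIT:
                return Decision(False, "exceeds per-vendor daily limit", needs_human=True)
            return Decision(True, "within policy")
        return Decision(False, f"unknown action {action!r}: deny by default")

    def _record(self, entry):
        entry = dict(entry, prev=self._prev)
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.log.append(entry)
        self._prev = entry["hash"]

    def verify_log(self):
        """Recompute the chain; an edited or reordered entry no longer matches."""
        prev = GENESIS
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

Truncation of the log's tail is not caught by the chain alone; in production the latest hash would also be anchored somewhere the agent cannot write.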

The cultural change: finance needs a seat in the build, not just the audit

One reason shadow AI appears is organizational. Business units can deploy tools faster than governance can respond. COSO explicitly warns about that ease of adoption.

The answer is not to make finance the department of “no.” The answer is to embed control requirements early: finance and internal audit define the control objectives, security defines identity and access, IT defines logging and change control, and the business defines the workflow. Agents then operate inside a governed system rather than alongside it.

A fair counterpoint: autonomy can strengthen controls—if designed honestly

Skepticism about agentic AI is warranted, but so is a balanced view. Properly implemented, automation can reduce some traditional risks.

Humans bypass controls too. Humans approve invoices while distracted. Humans can be bribed, coerced, or socially engineered. A well-designed agent can enforce policies consistently, apply thresholds reliably, and produce richer audit trails than a scattered email-based approval process.

Deloitte’s warnings do not argue against autonomy. They argue against autonomy that bypasses controls. COSO’s guidance does not argue against GenAI. It argues for internal control design that keeps pace with compressed decision cycles.

The “shadow CFO” framing lands because it captures a true shift: when systems can execute, they hold financial power. Whether that power reduces risk or multiplies it depends on whether the organization treats agentic capability as a finance transformation—or as a clever plugin.

A mature view accepts both realities: agentic AI can improve compliance through consistent enforcement, and it can also create new single points of failure if accountability, access, and evidence are not engineered from the start.

TheMurrow takeaway: the fight isn’t about AI—it’s about authority

Agentic AI will keep moving into the financial bloodstream of organizations because the incentives are strong: faster operations, fewer manual handoffs, fewer exception queues. The question is not whether teams will experiment. They already are.

The question is whether the organization can answer, with evidence, the classic control questions in an agentic world: Who authorized it? Who can change it? What happened? Can you prove it?

A “shadow CFO” is not a robot in a corner office. It’s a system acting with financial consequence while governance lags behind. COSO’s 2026 work makes the control expectations explicit. Deloitte’s 2026 audit warnings make the bypass risks explicit. FINRA’s 2026 focus on GenAI-enabled deception makes the approval environment weaker at the same time automation is getting stronger.

Finance leaders don’t need to fear autonomy. They need to price it correctly: autonomy without controls is not efficiency. It’s an unbudgeted liability.

Frequently Asked Questions

1) What is an “AI agent” in finance, exactly?

Deloitte describes agentic AI as systems that can autonomously plan, execute, and adapt actions to achieve objectives, often by connecting across tools and initiating tasks. In finance, that can mean moving beyond drafting analysis to taking operational steps—routing approvals, creating purchase orders, or triggering payments—depending on permissions and integrations.

2) Why are auditors more concerned about agents than chatbots?

Chatbots mostly create advice and content. Agents can execute actions. That shifts the risk from “wrong output” to unauthorized or unreviewed transactions, which directly affects internal controls over operations, financial reporting, and compliance. COSO’s 2026 GenAI guidance reflects this by mapping risks and controls in audit-ready terms.

3) What does “control bypass risk” mean?

Deloitte uses the term to describe situations where an AI agent initiates actions outside established approval chains. A control bypass can happen through excessive permissions, unclear boundaries, shadow deployments, or weak monitoring. The risk is not theoretical: bypassed approvals can lead to fraud exposure, misstatements, or data breaches.

4) What is “shadow AI,” and why does it matter?

“Shadow AI,” flagged by both Deloitte and COSO, refers to GenAI systems deployed by business units without enterprise oversight. In finance workflows, that can create a parallel, informal decision-and-execution channel—hard to monitor, hard to audit, and difficult to hold accountable when incidents occur.

5) How does GenAI-enabled fraud affect finance approvals?

FINRA’s 2026 Annual Regulatory Oversight Report highlights GenAI-enabled deception such as voice clones, fake IDs, and deepfake selfies. Those techniques can weaken the reliability of identity checks and approval workflows. If approvals become easier to spoof while agentic systems make execution faster, the organization’s exposure increases.

6) Are spending limits a real solution—or just a bandage?

Spending limits can be a practical control boundary—caps per transaction, per day, or per vendor—especially when agents are allowed to execute routine tasks. Limits are not sufficient by themselves. Auditors also expect logs, change control, access governance, monitoring, and clear accountability for agent behavior and configuration.

7) Can agentic AI improve internal controls rather than weaken them?

Yes, if designed with control objectives in mind. Agents can enforce policies consistently and generate strong audit trails, potentially reducing human error and ad hoc approvals. The benefits appear when autonomy is paired with COSO-aligned controls: clear authorization, segregation of duties, evidence-quality logging, and ongoing monitoring and testing.

Key Insight

The “shadow CFO” risk isn’t that AI makes mistakes—it’s that AI can execute. Evidence-quality logs, change control, and clear authority boundaries decide whether autonomy becomes efficiency or liability.

Minimum viable controls (as described in the article)

  • Defined authorization boundaries (what the agent can do, up to what limits, in which systems)
  • Spend thresholds and policy checks enforced technically, not just documented
  • Segregation of duties preserved through permissions
  • Immutable logging of prompts, actions, approvals, and system changes
  • Change control for agent configuration, tools, and access rights
  • Monitoring and exception alerts (unusual vendor changes, payment spikes, out-of-policy actions)
  • Human review for high-risk actions (irreversible payments, vendor bank-detail changes, budget transfers)
Timeline

- ©2026: COSO’s “Achieving Effective Internal Control Over Generative AI (GenAI)” is cited as a landmark shift toward audit-ready GenAI control templates and testing expectations.
- 2026: Deloitte’s 2026 internal audit “hot topics” flags “control bypass risk” and warns accountability is often unclear when agents act independently.
- Dec. 9, 2025: FINRA’s 2026 Annual Regulatory Oversight Report (dated Dec. 9, 2025) adds a standalone GenAI section and stresses deepfake-driven identity deception risks.

About the Author
TheMurrow Editorial is a writer for TheMurrow covering business & money.
