By Hindol Datta, CPA, CIA (Certified Internal Auditor) | Fractional CFO | AI Governance Advisor
We Have Seen This Movie Before
On October 19, 1987, the Dow Jones Industrial Average fell 508 points in a single trading session, a 22.6 percent decline that erased approximately $500 billion in market capitalization and remains the largest single-day percentage decline in the index’s history. The cause, as the Federal Reserve’s historical record and subsequent academic analysis have documented, was not a single catastrophic decision by a single reckless actor. It was the emergent behavior of a collection of computer-driven portfolio insurance programs, each individually rational, each individually authorized, each doing precisely what its governance framework instructed it to do, interacting with each other and with broader market conditions in ways that no individual program’s governance structure was designed to anticipate or interrupt.
Portfolio insurance was a hedging technique that used computer models to automatically sell stock index futures as prices declined, designed to protect institutional portfolios from downside risk. The strategy was widely adopted in the years preceding the crash, with institutions collectively holding positions of extraordinary scale. When markets began to fall on October 19, the programs responded identically and simultaneously: they sold. Their selling drove prices lower, which triggered further selling by other programs, which drove prices lower still, creating the feedback loop that Robert Shiller, in his subsequent analysis, described with clinical precision as a vicious circle in which an initial price decline starts the portfolio insurers’ selling, causing further price declines, causing portfolio insurers to sell again, and so on. The system-level behavior was qualitatively different from and irreducible to the behavior of any individual program within it. No governance framework designed at the program level could have detected or interrupted what was occurring at the system level.
Twenty-three years later, on May 6, 2010, a single sell algorithm that traded approximately $4.1 billion in E-Mini S&P 500 futures contracts triggered a cascade of high-frequency trading responses, sending the Dow Jones Industrial Average down nearly 1,000 points in approximately ten minutes before most of the loss was recovered within the same trading session. The SEC and CFTC joint investigation, which took nearly five months to complete despite the event lasting 36 minutes, documented how unrelated trading algorithms activated across different parts of the financial marketplace and cascaded into a systemic event for the entire United States equity market. Individual equities briefly traded at prices of 1 cent and $100,000, neither of which reflected any rational assessment of underlying value. The algorithms were doing exactly what they were programmed to do. The outcome was something that no individual algorithm’s designers had imagined or intended.
The governance frameworks your board approved were designed for AI that generates outputs and waits for a human decision. Agentic AI does not wait. It acts. The gap between those two architectures is where the next wave of enterprise liability is forming.
These events from financial market history are not merely cautionary tales about trading algorithms. They are the most extensively documented case studies available for understanding what happens when autonomous systems, each individually governed and individually rational, interact with each other and with complex environments at machine speed in pursuit of goals that were each individually authorized at the moment of deployment. The enterprise AI governance crisis of 2026 is structurally identical to both events, operating at a scale that encompasses not just financial markets but every workflow, every procurement decision, every hiring process, and every customer interaction in the organizations that have deployed agentic AI. The difference is that in 1987 and 2010, the autonomous systems were confined to financial markets. In 2026, they are inside the enterprise.

What Agentic AI Actually Means for a CFO, Shareholder, and Board
The distinction between generative AI and agentic AI is not a technical nuance. It is a governance discontinuity of the first order, with direct financial implications that most boards have not yet formally assessed. Generative AI produces outputs such as summaries, drafts, recommendations, and analyses. A human receives the output, evaluates it, and decides what to do with it. The human is in the loop. The governance framework for generative AI is, at its core, an output review framework. It asks: Is the output accurate, appropriate, and compliant? If the answer is no, the human discards it, and the damage is limited to whatever was lost in the review process.
Agentic AI is categorically different. An AI agent has a goal, a set of tools, and the authority to use those tools autonomously to pursue the goal. It can browse external websites, execute code, query and modify databases, send communications, call APIs, process payments, execute trades, and initiate contractual commitments, all without a human reviewing and approving each individual action. The agent plans its approach, executes its plan across multiple steps, and adapts its behavior based on the outcomes it observes, exactly the way a human contractor would. The governance framework for agentic AI is not an output review framework. It is a control architecture framework, and the two are fundamentally different in their design requirements, their risk profiles, and their failure modes.
Deloitte’s Q4 2025 CFO Signals survey found that 54 percent of CFOs are prioritizing AI agent integration in 2026, making it the top finance technology investment priority, ahead of data quality improvements. Nearly half of finance leaders in strategic roles have already deployed AI agents for specific finance activities. By 2028, according to projections cited by Wolters Kluwer in its January 2026 CFO outlook, 33 percent of enterprise software will incorporate agentic AI for autonomous workflows. The deployment curve is steep, accelerating, and organization-wide. The development curve for governance frameworks is not keeping pace with it. A 2026 survey of 1,879 IT leaders found that while 97 percent of organizations are exploring agentic AI strategies, only 12 percent have a centralized platform to manage AI sprawl. That gap between deployment and governance is where the 2026 portfolio insurance feedback loop is forming.
The following table maps the historical precedents for autonomous system governance failures against the current agentic AI environment, across the dimensions most relevant to CFO and board risk assessment.
| Event | Year | Autonomous System Type | Governance Framework in Place | What the Framework Could Not See | Financial Impact | Resolution |
|---|---|---|---|---|---|---|
| Black Monday | 1987 | Portfolio insurance programs using computer models to sell futures on price declines | Individual program authorization; institutional risk management at the portfolio level | System-level feedback loops between programs responding to the same signals simultaneously | $500 billion in market capitalization erased in one session; $1.71 trillion in worldwide losses | Circuit breakers introduced; coordinated market-wide trading halts; settlement system reforms |
| 2008 Financial Crisis | 2003-2008 | Collateralized debt obligations and credit default swaps trading at machine speed across interconnected counterparties | Individual instrument ratings (AAA); counterparty exposure limits; institutional risk frameworks | Systemic interconnection between instruments; correlated failure risk across the entire financial system | $12 trillion in US household wealth destroyed; global GDP contraction; sovereign bailouts | Dodd-Frank Act; capital requirements; systemic risk designation; stress testing mandates |
| Flash Crash | 2010 | High-frequency trading algorithms responding to a single large sell algorithm at microsecond speed | Individual firm position limits; market surveillance; SEC/CFTC oversight | Hot-potato volume effect between HFT algorithms; speed of interaction exceeding human oversight capacity | Nearly $1 trillion in market value temporarily erased; 36-minute event requiring 5 months to investigate | Circuit breakers for individual securities; consolidated audit trail requirements; HFT registration |
| Agentic AI Enterprise Risk | 2024-present | AI agents with authority to commit capital, modify ERP records, execute transactions, and interface with external systems autonomously | Individual agent authorization; policy-based access controls; annual AI risk reviews | System-level interaction between multiple agents; goal drift; agentic sprawl across uncoordinated deployments | Unquantified; Gartner projects over 40% of agentic AI projects canceled by 2027 due to poor governance; mounting liability | Independent assurance architecture; agent control rooms; circuit breakers for high-value autonomous transactions |
The Derivatives Warning Nobody Heeded: A Lesson in Dismissed Foresight
In his 2002 annual letter to Berkshire Hathaway shareholders, Warren Buffett described financial derivatives as time bombs and financial weapons of mass destruction, carrying dangers that, while then latent, were potentially lethal. The letter was widely read. The warning was widely noted. It was not widely acted upon. The derivative markets continued to expand for six more years, with the total notional value of over-the-counter derivatives reaching just shy of $35 trillion in the second half of 2008, the precise moment that Lehman Brothers collapsed and the systemic risk that Buffett had described materialized in the most consequential financial crisis since the Great Depression.
The structural reason that Buffett’s warning was not acted upon is precisely the reason that agentic AI governance warnings are not being acted upon today. The organizations deploying derivatives in 2002 through 2007 were not indifferent to risk. They had sophisticated risk management functions, experienced boards, and extensive regulatory oversight. What they lacked was a governance framework designed to evaluate systemic interaction risk rather than individual instrument risk. The ratings agencies assessed individual CDOs. The risk functions assessed individual counterparty exposures. The regulators reviewed individual firm balance sheets. Nobody was assessing what happened when all those individually rated, managed, and regulated instruments failed simultaneously because they were all exposed to the same underlying systemic risk. The governance architecture was designed for a world in which risks were independent. The derivatives market had created a world in which they were deeply correlated.
The agentic AI equivalent of this correlation risk is what researchers and practitioners have begun calling agentic AI sprawl: the condition in which multiple AI agents, each individually authorized and individually governed, are deployed across the enterprise in an uncoordinated manner, with different ownership, different access permissions, different monitoring coverage, and different objectives, but with the capacity to interact with each other and with shared enterprise systems in ways that create system-level behaviors invisible to any individual agent’s governance framework. The ABA Banking Journal published an article in 2026 titled “Are We Sleepwalking Into an Agentic AI Crisis?”, naming the governance gap as a systemic financial services risk. Deloitte has formally recommended agent control rooms with kill switches and real-time audit logs as a standard governance requirement for enterprise AI deployments, acknowledging that the current state of agentic AI governance is insufficient for the scale of deployments already underway.
In 2003, Warren Buffett warned that derivatives were financial weapons of mass destruction. The warning was noted. It was not acted upon. Six years later, the systemic risk materialized. The organizations raising concerns about agentic AI governance today are making the same argument. The boards dismissing those concerns are making the same error.
The Five Agentic Risks That Do Not Appear in the Current Risk Register
The governance frameworks that most enterprises have built for their AI deployments in 2024 and 2025 were designed for generative AI: models that produce outputs, humans who review them, and risk registers that log incidents that surface. Those frameworks are not merely insufficient for agentic AI. They are structurally incapable of detecting the most consequential categories of agentic risk for the same reason that the pre-1987 governance frameworks were structurally incapable of detecting portfolio insurance feedback loops. The risk does not live at the individual output level. It lives at the system interaction level. And the current measurement architecture is not designed to look there.
Unauthorized Financial Commitment
An AI agent authorized to optimize procurement costs can, in the course of pursuing that goal, execute purchase orders, enter into vendor agreements, and commit corporate capital to multi-year contracts without any individual action crossing the authorization threshold that would trigger a human review. The IMF’s 2026 analysis of agentic AI in payments explicitly identifies this risk, noting that as autonomous agents execute transactions at high speed, the requirement for human approval of high-value or high-risk transactions must be technically enforced rather than merely policy-stated. The distinction between technical enforcement and policy statement is the governance gap. A policy that says agents should not commit more than $50,000 without human approval is not a control. A system architecture that technically prevents the agent from executing any commitment above $50,000 without a human authorization token is a control. Most enterprise agentic deployments in 2026 have the former. Almost none have the latter.
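The difference between a policy-stated limit and a technically enforced one, as an added example that is not from the article: a gate that checks each commitment in isolation against the $50,000 threshold sits beside a gate that tracks an agent's cumulative exposure over a rolling window and demands a single-use human authorization token (assumed here to be an HMAC issued by an approval service whose key the agent never holds) before any commitment that would push exposure over the limit. Agent names, amounts and the 24-hour window are constructed for the illustration.

```python
"""Added example (not from the article): a technically enforced commitment
limit for an AI agent, contrasted with a per-transaction policy check.

Assumptions (mine, not the article's): commitments are USD amounts, the
threshold is the article's $50,000, and a human authorization token is an
HMAC over (agent id, amount, nonce) issued by an approval service whose
secret the agent never holds.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

THRESHOLD_USD = 50_000           # the article's example limit
WINDOW_SECONDS = 24 * 3600       # rolling window for cumulative exposure

# Key held by the approval service only. Constructed fresh for this example.
APPROVER_KEY = secrets.token_bytes(32)


def issue_authorization(agent_id: str, amount: float, nonce: str) -> str:
    """Approval service: a human approves one specific commitment."""
    msg = f"{agent_id}|{amount:.2f}|{nonce}".encode()
    return hmac.new(APPROVER_KEY, msg, hashlib.sha256).hexdigest()


def verify_authorization(agent_id, amount, nonce, token) -> bool:
    expected = issue_authorization(agent_id, amount, nonce)
    return hmac.compare_digest(expected, token)


class PolicyOnlyGate:
    """The weak pattern: each commitment is checked in isolation, so a
    run of commitments just under the threshold never needs approval."""
    def allow(self, agent_id, amount, now, token=None, nonce=None):
        if amount <= THRESHOLD_USD:
            return True
        return token is not None and verify_authorization(agent_id, amount, nonce, token)


class CumulativeGate:
    """Hardened pattern: cumulative exposure per agent over a rolling window
    is tracked at the gate, so ten $49,000 orders cannot slip under $50,000."""
    def __init__(self):
        self._ledger = defaultdict(list)   # agent_id -> [(timestamp, amount)]
        self._used_nonces = set()

    def exposure(self, agent_id, now):
        recent = [(t, a) for t, a in self._ledger[agent_id] if now - t < WINDOW_SECONDS]
        self._ledger[agent_id] = recent
        return sum(a for _, a in recent)

    def allow(self, agent_id, amount, now, token=None, nonce=None):
        projected = self.exposure(agent_id, now) + amount
        if projected > THRESHOLD_USD:
            if token is None or nonce in self._used_nonces:
                return False                     # no (or replayed) approval
            if not verify_authorization(agent_id, amount, nonce, token):
                return False                     # token does not match request
            self._used_nonces.add(nonce)         # token is single-use
        self._ledger[agent_id].append((now, amount))
        return True


def demo():
    """Ten $49,000 purchase orders from one agent within an hour."""
    weak, strong = PolicyOnlyGate(), CumulativeGate()
    weak_ok = sum(weak.allow("procure-bot", 49_000, t * 360) for t in range(10))
    strong_ok = sum(strong.allow("procure-bot", 49_000, t * 360) for t in range(10))
    return weak_ok, strong_ok   # policy-only gate passes all ten; cumulative gate passes one
```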
Conflicting ERP Writes and Data Integrity Failure
When multiple AI agents have write access to the same enterprise resource planning system, the risk of conflicting data modifications is not merely a data quality problem. It is a problem of financial reporting integrity. An agent optimizing accounts payable timing, an agent optimizing cash flow forecasting, and an agent managing vendor relationships may each make individually rational modifications to the same underlying records, creating a state of the ERP that no individual agent intended and that the financial reporting system will treat as authoritative. The first indication that this has occurred may be a variance in a management report that triggers an inquiry, or a material misstatement in a financial filing that triggers a regulatory examination. ChatFin’s April 2026 analysis of agentic sprawl in finance identifies conflicting ERP writes as one of the five specific risks that emerge from uncoordinated multi-agent deployments and notes that the aggregated effect of minor, individually insignificant modifications can produce reporting distortions disproportionate to any individual agent’s authorized scope.
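The lost-update problem the paragraph describes, as an added example that is not the article's code: three agents each read the same vendor payable record, make an individually reasonable change, and write the whole record back. A store with no version check silently keeps only the last writer's view; a store that rejects writes based on a stale version surfaces the conflict in real time and logs it for reconciliation. The record fields, agent roles and the `ErpStore` class are assumptions for the illustration.

```python
"""Added example (not the article's code): detecting conflicting ERP writes
from multiple agents with optimistic concurrency (per-record versions).

Assumptions (mine): the ERP exposes records as dicts with a version counter,
agents read-modify-write whole records, and the three agent roles are the
ones the article names (AP timing, cash forecasting, vendor management).
"""
import copy
from dataclasses import dataclass, field


class WriteConflict(Exception):
    pass


@dataclass
class ErpStore:
    """Minimal record store. With check_versions=False it behaves like a
    plain last-writer-wins system; with True, stale writes are rejected."""
    check_versions: bool = True
    records: dict = field(default_factory=dict)
    versions: dict = field(default_factory=dict)
    conflict_log: list = field(default_factory=list)

    def read(self, key):
        # Return a copy plus the version the agent must present on write.
        return copy.deepcopy(self.records[key]), self.versions[key]

    def write(self, key, record, expected_version, agent_id):
        current = self.versions[key]
        if self.check_versions and expected_version != current:
            self.conflict_log.append({
                "key": key, "agent": agent_id,
                "based_on": expected_version, "current": current,
                "attempted": record,
            })
            raise WriteConflict(f"{agent_id}: {key} changed since it was read")
        self.records[key] = copy.deepcopy(record)
        self.versions[key] = current + 1
        return self.versions[key]


# Three agents, each making an individually rational change to the same
# payable record. All of them read the record before any of them writes.
def ap_timing_agent(rec):
    rec["pay_on_day"] = 45            # stretch payment timing
    return rec

def cash_forecast_agent(rec):
    rec["forecast_bucket"] = "Q3"     # move it to the next forecast bucket
    rec["pay_on_day"] = 30            # but based on the original timing
    return rec

def vendor_agent(rec):
    rec["early_pay_discount"] = 0.02  # negotiated discount
    return rec


def run_scenario(check_versions):
    store = ErpStore(check_versions=check_versions)
    store.records["INV-1001"] = {"pay_on_day": 30, "forecast_bucket": "Q2",
                                 "early_pay_discount": 0.0}   # constructed record
    store.versions["INV-1001"] = 1
    agents = [("ap-timing", ap_timing_agent),
              ("cash-forecast", cash_forecast_agent),
              ("vendor-mgmt", vendor_agent)]
    snapshots = {name: store.read("INV-1001") for name, _ in agents}
    outcome = {}
    for name, fn in agents:
        rec, ver = snapshots[name]
        try:
            store.write("INV-1001", fn(rec), ver, name)
            outcome[name] = "applied"
        except WriteConflict:
            outcome[name] = "rejected"
    return store, outcome
```

Without the version check, the final record shows `pay_on_day` back at 30 and the AP agent's change is gone with no trace; with it, the two stale writes are rejected and the conflict log carries the agent, the version it relied on and the record it tried to write.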
Goal Drift and Unauthorized Action
An AI agent assigned a goal pursues it through the means available to it. If the most efficient path to the goal requires an action that the agent was not explicitly prohibited from taking but was never explicitly authorized to take, the agent may take that action without any awareness that it has exceeded its intended scope. The OWASP Top 10 for Large Language Model Applications identifies excessive agency as a vulnerability in which an autonomous agent undertakes damaging actions, including modifying database records or executing financial transactions, in response to how its goal was specified rather than to any external attack. This is the enterprise equivalent of the portfolio insurance feedback loop: the agent is doing exactly what it was told to do, not what the organization meant for it to do, and the gap between those two states is the source of the liability.
Credential Exposure and Supply Chain Attack
In April 2026, a supply chain attack on the OpenAI plugin ecosystem compromised agent credentials from 47 enterprise deployments simultaneously. The IBM 2026 X-Force Threat Intelligence Index documented that large supply chain and third-party compromises have nearly quadrupled since 2020, as attackers increasingly exploit environments where software is built and deployed or SaaS integrations are activated. An AI agent with credentials to access enterprise systems, execute transactions, and communicate with external parties is not merely a software vulnerability. It is a credentialed actor whose compromise gives the attacker the same access and authority that the agent itself possessed, at machine speed and scale, with the same governance gaps that made the agent difficult to monitor in the first place.
The Shadow Ledger: Unmonitored Performance Degradation
Most organizations that claim they can audit AI agent decisions are producing transaction records: which agent fired, what output it produced, when, and where. What a transaction record cannot tell you is what rule authorized the decision, whether the agent’s reasoning has degraded from its original validated state, or whether the cumulative effect of thousands of individual minor decisions has created a systematic bias in outcomes that no individual decision would reveal. Gartner predicts that more than 40 percent of agentic AI projects will be canceled by the end of 2027, with poor governance cited as the primary cause. The shadow ledger, the accumulation of agent decisions that were each within technical authorization limits but collectively produced outcomes that the organization did not intend and cannot easily reconstruct, is the agentic equivalent of the derivatives book that was individually rated AAA but systemically correlated to the same underlying risk.
The following table maps the five agentic risk categories against their financial exposure dimensions for CFO assessment.
| Agentic Risk Category | Governance Framework Can Detect? | Speed of Accumulation | Financial Exposure | CFO Control Requirement |
|---|---|---|---|---|
| Unauthorized financial commitment | Only if the individual transaction exceeds the policy threshold; multi-transaction accumulation is invisible | Machine speed; multiple commitments per second across the agent fleet | Open-ended contractual liability; potential for commitments exceeding the authorization framework | Technical enforcement of commitment limits via authorization tokens; not policy-only |
| Conflicting ERP writes | Only through reconciliation variance analysis; may surface in financial reporting | Continuous; each agent write cycle compounds the distortion | Financial reporting integrity risk; potential material misstatement; restatement exposure | Agent access sequencing controls; write conflict detection in real time |
| Goal drift and unauthorized action | Only if the resulting action triggers an existing alert threshold | Progressive; accelerates as the agent encounters barriers to goal pursuit | Liability for unauthorized contractual, financial, and regulatory actions | Explicit prohibition architecture; human-in-loop triggers for actions outside the defined scope |
| Credential exposure and supply chain attack | Only after a breach is detected; the average dwell time for AI breaches is extended | Immediate upon credential compromise; the attacker operates at machine speed | $10.22 million average cost for shadow AI-related breaches; full agent authority transferred to attacker | Credential isolation; just-in-time access provisioning; agent identity governance |
| Shadow ledger accumulation | Not detectable through transaction records; requires decision reasoning audit | Gradual; individually minor decisions accumulate into systematic bias | Regulatory liability for discriminatory or non-compliant patterns across the full decision population | Independent assurance with decision reasoning audit capability; continuous monitoring |
What the Historical Resolutions Actually Achieved and What They Left Unresolved
The circuit breakers introduced after Black Monday were genuine governance innovations. They interrupted the feedback loop by pausing trading when price declines exceeded defined thresholds, giving the system time to reach a new equilibrium before the cascade could compound further. They addressed the specific failure mode of the 1987 crash with engineering precision. They did not address the underlying condition that made the crash possible: the deployment of autonomous systems at scale without a governance architecture capable of detecting system-level emergent behavior. The Flash Crash of 2010 demonstrated this incompleteness with uncomfortable clarity: twenty-three years after circuit breakers were introduced, a single sell algorithm interacting with a fleet of high-frequency trading programs produced a market event that erased nearly $1 trillion in value in ten minutes and took five months to investigate.
The Dodd-Frank response to the 2008 crisis was more architecturally ambitious. The systemic risk designation framework, which identified institutions whose failure would create cascading risk for the broader financial system, was the first regulatory acknowledgment that individual-level governance was insufficient for system-level risk. The stress testing mandates required institutions to demonstrate that they could withstand correlated failure scenarios rather than merely independent adverse events. These were genuine advances. They were also, as the subsequent decade demonstrated, insufficient for the next category of systemic risk they had not been designed to anticipate: AI-driven trading strategies and algorithmic interconnections that continue to produce flash-crash events in equity and cryptocurrency markets.
The consistent lesson across all three historical events is this: governance resolutions are designed around the failure modes that have already materialized. They are backward-looking by construction, because the regulatory process requires documented harm before it can mandate preventive architecture. The enterprises and investors that waited for the resolution to tell them what governance they needed absorbed the losses that made the resolution necessary. The enterprises and investors that built the governance architecture before the resolution was mandated captured the advantage of operating during the period between when the risk became real and when the regulatory requirement became mandatory.
The Circuit Breaker for Agentic AI: What Independent Assurance Provides
The circuit breaker that Black Monday required was technically simple but conceptually transformative: it interrupted autonomous system behavior at the system level rather than the individual program level, using an externally imposed threshold that no individual program’s governance framework would have triggered on its own. The agentic AI equivalent of that circuit breaker is independent assurance architecture: a governance infrastructure that evaluates agent behavior across the full population of deployments simultaneously, identifies system-level patterns that no individual agent’s monitoring framework can detect, and provides the externally validated documentation that regulators, underwriters, and transaction counsel require as evidence that the organization has governance capability proportionate to its deployment scale.
The three questions that every CFO should be able to answer about their organization’s agentic AI deployment, and that independent assurance provides the documented basis to answer, are these. First, what is the maximum financial commitment that any AI agent can make on behalf of the corporation without human authorization, and is that limit enforced by technical architecture rather than policy statement alone? Second, if multiple AI agents are simultaneously pursuing their individually assigned goals in ways that interact with each other and with shared enterprise systems, what is the mechanism by which system-level behavior is monitored and interrupted before it settles on the balance sheet? Third, if an AI agent exceeds its authorized scope and creates a contractual, regulatory, or financial liability, what documented evidence can the organization produce to demonstrate that it had a governance architecture proportionate to the risk, and that the failure was not the result of organizational indifference to a known and foreseeable risk?
The first question addresses the risk of unauthorized commitment. The second addresses the systemic interaction risk that the portfolio insurance programs and the Flash Crash algorithms demonstrated was the most consequential category. The third addresses the fiduciary and legal accountability question that Delaware courts, EU regulators, and plaintiffs’ counsel are increasingly asking with specificity. Independent AI assurance platforms that evaluate agentic systems across the full population of deployments, score behavior against trust dimensions mapped to applicable regulatory frameworks, and produce documented board-ready assessments of governance adequacy, provide the architectural equivalent of the circuit breaker: an externally validated intervention mechanism that operates at the system level rather than the individual agent level, and that produces the documented evidence base that separates organizations with genuine governance capability from those engaged in governance theater.
By 2028, according to projections cited in the Wolters Kluwer CFO outlook, 33 percent of enterprise software will incorporate agentic AI for autonomous workflows. That deployment curve is not theoretical. It is already underway. The governance frameworks designed for generative AI will not be adequate for agentic AI for the same reason that the pre-1987 governance frameworks were not adequate for portfolio insurance programs: the risk is not at the individual output level, it is at the system interaction level, and the measurement architecture must be designed to look there. The organizations that build that architecture now, before the agentic equivalent of Black Monday makes it mandatory, are making the same investment that would have been worth everything to the institutions that had it in place on October 19, 1987.
Start the Conversation
I work with boards, CFOs, and executive leadership teams to lead the AI governance conversation and to bring independent AI assurance capability to the table. If your organization has deployed agentic AI without a governance architecture capable of detecting system-level behavior, assessing unauthorized commitment risk, or producing board-ready documentation of agentic control adequacy, a structured QuickScan briefing will give your leadership team the assessment it needs before the system-level event makes that assessment urgent rather than prudent.
Connect with me directly on LinkedIn or reach out via hindol@efuturescfo.com to arrange a QuickScan briefing for your board or executive team. The organizations that built circuit breakers before they needed them did not regret the investment.
Hindol Datta | CPA, CIA (Certified Internal Auditor), CMA, MBA | Fractional CFO, TrustModel.ai | hindol@trustmodel.ai
AI-assisted insights, supplemented by 25 years of finance leadership experience.