01

Begin with proposals and narrow recurring operations

Agentic payments in treasury should start with cash visibility, exception triage, payment proposal preparation, and low-risk recurring transfers where counterparties and limits are already governed. High-value, new-beneficiary, cross-border, or irreversible transactions should retain independent approval until the organization has evidence for a narrower delegated class.

A treasury mandate should name the legal entity, accounts, asset or currency, beneficiary scope, purpose, maximum amount, frequency, time window, required approvals, and prohibited routes. Conversational approval must be normalized into those fields before a payment instruction reaches a signer or bank channel.

  • Keep beneficiary creation separate from payment approval.
  • Require independent step-up for changed settlement instructions.
  • Enforce per-transaction, aggregate, and velocity limits outside the model.
  • Preserve maker-checker roles even when an agent prepares both sides of the workflow.
02

Make liquidity decisions explainable and reproducible

A liquidity agent may compare balances, forecasts, yield, fees, cutoffs, and counterparty limits. Store the input snapshot, policy version, selected action, rejected alternatives, and approval record. A plausible natural-language explanation is not a substitute for the deterministic calculation and constraints that produced the transfer.

Market data and account feeds can be stale, incomplete, or adversarial. The effect boundary should validate freshness, source, units, account identity, and allowed destination before executing the recommendation.

Treasury decision inputs and control checks
InputFailure modeControl
BalanceStale or wrong legal entityTimestamp, account and entity binding
BeneficiaryInstruction fraudIndependent verification and allowlist
Rate or feeChanged economicsQuote expiry and maximum cost
ForecastModel error or missing obligationBuffer policy and human exception
RailUnexpected finality or cutoffApproved routes and settlement-state model
03

Keep compliance and authority as separate gates

A payment can be authorized by the principal and still require sanctions, anti-money-laundering, fraud, tax, or internal policy review. Conversely, passing a screening control does not prove that the agent had authority. Record each decision, data source, timestamp, and result independently.

Virtual-asset and cross-border activity can change obligations based on custody, jurisdiction, counterparty, and role in the funds flow. The system should route uncertain cases to qualified review rather than encoding a universal compliance answer into the prompt.

04

Close the loop in the ledger and bank record

Treasury operations need a chain from mandate to payment instruction, provider acknowledgement, settlement statement, bank or onchain evidence, fee, foreign-exchange result, and general-ledger entry. Use stable identifiers and suspense states for uncertain outcomes instead of letting the agent label a task complete.

Reconciliation exceptions should not automatically trigger another transfer. First inspect the rail, adapter, and ledger state. Recovery authority should be narrower than the original mandate when it changes beneficiary, amount, or route.

Treasury autonomy is earned when the organization can stop, explain, and reconcile every effect—not when the agent can move money quickly.

Source discipline

Primary sources

Product status and protocol behavior are checked against maintainer documentation. Company sources establish what their organizations publish; they do not independently prove adoption or performance.

  1. AI Risk Management FrameworkNIST
  2. Digital Identity GuidelinesNIST
  3. Virtual assetsFinancial Action Task Force
  4. Announcing Agent Payments Protocol (AP2)Google Cloud