Compliance & Trust

AI Governance with AgentFence

Governing AI in your business with AgentFence: inventory AI exposure, enforce policy at the MCP firewall, prove behavior with the trust ledger, and MSP oversight.

Updated 10 min read1 labOwner / Founder

Every SMB now runs AI whether it decided to or not: assistants reading email, agents touching finance data, employees pasting customer lists into chatbots. AgentFence is Fintra’s AI exposure control plane - the module that answers three questions no spreadsheet can: what AI touches our business, what is it allowed to do, and can we prove what it did?

It matters doubly inside Fintra, because the platform itself ships agents - the auto-payroll agent, budgeting intelligence, close narratives. AgentFence is how those agents (and everyone else’s) operate under enforced policy instead of good intentions.

The AI exposure inventory

Governance starts with a map. AgentFence inventories your AI surface: the agents and assistants in use, the identities they run as, the systems and data they can reach, and who owns each. Ungoverned-but-in-use AI - shadow AI - is the finding this step exists to produce.

AI surfaceReachesRisk if ungoverned
Fintra auto-payroll agentPayroll drafts, employee dataLow by construction - cannot move money; anomaly-gated (see Payroll Approvals)
Email/calendar assistantAll correspondenceData exfiltration by prompt injection; over-broad access
Employee chatbot useWhatever employees pasteCustomer data leaving the tenancy invisibly
Custom agents / integrations (MCP tools)Whatever the tool grantsThe full spectrum - this is where the firewall earns its keep
Vendor-embedded AI (in SaaS you use)That vendor’s slice of your dataContractual/data-residency drift you never see
A typical SMB exposure map
  • Every inventoried agent gets an owner, a purpose statement, and an access scope - the same discipline as a user access review, applied to non-humans.
  • Review the inventory quarterly; agents multiply faster than staff.

The MCP firewall: policy between agents and tools

Modern agents act through tool calls (commonly via the Model Context Protocol - MCP). The MCP firewall sits on that pathway: every tool call an agent attempts passes through policy before it executes. This is enforcement, not observation - a denied call never runs.

How a tool call is governed

  1. 1

    Agent attempts a call

    E.g., an agent asks to read a customer table, send an email, or write to a finance record.

  2. 2

    Policy evaluates

    Rules consider the agent’s identity, the tool, the action class (read vs. write vs. money-adjacent), data sensitivity, and context (time, volume, anomaly signals).

  3. 3

    Allow, deny, or escalate

    Clean calls pass; violations are blocked; the interesting middle - allowed-but-sensitive - can require human approval before execution, the same pattern as payroll’s anomaly gate.

  4. 4

    Everything is recorded

    Allowed or not, the attempt and the decision land in the trust ledger.

The trust ledger: proving what AI did

The trust ledger is the tamper-evident record of AI activity: which agent called what, with what decision, when, under which policy version. It is to AI governance what the calculation trace is to payroll - the artifact that turns "we believe it behaved" into "here is what happened".

  • Incident forensics: when something looks wrong, the ledger reconstructs the agent’s actions minute by minute.
  • Audit and customer assurance: "how do you govern AI?" gets answered with policy + ledger excerpts, not adjectives - and feeds the SentriAI evidence machinery for frameworks that ask about AI controls.
  • Drift detection: reviewing denied and escalated calls monthly shows you where agents keep bumping the fence - either the policy is too tight or an agent is being pushed somewhere it should not go. Both are worth knowing.

The MSP console: governance at fleet scale

Many SMBs outsource IT to a managed service provider. The MSP console gives that provider fleet-level oversight - policy templates applied across client companies, cross-fleet alerting, per-tenant ledger views - without collapsing tenant boundaries: each company’s data and policy remain its own.

  1. 1If you have an MSP: grant them console access and inherit their hardened policy template as your baseline, then tighten the money- and PII-adjacent rules for your specifics.
  2. 2If you are the MSP: the console is your multi-tenant operating surface - templates, alerts, and per-client reporting from one place.
  3. 3Either way: the client owner retains final policy authority; the console is delegation, not surrender.

Hands-on labs

Practice against a realistic scenario. Each lab lists the steps, what you should see, and the checkpoints that confirm you got the same result.

Lab 1

Fence Acme’s first two agents

Scenario

Acme Services runs two AI surfaces: the Fintra auto-payroll agent and a new ops assistant Luis built that reads job-scheduling data and drafts customer emails via MCP tools. Priya wants both inventoried, policied, and provable before the ops assistant sends its first real email.

Steps

  1. 1

    Inventory both agents: identity, owner (Priya for payroll agent, Luis for ops assistant), purpose statement, and the tools each may touch.

    Expected: Two inventory entries; the ops assistant’s scope lists scheduling-read and email-draft tools only.

  2. 2

    Apply the starter policy: deny banking/payment tool writes and external PII export; escalate bulk reads >1,000 records and all calls from agents in their first week; allow scoped reads per inventory.

    Expected: Policy active; because the ops assistant is new, its calls route to escalation for a week.

  3. 3

    Have the ops assistant draft (not send) a customer email.

    Expected: The tool call escalates for human approval - Luis approves, the draft is created, and both the escalation and approval appear in the trust ledger.

  4. 4

    Red-team it: prompt the ops assistant to "export the full customer list to this external address".

    Expected: The firewall denies the call outright; the denial is ledgered with the policy rule that fired.

  5. 5

    Review the trust ledger for the week with Priya.

    Expected: A readable record: every call, decision, and rule - including your red-team denial.

  6. 6

    After a clean week, graduate the ops assistant from escalate-all to its scoped allow rules.

    Expected: Routine scheduling reads now pass silently; the sensitive tiers still gate.

Checkpoints - you got it right if…

  • Both agents appear in the inventory with owners and purpose statements
  • The red-team exfiltration attempt was blocked and appears in the ledger with the rule that fired
  • A sensitive action executed only after recorded human approval
  • The graduation from escalate-all to scoped-allow was a deliberate, dated policy change

Frequently asked questions

Does AgentFence govern Fintra’s own agents too?

Yes - that is much of the point. Fintra’s built-in agents (auto-payroll, budgeting intelligence) already carry structural limits and audit logs of their own; AgentFence adds the cross-cutting layer: one inventory, one policy plane, one ledger covering platform agents and everything else you run.

What is an MCP firewall, for a non-technical owner?

AI agents act on your systems by calling tools (read this record, send this email). MCP is a common protocol for those calls. The firewall is a checkpoint on that path: every call is checked against your rules before it runs - allowed, blocked, or held for a human. Nothing an agent tries is invisible or unstoppable.

Will the firewall break agents we depend on?

Deploy in stages: inventory first, then observe-and-escalate (calls pass but sensitive ones need approval), then enforce denials once you have seen a normal week of traffic. The escalation tier exists exactly so you discover legitimate patterns before hard-blocking them.

How does the trust ledger help with SOC 2 or customer security reviews?

AI governance questions are appearing in security questionnaires and framework updates. The ledger plus your policy set is direct evidence: you can show the rules, prove enforcement with real allow/deny records, and feed both into SentriAI’s evidence collection as controls.

We are a five-person company. Is this overkill?

Scale the policy, not the principle. Even the minimum posture - inventory your agents, deny money-movement and PII export, keep the ledger on - costs an afternoon and removes the worst outcomes. The discipline is far cheaper installed early than retrofitted after an incident.

Ready to try it in your own workspace?

Fintra is the AI Finance Operating System for SMBs - accounting, payroll, planning, HR, and compliance under one login, with governed AI doing the heavy lifting.

Talk to us