133 identified risks. 15 categories. 13 regulatory frameworks that cover, at best, 14% of them. Risk is not a section in your agentic AI business case. It is the variable that determines whether the business case survives contact with production.
The companion articles in this series address the economics of agentic AI from four perspectives: the strategic investment case, total cost of ownership, organisational budgeting, and token-level consumption governance. Each article acknowledges risk, including governance premiums, failure costs, coordination tax, and security infrastructure. But none of them address the structure of risk in agentic AI, or the economic implications of deploying systems whose risk surface is fundamentally different from any technology financial services has previously adopted.
This matters for a specific reason: every cost estimate, every ROI projection, and every budget allocation in the preceding articles is conditional on risk being managed. Unmanaged risk does not appear as a line item in a TCO model. Instead, it appears as a regulatory fine that exceeds the agent’s lifetime value, a data breach that triggers remediation costs dwarfing the deployment budget, a silent compliance failure that accumulates liability for months before detection, or a multi-agent cascade that corrupts a transaction pipeline during peak processing.
Risk is not an appendix to the business case. It is the variable that determines whether the business case holds.
The Corvair Agentic AI Risk Catalog identifies 133 distinct risks across 15 categories, evaluated using the DAMAGE scoring framework. The Regulatory Coverage Matrix maps these risks against 13 regulatory and industry frameworks. The findings are sobering: the most comprehensive framework available, the Berkeley Agentic Profile, addresses only 14% of identified risks, with another 28% partially covered. The remaining 58% represent genuine regulatory blind spots where organisations must self-govern without established standards.
This article translates those findings into economic terms: what do these risks cost, how do they change the investment calculus, and what does the governance gap mean for organisations building agentic AI business cases?
Traditional enterprise technology risk follows established patterns. Software has bugs; you test, patch, and maintain. Infrastructure fails; you build redundancy and disaster recovery. Data gets breached; you encrypt, control access, and monitor. These risks are well-understood, well-governed, and actuarially tractable. Insurance products exist. Regulatory frameworks are mature. Organisations know what to budget.
Agentic AI introduces risk categories that have no precedent in enterprise technology, and the economic implications of that novelty are severe.
The most dangerous risks in agentic AI are emergent. They arise from the interaction of components that are individually well-behaved. A model that performs accurately. A data pipeline with clean inputs. An orchestration layer that routes correctly. Each component passes its individual test. But when the model consumes data from the pipeline through natural language reasoning, the pipeline’s structured uncertainty is lost. The model writes “the applicant’s credit risk is moderate” with no indication of confidence interval, data freshness, or model uncertainty. The orchestration layer routes this confident-sounding output to a decision system that acts on it as fact.
No single component failed. The system produced a decision that no competent human would have made, because the uncertainty that a human would naturally carry through the process was stripped away at each agent boundary. See The Compound Error Problem for the mathematical framework underlying this failure mode.
This pattern, compound risk that is invisible at the component level, is the defining characteristic of agentic AI risk. It means that component-level testing, the foundation of traditional software quality assurance, is necessary but radically insufficient. It means that risk assessments focused on individual models (the scope of SR 11-7, the foundation of most financial services AI governance) miss the majority of the risk surface. And it means that the governance investment required to detect and manage emergent risk is structurally higher than organisations accustomed to component-level governance expect.
Traditional software executes instructions. When it fails, the scope of failure is bounded by the scope of its authority: a bug in a report generator produces a bad report, not an unauthorised transaction. Agentic AI acts autonomously within delegated authority. When an agent fails, the scope of failure is bounded by the scope of its delegated authority, which in many deployments includes the ability to initiate transactions, modify data, communicate with customers, invoke other agents, and make decisions that create legal and regulatory obligations.
The risk catalog identifies this as the Authority and Privilege category, which includes ten distinct risks including cumulative operational authority (DAMAGE score 4.5), the highest-severity risk in the catalog. When a high-privilege user invokes a low-privilege agent, the agent may inherit the user’s session context. IAM systems track the agent’s registered identity, not its cumulative operational authority. Over time, through delegation chains and context propagation, agents can accumulate operational authority that exceeds any individual human’s authorisation without triggering a single access control alert.
The economic implication: a single authority-related failure can produce losses that exceed the agent’s lifetime value creation. This is not theoretical. It is the documented failure pattern in every financial services technology category that has ever involved delegated transaction authority, from rogue trading to unauthorised wire transfers. Agentic AI adds a new vector for the same category of loss.
Agents do not operate in isolation. They interact with existing institutional infrastructure at seven critical touchpoints: ML models and MLOps pipelines, transaction systems, workflow and orchestration engines, data infrastructure, communication protocols and capability infrastructure, identity and access management, and human-in-the-loop channels.
Each touchpoint has an established risk owner: Model Risk Management owns ML models. Operations owns transaction systems. The CDO owns data infrastructure. The CISO owns identity and access. Compliance owns human channels. But no single risk owner governs agents that operate across all seven touchpoints simultaneously, which is what production agents do.
This governance gap is not an organisational inconvenience. It is an economic risk. When an agent fails in a way that spans multiple touchpoints, for example consuming a model output through natural language (ML risk), using it to initiate a transaction (operations risk), via an API with accumulated privileges (identity risk), while writing results to a data store that feeds downstream compliance processes (data risk), the incident response involves five different risk owners, none of whom has complete visibility into what happened or unilateral authority to remediate. The coordination cost of multi-owner incident response is three to five times the cost of single-owner response, and the time to resolution is correspondingly longer, which matters when the agent is still running and potentially compounding the damage.
The Corvair Agentic AI Risk Catalog evaluates each of 133 risks using the DAMAGE framework: six dimensions that collectively determine economic severity.
Detectability. How difficult is the risk to identify before harm materialises? Risks with low detectability (silent quality degradation, gradual drift, or slow accumulation of operational authority) are economically more dangerous than dramatic failures because they accumulate cost over extended periods before anyone intervenes. A retry loop that burns £5,000 in tokens is visible and bounded. A compliance agent whose accuracy degrades from 95% to 82% over six months produces incorrect decisions on thousands of transactions before detection, with remediation costs that dwarf the token waste.
Autonomy Sensitivity. How much does risk severity increase as agent autonomy increases? This dimension directly affects the economic case for human-in-the-loop architectures. Risks with high autonomy sensitivity, such as veto-tradeoff confusion (DAMAGE score 4.5), where agents cannot distinguish between situations requiring conservative refusal and those requiring nuanced judgement, create disproportionate economic exposure in fully autonomous deployments. The governance investment to manage autonomy-sensitive risks is the economic cost of the “human oversight” that appears as a design principle in every responsible AI framework but rarely appears as a budget line.
Multiplicative Potential. Can the risk compound across agents, systems, or time? Multiplicative risks are the economic worst case because their costs scale non-linearly. A single-agent failure with bounded scope might cost $10,000 to remediate. The same failure in a multi-agent system where the output feeds downstream agents can cascade into hundreds of corrupted transactions, each requiring investigation and correction, producing remediation costs of $500,000 or more. The TCO article’s failure cost layer (Layer 5) budgets for bounded failures; however, multiplicative risks can exceed those budgets by an order of magnitude.
Attack Surface. How exposed is the risk to adversarial exploitation? Prompt injection (DAMAGE score 4.5) is the canonical example: a technically sophisticated attack that can cause agents to execute unauthorised actions, exfiltrate data, or compromise decision integrity. But attack surface extends beyond deliberate adversarial action. It includes the vulnerability of agent communication protocols to spoofing, the exploitability of dynamic capability discovery (where agents acquire new tools at runtime), and the exposure created when agents interact with external data sources whose integrity cannot be guaranteed.
The economic implication of attack surface is twofold: direct loss from successful attacks, and the ongoing security investment required to defend the surface. The TCO article’s governance and security layer (Layer 8) estimates $30,000–$120,000 annually, a figure that assumes moderate attack surface. Organisations deploying agents with high attack surface exposure (customer-facing agents, agents with external API access, multi-agent systems with dynamic capability discovery) should budget significantly higher.
Governance Gap. How well do current regulatory and industry frameworks cover this risk? This is where the Regulatory Coverage Matrix becomes economically relevant. Risks covered by established frameworks (SR 11-7, GDPR, DORA) have known governance requirements: the organisation knows what to build and can estimate the cost. Risks in regulatory blind spots require governance design from first principles, which is more expensive and carries the additional cost of uncertainty about whether the designed governance will satisfy future regulatory expectations.
The economic cost of governance gaps is not the cost of compliance. It is the cost of uncertainty about what compliance requires. Organisations in regulatory blind spots must either invest conservatively (building governance that may exceed eventual regulatory requirements, at significant cost) or accept exposure (operating with lighter governance and accepting the risk that future regulatory expectations will be more demanding than current practice). Neither option is free.
Enterprise Impact. What is the maximum blast radius if the risk materialises? This dimension captures the tail risk: the worst-case economic scenario. For most operational risks, enterprise impact is bounded by the scope of the affected process. For the highest-severity agentic AI risks (cumulative operational authority, silent data commingling with DAMAGE score 4.3, and cross-jurisdictional privacy conflict with DAMAGE score 4.4), enterprise impact extends to regulatory enforcement action, class-action litigation exposure, and reputational damage that affects the organisation’s franchise value.
The risk catalog and DAMAGE framework provide the analytical structure. Translating that structure into economic terms requires connecting risk categories to cost categories.
Some risks produce direct, quantifiable losses when they materialise. Unauthorised transactions from authority escalation. Financial penalties from regulatory non-compliance. Customer compensation from incorrect decisions. Data breach remediation costs. These are the costs that traditional risk frameworks model well: expected loss calculated as probability of occurrence multiplied by severity of impact.
For agentic AI, direct loss estimation is complicated by the emergent and multiplicative nature of the risks. Traditional expected-loss models assume independent risk events with bounded severity. Agentic AI risks are correlated (a data quality failure triggers reasoning failures, which trigger transaction integrity failures) and potentially unbounded (a cascading failure propagates until someone intervenes). Organisations should model direct losses using stress scenarios rather than expected-value calculations, asking “what does a plausible worst case cost?” rather than “what does the average failure cost?”
The cost of preventing, detecting, and managing risks. These costs appear in the TCO model as Layer 8 (governance and security infrastructure) and are influenced by the risk profile of the specific deployment. An agent with low autonomy operating on clean internal data within a single system has a modest governance requirement. An agent with delegated transaction authority operating across multiple systems with external data dependencies and customer-facing interactions has a governance requirement that may equal or exceed its build cost.
The regulatory coverage matrix provides a practical tool for estimating governance investment. Risks covered by established frameworks (SR 11-7, GDPR, DORA) have known governance requirements: the organisation knows what to build and can estimate the cost. Risks in regulatory blind spots require governance design from first principles, which is more expensive and carries the additional cost of uncertainty about whether the designed governance will satisfy future regulatory expectations.
The cost of responding to risk events after they occur. For agentic AI, remediation costs are structurally higher than traditional software remediation for three reasons.
First, agentic failures can be subtle. A deterministic software failure produces an error. An agent failure may produce output that looks correct but is not, requiring investigation to determine which outputs are affected, how far downstream the incorrect outputs have propagated, and which decisions, transactions, or communications need to be reversed or corrected. This forensic work is expensive and time-consuming.
Second, multi-touchpoint failures require multi-owner remediation. When an incident spans ML models, transaction systems, data infrastructure, and compliance processes, the remediation involves coordinating across five or more organisational functions, each with its own incident response process, escalation chain, and remediation timeline. The coordination cost alone can exceed the cost of the technical fix.
Third, regulatory remediation for AI failures is still being defined. When a traditional system fails in a regulated context, the organisation knows the remediation playbook: disclosure requirements, customer notification obligations, and regulatory reporting timelines. When an AI agent fails, these obligations are less clear, creating legal and compliance uncertainty that translates to higher remediation cost (conservative organisations will over-remediate to manage uncertainty) and longer resolution timelines.
Some risks are best managed by not deploying. This means limiting agent scope, maintaining human-in-the-loop oversight, or deferring deployment until governance capabilities mature. These constraints have real economic cost: the value that a more autonomous or more broadly scoped agent would capture, minus the value actually captured by the constrained deployment.
This is the economic trade-off at the heart of responsible AI deployment. More autonomy captures more value but creates more risk. Less autonomy captures less value but is more governable. The optimal point depends on the organisation’s risk appetite, governance maturity, and the specific risk profile of the deployment, which is why risk assessment is not a compliance exercise but an economic input to the business case.
The Regulatory Coverage Matrix maps 133 agentic AI risks against 13 regulatory and industry frameworks. The findings have direct economic implications for every organisation building agentic AI business cases.
The best-performing framework, the Berkeley Agentic Profile, addresses 14% of identified risks fully, with another 28% partially covered. The remaining 58% are unaddressed. Traditional frameworks fare worse. SR 11-7 (the foundation of financial services model risk management) addresses 3% fully. DORA (the EU’s digital operational resilience act) addresses 3% fully. GDPR addresses 4% fully.
This does not mean these frameworks are irrelevant. They provide essential governance for the risks they cover. It means they are dramatically insufficient as a complete governance solution for agentic AI.
The economic implication: organisations cannot outsource governance design to regulatory compliance. Meeting current regulatory requirements is necessary but covers only a fraction of the actual risk surface. The governance investment required for responsible agentic AI deployment substantially exceeds the cost of regulatory compliance alone.
The risks most unique to agentic AI (dynamic authority accumulation, veto-tradeoff confusion, emergent coordination failure, context window data exposure, and A2A card manipulation) fall almost entirely outside existing regulatory frameworks. These are not edge cases. They are among the highest-severity risks in the catalog, with DAMAGE scores of 4.0 or above.
Organisations that govern agentic AI using only existing regulatory frameworks are governing less than a quarter of their actual risk surface at full coverage, with another quarter partially addressed. More than half of identified risks fall entirely outside current frameworks, not because the organisation is negligent, but because the frameworks were designed for a different technology paradigm.
The current coverage gap will narrow as regulators develop agentic AI-specific guidance. The EU AI Act’s implementation, the evolution of MAS AIRG, and emerging frameworks from NIST and sector-specific regulators will gradually extend coverage. See the Cross-Framework Comparison for how these frameworks interact and where their coverage overlaps. However, regulatory development cycles are measured in years, while agentic AI deployment cycles are measured in months.
Organisations deploying now face a timing mismatch: they must make governance investment decisions today against regulatory requirements that will be defined tomorrow. The economically rational response is to invest in governance that exceeds current requirements but aligns with the direction of regulatory travel, which is toward greater auditability, explainability, and human oversight of autonomous decision-making.
The alternative, minimising governance to current requirements and adapting when regulations change, creates future remediation costs that typically exceed the cost of forward-looking governance investment. This is not a hypothetical pattern. It is the documented experience of every regulated industry that has underinvested in governance ahead of regulatory expansion, from Basel II/III capital requirements to GDPR data protection.
The preceding analysis suggests a practical framework for incorporating risk into agentic AI business cases.
For each planned agent deployment, identify which of the 133 catalogued risks are relevant. Not all risks apply to every deployment. An agent operating within a single system on internal data with human-in-the-loop oversight has a fundamentally different risk profile than a multi-agent system operating across institutional touchpoints with delegated authority and external data dependencies.
The seven institutional touchpoints provide the mapping structure: which touchpoints does the agent interact with? For each touchpoint, which risk categories are activated? This produces a deployment-specific risk profile that is far more useful than generic risk assessments.
For each relevant risk, assess the six DAMAGE dimensions in the context of the specific deployment. A risk that scores high on multiplicative potential in a multi-agent system may score low in a single-agent deployment. A risk that scores high on governance gap in one jurisdiction may be well-covered in another.
Prioritise risks scoring 3.5 or above on any individual dimension, and risks scoring 3.0 or above on three or more dimensions. These represent the risks with sufficient economic severity to affect the business case.
For each prioritised risk, estimate:
Prevention cost. What governance, monitoring, and architectural investment is required to reduce the risk to an acceptable level? This feeds directly into the TCO model’s Layer 8 (governance and security infrastructure).
Detection cost. What monitoring infrastructure is required to detect the risk if it materialises despite prevention? This also feeds Layer 8, and informs the monitoring thresholds described in the token economics article.
Expected loss. What is the realistic worst case if the risk materialises? Use scenarios rather than expected values. A 5% probability of a $2 million regulatory fine is not the same economic exposure as a $100,000 expected loss; the tail risk matters more than the average.
Remediation cost. What does recovery cost after a risk event? Include forensic investigation, multi-owner coordination, regulatory reporting, customer communication, and system remediation. For high-severity risks, remediation costs often exceed direct losses.
Incorporate risk economics into the existing business case framework:
Adjust TCO. Add prevention and detection costs to the appropriate TCO layers. These are not optional costs. They are the investment required to maintain the governance premium that sustains ROI over time.
Adjust ROI timeline. Risk events delay value capture. Build risk-adjusted scenarios that model the impact of a significant risk event in years one, two, and three on the cumulative ROI curve.
Adjust deployment scope. Risk assessment may indicate that a more constrained deployment (narrower scope, more human oversight, and fewer institutional touchpoints) produces better risk-adjusted returns than a broader deployment with higher risk exposure. The value of the forgone autonomy is real, but it is often less than the governance investment required to manage the risk that autonomy creates.
Present risk as a variable, not an appendix. The business case should show stakeholders how ROI changes under different risk assumptions. “Under our base case risk assumptions, three-year ROI is 7.4:1. Under a stress scenario including one significant risk event in year two, three-year ROI is 4.8:1. Under an ungoverned scenario where risk events occur without detection infrastructure, three-year ROI degrades to 2.1:1 as remediation costs accumulate.” This framing connects governance investment directly to financial outcomes and makes the economic case for the governance premium concrete.
The regulatory coverage gap means that for the majority of agentic AI risks, organisations must self-govern. There is no external framework to comply with. There is no regulatory checklist to follow. There is no established standard against which auditors will evaluate the organisation’s practice.
This is uncomfortable for regulated financial services organisations accustomed to governance by regulation. It is also an opportunity. Organisations that develop robust self-governance frameworks for agentic AI, frameworks grounded in systematic risk identification, economic analysis, and governance investment proportional to risk severity, will be positioned to:
Lead rather than follow. When regulations emerge, organisations with mature self-governance will already exceed requirements. The compliance cost of new regulations will be incremental rather than transformative.
Demonstrate control to regulators. In the absence of specific requirements, regulators evaluate intent and capability. Organisations that can demonstrate they have identified the risks, assessed their severity, and invested in governance proportional to that severity will receive more favourable regulatory treatment than organisations that waited for specific requirements.
Capture the governance premium. As documented throughout this series, governed AI deployments deliver two to three times the cumulative ROI of ungoverned deployments. The governance premium is not an abstract concept. It is a measurable financial outcome driven by reduced failure costs, sustained accuracy, regulatory resilience, and continuous improvement. Risk-informed self-governance is the mechanism that produces it.
Advise peers and shape standards. Organisations with operational experience in agentic AI risk governance will contribute to the frameworks that eventually become industry standards. This is not altruism. It is strategic positioning that ensures future regulatory requirements align with the organisation’s existing practice rather than requiring costly remediation.
Risk is not a section in the agentic AI business case. It is the hidden variable that determines whether the economic projections in Articles 1 through 4 survive contact with production.
One hundred thirty-three identified risks across 15 categories represent a risk surface fundamentally different from any technology financial services has previously adopted. The risks are emergent (arising from component interactions rather than component failures), autonomous (operating within delegated authority that amplifies consequences), and cross-functional (spanning institutional touchpoints with no unified governance owner).
Current regulatory frameworks cover, at best, 14% of this risk surface. With only 14% of risks fully addressed by even the best available framework, organisations must self-govern for the vast majority of their risk surface, not as a compliance exercise but as an economic investment that protects and compounds the returns projected in the business case.
The practical framework: map deployments against the risk catalog, score relevant risks using DAMAGE dimensions, estimate economic exposure, and adjust the business case to reflect risk as a variable rather than an assumption. Business cases that treat risk as an appendix will be surprised. Business cases that treat risk as a variable will be prepared.
The risk economics framework in this article connects directly to four advisory services, depending on organisational maturity:
“We need to understand our risk exposure before we deploy.” The Agentic AI Risk & Controls Workshop is a focused 2-day engagement that builds internal understanding of agent architecture, the DAMAGE framework, and the specific failure modes described in this article. It produces an institution-specific risk taxonomy and a controls checklist aligned to MAS AIRG, the foundation for risk-informed deployment decisions.
“We need a governance framework that addresses the regulatory coverage gap.” The AI Governance Framework Design engagement produces the policy suite, risk committee charter, materiality assessment methodology, and lifecycle control framework that this article argues current regulatory frameworks do not provide. For organisations in Singapore, the MAS AIRG Readiness Assessment maps current governance against requirements and produces a prioritised compliance roadmap.
“We need to operationalise risk governance across a portfolio of agents.” The Data & AI Centre of Excellence establishes the hub-and-spoke governance structure that solves the “no unified risk owner” problem this article identifies. It includes agent registry, risk classification, monitoring infrastructure, and the cross-functional governance coordination that multi-touchpoint agent deployments require.
“We need ongoing advisory as the regulatory landscape evolves.” The Fractional AI Governance Advisor provides continuous regulatory monitoring, governance evolution, and the quarterly reviews that keep risk management current as both the technology and the regulatory environment change.
Schedule a briefing to discuss your risk governance requirements.
This article is part of a seven-article series on the economics of agentic AI in financial services.
133 identified risks, 15 categories, and a governance gap that no existing framework fully addresses. Start with a structured risk assessment before committing to production deployment.
Schedule a Briefing Explore the Risk Catalog