Barney Goodman

19 Jun 2026

2 notes

TLDR Tech

Agentic AI Needs Infrastructure Discipline, Not Just Prompts

The Orange Innovation piece on multi-agent security is ostensibly about threat detection, but the real lesson sits underneath that: agentic AI systems fail or succeed at the infrastructure layer, long before you get to the interesting AI behaviour.

Most of the AI conversation in UK financial services is still happening at the model layer. Which LLM? Which vendor? Which use case? The Orange team built something that actually works in a regulated production environment, and the reason it works has almost nothing to do with the model. It works because each agent runs as a discrete Kubernetes workload with its own identity, its own resource limits, and its own blast radius.

That architecture decision matters enormously for anyone building AI agents in a consumer credit context. The FCA does not care how clever your model is. It cares whether you can explain what happened, isolate a failure, and demonstrate that one misbehaving component cannot compromise the whole system. Treating agents as proper workloads rather than glorified API calls gives you audit trails, containment, and operational visibility.

The other detail worth taking seriously is the pre-filtering step. A classical ML model screens events before they ever reach an LLM-driven agent. This is sensible engineering, and it runs counter to the instinct many teams have to route everything through the most capable model available. LLMs are expensive, slow, and non-deterministic. Using them selectively, only where their capabilities are genuinely needed, keeps costs manageable and makes behaviour more predictable.

For consumer finance specifically, where you might be building agents that touch affordability assessments, fraud rules, or customer communications, that layered approach is also a regulatory necessity. Deterministic policy controls via something like OPA sit above the AI layer. The agent proposes, the policy decides.
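The layering described above, sketched as an added example (not code from Orange or from this post): a cheap screen runs first, the agent only proposes, and a default-deny policy keyed on the agent's workload identity decides. The event fields, the `triage-agent` name, the action names and the `propose` stand-in for the LLM are all assumptions; in production the `decide` step would be a query to a policy engine such as OPA.

```python
from dataclasses import dataclass

# Constructed sample events. "score" stands in for the output of the classical
# ML pre-filter; every field name and value here is an assumption.
EVENTS = [
    {"id": "e1", "score": 0.12, "kind": "login"},
    {"id": "e2", "score": 0.91, "kind": "shell_in_container"},
    {"id": "e3", "score": 0.88, "kind": "outbound_transfer"},
    {"id": "e4", "score": 0.95, "kind": "config_change"},
]

@dataclass(frozen=True)
class Proposal:
    agent: str   # workload identity of the proposing agent
    action: str
    target: str

# Deterministic policy, default deny: per agent identity, the actions it may
# take on its own and the ones that need a human approver.
POLICY = {
    "triage-agent": {"allow": {"open_ticket"}, "approve": {"isolate_workload"}},
}

def decide(p: Proposal) -> str:
    rules = POLICY.get(p.agent)
    if rules is None:
        return "deny"                      # unknown identity gets nothing
    if p.action in rules["allow"]:
        return "allow"
    if p.action in rules["approve"]:
        return "needs_approval"
    return "deny"                          # anything not listed is refused

def propose(event: dict) -> Proposal:
    """Hypothetical stand-in for the LLM agent: maps an event to an action."""
    action = {"shell_in_container": "isolate_workload",
              "outbound_transfer": "block_account"}.get(event["kind"], "open_ticket")
    return Proposal("triage-agent", action, event["id"])

def run(events, threshold=0.8):
    audit = []
    for e in events:
        if e["score"] < threshold:         # screened out: the agent never sees it
            audit.append({"event": e["id"], "stage": "prefilter", "decision": "dropped"})
            continue
        p = propose(e)
        audit.append({"event": e["id"], "stage": "policy", "agent": p.agent,
                      "action": p.action, "decision": decide(p)})
    return audit
```

Every event leaves a row in the audit list, including the ones the pre-filter dropped and the proposal the policy refused.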

The question I'd put to any technology leader currently prototyping agentic systems is this: if your most important AI agent behaved unexpectedly at 2am on a bank holiday, how long would it take you to understand exactly what it did and why?

  • →Orange Innovation built a real-time security operations platform using CNCF projects like Falco, Cilium, and Kafka combi
  • agentic
  • AI agents
  • AI
  • machine learning

TLDR Tech

AI Agent Discovery Is a Governance Problem First

Snowflake's ARD announcement is being read as a developer productivity story. It is actually a controls story, and that distinction matters enormously if you work in regulated financial services.

The pitch is straightforward: standardise how AI agents find and invoke capabilities across your enterprise, so they can wire themselves together without human intervention at each step. Describe, curate, search, execute. Clean four-step flow, sensible protocol design.

But read that back slowly. AI clients automatically finding and invoking approved capabilities. In a consumer credit environment, where every decisioning touchpoint carries regulatory weight, the word 'automatically' does a lot of heavy lifting.

The FCA's Consumer Duty requires firms to demonstrate that outcomes for customers are actively monitored and that harm is identified and remedied. That is hard enough when humans are making explicit integration decisions. When agents are discovering and invoking capabilities dynamically, the audit trail question becomes genuinely difficult. Which agent called what, when, on whose authorisation, and what customer outcome resulted?

The curation step is everything

ARD's flow includes a curation stage, where approved capabilities are catalogued for agents to find. That is where compliance teams in financial services need to plant their flag. The curation layer is not a data engineering task. It is a risk and governance task that happens to have a technical implementation.

Firms that treat ARD-style protocols as infrastructure decisions, signed off in an architecture review, will eventually face a regulator asking why a particular data source or scoring capability was available for autonomous invocation at all.

The organisations that get ahead of this will build capability catalogues with the same rigour they apply to third-party supplier assessments. Documented, risk-rated, with clear ownership of what each capability is permitted to do in which context.
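What such a catalogue can enforce, as an added example that is not part of the original post and is not the ARD format: an entry without an owner, a risk rating, permitted contexts and a sign-off is never discoverable, and every invocation attempt is re-checked and logged. The schema, capability names and context names are assumptions.

```python
from datetime import datetime, timezone

REQUIRED = ("owner", "risk", "contexts", "approved_by")
RISK_ORDER = ["low", "medium", "high"]

# Constructed catalogue entries; the schema is an assumption for illustration.
CATALOGUE = {
    "address-lookup": {"owner": "data-platform", "risk": "low",
                       "contexts": {"servicing", "onboarding"},
                       "approved_by": "risk-committee"},
    "affordability-score": {"owner": "credit-risk", "risk": "high",
                            "contexts": {"onboarding"},
                            "approved_by": "risk-committee"},
    "bureau-raw-file": {"owner": "credit-risk", "risk": "high",
                        "contexts": {"onboarding"}},  # never signed off
}

def curated(catalogue):
    """Only entries with every governance field filled in are discoverable."""
    return {n: c for n, c in catalogue.items() if all(c.get(f) for f in REQUIRED)}

def discover(catalogue, context, max_risk):
    """Capabilities an agent working in `context` may see, capped at `max_risk`."""
    limit = RISK_ORDER.index(max_risk)
    return sorted(n for n, c in curated(catalogue).items()
                  if context in c["contexts"]
                  and RISK_ORDER.index(c["risk"]) <= limit)

def invoke(catalogue, audit, agent, capability, context, max_risk, on_behalf_of):
    """Re-check at call time and record who called what, when, and for whom."""
    permitted = capability in discover(catalogue, context, max_risk)
    audit.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "agent": agent,
        "capability": capability,
        "context": context,
        "on_behalf_of": on_behalf_of,
        "approved_by": catalogue.get(capability, {}).get("approved_by"),
        "permitted": permitted,
    })
    return permitted
```

Refused attempts are written to the audit list as well, so a question about why a capability was reachable can be answered from the record.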

Agentic AI is moving faster than most governance frameworks in UK consumer finance. The protocols are arriving. The question is whether the controls thinking arrives at the same time, or six months later after something goes wrong.

  • →Snowflake announced support for the Agentic Resource Discovery (ARD) Specification, an open protocol for standardizing h
  • agentic
  • AI agents
  • AI