Technical7 de julio de 202613 min read

How to Implement SAFR: Architecture, Patterns, and Build vs Buy

Implementing MAS's SAFR framework: reference architecture, native vs gateway deployment, control calibration, escalation operations, and build vs buy.

Antonella Serine

Antonella Serine

Founder, KLA

Founder of KLA, building the independent runtime governance control plane for regulated AI agents under the EU AI Act.

Reference architecture

The SAFR reference architecture, stage by stage: Governance Envelope, identity verification, controls, disposition, audit record

Deployment patterns

Native and gateway deployment patterns, with the sequencing the white paper recommends for existing agent estates

Worked calibrations

Worked control calibrations for a treasury payments agent and a compliance-triage agent

Build vs buy

What building the runtime layer in-house requires, when building makes sense, and when buying does

Four-week pilot

A four-week pilot plan that ends in independently verifiable evidence

Safeguards for Agentic Finance at Runtime (SAFR) is a reference approach for a runtime governance layer for agentic AI in financial services, published in July 2026 by MAS's BuildFin.ai programme and written with Ant International, Circle, HSBC, J.P. Morgan Chase, Manulife, Mastercard, OCBC, and Visa. The white paper "defines data structures, evaluation logic, and escalation contracts for agentic AI deployment." It leaves the implementation to each institution: SAFR "serves as an industry reference for institutions to implement within their own infrastructure, using their own rule configurations and governance arrangements." This guide covers the engineering decisions that implementation requires: the reference architecture, the choice between native and gateway deployment, what to encode in controls, disposition calibration, escalation operations, the evidence layer, and a build-vs-buy analysis. For the framework itself — the four components, the Governance Envelope, mandates, and the ecosystem around SAFR — start with SAFR, explained. For the component-by-component KLA mapping, see the SAFR implementation page.

The SAFR reference architecture

SAFR "sits between the agent and the systems it acts on, evaluating proposed actions before execution, while working alongside existing payment rails, settlement protocols, compliance engines, and core banking systems." The design goal, in the paper's words: "no agentic action reaches execution without having been declared, authorised, and assessed." An implementation is a pipeline with a fixed order, and an audit log that records every stage of it.

The pipeline runs as follows. The agent proposes an action. Before anything executes, the proposal is packaged in a Governance Envelope carrying three classes of information: the action itself (type, scope, parameters), the action trace (the steps the agent actually executed in arriving at the proposal, including tool calls made, data retrieved, and checks performed), and context metadata (agent identity, applicable mandate, current account or system state, and operative policy constraints). The envelope is validated for completeness and coherence. Agent Identity then verifies the proposing agent against the authoritative registry; a failed verification means immediate rejection, recorded in the Audit Log. The Controls Repository identifies which of the institution's controls apply. The Disposition Engine evaluates the action against those controls and returns one of four binding outcomes: Deny, Escalate, Auto-Execute, or Observe. Financial rails execute if and only if the outcome permits, and the Audit Log records the full governance trace for every outcome, denials included.

Envelope integrity is a first-order design problem. The action trace and the action details are both agent-declared, and a sophisticated adversarial injection can fabricate them together. The paper's requirement: "The envelope is therefore treated as a document to be authenticated against its origin, not merely as a record of what the agent reported." In practice this pushes implementers toward capturing the envelope at a point the agent cannot forge — inside the execution path, or at the network boundary — and it is the strongest argument for choosing your deployment pattern deliberately.

The four SAFR components and what each demands of an implementation
ComponentFunctionImplementation note
Agent IdentityBinds each proposed action to a recognized, registered agent, verified against that agent's registry entry before any other evaluation proceedsIn closed-loop environments, a direct lookup against the institution's own registry; on open networks the component must determine which of several registries (internal, payment-network, inter-institutional) is authoritative
Controls RepositoryThe institution's configurable rulebook, drawn from organizational policies, regulatory requirements, product rules, and user-provided mandatesGeneric controls (authorization checks, exposure limits) are deterministic; AI-specific controls (evidence quality, envelope integrity) may involve probabilistic or semantic assessment
Disposition EngineEvaluates each in-scope action deterministically against the retrieved controlsProduces "a defined, binding outcome for every proposed action calibrated to the specific risk it presents"
Audit LogAn immutable, tamper-evident, append-only record of every governance decisionRecords all four outcomes; see the evidence layer section below

Native or gateway: choosing a deployment pattern

The white paper defines two integration patterns, and most institutions will end up running both. SAFR, explained covers the mechanics of each pattern, envelope emission in the agent and gateway interception at the infrastructure layer; the implementation decision is when to choose which.

The sequencing guidance comes straight from the paper: "For institutions with many existing agents, the gateway pattern serves as a practical starting point by establishing coverage first and native instrumentation can follow for new builds." Concretely: new capabilities get native instrumentation from day one, and the existing estate gets a gateway in front of it. Run both patterns against one controls repository, one disposition engine, and one audit log, so a mixed estate produces a single consistent governance record.

When to choose each deployment pattern
PatternWhen to choose it
Native IntegrationNew agent deployments, where instrumenting the agent gives the tightest integration, the most granular record, and the cleanest audit trail
Gateway IntegrationLegacy systems, third-party agents, and existing deployments, where coverage has to arrive without changes to agent code

What to encode in SAFR controls

A control in SAFR encodes five things: permitted action types, decision logic, escalation conditions, a validity period, and the principal authority under which the agent acts. Controls draw on four sources: organizational policies, regulatory requirements, product rules, and user-provided mandates.

The mandate is the anchor. "A mandate is the mechanism through which a user defines the bounds of the authority delegated to an agent" — explicit and machine-readable: what the agent may do, within what limits, under what conditions. "An agent cannot extend the scope of a mandate through its own reasoning or inference." The design lineage is capability-based security, the model that underlies OAuth 2.0; the paper cites the Agent Payments Protocol (AP2), with its cryptographically signed mandates, as a prominent industry example.

The paper groups controls into four categories:

The four control categories: what to encode and what to test
CategoryWhat to encodeWhat to test
AuthorizationAgent-to-principal bindings, delegation depth, and an action-type allowlist per agent class, all resolvable at evaluation timeAn action type outside the allowlist is denied even from a correctly registered agent; a delegation deeper than the encoded depth is denied
Exposure LimitsPer-action thresholds and aggregate windows sourced from your existing delegated authority framework, with the Auto-Execute, Escalate, and Deny bands stated as explicit amountsAn action that would breach an aggregate window's remaining headroom escalates even when its own amount sits inside the per-action band
Rate LimitsA maximum action rate per time window for each agent class, with a defined outcome for actions beyond the capA burst beyond the cap, whatever its cause (runaway agent, data feed error, adversarial injection), is denied and flagged for investigation
Evidence QualityThe required evidence for each action type and the minimum stated-confidence threshold for autonomous execution; the treasury calibration below requires a matched invoice record per paymentAn action whose stated confidence falls below the threshold routes to human review whatever its value; test with a deliberately weak evidence match

Calibrating controls for a treasury payments agent

Here is what that looks like calibrated for a treasury payments agent. The values are illustrative; set yours from your delegated authority framework.

For a compliance-triage agent — alert enrichment, risk disposition proposals, filing preparation — the controls that carry the load are evidence-quality thresholds: auto-closure of an alert requires the evidence contract to be met at or above threshold, proposed high-risk dispositions escalate to a named reviewer, and any action that would suppress an open alert is denied outright. We walk that workflow end to end, through all four components, in SAFR for AML and compliance triage.

Illustrative calibration — treasury payments agent
ControlIllustrative setting
AuthorizationAgent class `treasury-payments` may initiate vendor and intercompany payments for Treasury Operations as principal. Delegation depth 1: the agent may hold delegated authority and may sub-delegate to no other agent
Per-action exposure limitAuto-Execute below US$25,000. Escalate from US$25,000 to US$250,000. Deny above US$250,000, the ceiling of the desk's delegated authority
Aggregate exposure windowUS$500,000 per rolling 24 hours; a payment that would exceed the window's remaining headroom escalates
Rate limitMaximum 20 payment initiations per hour; actions beyond the cap are denied and flagged for investigation
Evidence qualityEvery payment must reference a matched invoice record; a match below the confidence threshold escalates to human review regardless of amount
Validity periodMandate valid for the current quarter; actions proposed outside the validity period are denied

Calibrating the four dispositions

Every in-scope action resolves to one of four outcomes from the Disposition Engine:

All four outcomes feed the Audit Log. Assignment is driven by five calibration factors the paper names: action reversibility, financial materiality, customer impact severity, regulatory sensitivity, and novelty or anomaly — departure from established patterns within the mandate. Higher-risk profiles shift outcomes toward Deny or Escalate. Calibration is set at design time through the governance parameters of the controls, which is why the pilot plan below budgets a full week for tuning against real traffic.

Observe deserves deliberate design attention: it lets a new control run against live traffic and generate structured review material while execution continues, the natural setting for thresholds you intend to tighten after seeing real behavior.

Calibrating the four dispositions: what to encode and what to test
DispositionWhat to encodeWhat to test
DenyHard regulatory and policy constraints, and the risk thresholds above which an action is rejected outright; in the treasury calibration, amounts above US$250,000, the ceiling of the desk's delegated authorityA constraint-violating action never reaches the rails, and its Audit Log entry names the rule that fired and the specific reason
EscalateThe escalation conditions in each control, marking where the autonomous band ends below the Deny ceiling; US$25,000 to US$250,000 for the treasury agentSimulated traffic yields an Escalate volume the review team can clear, and every escalation carries a timeout window defaulting to block or to a senior reviewer
Auto-ExecuteThe autonomous band each control leaves open: the action types, amounts, and conditions under which execution proceeds with no reviewer in the pathSampled auto-executed actions each show a full governance trace: envelope, rules applied, basis, stage timings
ObservePatterns and signals configured as warranting attention below the escalation threshold, each producing a structured observation while the action executesObservations are retrievable and queryable when the threshold review comes due

Escalation operations: design them before go-live

The paper describes today's typical escalation as a notification, an email alert, or a dashboard flag — no deadline, no standard decision format, no audit record: "the appearance of human oversight without the substance of it." A SAFR implementation replaces that with a designed operation, along three dimensions.

Volume. "An escalation function that generates more reviews than the institution can meaningfully process defeats its own purpose." Size thresholds against actual reviewer capacity; if simulation produces more Escalate outcomes than the team can clear, fix the controls before launch.

Turnaround. Every escalation should carry a timeout window. If no decision arrives within it, the default is to block the action or escalate to a senior reviewer. Set the window from realistic reviewer availability, including overnight and weekend coverage.

Authority. Reviewers need clear authority to approve, modify, or decline, and their decisions "carry the same institutional weight as the original agent decision." That implies named individual reviewers, recorded rationale on every decision, and role definitions that map onto your existing approval hierarchy.

Re-authorize every step

In multi-step workflows, the control flow applies to each agent action independently. "An Auto-Execute or Observe outcome at one step carries no authority into the next," because the agent adapts to intermediate results and changing conditions as it works.

This single sentence has large implementation consequences. The evaluation path must be fast enough to run on every action, so latency belongs in the engineering budget from the start. Mandates must be resolvable per action. Session-level approval caching is ruled out by design. And a ten-step workflow produces ten governance traces, each with its own envelope, disposition, and basis — exactly what an inspector reconstructing the run will want.

The evidence layer: the SAFR Audit Log

Each Audit Log entry captures six things: the governance envelope as submitted, the mandate against which the action was checked, the outcome produced by the Disposition Engine, the specific rules applied, the basis for that outcome, and the time elapsed at each stage. The log is immutable, tamper-evident, and append-only. The paper's standard: "The log is the authoritative record, independent of any party with an interest in how events are characterised after the fact."

That standard sits above what ordinary application logging provides, and three properties need engineering from the outset: append-only writes, so records accumulate and never mutate; tamper evidence, in practice cryptographic chaining, so any alteration of a past record is detectable; and independent verifiability, meaning an auditor can confirm the integrity of an exported record without access to the platform that produced it. Persist the evidence before returning the disposition. If an action can execute while its record is still in flight, a crash can leave executed actions with no governance trace.

Build vs buy for the SAFR runtime layer

SAFR is a reference approach, and the software choice is left open. Disclosure before the analysis: KLA is a vendor in this category. KLA Control Plane implements the SAFR pattern, shipping today. Read what follows with that in mind.

Building in-house means standing up six subsystems:

The six subsystems together are a platform-scale build, and the realistic planning unit is team-quarters. The work also continues after launch: calibration is an operating activity, because thresholds move with transaction volumes, product changes, and reviewer capacity.

Building makes sense when you have a deep in-house platform team that will own the layer as a product, when your rails or settlement infrastructure are bespoke enough that an off-the-shelf checkpoint cannot sit in front of them, or when adjacent systems you already operate (entitlements, case management, policy tooling) cover real parts of the table above.

Buying makes sense when the priority is governed coverage and exportable evidence within a quarter, when there is no platform team available to own six subsystems, or when auditors will ask for independently verifiable records sooner than an in-house roadmap can deliver them.

The hybrid is often the honest answer: buy the runtime checkpoint — registry, disposition engine, escalation workflow, evidence store — and keep controls authoring in-house. The split matches SAFR itself: the framework standardizes the data structures and contracts, while rule configurations and governance arrangements remain the institution's. Under a hybrid, your risk and compliance teams own what the controls say, and the vendor operates the machinery that enforces and evidences them.

For the record on KLA specifically: KLA Control Plane maps component for component — Agent Registry, Policy Builder, KLA Policy Engine, Audit Trail — with the four dispositions expressed as allow, warn, require_approval, and block. Per-action authorization, fail-closed evaluation, and Sealed Evidence Bundles with offline verification are shipped. Aggregate exposure windows, per-window rate limits, confidence thresholds as a routing primitive, per-class escalation timeout defaults, and the standalone gateway are in development. The component-by-component map, with status flags on every requirement, is on our SAFR implementation page.

What an in-house SAFR implementation requires
SubsystemWhat it takes
Agent registryRegistered, versioned agent identities with named owners; resolution of the authoritative registry; verification on every proposed action
Controls repositoryMachine-readable, versioned policies; a governed publishing workflow with review and approval before a policy takes effect; coverage for regulatory, product, and mandate-derived rules
Disposition engineDeterministic evaluation producing the four outcomes with machine-readable reason codes; fail-closed semantics when the decision service is unreachable
Escalation workflowRouting to named reviewers with full action context; approve, modify, or decline with recorded rationale; timeout handling; queue and turnaround visibility
Evidence storeAppend-only, tamper-evident storage; export tooling; a verification path an external party can run independently
InstrumentationEnvelope emission in every agent for native integration, or an intercepting gateway for the existing estate, plus the latency work to keep per-action evaluation viable

A four-week SAFR pilot

A credible first implementation fits in four weeks on one scoped workflow, and the plan works whether the layer underneath is built, bought, or hybrid.

Before week one, score where you stand. The SAFR Readiness Checklist is an interactive gap assessment across eight sections, from agent identity through deployment pattern, with the evidence an assessor would ask for attached to every question.

Four-week SAFR pilot plan
WeekWork
1Scope one agent workflow. Register the agent, define its mandate, and author the controls: authorization scope, exposure limits, rate limits, evidence-quality thresholds, escalation conditions
2Run governed traffic in simulation. Evaluate replayed or historical actions against the controls and calibrate dispositions until escalation volume matches reviewer capacity
3Go live with escalations. Route real Escalate outcomes to named reviewers, measure turnaround against the timeout window, and tune thresholds on real behavior
4Export the evidence. Produce the audit records for the pilot period, run independent verification on the export, and hold a go/no-go readout with risk and compliance

Preguntas frecuentes

How do we retrofit an existing agent estate?

Put a gateway in front of it and give new builds native instrumentation from day one, the sequencing the white paper recommends. The engineering work concentrates in two places: the interception point, which should sit where the agent cannot forge the envelope, at the network boundary or inside the execution path; and the latency budget, because evaluation runs on every proposed action. Run the gateway against the same controls repository, disposition engine, and audit log as the native builds so the mixed estate produces one consistent governance record.

What does native integration require from our agent code?

The agent is instrumented to emit a Governance Envelope before each proposed action: the action type, scope, and parameters; the action trace; and context metadata. A validator evaluates the envelope against the controls repository and returns an outcome before the agent acts. The paper recommends native integration for new agent deployments; it gives the tightest integration, the most granular record, and the cleanest audit trail.

What does a SAFR pilot look like?

Four weeks on one scoped workflow: register the agent and author its controls; calibrate dispositions against simulated or replayed traffic; run live escalations with named reviewers and tune thresholds; then export the audit records, verify them independently, and hold a go/no-go readout with risk and compliance.

Does SAFR require specific technology or a specific vendor?

No. SAFR defines data structures, evaluation logic, and escalation contracts, and it "serves as an industry reference for institutions to implement within their own infrastructure, using their own rule configurations and governance arrangements." SAFR is not a managed service. Institutions can meet it by building, buying, or combining the two.

Who sets the thresholds in a SAFR implementation?

The institution does. SAFR "does not constitute regulatory guidance or supervisory expectations," and rule configurations and governance arrangements stay with the implementer. In practice: exposure limits come from your existing delegated authority framework, escalation thresholds are sized against actual reviewer capacity, and disposition calibration is set at design time using the five factors the paper names, from action reversibility through novelty. Each institution remains responsible for determining how its deployment aligns with applicable supervisory expectations and internal governance requirements.

Conclusiones clave

The implementation order that works: choose your deployment pattern (native for new builds, gateway across the existing estate), encode controls from your existing delegated authority framework, calibrate the four dispositions in simulation, design escalation operations against real reviewer capacity, and stand up an evidence layer an outsider can verify. Then prove it on one workflow in four weeks. Start by scoring your current state with the SAFR Readiness Checklist — an ungated, interactive gap assessment; the editable working sheet is available by email. If you want a second pair of eyes on the gap list, book a 30-minute SAFR gap review. And for the component-by-component view of implementing the SAFR framework on KLA Control Plane, including what is shipped and what is in development, see the pillar page. Source: Safeguards for Agentic Finance at Runtime, white paper v1.0, MAS BuildFin.ai, July 2026. Quoted passages © Monetary Authority of Singapore. SAFR is an industry reference and does not constitute regulatory guidance. KLA is independent of and not affiliated with, endorsed by, or certified by MAS or BuildFin.ai.

Véalo en acción

¿Listo para automatizar su evidencia de cumplimiento normativo?

Reserve una demostración de 20 minutos para ver cómo KLA le ayuda a demostrar la supervisión humana y exportar documentación de Annex IV lista para auditoría.

How to Implement SAFR: Architecture, Patterns, and Build vs Buy | KLA Blog