This is part 5 of Finance AI Field Notes. Part 4: In-house development vs. ready-made tools.
Every finance stack has layers everyone can name: the ERP holds the books, the point tools handle specialty workflows, the data warehouse feeds the dashboards, and people do everything in between.
A new layer is being inserted into that diagram, and you can watch it happen in real time — in job postings.
Aon, the 94,000-employee insurance broker, is hiring a Director whose role, in their words, "owns the agent layer of the close, ensuring speed, integrity, and audit readiness." Not a tool. Not a project. A layer — with an owner, inside a unit they named Finance Agents Engineering. Kraken describes the same thing from the build side: "an agentic finance layer that runs alongside the existing stack today, automating workflows while defining the migration path toward a more scalable, AI-native architecture over time." State Street has a Managing Director for agentic AI. JPMorgan has an Executive Director heading Finance Transformation, Data & AI. CHANEL runs a "Global Finance Lab — Agentic & Process Automation" that has shipped over a hundred automations.
When multiple unrelated enterprises independently coin the same architectural vocabulary, the layer is real. So it's worth being precise about what it is.
What the agent layer actually does
Strip the terminology and the layer has four jobs, consistent across every description I've read:
It listens. Events come in — an invoice arrives, a bank statement lands, a period approaches close, an exception surfaces. The layer picks up work without being asked. This is what separates it from a chatbot, which waits for you.
It prepares. Agents match, reconcile, classify, draft, and diagnose. Aon's wording: agents that "orchestrate intercompany workflows, reconciliations, and exception management" and "perform close diagnostics, anomaly detection, and preparer-reviewer support." Note the last phrase — preparer-reviewer support. The layer prepares; it does not silently conclude.
It asks. When an agent hits missing data, an ambiguous classification, or a decision above its authority, it stops and routes a structured question to a human. Human-in-the-loop appears in virtually every serious posting — not as a compliance apology but as the mechanism that makes the rest acceptable.
It writes — only through governed gates. This is the defining property. The layer does not get raw database access. Kraken: "maintain human oversight where appropriate… design for auditability and control integrity." Aon: "enforce SOX-aligned workflows, approvals, and evidence capture," with "agent logging, execution traceability, and override controls." Every write lands through the same approval mechanics a human would face, and leaves the same evidence.
Why it's a layer and not a feature
You might ask: won't the ERP just absorb this? That's the embedded-AI thesis, and the adoption numbers so far are unkind to it (the German SAP user group found ~3% of SAP customers running SAP's AI in production). But there's a structural reason too: the agent layer's job is to work across systems — ERP, banks, billing, payroll, procurement, spreadsheets, email. Aon's layer integrates "Workday, Databricks, Accounting Center, and reporting tools." Kraken's spans "NetSuite, BlackLine, Kyriba, Fireblocks, and Lukka." A layer that lives inside one vendor's walls can't own a close that runs across five vendors' systems. That's why it keeps landing as a separate tier with its own owner, even at companies deeply committed to a single ERP.
What the layer demands (the part that gets skipped)
Here's what the enterprises writing these job descriptions understand, and what most first attempts miss: the agent layer is a control surface, not just an automation surface. Its non-negotiable properties, straight from the postings:
- Identity: each agent has explicit allowed tools and allowed workflows — least privilege, like any employee.
- Traceability: every run is an inspectable record — inputs, steps, outputs, cost, errors.
- Evidence: approvals and overrides are captured as audit artifacts at execution time, not reconstructed later.
- Risk tiering: low-risk actions flow; high-risk actions queue for one or more humans. Kraken formalizes this: "classify all automation builds by risk tier before work begins."
- Reversibility: failure detection and rollback are design requirements, because the layer touches the ledger.
If your agent layer lacks these, you don't have an agent layer — you have scripts with API keys, and an audit finding on a delay timer.
What to do with this
If you run finance: put the layer on your architecture diagram now, even if it's empty. Naming it forces the right questions — who owns it, what are its gates, how does it prove what it did — before the first agent ships rather than after. If you're the person being hired to build it: negotiate for the layer, not the use case. A dunning agent is a project; the layer is a career. And if you're an auditor: start asking clients which tier their AI writes through. The good ones will have an answer ready. The answer tells you everything.
The ERP was the system of record. The agent layer is becoming the system of work. The companies naming it first are the ones who intend to control it.
Part of Finance AI Field Notes, grounded in a July 2026 scan of ~105 live postings. Building a governed agent layer is literally what we do at Artifi — agents propose, humans approve, everything leaves a trail. Next: the lonely AI architect — why companies staff this layer with exactly one person, and why that breaks.