AI Agents Are the New Privileged User

Matt Mesher

Every large finance organization has an AI mandate from the top: find ways to use AI to move faster, reduce cost, and free up capacity. Controllers, tax leaders, and FP&A teams are responding the way you would expect. They’re reaching for the tools already on their desks, like Claude, ChatGPT, and Microsoft Copilot, and pointing them at real work. Reconciliations, journal entries, sales-tax calculations, intercompany eliminations, the close… The output looks fine. In fact, in many cases, it looks great!

But looking great is not the same as being audit-ready. And right now, the vast majority of these deployments are not.

Audit is catching up to AI faster than most finance leaders realize. Segregation of Duties (SOD) testing has to change to keep up with a world of AI agents and automation. With that in mind, every CFO and controller needs to get comfortable with the idea that any AI agent or automation that can execute business processes is a privileged user, and internal audit needs to test it like one.

If your organization is already using LLMs inside a SOX-relevant process, you’re living in the very gap we’re focusing on.


The Maker-Checker Problem

Segregation of duties is one of the oldest internal control principles in finance. No single actor, whether human or machine, should be able to initiate a transaction, approve it, and record the result on its own, because an actor that controls every step can also conceal its own errors. The second set of eyes is the control.

Traditional SOD testing focused on role assignments inside a single ERP. Auditors would check whether the same person who creates a vendor can also approve payments to that vendor. The control was enforced by the roles assigned in the system. If your role did not grant you access to both functions, the SOD risk was mitigated. 

But the scope of what counts as an SOD event has expanded well beyond role assignments. Modern SaaS platforms and cloud ERPs give business administrators the ability to change approval workflows, validation rules, routing logic, and processing thresholds, all without any change to anyone’s formal role. That means the traditional test (does this person hold two conflicting roles?) misses an entire class of risk. 

Let’s take an example of an accounts payable administrator whose role does not permit her to approve invoices. But she can edit the approval workflow so that invoices under $50,000 skip approval entirely. She hasn’t changed her role, but she has changed the control. The effect is the same as if she had been granted approval authority, but no traditional SOD scan would catch it. Auditors are now being trained to treat these workflow and configuration changes as SOD events in their own right. The new test they are learning to apply: do workflow and configuration changes go through change management with author and approver separation?
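The auditor's new test can be expressed as a scan over the platform's change log rather than over role assignments. The following is an added example, not code from the article or from any ERP vendor: it classifies each configuration change as an SOD event when it touches a control field (approval threshold, routing, validation) and was made outside change management, has no approver, or was approved by its own author. The field names, the `CONTROL_FIELDS` set and the sample log entries are constructed for illustration.

```python
"""Added example: treat workflow and configuration changes as SOD events.

The change-log shape (who, approved_by, obj, field, old, new, ticket) is an
assumption for illustration, not any real ERP's export format.
"""
from dataclasses import dataclass
from typing import Optional

# Fields whose edit changes a control even though nobody's role changed.
CONTROL_FIELDS = {
    "approval_threshold",   # invoices under X skip approval entirely
    "approval_required",    # switches the approval step on or off
    "routing_rule",         # who receives the approval task
    "validation_rule",      # three-way match, duplicate check, and similar
}


@dataclass(frozen=True)
class ConfigChange:
    who: str                    # identity that made the change (human or agent)
    approved_by: Optional[str]  # identity that approved it under change management
    obj: str                    # workflow or configuration object touched
    field: str
    old: object
    new: object
    ticket: Optional[str]       # change-management reference, if any


@dataclass(frozen=True)
class Finding:
    change: ConfigChange
    reason: str


def classify_sod_finding(c: ConfigChange) -> Optional[str]:
    """Return why this change is an SOD event, or None if it passes the test."""
    if c.field not in CONTROL_FIELDS:
        return None
    if c.ticket is None:
        return "control change made outside change management (no ticket)"
    if c.approved_by is None:
        return "control change has no approver"
    if c.approved_by == c.who:
        return "author approved their own control change"
    return None


def scan(changes):
    """Run the author/approver separation test over a whole change log."""
    return [Finding(c, r) for c in changes if (r := classify_sod_finding(c))]


# Constructed sample log, not real data.
SAMPLE = [
    # The AP administrator from the text raises the skip-approval threshold herself.
    ConfigChange("ap_admin_01", None, "ap_workflow", "approval_threshold", 0, 50_000, None),
    # The same kind of change, through change management with a separate approver: passes.
    ConfigChange("ap_admin_01", "controller_02", "ap_workflow", "approval_threshold", 0, 5_000, "CHG-1042"),
    # An agent editing the routing of its own workflow and "approving" it itself.
    ConfigChange("agent:close-bot", "agent:close-bot", "je_workflow", "routing_rule", "controller", "none", "CHG-1043"),
    # Cosmetic change, not a control field: ignored.
    ConfigChange("ap_admin_01", None, "ap_workflow", "display_name", "AP", "Accounts Payable", None),
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.change.who} -> {f.change.obj}.{f.change.field}: {f.reason}")
```

The point of the scan is that the first and third entries are flagged even though no role was granted or revoked; a role-based SOD report would show nothing for either of them.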

Now apply that test to a general-purpose AI agent. An ungoverned agent operating inside a finance workflow is both maker and checker. It can draft a journal entry and assess whether the entry is correct. It can build a reconciliation and decide that the reconciliation is complete. It can modify the logic of the process it’s executing — adjusting thresholds, skipping validation steps, altering routing — without any change-management gate. That’s a control disaster.

From an auditor’s standpoint, there are only two architectures that survive scrutiny:

  1. The agent completes a task, and a human reviews the output every single time.
  2. The agent builds a deterministic, rule-based process. A human approves the process once, and it can be used repeatedly thereafter.

Option one works at low volume, but doesn’t scale. If every AI-generated output requires a human to review it before it can be trusted, you haven’t automated anything.

Option two is how modern finance automation should be built. The AI assists in designing and configuring the workflow. The workflow itself executes deterministically, under established controls, with a complete audit trail. The AI is governed, not autonomous.

5 Questions Your Auditor Is About To Ask You

If you’re deploying AI in SOX-relevant workflows (or plan to), prepare for these questions from your auditor:

  1. Can you show me a complete audit trail of every input, prompt, output, and decision the AI made for this transaction? If the model is a black box with no logging layer, the answer is no.
  2. Is the AI’s output deterministic? If I run the same inputs tomorrow, will I get the same result? Foundation models are probabilistic by design: sampling, provider-side model updates, and serving infrastructure can all change an answer between runs, and pinning the temperature to zero narrows that variance without eliminating it. Without a control layer that enforces deterministic execution, the answer is no.
  3. Who approved this workflow, and is the approver separated from the executor? If an AI agent both built the workflow logic and executes it in production, you have a segregation of duties violation, even if no human role changed.
  4. How do you control what the AI is allowed to do, and who can change that? If a business user or administrator can modify the AI’s scope, permissions, or workflow logic without formal change management, you have an ungoverned privileged user. Auditors will want to see who can change the AI’s behavior, how those changes are approved, and whether there is a log.
  5. What happens when the model changes? How do you ensure a model update doesn’t silently change the behavior of a control-critical workflow? Without version controls and regression testing in your control layer, you have no answer.

3 Things To Do Now

You don’t need to stop using AI in finance. You do need to govern it. Here are three things you can do now to get started:

1. Inventory Every AI Touchpoint in SOX-Relevant Workflows

Map where Claude, ChatGPT, Copilot, or any other model touches your close, reconciliations, journal entries, tax provision, or reporting. For each touchpoint, document who uses it, what the model does, the controls around it, and whether the output feeds into a SOX-relevant process. If nobody owns this inventory today, that’s your first finding, and arguably your most urgent one.

2. Demand an AI Control Layer, Not Just an AI Tool

The control layer around the model must provide three things: a complete audit trail that captures every input, output, and decision; deterministic execution, so that the same inputs produce the same result every time; and role separation between the human who approved the workflow and the AI that executes it. If your current AI tool cannot provide all three, it isn’t audit-ready, no matter how impressive the output looks.
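What such a control layer looks like in code, covering the three properties above and the auditor questions 1 through 5 in the previous section, as an added example that is not the article's or any vendor's implementation: a human approves a rule set once and its fingerprint is recorded; an executor identity that is the same as the approver is refused; a rule set whose fingerprint no longer matches the approved one (an edited threshold, or a regenerated workflow after a model change) is refused before it runs; execution itself is rule-based with no model call; and every run is appended to a hash-chained log that can be verified afterwards. The class and field names, and the sample invoices, are assumptions made for illustration.

```python
"""Added example: a minimal control layer between a model and a finance workflow.

ApprovedWorkflow, ControlLayer and the rule fields are illustrative names, not a
vendor API. The model's role is confined to drafting `spec`; it is never called
at execution time, which is what makes the run deterministic.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Dict, List


def fingerprint(obj: Any) -> str:
    """Stable SHA-256 of a JSON-serialisable object (canonical key order)."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass(frozen=True)
class ApprovedWorkflow:
    name: str
    spec: dict                 # the rule set the model helped draft
    approved_by: str           # human who approved the process once
    approved_fingerprint: str  # fingerprint(spec) at approval time


class ControlViolation(Exception):
    """Raised when a run would break role separation or version pinning."""


def run_rules(spec: dict, invoice: dict) -> dict:
    """Deterministic execution of the approved rules; no model in the loop."""
    matched = bool(invoice["po_matched"] and invoice["receipt_matched"])
    if matched and invoice["amount"] <= spec["auto_post_threshold"]:
        decision = "auto_post"
    else:
        decision = "route_to_approver"
    return {"decision": decision, "matched": matched}


class ControlLayer:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.log: List[Dict[str, Any]] = []   # append-only, hash-chained audit trail
        self._prev = self.GENESIS

    def execute(self, wf: ApprovedWorkflow, executor: str, invoice: dict) -> dict:
        # Role separation: the executor (human or agent) may not be the approver.
        if executor == wf.approved_by:
            raise ControlViolation("executor is also the workflow approver")
        # Version pinning: the spec running now must be the spec that was approved.
        if fingerprint(wf.spec) != wf.approved_fingerprint:
            raise ControlViolation("workflow spec changed since approval")
        output = run_rules(wf.spec, invoice)
        entry = {
            "prev": self._prev,
            "workflow": wf.name,
            "spec_fp": wf.approved_fingerprint,
            "executor": executor,
            "input": invoice,
            "output": output,
        }
        entry["hash"] = fingerprint(entry)   # hash covers everything above
        self._prev = entry["hash"]
        self.log.append(entry)
        return output


def verify_chain(log: List[Dict[str, Any]]) -> bool:
    """Recompute every entry hash and link; any edit or deletion breaks the chain."""
    prev = ControlLayer.GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or fingerprint(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    spec = {"auto_post_threshold": 5_000, "currency": "USD"}
    wf = ApprovedWorkflow("ap_auto_post", spec, "controller_02", fingerprint(spec))
    layer = ControlLayer()
    inv = {"id": "INV-1", "amount": 4_200, "po_matched": True, "receipt_matched": True}
    print(layer.execute(wf, "agent:ap-bot", inv))
    print("chain valid:", verify_chain(layer.log))
```

Two things worth noting in practice. The fingerprint is over the rule set, not over a model name, so it also catches the case where a model update silently regenerates a "slightly different" workflow: the regenerated spec has to go back through approval before it can run. And the hash chain only proves that the log has not been altered after the fact; it does not stop the executor from writing a false entry in the first place, which is why the log must be written by the control layer and not by the agent.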

3. Define Your Human-in-the-Loop Policy

For every AI-touched workflow, decide explicitly which outputs require human review before they are acted on, which can run autonomously, and who makes that determination. If the answer is “we haven’t decided” or “it depends on who’s using it,” you have a gap. Auditors will want to see a clear, written standard that maps each workflow to a defined level of human oversight, with an owner accountable for that decision.

Close the Gap Before Your Auditor Does

AI-driven transformation in finance is already underway, and the teams that move fastest will gain real advantages in speed, accuracy, cost, and more. But speed without governance is just liability, and in a SOX environment, that comes with painful consequences.

Claude, ChatGPT, Copilot, and their ilk are all powerful tools. They are not, however, audit-defensible on their own, and that matters enormously.

What makes AI audit-defensible is a control layer between the model and the workflow: the audit trail, deterministic execution, and role separation. Without that, you’re deploying a privileged user with no oversight into your most sensitive financial processes. 

This is the gap Savant was built to close. Our platform enforces the controls that make AI audit-ready. Every action is logged, every workflow executes deterministically, humans approve the process while AI executes within it. With all that in place, finance teams can move fast with AI without sacrificing control posture. 

Your auditor is going to notice the gap. Will you close it before they do?
