Organizations / FIX Community
FIX Community
FIX Trading Community — AI Working Group · www.fixtrading.org/
The FIX Trading Community standardises electronic trading. Its AI Working Group is developing runtime-governance standards for agentic AI in capital markets — the basis for the policy pack below.
How the publications map to ponens policies
The FIX AI Working Group's runtime-governance proposal defines a traffic-light scheme — Green (proceed), Amber (flag/refer), Red (halt) — across five domains: identity & authorisation, intent & constraint, capability & DCE, runtime telemetry & trajectory, and approval & release gating. ponens maps each traffic-light condition onto a temporal-logic policy evaluated over an agent's execution trace. This is exactly the form the proposal itself demands of any binding control (§10.3): “a deterministic function over the governed state… executing independently of the language model.” A ponens policy is precisely that function.
Each domain becomes a policy group, plus the Szpruch et al. capability failure modes (C1–C4); a policy's severity encodes Red (error) versus Amber (warning), and its tier tag selects the Assistive–to–Critical-Autonomous profile. Running the pack with ponens trace check aggregates the per-policy verdicts into the GovernanceState the proposal wants carried in a new FIX field — all-pass is Green, a warning-fail is Amber, an error-fail is Red. The genuinely population-level conditions (orchestration drift, compound-workflow market-disorder testing) are the proposal's own Gap 5 and sit outside per-trace policy.
Agentic AI Runtime Governance
The FIX AI Working Group's traffic-light (Green / Amber / Red) runtime-governance scheme, expressed as computable policies over an agent's execution trace.
Maps the FIX AI WG proposal on Agentic AI Runtime Governance onto ponens policies. Each traffic-light condition across five domains — identity & authorisation, intent & constraint, capability & DCE, runtime telemetry & trajectory, and approval & release gating — plus the Szpruch et al. capability failure modes (C1–C4), becomes a deterministic check that `ponens trace check` aggregates into a Green/Amber/Red GovernanceState.
Source: FIX AI WG — Proposal on Agentic AI Runtime Governance (Healey & Houston, Jun 2026); Szpruch, Sudjianto, Bhatti & Ang (2026).
Identity & Authorisation 4
agent_identity_resolved error Agent Identity Resolved
Every agentic action must carry a resolvable AgentID bound to a valid KYA credential (NIST IAL2 human principal).
G(action → agent_id_resolved ∧ kya_valid)credential_not_expiring warning Credential Not Expiring
KYA/vLEI credentials must not be within the expiry window (proposed threshold < 30 days).
G(action → ¬credential_expiring)dce_current_for_consequential error DCE Current for Consequential Actions
Consequential actions may proceed only while the referenced Deterministic Control Envelope (AlgoCertificate) is current and not invalidated.
G(ToolCall ∨ Release ∨ Deploy → dce_current)legal_entity_vlei_present error Legal Entity (vLEI) Present
Every action must carry the verifiable LEI (vLEI / AgentOwnerLEI) of the regulated entity on whose behalf the agent acts.
G(action → vlei_present)Intent & Constraint 3
execution_linked_to_intent error Execution Linked to Intent
Every consequential action must resolve to a declared IntentID — the pre-declared objective and constraint set that authorised it.
G(ToolCall ∨ Release ∨ Deploy → intent_resolved)policy_reference_current error Policy Reference Current
The governing PolicyRefID must reference a current, certified policy document (not superseded or revoked).
G(action → policy_current)within_constraint_scope error Within Constraint Scope
Every action must fall within the active ConstraintSet binding the execution (limits, permissions, risk envelope).
G(action → within_constraint_scope)Capability & DCE 7
consequential_action_approved error Consequential Action Approved
A consequential action must be preceded by a passed, authenticated approval gate.
G(Release ∨ Deploy → P(UserApproval ∧ authenticated))default_deny_confirmed error Default-Deny Confirmed
At Tier 4 a default-deny authorisation must be confirmed before any tool call.
G(ToolCall → P(default_deny_confirmed))dual_approval_critical error Dual Approval for Critical Autonomous
Tier 4 (Critical Autonomous) release requires two distinct authenticated approvals before proceeding.
G(Release → P(UserApproval ∧ approver_1) ∧ P(UserApproval ∧ approver_2))numeric_recomputed_deterministically error Numeric Recomputed Deterministically (C2)
Capability C2 (Deterministic Numeric Computation): numeric results must be recomputed by a deterministic (non-LLM) calculator, not asserted by the model.
G(Compute → deterministic_recompute)outputs_policy_constrained error Outputs Policy-Constrained (C3)
Capability C3 (Policy-Constrained Drafting): drafted outputs must comply with approved templates and policy rules.
G(Draft → template_compliant)retrieved_data_attributed error Retrieved Data Attributed (C1)
Capability C1 (Retrieval & Attribution): retrieved data must carry provenance and recency checks before it is relied upon.
G(Retrieve → provenance_checked ∧ recency_checked)tool_calls_allowlisted error Tool Calls Allowlisted
Every tool/capability invocation must lie within the certified allowlist for the agent's tier.
G(ToolCall → in_allowlist)Runtime Telemetry & Trajectory 5
no_guard_violation error No Guard Violation
No runtime guard (alignment/confidence/policy-boundary) violation may occur in the trajectory.
G(¬guard_violation)no_prohibited_transition error No Prohibited Transition
No action may attempt a transition that is not defined in the governed transition system for the current state.
G(¬prohibited_transition)telemetry_spans_complete error Telemetry Spans Complete
Every required governance-semantic telemetry span (capability invocations, tool calls, guard evaluations, approval events) must be recorded.
∀ s ∈ telemetry . s.status = recordedtool_call_budget warning Tool-Call Budget
The number of tool calls in a single workflow must stay within the per-workflow budget. Budget shown as 20; set per deployment.
count(ToolCall) ≤ 20trajectory_within_bound error Trajectory Within Bound (Lmax)
The execution trajectory length must stay within the certified maximum (Lmax). Bound shown as 50; set per deployment.
count(action) ≤ 50Approval & Release Gating 2
decision_path_reconstructable warning Decision Path Reconstructable
Each consequential message should carry a DecisionPathID linking to a reconstructable decision graph.
G(Release ∨ Deploy → decision_path_present)no_release_without_authenticated_approval error No Release Without Authenticated Approval
External-facing release or dispatch may occur only after an authenticated approval event whose scope covers the intended action (Szpruch capability C4: Gated Release & Dispatch).
G(Release ∨ Deploy → P(UserApproval ∧ authenticated ∧ approval_scope_covers))