Skill Risk Intelligence Hub
Skill Risk Intelligence Hub governs enterprise-scale agent autonomy.
Sphere should not ask BP to trust autonomous finance decisions on day one. It should progressively earn trust through authority ceilings, deterministic policy gates, mandatory evidence, simulation, replay, learning governance, kill switches, and runtime risk monitoring.
Current-state risk assessment
The risk is not whether agents can make decisions. The enterprise question is whether BP can let agents operate at scale without creating financial, operational, compliance, cybersecurity, or reputational risk.
| Risk | Failure mode | Control enhancement |
|---|---|---|
| Skill explosion | Duplicate Agent V1 / APAC / Europe / Retail variants proliferate | Skill Governance Layer with domain, process, subprocess, owner, version, supersedes. |
| Hallucinated decision | LLM says likely duplicate without proof | Mandatory Evidence Runtime; no evidence means no recommendation. |
| Learning corruption | Bad supervisor approval becomes institutionalized | Learning candidates must pass validation, simulation, approval, and promotion. |
| Hidden prompt drift | Behavior changes because a prompt changed manually | Skill Compiler stores compiled prompt packages with source versions and prompt hashes. |
| Tool invocation chaos | Agents repeatedly call SAP for simple context | Context Aggregation Layer routes FIM/UDP/Databricks first, SOR confirmation only when required. |
| Agent cost explosion | Large models used for deterministic work | Reasoning hierarchy: rules/Python first, small model second, large model only when needed. |
| Ontology drift | Invoice object changes and past decisions become unreplayable | Ontology Version Runtime on every decision and replay record. |
| Uncontrolled agent creation | Payment Release Agent appears with write access | Agent Authority Framework with READ, RECOMMEND, PREPARE, EXECUTE, WRITE/RESTRICTED ceilings. |
| Explainability gap | Executive asks why and cannot inspect evidence | Decision Replay Runtime: input, context, memory, policy, tools, reasoning, decision, outcome. |
| Enterprise change management | Policy/control threshold changes bypass governance | Governed Promotion Pipeline with testing, simulation, UAT, approval, and production. |
10-layer risk management architecture
| Layer | Control | Why BP needs it |
|---|---|---|
| 1. Authority-Based Execution | Observe, Recommend, Prepare, Controlled Execute, Autonomous Execute, Restricted | Prevents unrestricted finance execution. |
| 2. Policy Guardrails | DofA, SoD, payment, credit, tax, close, evidence, and approval policies | Policy decides; prompts cannot override. |
| 3. Evidence Requirement | Decision, source, confidence, reasoning, policy reference | No evidence = no recommendation. |
| 4. Confidence-Based Escalation | >95% only if authority allows; 80-95% review; <80% escalation; <60% request evidence | Keeps ambiguity human-controlled. |
| 5. Simulation Before Production | Historical replay, edge cases, audit samples, known failures | Validates skill behavior before deployment. |
| 6. Promotion Pipeline | Draft → testing → simulation → business review → controls review → production | Treats skills as deployable enterprise assets. |
| 7. Learning Governance | Observation → candidate pattern → validation → simulation → approval → promotion | Stops bad learning from entering production. |
| 8. Decision Replay | skill_version, policy_version, ontology_version, memory_snapshot, prompt_snapshot, tools, evidence, decision, outcome | Makes audit reconstruction possible. |
| 9. Enterprise Kill Switch | Disable skill, disable domain, read-only mode, emergency runtime stop | Allows immediate containment. |
| 10. Runtime Risk Monitoring | Override rate, evidence gaps, drift, token anomalies, SAP consumption, failed tool calls | Monitors whether autonomy remains safe. |
| Authority level | Mode | Allowed behavior |
|---|---|---|
| Level 0 | Observe | Can only read and explain KPI, close, forecast, or risk context. |
| Level 1 | Recommend | Can suggest duplicate hold, collections priority, journal risk, or escalation. |
| Level 2 | Prepare | Can draft supplier email, credit memo, journal, ticket, or remediation package. |
| Level 3 | Controlled Execute | Can send reminders, create tickets, or update case status within policy. |
| Level 4 | Autonomous Execute | Only for highly validated low-risk actions such as low-risk cash matching. |
| Level 5 | Restricted | Never autonomous: payment release, journal posting, vendor creation, master-data changes. |
Skill Simulation and Promotion Pipeline
The highest-priority enhancement is the Skill Simulation Environment. No learning or new finance behavior should enter production without historical replay, edge-case testing, audit samples, and deployment recommendation.
| Metric | Examples | Governance value |
|---|---|---|
| Precision / recall | Duplicate, collection, journal, close, and control outcomes | Proves accuracy before production. |
| False positives / false negatives | Known failures, SOX-sensitive cases, edge cases | Quantifies business and control risk. |
| Business impact | Cash protected, leakage avoided, manual effort removed, close risk reduced | Connects validation to BP value. |
| Cost and latency | Token cost, tool calls, SAP calls, runtime latency | Prevents cost and API consumption surprises. |
| Deployment recommendation | Promote, defer, restrict autonomy, or require more evidence | Turns testing into governance action. |
Learning governance
Runtime risk monitoring
Operational risk
Agent failures, tool errors, SLA misses, escalation spikes, and unresolved cases.
Financial risk
Write-capable skills, payment exposure, journal impact, credit exposure, and leakage risk.
Compliance risk
Policy violations, SoD conflicts, evidence gaps, control exceptions, and approval bypass attempts.
Model risk
Drift, hallucination indicators, low-confidence recommendations, and prompt/package changes.
Learning risk
Unapproved learning candidates, rejected patterns, supervisor override clusters, and promotion backlog.
Cyber risk
Unauthorized access attempts, prompt-injection indicators, source permission mismatches, and identity delegation gaps.
Cost risk
Token spikes, large-model overuse, repeated SAP reads, and expensive tool-call paths.
Kill-switch readiness
Skill disable, domain disable, read-only mode, and emergency stop status.
BP-specific risk mitigations
| BP risk | Why it matters | Mitigation |
|---|---|---|
| SAP API cost explosion | Agents call SAP directly too often | FIM/UDP/Databricks context first; SAP only for confirmation or governed write-back. |
| Continuous Close misstatement | Agent autonomously creates accrual or posting | Recommend and prepare only until simulation, controls, and controller approval prove safety. |
| Collections customer impact | Bad communication harms customer relationship | Draft → review → send until customer-contact controls are approved. |
| Skill proliferation | Overlapping skills across towers | Skill Governance Board, owner, process, supersedes, reuse score, and deprecation workflow. |
| Prompt injection | User asks agent to ignore policies or release payment | Policies execute outside the LLM and cannot be overridden by prompt text. |