AI Agent Portfolio (Case Study)
A sanitized case study of designing an AI agent portfolio for a second-line risk function at a regulated Luxembourg fund services firm — seven agents, five flows, one governance layer — with the part most write-ups skip: the full genericized prompt pack, the 13-risk control matrix, and the deployment probes. The prompts are copy-ready.
This is a sanitized reconstruction of a real deployment: an AI agent portfolio built for a second-line risk function at a regulated Luxembourg fund services firm, on an enterprise agent platform, with SharePoint, Outlook and Teams as the plumbing. Seven conversational agents — a memory vault, a DDQ responder, an outsourcing assessment agent, a committee-pack builder, an SOP builder, an ERM support agent and an incident reporter — plus five flows and one governance layer, all maintained by one person. The case study is unusual in showing the controls, not just the capability. Each system carries its controls in the design rather than in good intentions: the DDQ responder has no send capability; the audit chaser can only create drafts; the shared ERM agent's knowledge space structurally contains no entity data to leak. Eight design lessons distil what survived contact with reality — rules go in reference documents, not persona text; structural controls beat behavioural ones; facts and suspicion never share a sentence. It then hands over the material: a full genericized prompt pack (a persona and a verbatim rules document for every agent, copy-ready), a 13-risk control matrix with control tiers, and a set of adversarial deployment probes to run at go-live and re-run annually.
- A worked seven-agent, five-flow portfolio for a second-line risk function
- Eight design lessons that survived contact with a real deployment
- A copy-ready prompt pack — persona plus verbatim rules document per agent
- A 13-risk control matrix with structural / automated / manual control tiers
- Six adversarial deployment probes — fabrication, consistency, gate, cross-entity, speculation, empty-day
- Genericized and sanitized — all prompts generic, all examples fictional, no employer data
There is no shortage of demonstrations that an AI agent can draft a deliverable. There is very little published on what a risk-and-control framework looks like when it does — which controls change, which are enforced by design, and how the whole portfolio is governed and evidenced. Practitioners are left to reinvent both the prompts and the controls from scratch. This case study closes that gap with a concrete, sanitized example and the reusable material behind it: the prompt pack, the control matrix and the deployment probes. It is a portfolio piece and a starting kit at once — showing not just that agents can do second-line work, but how to make that work defensible.
Status
LiveRegulation
AI Model RiskFormat