FinHarness: An Inline Lifecycle Safety Harness for Finance LLM Agents

The rapid evolution of large language models (LLMs) has transformed the landscape of intelligent agents, enabling automated execution of complex workflows across various domains. In finance, LLM agents have been deployed to autonomously handle multi-step business processes such as loan approvals, fund transfers, and contract management. These agents interleave natural language reasoning with external tool invocations, as exemplified by frameworks like ReAct and Toolformer, which synergize reasoning and acting capabilities. However, the financial domain presents unique challenges due to the irreversible nature of many state-changing operations and stringent compliance requirements.

Existing safety mechanisms primarily rely on two paradigms: boundary filters that perform coarse allow/deny decisions at conversation boundaries, and post-hoc LLM judges that audit completed interaction traces. Boundary filters are lightweight and stateless but lack visibility into intermediate tool calls, making them vulnerable to sophisticated prompt-injection attacks that fragment malicious payloads across turns or embed them within retrieved documents. Post-hoc judges offer higher accuracy but intervene too late, often after irreversible actions have been executed, and their computational cost scales linearly with the length of the interaction trace, limiting scalability.

Recent benchmarks such as AgentDojo and Agent-SafetyBench have highlighted these vulnerabilities in tool-using agents, while domain-specific evaluations like FinVault have underscored the criticality of securing financial workflows. Runtime guardrail systems like GuardAgent and InferAct attempt to mitigate risks by integrating prompt-injection defenses, agent alignment, and code-level risk scanners, but often lack lifecycle integration or impose high computational overhead. Thus, there remains a pressing need for an inline, lifecycle-integrated safety mechanism that can monitor and intervene in real-time during agent execution, balancing security, efficiency, and business continuity.

The core problem addressed by FinHarness is the real-time detection and prevention of unauthorized, irreversible operations executed by financial LLM agents during multi-step workflows. Specifically, the challenge lies in blocking adversarial trajectories that exploit prompt-injection vulnerabilities to trigger illicit tool calls, such as unauthorized fund transfers or KYC data leaks, without impeding legitimate multi-turn business processes.

Traditional boundary filters fail to monitor the execution loop where tool calls occur, leaving a blind spot that attackers can exploit by fragmenting malicious instructions or hiding them within retrieved content. Post-execution auditing by LLM judges, while accurate, is inherently reactive and computationally expensive, often arriving too late to prevent damage. Moreover, the linear growth in audit complexity with trace length makes it impractical for long interactions.

Therefore, the problem requires designing a safety harness that operates inline within the agent's execution lifecycle, observing every intermediate state and tool invocation, dynamically assessing risk, and providing timely feedback to the agent. This harness must achieve high recall in blocking attacks, preserve benign approval rates to maintain business utility, and maintain bounded per-step computational cost independent of trajectory length. Balancing these competing objectives in a high-stakes financial environment is a significant technical bottleneck.

FinHarness introduces several core innovations to address the outlined challenges:

1. Inline Lifecycle Architecture: Unlike prior approaches that treat safety as an external or post-hoc process, FinHarness embeds safety monitoring and intervention directly within the agent's execution loop. This inline positioning enables real-time observation and control over every tool call, closing the visibility gap present in boundary filters.

2. Multi-Dimensional Risk Cumulant: The framework fuses deterministic compliance priors over user queries and tool signals into a unified session-level risk cumulant. This cumulant integrates single-turn intent indicators (e.g., verb tiers, amount thresholds, coercion lexicons) with cross-turn drift signals (e.g., false references, debug modes, approval code anomalies), capturing both immediate and evolving risk patterns.

3. Adaptive Judge Routing via Sliding Risk Window: FinHarness employs a sliding window over recent risk scores to decide whether to route verification to a lightweight judge (gpt-4o-mini) or an advanced-tier judge (gpt-4o). This adaptive routing balances the trade-off between computational cost and verification accuracy, ensuring efficient resource utilization.

4. Dynamic Evidence Injection: Triggered risk factors are re-injected as structured ex-ante evidence into the agent's input across multiple contextual zones (user conversation, recalled history, current step). This mechanism empowers the agent to autonomously refuse, re-plan, or escalate actions, fostering a closed-loop interaction between safety signals and agent policy.

5. Selective Episodic Memory: To support informed judge decisions, the system recalls at most two prior steps selected based on semantic similarity, entity overlap, and information provider indicators, ensuring bounded memory usage while capturing relevant context.

Collectively, these innovations enable FinHarness to achieve high safety recall, maintain benign approval rates, and control computational overhead in complex financial workflows.

FinHarness's methodology comprises the following key components and processes:

• �� Query Monitor:
• Input: User turn text at step k.
• Process: Compute single-turn intent risk scores (Q1-Q5) based on verb tier, amount magnitude, risk-product flags, coercion/urgency lexicons, and injection lexicons.
• Compute cross-turn drift scores (D1-D5) detecting false references, pseudo test modes, phantom approval codes, verb-tier jumps, and closing imperatives.
• Fuse these into a session-level risk cumulant C_query with gravity decay to preserve structural drift signals.
• Output: Advisory labels (UNSAFE, UNCERTAIN, SAFE, or dead zone) injected as evidence into agent input.

• �� Tool Monitor:
• Input: Proposed tool call at step t.
• Process: Evaluate risk heads H1-H5 including permission tier prior, dangerous parameter matches, argument anomalies, business fact discrepancies, and tool sequence anomalies.
• Fuse tool risk c_tool with latest query risk C_query to obtain step risk s_t.
• Output: Step-level risk score and fired rule heads.

• �� Cascade Module:
• Input: Step risk scores over a sliding window of length W.
• Process: Sum risk scores; if above threshold θ, route verification to advanced judge (gpt-4o), else to lightweight judge (gpt-4o-mini).
• Recall up to two prior steps based on semantic similarity, entity overlap, and info-provider indicators for judge context.
• Output: Judge verdict (UNSAFE, UNCERTAIN, SAFE) and fired evidence.

• �� Dynamic Evidence Injection:
• Fired rule heads from Query Monitor, Tool Monitor, and Cascade are dynamically injected into agent input at multiple contextual zones.
• Enables agent to autonomously decide to refuse, re-plan, escalate, or approve.

• �� Design Guarantees:
• Bounded recalled history ensures per-step cost is independent of trajectory length.
• Non-decaying structural memory prevents attackers from evading detection by intermittent benign behavior.

This architecture ensures real-time, efficient, and adaptive safety monitoring tightly coupled with agent decision-making.

Experiments were conducted on the FinVault benchmark, which includes 214 cases (107 benign and 107 attack) spanning 31 financial scenarios such as personal credit, home mortgage, supply-chain finance, insurance, and securities. The attacks cover four broad families: parameter injection, pledge/margin manipulation, document fabrication, and privacy subject shifting. Additional evaluations were performed on an 856-trace all-attack synthesis set and the financial subset of Agent-SafetyBench (ASB) for out-of-distribution testing.

The agent backbone was gpt-4o-mini with native compliance prompts and tool annotations. Multiple baselines were compared, including no harness (B0), prompt-hardening (B1), per-step cheap and advanced judges with varying history lengths (B2-B4), off-the-shelf LlamaFirewall mappings (B5), and adapted GuardAgent and InferAct references (B6/B7).

Metrics included Attack Success Rate (ASR), benign approval rate, and judge call counts. Decoding was greedy with temperature zero. Ablations analyzed the contributions of Query Monitor, Cascade routing, and evidence injection. Statistical significance was assessed via McNemar tests.

FinHarness's main configuration reduced ASR from 38.3% to 15.0% on FinVault while maintaining benign approval at 39.3%, closely matching advanced judge baselines. Compared to always invoking the advanced judge, it reduced advanced judge calls by 4.7×, significantly lowering computational cost. The Query Monitor provided zero-cost early warnings, firing on 53 of 107 attacks with 94.6% precision. The Cascade module routed 73% of hard-stops to the lightweight judge, reserving the advanced judge for residual cases. Adapted external guardrails achieved lower ASR (2.8% and 0.9%) but at the cost of collapsing benign approvals to 8.4%, demonstrating FinHarness's superior safety-utility balance. Per-attack-type analysis showed largest gains on emotional manipulation (-43.8 pp) and document fabrication (-25.0 pp), with some regression on direct injection attacks.

FinHarness is directly applicable to financial automation scenarios requiring secure multi-step workflows, including personal loan processing, supply-chain financing, insurance claims, and securities trading. Its inline monitoring and adaptive judge routing enable real-time risk assessment with low latency, suitable for deployment in banking institutions and fintech platforms. By empowering agents with autonomous risk-aware decision-making, it reduces reliance on human intervention, enhancing operational efficiency and customer experience. The framework's modular design allows extension to other high-risk domains where LLM agents interact with irreversible tools, such as healthcare and legal services.

FinHarness relies on a fixed set of deterministic rule heads and static parameters, limiting adaptability to evolving attacker tactics and novel threats. The evaluation is limited to single-run experiments on specific benchmarks, lacking robustness assessments across diverse model versions, prompt templates, and tool simulators, which may affect generalizability. Additionally, certain single-step syntactic attacks perform better against lightweight judges, where FinHarness shows slight regression, indicating the need for integrating fast-reject mechanisms to complement the current architecture. These limitations highlight areas for future enhancement in dynamic learning and broader validation.