FactSet and Google Cloud put finance agent audit trails at the center of KYA

The FactSet and Google Cloud partnership is not a Know Your Agent rule. It is still a strong market signal: when financial AI agents move from sourced research into portfolio operations, deal advisory, and corporate-finance workflows, the control question becomes whether every agent action is attributable, permissioned, observable, and defensible.

Daily signal: FactSet announced a strategic partnership with Google Cloud to build AI-powered financial intelligence, including FactSet data inside Gemini Enterprise through MCP and agent-sharing functionality, plus jointly developed agents for portfolio operations, deal advisory, and corporate finance. KYA implication: "fully sourced, auditable, and defensible" outputs need a practical evidence file for the agent, the operator, the data boundary, the tool call, the human intervention point, and the record-retention obligation.

Why this matters for KYA

Financial AI agents are crossing an important boundary. A research assistant that summarizes a filing creates one kind of record. A finance agent that calls MCP servers, uses proprietary data, shares context with another enterprise agent, drafts an investment workflow, updates a portfolio-operations task, or routes a deal-advisory step creates a different compliance problem. The institution must prove not only that the answer was sourced, but also which agent produced it, what data it used, what tools it called, which permissions constrained it, and whether a human approved any high-impact action.

Google Cloud's Gemini Enterprise materials make the KYA control stack more concrete. Agent Registry catalogs agents and custom MCP servers. Agent Identity gives agents granular permissions. Agent Gateway is described as a policy enforcement point for tool calls, authentication, and security policies. Observability provides metrics and traces. July 2026 release notes also added managed organization policy constraints for data connectors and regional support for Japan, the UK, India, and Singapore. For regulated finance, those pieces map directly to operator identity, mandate, tool access, audit trail, security, and jurisdiction fit.

Screenshot-ready KYA compliance comparison table

KYA dimensionWeak finance-agent postureProduction-grade KYA postureEvidence reviewers should expect
Operator identityThe user sees a branded finance assistant, but records do not separate the financial-data provider, cloud platform, model, MCP server, agent runtime, deployment owner, and accountable regulated firm.Every finance agent has a stable identity tied to the legal operator, client environment, runtime, model version, MCP server inventory, data provider, and accountable business owner.Agent ID, Agent Registry record, SPIFFE or fallback identity, regulated entity, data provider, cloud region, model/runtime version, owner, deployment date, change log, deactivation record.
Agent mandateThe agent is described broadly as research, productivity, or workflow automation, even when it can move into portfolio operations, corporate-finance tasks, or deal-advisory workflows.The mandate separates research, retrieval, synthesis, recommendation, workflow drafting, workflow execution, portfolio operation, external communication, and escalation.Mandate version, allowed use cases, prohibited actions, portfolio or deal scope, human-review threshold, approval role, customer or desk authorization, expiration, revocation record.
Wallet and custodyCapital movement and custody are treated as outside the AI layer, so the agent record does not show whether outputs can influence trades, payments, settlement, treasury, or account instructions.The KYA file states whether the agent can only inform a human decision or can initiate, draft, approve, route, or execute money movement through downstream systems.Trading or payment authority class, account scope, settlement-system link, treasury workflow link, custody boundary, order or payment pre-approval, value limit, exception and dispute path.
Tool and venue accessMCP servers, enterprise search, proprietary datasets, third-party connectors, and workflow tools are added as productivity integrations without a risk-tier map.Tools are classified by read, retrieve, enrich, recommend, draft, execute, export, and share, with allow and deny rules enforced through a gateway or equivalent control point.MCP server inventory, data-source allowlist, egress FQDN policy, tool-call permissions, connector scope, external-sharing rule, blocked action log, policy decision, venue or dataset eligibility.
Audit trailThe output includes citations, but the firm cannot reconstruct the full run, data snapshot, prompt context, model version, MCP call path, policy decision, and human intervention.The audit trail links the user, agent, task, data source, retrieved records, tool calls, model output, citation set, approval event, final workflow action, and retention rule.Run ID, prompt/context hash, data snapshot, source citations, MCP call log, policy decision, trace span, output version, approver ID, workflow action ID, retention and legal-hold status.
Security and abuseTrust is inferred from the vendor relationship, popularity of MCP tools, or enterprise authentication, with limited inspection for prompt injection, tool poisoning, data exfiltration, or overbroad egress.The agent uses least privilege, connector restrictions, egress controls, threat scanning, prompt and tool inspection, anomaly monitoring, incident response, and rapid revocation.Authentication result, permission review, connector policy, egress policy, threat finding, prompt/tool alert, anomaly event, blocked call, revocation record, incident ticket, remediation evidence.
Jurisdiction fitThe same agent path is used across markets without mapping securities supervision, recordkeeping, data residency, outsourcing, AI governance, privacy, and client-data restrictions.The agent checks jurisdiction, client segment, regulated activity, data location, model-processing region, record-retention period, outsourcing chain, and supervisory obligation before use.Jurisdiction matrix, data residency setting, ML processing region, regulated-activity assessment, outsourcing record, FINRA or local-rule mapping, privacy review, retention schedule, complaint route.

The compliance lesson

The phrase "auditable AI" is not enough for regulated finance. A cited answer can still be weak evidence if the organization cannot show the exact agent identity, data boundary, MCP call, permission rule, and human intervention step behind it. In securities, wealth, private markets, and corporate finance, the audit file must connect source quality with operational authority.

The FactSet and Google Cloud signal is important because it joins three layers that KYA teams usually review separately: trusted financial data, enterprise agent governance, and workflow automation. Once those layers converge, a finance agent becomes a controlled actor inside the institution. KYA is the file that proves what that actor was allowed to do.

Practical KYA checklist

Bottom line

Finance agents will not be judged only by whether their answers have citations. They will be judged by whether a reviewer can reconstruct who controlled the agent, what mandate applied, which data and tools were available, how policy was enforced, when a human intervened, where records were retained, and whether the workflow fit the jurisdiction. That is the KYA audit file.

Sources reviewed: FactSet, "FactSet Announces Strategic Partnership with Google Cloud to Bring Advanced AI to Financial Intelligence" (July 2026); Google Cloud Gemini Enterprise Agent Platform documentation; Google Cloud Gemini Enterprise release notes (June 24-July 7, 2026); TechInformed, "FactSet-Google Cloud deal tests audit trails for finance AI agents" (July 8, 2026). These are product, platform, and market-structure signals, not formal regulatory adoption of Know Your Agent.