A login does not say what AI is allowed to do.
Financial institutions know how to authenticate users, services, and workloads. AI creates the next question: after login, what can it do, what must be blocked, and when does a person need to say yes?
Identity is not permission for every action.
AI can move across accounts, workflows, files, and systems. The risk is not only who it is. The risk is what it is about to do.
A vendor dashboard can help operations. It is not the same as a receipt that shows the action, the rule that applied, the person who approved it (if one was involved), and the proof.
The receipt is the thing you can inspect after the action.
One action. One rule. One record.
What did the AI try to do?
The receipt starts with the specific action, not a broad system claim.
Was it allowed or blocked?
The rule can allow, block, or ask a named person before the action proceeds.
Can it be checked later?
Receipts and audit chains make the decision inspectable after the run.
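As an added illustration of the one-action, one-rule, one-record model described above (example code written for this page, not ZLAR's own implementation; the action classes, rule ids, and the "ops-lead" approver are hypothetical), this Python router resolves each action to allow, block, or ask, and appends a hash-chained receipt that can be re-verified after the run.

```python
import hashlib
import json

# Constructed policy table (hypothetical action classes and rule ids).
# Each rule resolves to allow, block, or ask; "ask" names the person who must say yes.
POLICY = {
    "read_statement":      {"rule": "R1", "decision": "allow"},
    "initiate_transfer":   {"rule": "R2", "decision": "ask", "approver": "ops-lead"},
    "export_customer_pii": {"rule": "R3", "decision": "block"},
}
DEFAULT_RULE = {"rule": "R0", "decision": "block"}  # unrouted or unknown action: default deny


def _digest(record):
    """Stable hash of a receipt body (sorted keys so the same content always hashes the same)."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def route_action(action, chain, approved_by=None):
    """Evaluate one action against its rule and append exactly one receipt to the chain.
    Returns the outcome ('allow' | 'block' | 'ask') that the caller must enforce."""
    rule = POLICY.get(action["type"], DEFAULT_RULE)
    outcome, person = rule["decision"], None
    if outcome == "ask" and approved_by == rule["approver"]:
        # Only the named approver turns ask into allow; anyone else leaves it pending.
        outcome, person = "allow", approved_by
    body = {
        "seq": len(chain),
        "action": action,            # the specific action, not a broad system claim
        "rule": rule["rule"],
        "decision": outcome,
        "person": person,            # the accountable person, if a person was involved
        "prev": chain[-1]["hash"] if chain else "0" * 64,
    }
    chain.append({**body, "hash": _digest(body)})
    return outcome


def verify_chain(chain):
    """Recompute every hash and link; False if any receipt was altered or one was removed
    from the middle. Removal of the newest receipts is not detectable this way, so the
    latest hash must be anchored somewhere the writer cannot change."""
    prev = "0" * 64
    for i, receipt in enumerate(chain):
        body = {k: v for k, v in receipt.items() if k != "hash"}
        if receipt["seq"] != i or body["prev"] != prev or _digest(body) != receipt["hash"]:
            return False
        prev = receipt["hash"]
    return True
```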
Start away from core customer impact.
The right first conversation is a bounded internal workflow, a routed MCP or tool surface, or a non-customer-impacting action path where risk, compliance, and engineering can define allow, block, and ask together.
Next action
Bring one financial-services action class where the route, policy, accountable authority, receipt, refusal rule, and side doors can be named.
Boundary
- ZLAR governs routed/intercepted action surfaces only.
- Receipts support action-level review; they do not prove the action was correct, lawful, fair, or wise.
- ZLAR does not replace institution-owned controls, custody, retention, or supervisory judgment.
- A private-by-default non-Vincent verifier request has been sent; no public external attestation is claimed in this repo, and any private reply or later result remains bounded by verifier relationship, disclosure permission, and exact evidence returned.