
Bridging AI Governance and Cloud Infrastructure

Event: FINOS OSFF NY 2025
Location: New York, USA
Date: October 21, 2025

AI models are rapidly approaching human expert-level performance in finance and insurance, with GPT-5 high expected to reach a 48% win rate (parity with industry experts). This talk explores how to bridge AI governance frameworks with cloud infrastructure to deploy AI agents securely in financial services.

FINOS Contributions

My work with FINOS focuses on two key areas:

  • AI Governance Framework (AIGF): Developing agentic reference architectures with associated risks and mitigations
  • CALM: Building a new visualizer for architecture-as-code

Understanding AI Agents

Modern AI agents consist of four key components:

  • Memory: Persistent storage for context and learning
  • Communication: Interfaces for text, audio, images, and agent-to-agent communication
  • Tools: RAG, search, APIs, and MCP servers
  • Intelligence: Natural language processing, reasoning, and planning capabilities

FINOS CALM (Common Architecture Language Model)

CALM provides an industry-standard approach to architecture-as-code with:

  • Core Model: Structured architecture definitions in JSON
  • CLI Tools: Command-line utilities for working with architectures
  • Patterns: Reusable architectural patterns

CALM Workflow

The typical CALM workflow enables:

  1. C4 Design and Review
  2. Publishing to CALM Hub
  3. Generating Infrastructure as Code, Configuration, and Documentation
  4. Validation and storage

Visualizing AI Architectures

The CALM Visualizer and Explorer tools provide:

  • Interactive architecture visualization
  • Architecture Decision Records tracking
  • Support for visualizing agent+MCP server architectures
  • Export capabilities for documentation

MCP Risks & Mitigations

When deploying AI agents with Model Context Protocol (MCP) servers, three key risks emerge:

  1. Unknown, untrusted servers: Agents may connect to any MCP server → Mitigate with centralized proxy
  2. Unbound tool access: Agents may use any tool on MCP servers → Mitigate with tool filtering
  3. Incomplete logging: Logging left to agents themselves → Mitigate with network-level logging

AI Gateway Architecture

Using Envoy AI Gateway, we can implement:

  • HTTPRoutes: Central control for which MCP servers are accessible
  • Network Policy: Lock down MCP servers to only be addressable through the gateway
  • MCPRoute: Filter tools to only allow pre-approved functions, improving security and reducing cost
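
The three MCP mitigations above, reduced to the decision logic a central gateway applies to MCP's JSON-RPC traffic (`tools/list` and `tools/call`). This is an added example, not code from the talk, FINOS or Envoy AI Gateway; the server names, tool names, `ALLOWED` policy and function names are assumptions made up for illustration.

```python
import json

# Constructed policy (assumption): approved MCP server -> approved tool names.
ALLOWED = {
    "market-data": {"get_quote", "get_history"},
    "docs-search": {"search"},
}

def deny(req_id, reason):
    # JSON-RPC 2.0 error; -32000 is in the implementation-defined server range.
    return {"jsonrpc": "2.0", "id": req_id,
            "error": {"code": -32000, "message": reason}}

def check_request(server, request, audit):
    """Decide on one agent -> MCP server request at the gateway.

    Returns (forward, error_response). Every decision is appended to `audit`,
    so logging does not depend on the agent.
    """
    method = request.get("method")
    params = request.get("params")
    tool = None
    if method == "tools/call" and isinstance(params, dict):
        name = params.get("name")
        tool = name if isinstance(name, str) else None
    if server not in ALLOWED:
        reason = "server not approved"
    elif method == "tools/call" and tool not in ALLOWED[server]:
        reason = "tool not approved"  # also covers a missing or malformed name
    else:
        reason = None
    audit.append(json.dumps({"server": server, "method": method, "tool": tool,
                             "allowed": reason is None, "reason": reason}))
    if reason is None:
        return True, None
    # A request without "id" is a notification: drop it, send no reply.
    reply = deny(request["id"], reason) if "id" in request else None
    return False, reply

def filter_tools_list(server, response):
    """Strip unapproved tools from a tools/list result before the agent sees it."""
    result = response.get("result")
    if not isinstance(result, dict) or not isinstance(result.get("tools"), list):
        return response
    allowed = ALLOWED.get(server, set())
    kept = [t for t in result["tools"] if isinstance(t, dict)
            and isinstance(t.get("name"), str) and t["name"] in allowed]
    return {**response, "result": {**result, "tools": kept}}
```

Filtering the `tools/list` response alone is not enough, since an agent can still name a hidden tool in `tools/call`; the request check enforces the same allowlist on the call path.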

Architecture to Deployment

CALM enables a streamlined path from architecture to deployment:

  • Define CALM Architecture
  • Bundle with CALM Template
  • Generate Deployment YAML for Kubernetes

Key Takeaways

  • We can improve time to value AND reduce risk simultaneously using open-source tools
  • Upfront architectural homework saves significant time in subsequent changes
  • Where gaps exist in tooling, you can help drive improvements since everything is open source
  • Financial services organizations can leverage FINOS CALM and AI Governance Framework to deploy AI responsibly

Resources