Enterprise Agentic AI System for Financial Services
This brief proposes a production enterprise agentic AI system for financial services: role-specific LangGraph agents that reason over governed enterprise data via a credential-isolated access layer, integrate Snowflake Cortex and MCP tool servers, and ship with eval gates on every agent before production release.
Proposed outcome: A multi-agent platform where business users interact with specialist agents — research, operations, compliance — that retrieve answers and take approved actions through API-mediated data access, never raw database credentials, with CI eval regression, full audit traces, and deployment on AWS Bedrock or Azure AI Foundry.
Scenario
This is a proposed solution for an enterprise financial services client with an existing architecture and design spec — an execution-focused build where a senior agentic AI developer ships against clear requirements, not open-ended strategy.
- Users: Business analysts, relationship managers, and operations staff — non-technical consumers of agent outputs and actions
- Data estate: Governed Snowflake warehouse, CRM (Salesforce), internal REST APIs, document repositories, and an optional semantic/knowledge layer
- Agent types: Role-specific agents — portfolio research, client onboarding assist, compliance Q&A — orchestrated by a LangGraph supervisor with A2A handoffs
- Constraints: Regulated industry — audit logs, PII redaction, tool allowlists, human approval for write actions
- Delivery model: Fixed-scope agent implementation against defined design; iterative eval expansion as new roles are added
- Cloud: AWS Bedrock and/or Azure AI Foundry for model inference; Snowflake Cortex for governed SQL and enterprise search
Problem
Enterprise financial services teams cannot deploy agent prototypes that embed warehouse credentials, bypass row-level security, or ship without regression tests. The gap between a LangGraph demo and a SOC-ready production system is governance, eval discipline, and standardized tool access — not more prompt tweaking.
- Credential sprawl risk — agent runtimes that hold database connection strings create leak paths via prompts, logs, or tool misuse
- Ungoverned retrieval — RAG over raw tables bypasses entitlements and licensed data usage terms
- Demo vs production gap — notebook agents fail multi-agent edge cases, approval flows, and model version changes
- Tool chaos — each agent reimplements API clients with inconsistent auth, error handling, and versioning
- No eval discipline — agents promoted on manual spot checks; regressions discovered by business users in production
- Role blur — a single generalist bot hallucinates on domain tasks that specialist agents would handle with narrower, tested tools
- Multi-cloud friction — Bedrock, Azure Foundry, and Snowflake Cortex each expose different SDKs without a unified trace or model routing layer
Requirements
Functional
- Role-specific agents: Distinct LangGraph graphs per business role with scoped tools, prompts, and eval packages
- Supervisor orchestration: Route user intent to the correct agent; support A2A delegation and context handoff
- Governed RAG: Retrieval via Cortex Search and semantic layer — queries respect user entitlements
- Tool/function calling: MCP servers exposing approved internal APIs; read-first, write behind human approval
- Snowflake Cortex: Analyst for natural-language-to-governed-SQL; Search for document and chunk retrieval
- Human-in-the-loop: LangGraph interrupt nodes before irreversible actions (CRM writes, report submission, ticket creation)
- Eval suite per agent: Golden tasks covering expected tool calls, citation patterns, and refusal cases
- Audit trail: Immutable log of prompts, retrieved sources, tool invocations, model ID, and user identity
Non-functional
- Security: Zero raw DB credentials in agent pods; session-scoped tokens issued by governed access layer only
- Latency: Interactive turns p95 < 8 s; long research workflows run async with streaming partial results
- Availability: 99.9% on agent API tier; graceful fallback when Cortex or an MCP server is degraded
- Eval gate: No agent promotes to production without ≥90% task success on offline golden set
- Observability: OpenTelemetry spans correlated across LangGraph nodes, MCP calls, and Cortex queries
- Portability: Model router abstracts Bedrock, Azure Foundry, and Cortex LLM functions behind one interface
Architecture
The design separates orchestration (LangGraph supervisor and role agents), tooling (MCP servers), and data access (governed gateway to Snowflake Cortex and internal APIs). Agents hold no warehouse passwords — they receive short-lived scoped tokens and call MCP tools that enforce policy server-side.
Enterprise architecture — LangGraph role agents invoke MCP tool servers through a governed access layer; LLM inference routes to Bedrock or Azure; eval CI gates every deploy
Governed tool-call sequence — MCP server validates session token; access layer enforces entitlements before Cortex executes; denials produce agent refusals, not credential errors
Component map by platform layer — orchestration, tooling, governance, data, and cloud inference
End-to-end flow
Production request path — write actions pause at human approval; every path emits an auditable trace for compliance review
Indicative agent routing mix after three role agents are live — supervisor directs traffic by classified intent
Per-agent eval thresholds required before production promotion
Recommended stack
Recommendation: LangGraph for orchestration, MCP for tool standardization, Snowflake Cortex for governed retrieval and SQL, a custom governed access layer (FastAPI) for entitlements, and AWS Bedrock / Azure AI Foundry for model hosting — with Langfuse and pytest eval packages gating every deploy.
| Layer | Technology | Why |
|---|---|---|
| Orchestration | LangGraph | Checkpointed state graphs, HITL interrupts, conditional routing, A2A handoffs — proven for production agents |
| Tool protocol | MCP (Model Context Protocol) | Domain teams ship versioned tool servers; agents discover tools without bespoke SDK sprawl |
| Governed data | Snowflake Cortex Analyst + Search | NL→SQL with warehouse RLS; managed search without exporting credentials to agent pods |
| Access layer | FastAPI + policy engine (OPA or custom) | Session tokens, entitlement checks, SQL allowlists, immutable audit log |
| LLM hosting | AWS Bedrock + Azure AI Foundry | Enterprise VPC endpoints, model choice per task, contractual compliance |
| RAG indexing | LlamaIndex pipelines → Cortex Search | Chunk and embed approved corpora; align metadata to semantic layer entities |
| Semantic layer | dbt metrics + optional Neo4j graph | Consistent entity definitions shared by Cortex Analyst and agents |
| Runtime | Python 3.11+, FastAPI, Temporal | Long-running agent jobs with durable execution and retry policies |
| Evals | pytest + Langfuse datasets + LLM-as-judge | Per-agent golden tasks run in CI; production traces sampled back into datasets |
| Infra | AWS EKS/ECS or Azure Container Apps | Terraform modules; secrets in AWS Secrets Manager / Azure Key Vault |
| Observability | Langfuse + CloudWatch / Azure Monitor | End-to-end traces: graph node → MCP call → Cortex query → model token usage |
Why MCP over bespoke tool JSON schemas? In a multi-team enterprise, CRM, warehouse, and workflow APIs are owned by different groups. MCP lets each team publish a versioned server; agent developers consume a stable protocol instead of merging API clients into every graph.
Why a governed access layer? Regulated finance requires entitlements enforced outside the LLM. An agent that receives a user session token can only invoke MCP tools the access layer validates — warehouse service accounts never appear in agent environment variables.
Why LangGraph over CrewAI or AutoGen? Explicit graph edges, checkpoint persistence, and interrupt() for HITL map directly to approval workflows auditors expect. Crew-style role play is harder to eval deterministically.
Bedrock vs Azure Foundry? Use whichever matches the client’s existing cloud contract; a thin model router abstracts provider SDKs so agents reference model_id not vendor-specific clients.
Agent & component design
1 — LangGraph supervisor (router)
- Input: Authenticated user message + profile (role, entitlements, active mandate)
- Logic: Intent classifier → route to research / operations / compliance agent; manage A2A handoff with compressed context packet
- Output: Streaming tokens from selected agent; trace ID for audit
- QA gate: Routing accuracy ≥95% on 50-intent eval set before prod
2 — Research analyst agent
- Tools (MCP):
cortex_analyst,cortex_search,get_semantic_metric - Behavior: Always cite
query_idor chunk source; refuse when entitlement denied; no write tools - Eval focus: Numerical accuracy on golden SQL questions; citation presence; refusal on out-of-scope datasets
3 — Operations agent
- Tools (MCP):
salesforce_read,create_service_ticket,submit_draft_report - HITL node: LangGraph
interrupt()before any write; user approves in UI; checkpoint resumes on confirm - Eval focus: Correct tool selection; never write without approval flag; idempotent retries
4 — Compliance Q&A agent
- Tools: Cortex Search over policy corpus only — no Analyst SQL, no CRM
- Behavior: High refusal precision; answer only from retrieved policy chunks; escalate ambiguous queries
- Eval focus: Zero hallucinated policy citations; 100% refusal on out-of-corpus questions in test set
5 — MCP server: snowflake-governed (illustrative)
from mcp.server import Server
from mcp.types import Tool, TextContent
server = Server("snowflake-governed")
@server.tool()
async def cortex_analyst(query: str, session_token: str) -> list[TextContent]:
claims = access_layer.validate(session_token)
if "analyst" not in claims.allowed_tools:
raise PermissionError("entitlement_denied")
result = await cortex_client.analyst(
query=query,
role=claims.snowflake_role,
warehouse=claims.warehouse,
)
access_layer.audit(user=claims.user_id, tool="cortex_analyst", query_id=result.id)
return [TextContent(type="text", text=result.to_json())]
6 — Per-agent eval package (CI gate)
@pytest.mark.agent("research_analyst")
@pytest.mark.parametrize("case", load_golden_cases("research_analyst"))
async def test_research_agent(case, agent_runner):
result = await agent_runner.run(case.user_message, context=case.context)
assert result.tools_called == case.expected_tools
assert citation_present(result.answer)
if case.expect_refusal:
assert result.refused and not result.tools_called
else:
score = await llm_judge relevance(case.expected_facts, result.answer)
assert score >= 0.85
7 — Model router
| Task | Model (illustrative) | Provider |
|---|---|---|
| Supervisor intent routing | Claude 3.5 Haiku / GPT-4o mini | Bedrock or Azure |
| Research synthesis | Claude Sonnet / GPT-4o | Bedrock or Azure |
| Compliance answers | Claude Sonnet (low temperature) | Bedrock |
| Eval LLM-as-judge | GPT-4o mini | Azure Foundry |
Typical interactive turn latency budget — p95 target under 8 seconds including governed Cortex call
Agent promotion funnel — every role agent passes eval CI before staging and production
Implementation plan
Phase 1 — Platform foundation (week 1–3)
Scaffold LangGraph monorepo, governed access layer with session token issuance, first MCP server skeleton, Langfuse project, and CI eval harness template. Deploy dev environment on AWS or Azure with Bedrock/Foundry connectivity and Snowflake service account (access layer only — not in agent pods).
Risk: Snowflake Cortex region availability — confirm Cortex Analyst enabled in client account. Rollback: mock Cortex responses in MCP server for parallel frontend work.
Phase 2 — First role agent: research analyst (week 4–6)
Implement research agent graph, snowflake-governed MCP with Cortex Analyst + Search, 30-task golden eval set, streaming API endpoint. Internal UAT with 5 analyst users on read-only entitlements.
Risk: Cortex Analyst generates SQL outside allowlist — add post-generation SQL parser gate. Rollback: disable Analyst tool; Search-only mode for UAT.
Phase 3 — Supervisor + A2A routing (week 7–9)
Build supervisor graph with intent classifier, handoff protocol, and shared context compression. Expand eval set with routing cases. Define streaming UX contract (partial tool status, citation cards) with frontend team.
Risk: Context loss on A2A handoff — pass structured handoff packet, not raw chat. Rollback: single-agent mode bypassing supervisor.
Phase 4 — Operations + compliance agents (week 10–13)
Ship operations agent with HITL write approval, Salesforce-read MCP, workflow MCP. Ship compliance agent with policy-only search corpus. Separate eval packages (30+ tasks each) gating staging promotion.
Risk: Write tool idempotency — require client-supplied idempotency keys. Rollback: operations agent read-only until HITL UI signed off.
Phase 5 — Production hardening (week 14–16)
Pen test findings, audit log export for compliance, load test 100 concurrent sessions, Terraform prod modules, secrets rotation runbook, model router config for multi-provider failover.
Risk: Audit log volume — partition by date, archive to S3/Blob with retention policy. Rollback: blue/green agent deployment with traffic switch via API gateway.
Phase 6 — Eval flywheel + semantic layer (week 17–18)
Sample production traces into Langfuse datasets; weekly eval triage; connect dbt semantic layer entities to Cortex Analyst context; document prompt version registry and agent rollback procedure.
Risk: Eval set drift from real usage — auto-promote flagged prod traces to golden candidates. Rollback: pin prior prompt version in model registry.
Reporting & ops
| Signal | Source | Cadence |
|---|---|---|
| Eval pass rate per agent | CI pytest + Langfuse dataset runs | Every deploy (blocking) |
| Tool call error rate | MCP server logs + access layer 5xx | Real-time PagerDuty if > 2% |
| Cortex entitlement denial rate | Governed access layer audit | Daily — tune routing if spikes |
| HITL approval latency | LangGraph checkpoint timestamps | Weekly ops review |
| User negative feedback → eval | Thumbs-down API → dataset queue | Weekly triage |
| p95 agent turn latency | OpenTelemetry on FastAPI + graph nodes | Live dashboard |
| Model cost by agent/role | Langfuse cost attribution | Monthly FinOps review |
| Prompt/version in prod | Model registry + git tag | Change log on every promotion |
Ops cadence would include daily failed-tool review, weekly eval dataset curation from production samples, and monthly security review of MCP server permissions. The senior agent developer would own eval standards — no agent merges without a green CI eval run and signed checklist.
Proposed deliverables
Following the phased plan, a build would ship these artifacts:
- Governed access layer API — session tokens, entitlement middleware, SQL allowlist, immutable audit log
- MCP server suite:
snowflake-governed,salesforce-read,internal-workflows - LangGraph supervisor graph with A2A handoff protocol
- Three role agent graphs: research analyst, operations, compliance Q&A
- Snowflake Cortex Analyst and Search integration aligned to dbt semantic layer
- Per-agent eval packages (30+ golden tasks each) running in CI as deploy gate
- Model router configuration for AWS Bedrock and Azure AI Foundry
- HITL approval checkpoint pattern with LangGraph interrupt/resume
- Langfuse dashboards — traces, eval trends, tool failure breakdown, cost by agent
- Terraform modules for AWS/Azure deployment with secrets management
- Security and ops runbooks — credential rotation, agent version rollback, Cortex outage mode
Effort estimate
Indicative effort for platform foundation plus three role agents through production hardening (assumes existing architecture spec, Snowflake Cortex enabled, and client SSO available):
| Scope | Hours (range) |
|---|---|
| Phases 1–6 (platform + supervisor + 3 role agents + hardening) | 400–560 hrs |
| Additional role agent with MCP tools and evals (each) | +60–90 hrs |
| Knowledge graph semantic layer (Neo4j + dbt sync) | +80–120 hrs |
| Dual-cloud active-active (Bedrock + Foundry failover) | +40–60 hrs |
| Ongoing eval curation, prompt updates, model rotation | 12–20 hrs/month |
| Platform costs (indicative monthly at institutional pilot scale) | Snowflake Cortex, Bedrock/Azure tokens, infra — typically USD 5,000–15,000 |
The $15K fixed-price signal in the sourcing context would realistically scope Phase 1–2 (foundation + first research agent with evals) or a time-boxed MVP milestone — not the full six-phase platform. A production system with three governed role agents, HITL writes, and compliance audit typically lands in the 400+ hour range above.
Glossary
| Term | Meaning |
|---|---|
| MCP | Model Context Protocol — open standard for agents to discover and invoke external tool servers |
| A2A | Agent-to-agent delegation — supervisor handing a sub-task to a specialist agent with context packet |
| Governed access layer | API middleware that enforces entitlements and audit; agents never hold warehouse credentials |
| Cortex Analyst | Snowflake feature that translates natural language to SQL executed under caller’s warehouse role and RLS |
| Cortex Search | Snowflake managed hybrid search over approved document corpora indexed in the account |
| HITL | Human-in-the-loop — LangGraph interrupt pausing execution until a user approves a proposed action |
| LangGraph | Library for building stateful, checkpointed agent workflows as explicit directed graphs |
| Eval gate | CI threshold that blocks production deploy when an agent’s golden task success rate regresses |
| Semantic layer | dbt-defined business metrics and entities providing consistent definitions for SQL and agents |
| Bedrock / AI Foundry | AWS and Azure managed LLM hosting platforms with enterprise VPC and compliance options |