Skip to main content

Blueprint: Trading Bot Sandbox

Gating High-Value Financial Actions with Dynamic Risk ABAC

Autonomous agents in FinTech can execute trades, move funds, or adjust portfolio allocations. Governance must ensure that high-value actions are only permitted when session risk is low and user credentials are high-privilege.

This blueprint demonstrates Dynamic ABAC Gating based on transaction risk scores.

Architecture

1. Master Policy Definition

{
  "name": "fintech-safety-policy",
  "priority": 9900,
  "rules": [
    {
      "id": "block-high-risk-trades",
      "effect": "deny",
      "principals": ["*"],
      "actions": ["trade:execute"],
      "resources": ["*"],
      "conditions": {
        "risk_score": "> 80"
      }
    },
    {
      "id": "allow-senior-traders",
      "effect": "allow",
      "principals": ["group:senior-traders"],
      "actions": ["trade:execute"],
      "resources": ["*"]
    }
  ]
}

2. Implementation

Python Prototype

from openai import OpenAI

def execute_trade(user_group: str, trade_amount: float):
    # Simulate a risk engine calculating score based on amount
    risk_score = 90 if trade_amount > 100000 else 20

    client = OpenAI(
        api_key="ignored",
        base_url="http://cz-gateway:8001/v1",
        default_headers={
            "X-ControlZero-User-Group": user_group,
            "X-ControlZero-Risk-Score": str(risk_score)
        }
    )

    try:
        response = client.chat.completions.create(
            model="gpt-4o",
            messages=[{"role": "user", "content": f"Execute trade for ${trade_amount}"}],
            tools=[{"type": "function", "function": {"name": "trade:execute", "parameters": {"type": "object"}}}]
        )
        return "Trade Successful"
    except Exception as e:
        return f"Trade Blocked: {e}"

# Scenario A: Large trade (High Risk)
print(execute_trade("senior-traders", 500000)) # BLOCKED by Risk Engine

# Scenario B: Routine trade by senior
print(execute_trade("senior-traders", 1000)) # ALLOWED

# Scenario C: Routine trade by junior
print(execute_trade("junior-traders", 1000)) # BLOCKED by RBAC

3. Validation Checklist

  • Condition Operators: Verify that the > 80 operator correctly handles numeric string conversion.
  • Identity Tiering: Ensure senior-traders vs junior-traders mapping works across the IdP.
  • Latency Impact: Measure the overhead of evaluating complex conditions on high-frequency trading tools. 埋