What is state machines in AI Agents? A Guide for compliance officers in wealth management
State machines are a way to model an AI agent as a set of defined states, with rules that control how it moves from one state to another. In an AI agent, a state machine keeps the agent’s behavior predictable by limiting what it can do next based on the current situation.
How It Works
Think of a state machine like a client onboarding checklist in wealth management.
A new client does not jump straight from “interested” to “fully approved.” They move through stages:
- •Lead captured
- •KYC documents requested
- •Documents received
- •Screening in progress
- •Compliance review
- •Approved or rejected
An AI agent built with a state machine works the same way. It is not making random decisions on every turn. It is operating inside a controlled workflow where each step has a clear purpose, allowed inputs, and permitted next actions.
For compliance teams, this matters because the agent’s behavior becomes easier to explain and audit. If the agent is in Awaiting KYC, it should only be allowed to:
- •ask for missing identity documents
- •check whether documents are complete
- •escalate if something looks suspicious
- •move to
Under Reviewwhen requirements are satisfied
It should not suddenly recommend an investment product, send a trade instruction, or close the case.
A simple state machine for an AI onboarding assistant might look like this:
Start -> Collect Client Data -> Validate Documents -> Run Screening -> Compliance Review -> Decision
Each arrow has conditions attached. For example:
- •If documents are incomplete, stay in
Validate Documents - •If sanctions screening flags a match, move to
Escalated Review - •If all checks pass, move to
Approved
This is the key idea: the agent is not “thinking freely” across the whole process. It is following a controlled path with guardrails.
That structure is useful in regulated environments because it reduces ambiguity. You can define what the agent may do at each step, what evidence it needs before moving forward, and when human approval is mandatory.
Why It Matters
Compliance officers should care because state machines make AI agents easier to govern.
- •
Predictable behavior
- •The agent can only take approved actions from approved states.
- •That makes reviews, testing, and sign-off much simpler.
- •
Clear audit trail
- •Every transition can be logged: what state the agent was in, what triggered the change, and who approved it.
- •That supports internal audit and regulatory inquiries.
- •
Policy enforcement
- •You can encode controls directly into the workflow.
- •Example: no account opening until sanctions screening and identity verification are complete.
- •
Human escalation points
- •State machines make it easy to force handoffs at specific risk points.
- •That matters when the AI encounters ambiguous identity data or potential AML issues.
A useful mental model is a bank approval matrix. A junior analyst cannot approve everything; they can only act within their delegated authority. A state machine gives an AI agent similar boundaries.
Real Example
Consider an AI assistant used in a wealth management firm to support new client onboarding for high-net-worth clients.
The firm wants faster intake, but compliance requires strict controls around KYC, AML screening, source-of-funds checks, and suitability review.
The state machine could be designed like this:
| State | Allowed Actions | Exit Condition |
|---|---|---|
| Intake | Collect basic client details | Required fields completed |
| KYC Check | Request ID and proof of address | Documents verified or flagged |
| AML Screening | Run sanctions/PEP/adverse media checks | No match or escalation triggered |
| Source of Funds Review | Ask for supporting evidence | Evidence accepted by compliance |
| Suitability Review | Gather risk profile inputs | Profile completed |
| Human Approval | Compliance officer reviews case | Approved or rejected |
Here is how it plays out:
- •The client submits an application through a digital channel.
- •The AI agent enters
Intakeand asks for missing information. - •Once complete, it moves to
KYC Checkand validates documents. - •It then enters
AML Screeningand checks against watchlists. - •If there is a potential sanctions hit, it does not continue automatically.
- •Instead, it transitions to
Human Approvalwith an alert for manual review.
That last point is important. The state machine does not replace compliance judgment. It enforces when judgment must happen.
In practice, this reduces operational risk in two ways:
- •The agent cannot skip required controls.
- •The team can prove which checks were completed before any decision was made.
For regulators and internal reviewers, that is far better than relying on free-form chatbot logs or loosely scripted automation.
Related Concepts
- •
Workflow orchestration
- •Broader coordination layer that manages tasks across systems and teams.
- •State machines often sit inside workflows as the decision logic for one process step.
- •
Finite state machines
- •The classic computer science version of state machines.
- •Useful when you want strict control over allowed transitions.
- •
Guardrails
- •Rules that prevent unsafe or non-compliant actions.
- •State machines are one way to implement them in AI agents.
- •
Human-in-the-loop review
- •A control pattern where humans approve high-risk decisions.
- •Common in onboarding, AML alerts, suitability checks, and exception handling.
- •
Agent memory
- •What the AI remembers about prior steps or user context.
- •State tells you where the process is; memory tells you what happened along the way.
Keep learning
- •The complete AI Agents Roadmap — my full 8-step breakdown
- •Free: The AI Agent Starter Kit — PDF checklist + starter code
- •Work with me — I build AI for banks and insurance companies
By Cyprian Aarons, AI Consultant at Topiax.
Want the complete 8-step roadmap?
Grab the free AI Agent Starter Kit — architecture templates, compliance checklists, and a 7-email deep-dive course.
Get the Starter Kit