The shift from manual controls to agentic action is arguably the most profound transformation the Office of the CFO will see in the next decade. For years, finance transformation has been about digitising paper processes or using Generative AI to draft reports.
Agentic AI is fundamentally different. It does not just analyse data or generate text; it takes autonomous action. It executes reconciliations, routes approvals, flags anomalies, and even initiates remediation workflows without human intervention.
For the ASEAN CFO in 2026 and 2027, this transition is a double-edged sword. On one side lies unprecedented operational efficiency and real-time risk mitigation.
On the other hand, lies the “black box” risk: if an AI agent takes an autonomous action that results in a financial misstatement or a compliance breach, who is accountable? Furthermore, the regulatory landscape across ASEAN—from Singapore’s mature AI governance frameworks to the rapidly evolving guidelines in Indonesia, Thailand, and Malaysia—remains fragmented.
To navigate this, finance leaders must fundamentally redefine their operating model.
From point-in-time to continuous, agentic GRC
Industry forecasts underscore the urgency for this redefinition. According to Gartner, by 2028, 33% of enterprise software applications will include agentic AI, up from less than 1% in 2024. For Governance, Risk, and Compliance (GRC), this necessitates a paradigm shift from historical, reactive models to continuous, autonomous monitoring.
Justin Greenberger, chief customer officer at Optro and former risk and audit executive at GE, notes that the traditional GRC playbook is no longer sufficient. “Historically, GRC has been more of a reactive aspect,” he opines, explaining: “It used to be a very point-in-time measurement, you did your audits x amount of cycles, and now it’s more of a continuous process today.”
To meet this demand, platforms like Optro are competing against legacy players by adopting an “agentic first” approach. This allows finance and risk teams to move beyond merely storing policies to proactively forecasting supply chain disruptions or compliance breaches in real time, transforming GRC from a back-office function into a strategic engine.
Navigating ASEAN’s fragmented regulatory maze
Operating across Southeast Asia requires balancing global corporate standards with hyper-local regulatory nuances. While the ASEAN Guide on AI Governance and Ethics provides a regional baseline, local mandates—such as those emerging from Indonesia or the Monetary Authority of Singapore (MAS)—demand specific operational details.
Greenberger advocates for a “global with local concepts” strategy. “What’s the highest-level requirement is pretty understood, right? Like have an inventory of AI,” he notes. However, local regulators may require granular detail in system configuration or audit trails.
The blueprint for ASEAN CFOs is to establish a robust global foundation—such as a comprehensive AI inventory and strict approval policies—and then layer on country-specific controls.
Furthermore, preparing for impending AI liability frameworks requires proactive collaboration.
“You have to have the discussion with the regulatory bodies… we have a lot of really good collaboration with external auditors around how we’re preparing for autonomous, and it’s good because it progresses the conversation forward,” Greenberger advises.
Guardrails for the ‘black box’
As agentic AI automates high-volume controls, the fear of the “black box” looms large. How do CFOs ensure autonomous agents operate within predefined risk appetites?
Greenberger warns against stifling AI with rigid, rules-based constraints. “I don’t think you can set up deterministic guardrails for an agent; that kind of ruins the whole point. We’ve had deterministic automation, which was called RPA for so long, you really want it to evolve,” he states.
Instead, the blueprint relies on three dynamic guardrails:
- Human/Auditor in the loop: Maintaining oversight and the ability to intervene post-action.
- Transparency: Requiring agents to cite sources, explain their logic, and detail their thought processes.
- Immutable audit trails: Capturing comprehensive data logs of where the agent went, why it went there, and how it secured approvals.
The rise of the ‘audit engineer’ and front-line controllership
The adoption of agentic AI is also reshaping the internal audit profession. Historically underfunded and overwhelmed by exponentially growing risk landscapes, audit teams are now embracing AI thoughtfully. Greenberger highlights that auditors are currently “saving 70% of time with agentic use cases”, freeing them to focus on strategic geopolitical risks and business process improvements.
This efficiency is driving the development of a new skill set: the “audit engineer“. Rather than just sampling data, auditors are now designing autonomous controls and agentic workflows, requiring an engineering mindset alongside traditional scepticism.
From periodic sampling to continuous, integrated assurance
Ultimately, how do organisations transition from periodic, sample-based auditing to continuous, AI-driven monitoring that repositions GRC from a cost centre into a strategic enabler of safe innovation?
According to Greenberger, the answer lies in deep ecosystem integration. “You have to have a true understanding of the systems that are around your audit frameworks,” he explains, whether that is an ERP or an HR system. Rather than restricting autonomous testing frameworks to isolated sample periods, finance and technology teams must develop a unified roadmap for integrating these ecosystems.
“Once you integrate it all together, continuous auditing becomes a real thing,” Greenberger notes. Instead of relying on manual data requests, CFOs and chief audit executives can simply look at a real-time dashboard to monitor anomalies—such as tracking exactly how many people have access to systems they shouldn’t.
This seamless integration transforms the audit function from a periodic checkpoint into a continuous, real-time pulse on enterprise health.
Purpose-driven adoption and change management
While many ASEAN businesses may appear to be behind the curve in AI adoption compared to global peers, Greenberger argues this could be a strategic advantage, given the rapidly evolving nature of both the technology and regional regulations. The key is to avoid deploying AI for its own sake.
“It’s important to fully understand what its purpose within your enterprise is,” he advises. “Is it to add productivity? Is it to give people time back, so that you can redeploy them into other areas?”
Successful deployment requires a strong change management strategy rooted in a clear mission statement with employees. Greenberger suggests starting by asking teams where they need the most help, rather than forcing top-down agentic workflows.
When employees realise that leveraging agentic AI gives them a massive advantage in executing tasks and generating insights, adoption accelerates naturally.
“People are quickly going to realise that an employee leveraging agentic is way ahead of the curve in terms of being able to execute, being able to have insights,” Greenberger observes.
“It’s more about how you enable them, how you get them on the right type of task or use case that’s going to bring benefits to the entire company.” Justin Greenberger
Final thoughts for Asia’s CFO
The transition from manual controls to agentic action is not merely a technology upgrade; it is a fundamental rewiring of corporate governance. For the ASEAN CFO, success in 2026 and 2027 will not be defined by how many AI agents you deploy, but by how effectively you govern, integrate, and humanise them.
By shifting the perception of GRC from a “cop or a police officer” to a strategic business partner, CFOs can turn risks into opportunities. The mandate is clear: bring auditors and compliance professionals along for the ride in real time and build an autonomous finance function that is as resilient as it is innovative.
