Agentic risk insight for regulated institutions.

Every bank is now an AI company. Very few can yet explain what their agents are doing, why, or whether they remain in control. Subtextly RiskLabs closes that gap — with a platform that makes controls executable, and practitioners who help you ship governance that actually holds.

Start a conversation → How we help
The Gap

The distance between the agents you've deployed and the agents you can explain is widening every quarter.

Your business is already shipping agents. Regulators are already asking sharper questions. Your second line hasn't yet agreed on who owns this. Sound familiar?

You have an agent inventory — or you don't

Most institutions cannot produce a single-page list of every AI agent in production, who owns it, and which obligations apply.

Your control library is a PDF

Policies live in documents. Controls live in GRC tools. Neither runs in real time against the systems they're meant to govern.

Your three lines disagree quietly

First line ships. Second line maps frameworks. Third line audits findings that are already stale. No one can yet show the regulator a live picture.

Your board is asking harder questions

"What agents do we have? What can they do? What's changed this quarter?" — and the answers require a week of manual work to assemble.

How we think about it

Agentic risk is not a new category of risk. It's every existing risk — moving faster, documented worse, and accelerating.

Subtextly RiskLabs approaches agentic risk from three non-negotiables:

01

Controls should execute, not sit in documents

Every material control should be runnable code — observing the system it's meant to govern, producing evidence continuously, and flagging drift the moment it occurs.

02

Second line needs its own agents

If the first line is shipping AI at speed, the second line cannot govern it with spreadsheets. Risk and compliance functions need agentic tooling of their own — purpose-built for oversight, not delivery.

03

Explainability is a design choice, not a report

"Why did this agent do that?" should be answerable in minutes, not quarters. Audit trails, decision provenance, and version history must be first-class from day one — not bolted on under pressure.

How we help

One practice, two paths. Start where you're ready.

Whether you need a platform to make controls executable, or practitioners to help you design and ship the first one — RiskLabs delivers both.

Product

Subtextly Codex

The agentic risk platform

Turn your control library into executable agents. Codex converts policy and regulatory obligations into runtime monitors — watching the systems they govern, producing continuous evidence, and surfacing drift in real time.

  • Control-as-code library synced to your GRC taxonomy
  • Runtime monitors over Confluence, Jira, SDLC, and cloud
  • Continuous audit trail and agent inventory
  • Built on AWS Singapore with Bedrock-hosted models

In development · Design partners wanted

Become a design partner →
Services

Subtextly Advisory

Practitioners who ship

Agentic risk and AI governance engagements for financial services. We help you move from "what's our agentic strategy?" to "we shipped the first monitored agent last Tuesday."

  • Agentic strategy and governance assessments
  • Control-library design for AI and agent operations
  • Shipped pilots — governed agents in production
  • Fractional CRO/CTO support for scale-up risk programmes

Engagements open · Currently accepting 2 new engagements this quarter

Explore Advisory →

Built in Hong Kong. Designed for global regulated institutions.

Subtextly Limited is headquartered in Hong Kong — a jurisdiction where global capital, tier-one regulation, and information asymmetry meet in the open. RiskLabs is led by practitioners with direct line-of-sight into financial-services risk, technology, and regulatory change.

AWS Singapore infrastructure
Bedrock-hosted models
SOC-ready architecture
Data residency aware
Start a conversation

Tell us what you're wrestling with.

Whether you're exploring a Codex design-partnership, scoping an advisory engagement, or simply sense-checking an internal direction — drop us a note. We reply within two working days, usually faster.

risklabs@subtextly.io

Replies from risklabs@subtextly.io