AI Agents and Sarbanes-Oxley Internal Control: Six Structural Gaps in Financial Reporting

Sarbanes-Oxley Sections 302 and 404 rest on assumptions that humans design, operate, and monitor internal controls; that control operators are identifiable; and that audit evidence can be reconstructed. Using assumption-violation mapping, this paper identifies six structural gaps that arise when Tier 2 or Tier 3 AI agents participate in financial reporting, drawing on SOX 302/404, PCAOB standards, and the COSO Internal Control - Integrated Framework. The central finding is epistemic opacity in the certification chain: the CEO's "reasonable assurance" certification may be attenuated when material reporting processes depend on decision logic that is opaque, non-deterministic, or not auditably reconstructable. The paper maps COSO components to agent behaviors, presents three potential material-weakness scenarios, and proposes agent-specific COSO extensions. Unlike literature examining AI as a compliance tool, this paper analyzes AI as an autonomous participant within the financial reporting chain.