Technical Assumptions in SOX Section 302/404 and the Autonomous Agent Challenge

SOX Sections 302 and 404 rest on technical assumptions about the financial reporting environment: that humans design, operate, and monitor control processes; that control operators can be identified and held accountable; and that control activities are deterministic, observable, and reproducible. Using assumption–violation mapping, we identify six structural gaps where autonomous AI agent properties violate these assumptions, drawing on SOX 302/404 and the COSO Internal Control—Integrated Framework (2013). The central finding is that autonomous agents create epistemic opacity in the certification chain: when AI agents make decisions affecting financial reporting, the CEO's "reasonable assurance" certification becomes epistemically attenuated because the certifier cannot meaningfully evaluate processes whose decision logic is neither transparent nor reproducible. We map all five COSO components to agent behaviors, present three material weakness scenarios under PCAOB AS 2201, and propose COSO extensions with implementation recommendations.