FinHarness: An Inline Lifecycle Safety Harness for Finance LLM Agents

📅 2026-05-26 · 📈 Citations: 0 (Influential: 0)

🤖 AI Summary
This work addresses the challenge of intercepting, in real time, unauthorized operations triggered by prompts in financial large language model (LLM) agents during multi-step business workflows, where existing security mechanisms either intervene too late or impose excessive computational overhead. The paper proposes the first inline security framework tailored to the full lifecycle of financial LLM agents, integrating cross-turn intent drift detection, per-step tool invocation risk assessment, and an adaptive two-tier verification routing mechanism. Crucially, risk signals are fed back to the agent as prior evidence to support its own decision-making. Evaluated on the FinVault dataset, the approach reduces the attack success rate from 38.3% to 15.0%, with only a marginal drop in the benign approval rate (from 41.1% to 39.3%), while decreasing high-cost verifier invocations by 4.7×.
📝 Abstract
Finance LLM agents must simultaneously block prompt-induced unauthorized actions and approve legitimate multi-step business workflows. However, boundary filters often miss irreversible mid-trajectory tool calls, while post-hoc LLM judges perform auditing only after termination: too late for intervention, and at a computational cost that scales linearly with trace length. We present FinHarness, an inline safety harness that wraps a finance agent end-to-end with three components: a Query Monitor that fuses single-turn intent with cross-turn drift, a Tool Monitor that evaluates each prospective tool call, and a Cascade module that integrates per-step risk and adaptively routes verification between a lightweight and an advanced-tier LLM judge. Fired risk factors are re-injected into the agent input as ex-ante evidence, enabling the agent to refuse, re-plan, or approve on its own. On FinVault, routed FinHarness cuts ASR from 38.3% to 15.0% while largely preserving benign approval (41.1% to 39.3%), and uses 4.7× fewer advanced-judge calls than an always-advanced ablation.
Problem

Research questions and friction points this paper is trying to address: finance LLM agents; safety harness; unauthorized actions; tool calls; intervention.
Innovation

Methods, ideas, or system contributions that make the work stand out: inline safety harness; financial LLM agents; tool-call monitoring; adaptive verification routing; risk-aware re-planning.