A governed agentic architecture for PPA, GoO and route-to-market operations

CASE STUDY · POWER TRADING · AGENTIC WORKFLOWSA governed agentic architecture for PPA, GoO and route-to-market operations

Putting control first in energy trading workflows

Blackdown built and delivered an agentic system that ran complex renewable transactions end to end — yet could not move money, transfer certificates, submit to registries, or take a market position without sign-off from a named person.

Blackdown built and implemented a governed agentic workflow system for a German power trading firm. The system managed complex renewable energy transactions from start to finish, but it could not move money, transfer certificates, submit registry actions, or take market positions without approval from an authorised person.

Role

Architecture, build & delivery

Client

A German power trading firm

Domain

Renewables origination · Guarantees of Origin · route-to-market operations

Scope

Trading, certificate management, nominations, settlement and governance

Pattern

Agent orchestration with deterministic tools and human-in-the-loop approval

Delivered

2025, to production

The briefA single commercial request hides many regulated workflows underneath

A typical request was kept intentionally simple:

THE REQUEST“Place this 50 GWh corporate PPA and source matching Guarantees of Origin.”

In reality, that simple instruction starts a series of regulated and financially sensitive steps: contract interpretation, certificate sourcing, GoO matching, registry redemption, commercial pricing, nominations, balancing, settlement, and audit checks.

The main design question was not whether a language model could help. Instead, it was:

THE DESIGN QUESTIONHow can a trading desk use an intelligent assistant for complex renewable transactions without letting the system carry out any binding commercial, financial, or market actions on its own?

The problemEach transaction was fragmented, manual, and sensitive to risk

A single PPA-and-GoO transaction covers several business areas, each with its own data, systems, and possible failure points. The risks go beyond inefficiency: poorly managed workflows can lead to financial losses, misallocated certificates, inaccurate green claims, settlement errors, non-compliance, or unauthorised trading.

Contract intelligence

Extracting volume, delivery profile, GoO matching rules, optionality, penalties and settlement terms from long-form agreements.

GoO portfolio management

Matching demand to certificate supply across technology, geography, vintage, delivery period and registry constraints.

Deal and pricing

Structuring offers against forward curves, shape risk, imbalance assumptions, certificate availability and GoO market pricing.

Route-to-market operations

Preparing nominations, bidding assumptions, metering inputs, imbalance exposure and settlement workflows.

Audit and governance

Maintaining a reconstructable record of who approved what, when, using which source data, and on what basis.

Before orchestration, the process depended mostly on email, with commercial, legal, operations, settlement, and registry specialists each holding their own piece of the information. The system turned that fragmented process into a governed workflow — without handing business-critical calculations or external submissions to the LLM.

Blackdown’s contributionThe whole operating model, not just how agents interact

Blackdown designed, built and delivered the production agentic workflow — the orchestration model, tool boundaries, approval controls and audit processes used in live operations. The goal was to support complex renewable energy operations while keeping the control standards a trading environment demands.

Workflow decomposition

Broke the high-level PPA-and-GoO request into auditable business capabilities and operational steps.

Agent architecture

Defined specialist agents for contract intelligence, GoO portfolio matching, deal/pricing support and route-to-market operations.

Orchestration model

Designed the planner/router pattern that decomposes requests, routes tasks and manages workflow state.

Control design

Introduced the human approval gate for any action involving money movement, certificate transfer, market exposure or external submission.

Tool boundaries

Separated LLM reasoning from deterministic execution so calculations, registry actions, position updates and settlement logic stayed testable.

Audit model

Designed the traceability pattern across source data, agent outputs, tool calls, approvals and final actions.

Integration thinking

Mapped integration boundaries to market data, registry APIs, metering, operational stores, document systems and settlement processes.

Agents give reasoning and recommendations, deterministic tools carry out the actions, and humans approve every binding step.

The architectureKeeping reasoning, execution and approval separate

The architecture separated reasoning, execution and approval into distinct layers. The orchestration layer acted as both planner and router: it interpreted requests, broke them into auditable sub-tasks, and assigned each to the right specialist agent.

Specialist agents decided the next steps, but they did not directly change trading systems, transfer certificates, create external submissions, or perform settlement calculations. Deterministic tools handled those actions through set interfaces, validation rules, access controls, and audit logs. Any financially or legally binding action required approval from a designated person before reaching an external system, market process, or registry.

Six layers, one rule: agents make proposals, deterministic tools carry them out, and any action involving money, certificates, or markets needs approval from a named person. Observability, guardrails, and identity checks apply to every layer.

The system did not use a language model for business logic such as position updates, certificate transfers, or settlement calculations. These were handled in the tool layer, where they could be tested, monitored, controlled, and audited — making the architecture strong enough for real trading operations, not just a proof of concept.

The agent modelSpecialist agents matched to business capabilities

Contract intelligence

Reads and monitors PPA and GoO terms: delivery period, contracted volume, eligibility, penalties, optionality and settlement terms.

GoO portfolio

Matches demand to certificate inventory across technology, country, vintage and registry constraints.

Deal and pricing

Supports commercial structuring against curves, margin, shape risk, imbalance assumptions and certificate cost.

Route-to-market operations

Prepares nominations, bidding assumptions, imbalance analysis and settlement workflows.

Each agent was built to decide the next step, while deterministic tools carried out the action — avoiding the common failure where one model handles both reasoning and execution, an unacceptable control weakness in trading.

How a request flowsBreaking down the 50 GWh request into auditable steps

01 · Contract intelligenceInterpret contract terms

Delivery window, volume profile, GoO eligibility, matching rules, penalties, settlement terms.

02 · GoO portfolioCheck certificate availability

Matched / unmatched MWh by technology, country, vintage and registry.

03 · Deal and pricingPrice the commercial offer

Indicative price, curve assumptions, margin, risk adjustments, GoO cost.

04 · RtM operationsPrepare the operational plan

Nomination schedule, balancing assumptions, metering requirements, settlement workflow.

05 · Approval gateRoute for approval

Human review before any external, financial or legally binding action.

06 · Tool layerPrepare or execute via controlled tools

Registry / market / ERP / settlement action, only through approved deterministic interfaces after sign-off.

07 · Audit layerRecord the evidence

Trace log, approval ID, timestamp, source data, decision record, action outcome.

At every stage, the system surfaced its interpretation, uncertainties, source data, proposed actions, and approval requirements — because a silent or unchecked error in trading can be very costly.

The control modelA copilot, not a fully autonomous trading engine

The system could suggest and prepare actions, but it could not carry out any financially or legally binding step on its own. Moving money, transferring certificates, submitting to registries, placing bids and trades, and taking market exposure all required approval from a named person and followed a set execution path.

This was a strict rule, not a preference. The project carried significant legal and governance requirements, so there was always at least one human check of the AI’s output before any binding action. The goal was not to remove human responsibility, but to make the review step clear, informed, and easy to audit.

Unauthorised certificate transfer

Human approval required before any registry action.

Incorrect GoO redemption

Contract, eligibility and inventory checks before execution.

Unauthorised market position

Approval required before any bid, trade or market submission.

Incorrect commercial pricing

Assumptions surfaced for review; deterministic calculations owned by controlled tools.

Settlement discrepancy

Traceable link from source data to decision, approval and action.

Regulatory audit failure

Immutable action-and-approval log, reconstructable on demand.

Model error in business logic

Deterministic tools own calculations and state changes, not the LLM.

Permission leakage

Identity and access controls applied at tool and action level, not just at the chat interface.

ResultsMeasured in production during the final handover

The figures below come from production data during the final two-week handover, when the system managed hundreds of live processes.

≈92%

less time from request to a review-ready action plan

100%

of binding actions routed through human approval

Hundreds

of live processes handled during the two-week handover

≈4h → ≈20min

Time from request triage to a review-ready action plan — about a 92% reduction. (Production data, final two-week handover.)

Hundreds

Live processes handled during the two-week handover. (Production telemetry.)

100%

Binding actions routed through human approval. (Mandatory legal and governance control.)

Beyond the measured results, the architecture delivered:

Fewer manual handoffs

People shifted from routine coordination to focused review and approval. The reduction depended on deal type — GoO matching was simpler than a full PPA, which needed more coordination across commercial, legal, operations and settlement teams.

End-to-end transaction visibility

Interpretation, assumptions, source data, proposed actions and approval status were shown at every step.

Simpler audit reconstruction

Requests, agent outputs, tool calls, approvals and actions were all recorded in a central trace log.

Testable business logic

Deterministic rules stayed in controlled tools rather than being hidden inside model prompts.

ReusabilityCapabilities mapped to business functions, not single transactions

Because the agents matched business capabilities, the same orchestration core could support similar transaction types without a system redesign.

Contract intelligence

PPAs, GoO agreements, REGOs, tolling agreements, supply and structured energy contracts.

Portfolio matching

GoOs, REGOs, green claims, certificate inventory, customer demand and compliance reporting.

Pricing support

Corporate PPAs, structured renewable offers, GoO-linked products and route-to-market pricing.

RtM operations

Nominations, bidding, imbalance analysis, metering workflows and settlement preparation.

Audit and governance

Compliance reviews, approval workflows, model governance and operational traceability.

The result was a reusable operating pattern for intelligent assistance across renewable energy workflows — not a one-off automation.

Control comes before autonomy.

Energy trading workflows are not fit for unchecked autonomy. A model that can read contracts, suggest hedges, find matching certificates or prepare nominations is valuable — but if that same model can move funds, submit bids or transfer certificates without approval, it brings unacceptable risk.

This architecture solved that by using the LLM for reasoning and orchestration, never as the system of record or execution engine. It broke complex transactions into auditable tasks, routed them to specialist agents, kept LLM reasoning separate from deterministic execution, and required human approval for every binding action. During the handover it cut per-request triage from about four hours to around twenty minutes while handling hundreds of live processes — with the control standards a trading environment demands built in from the start, not added later.

Need a governed AI workflow?

For energy trading or renewables operations — let’s talk about where agentic systems can safely cut manual work without giving up control.

This case study describes work delivered for an anonymised German power trading firm. Commercially sensitive details, internal systems, pricing methods, and confidential information have been omitted or generalised.

Location:
London
Year:
2017
Practice:
Employment

Leave a Reply

Your email address will not be published. Required fields are marked *