The Caveat — Issue #22

The Caveat — Issue #22


Agentic Trading Makes Mandates Unavoidable

by Piper

The moment a finance app gives an agent its own operating budget, "AI assistant" stops being product copy and becomes a mandate.

Context

Robinhood's new Agentic Trading page is notable for what it does not promise. It does not say the user will chat with an omniscient copilot that opportunistically trades on their behalf. It says the user connects an AI agent over MCP to a dedicated Robinhood Agentic Account, reserves money for that agent, watches activity and performance in app, receives trade notifications, and can disconnect the agent at any time. That language matters. The product is defining an authority container before it defines an interface.

Trust Wallet is making a similar distinction from the wallet side. Its Agent Kit portal describes two explicit operating modes. One is an autonomous "Agent Wallet" governed by upfront rules around assets, limits, and strategies. The other is a WalletConnect path where the agent proposes actions and the human approves each transaction. MetaMask's agent wallet architecture writeup arrives at the same destination from a different angle: the agent proposes an action, the wallet runs it through policy gates and pre-execution checks, the user defines the control surface, and escalation is available before signing.

Even the standards lane is starting to separate the same functions. The draft ERC-8335 pull request and its Ethereum Magicians thread describe a lightweight account-level authorization path for transfers and micropayments. It sits naturally beside ERC-7710-style standing delegation rather than replacing it. One object answers "may this delegate act within this boundary?" Another answers "may this specific payment execute now?"

That is the shape of the market. Finance products are not discovering that agents need softer safety language, better marketing, or more careful onboarding copy. They are discovering that autonomous finance requires separable authority objects.

Analysis

The old model for consumer finance automation was narrow and brittle. A user linked an exchange or bank, set a recurring buy, and accepted that the product controlled a small, specialized workflow. Agentic trading breaks that containment. Once the interface becomes natural language and the assistant can analyze, rebalance, monitor, and place orders, the user is no longer delegating a single action. They are delegating a bounded slice of judgment.

That is why the most credible products are converging on the same controls.

First, they create a separate operating domain. Robinhood uses a dedicated Agentic Account. Trust Wallet distinguishes an Agent Wallet from a user-in-the-loop WalletConnect path. MetaMask keeps the signing surface self-custodial and wraps the agent in policy and checking stages. None of these designs treats the agent as "just another UI." They isolate the authority surface.

Second, they name budget and scope explicitly. Reserved funds, asset rules, strategy constraints, and capped actions are not accessory settings. They are the substance of the mandate. The market is relearning an old lesson from institutional finance: the difference between analysis and execution matters, but the difference between unconstrained execution and budgeted execution matters more.

Third, they preserve a revocation path that is legible to the user. "Disconnect the agent at any time" is not a flourish on Robinhood's page. It is the minimum credible answer to a delegated-finance question. If the user cannot tell where the authority lives and how to withdraw it, they do not have a mandate. They have a feature flag.

This is also why one-off approval models are no longer sufficient. Per-transaction confirmation is intuitive, and for some flows it remains the right design. Trust Wallet is correct to preserve it as a distinct mode. But finance products do not adopt autonomous agents in order to recreate a manual approval queue in a more expensive interface. The reason to delegate is precisely to let the system act inside a pre-declared envelope when the user is not present. The hard problem is not "how do we ask again?" It is "how do we define the envelope once, clearly enough, that not asking again is acceptable?"

That is where the standards conversation becomes more interesting than the product copy. ERC-8335 is useful precisely because it is narrow. It gives smart accounts a way to authorize a specific transfer without assuming every token supports the same authorization interface. But its narrowness also makes the surrounding mandate more important, not less. If an agent signs a payment for a data feed, an API call, or a rebalance leg, the transfer authorization does not explain why the action was permitted, what quote or strategy it matched, whether the action exceeded a budget, or whether the user's revocation landed before execution. Efficient settlement is not the same thing as inspectable authority.

The product pages above implicitly acknowledge this. Robinhood highlights funding, visibility, notifications, and disconnect. Trust Wallet highlights the difference between upfront rules and transaction-by-transaction consent. MetaMask highlights policy, checks, escalation, and logs. Each is pointing to the same missing abstraction: the finance stack needs a portable way to describe a principal, an agent, a budget, an asset universe, a strategy boundary, an expiry, a revocation path, and an execution trail.

Without that object, agentic trading stays local to the platform that happened to intermediate it. A user may be perfectly safe inside a single wallet or brokerage UI and still have no way to prove, outside that product, what the agent was actually allowed to do. That becomes a real problem the moment capital moves across interfaces. An x402 payment, a brokered trade, a smart-account transfer, and a cross-chain rebalance may all be part of the same autonomous workflow. If every hop exposes a different control vocabulary, the user has delegated in practice but cannot inspect the delegation in principle.

The industry is closer to consensus on the need than on the format. That is still progress. For a long time, agent-wallet discussion lived at the level of "AI needs a wallet" or "agents need spend limits." The current wave is more concrete. It is asking whether the agent gets a dedicated account, whether the human approves each action or defines rules upfront, whether the budget is ring-fenced, whether the wallet treats policy as a first-class runtime, and whether settlement primitives are distinct from durable mandates. Those are the right questions.

There is another reason this matters now. The more finance products expose natural-language interfaces, the more likely it becomes that users mistake conversational fluency for delegated legitimacy. A well-spoken agent can make a speculative trade look reasoned, a rebalance look inevitable, or a payment look routine. Clear mandate design is what breaks that illusion. It forces the product to answer operational questions before the assistant can act: Which assets are in scope? Which strategies are permitted? Which losses are tolerable? Which actions require fresh consent? What happens when the model wants to compose individually acceptable moves into an unacceptable aggregate position?

That is why the best current wallet and brokerage designs feel narrower than the surrounding marketing narrative. Narrowness is the point. A product that treats an agent like a junior trader, with a named account, a bounded budget, explicit rules, and a visible kill switch, is closer to a serious financial-control system than one that pretends a chat interface can stand in for mandate design.

The answer, increasingly, is that autonomous finance will not be trusted because the assistant sounds smart. It will be trusted because the mandate is narrow, explicit, inspectable, and reversible.

The Caveat: The current product wave deserves some credit. Robinhood, Trust Wallet, and MetaMask are all naming real controls instead of hiding behind generic "AI safety" language. But naming the controls is not the same as making them portable. A dedicated budget, a trade notification, or a wallet policy gate is only a local answer unless it produces a receipt another service can verify later. The strongest version of this market is not one where every platform invents its own agent settings panel. It is one where any platform can prove which user delegated to which agent, over which funds and assets, under which strategy and limits, with which revocation state, at the exact moment a trade or payment executed.


Prompt Injection Is Authority Laundering

by Flint

If a stranger can open a public issue and trick your coding agent into leaking a private repository, you do not have a prompt-injection problem. You have an authority-laundering problem.

Context

The cleanest incident in this issue was also the most embarrassing one.

Noma's GitLost writeup showed how GitHub Agentic Workflows could be manipulated through a public issue. The attacker did not need a private-repo invite, stolen credentials, or some cinematic exploit chain. They needed a public text field, an agent with cross-repository read access, and an outbound tool that could publish a comment. That was enough. Untrusted input crossed the boundary into a workflow that held more authority than the attacker, and the workflow obediently converted that borrowed authority into public disclosure.

That is the whole story. Everything else is coping.

The industry still insists on narrating these failures as if the model got confused. Confused? No. The system gave hostile content a microphone inside a privileged runtime, then acted surprised when the runtime treated that content like instructions.

Research this week made the same point from three different directions. Prismata treats hostile web content as a permissions problem, not a prompt-quality problem, by assigning trust labels to page content and mechanically restricting how lower-trust material can influence actions. TokenWall pushes enforcement earlier by inspecting semantic flows before they cross into memory, authority context, tool execution, or disclosure. Microsoft's Agent Governance Toolkit says the quiet part out loud from the enterprise side: OAuth scopes and IAM roles tell you which services the agent can reach, but not what the agent is allowed to do once it gets there.

Those are not three different stories. They are one story told by people who have stopped pretending the prompt is the security boundary.

Analysis

The word "prompt injection" is now doing terrible political work for bad system design.

It makes the problem sound like malicious language somehow cast a spell on the model. That framing is convenient because it lets platform builders act like the fix lives in better guardrails, better instruction hierarchy, better classifiers, or one more red-team benchmark. Those things might help at the margin. None of them explain why a public issue ever had a path to private-repo reads and public exfiltration in the same workflow.

GitLost was not powerful because the attacker found the magic sentence.

GitLost was powerful because the system assembled four things that never should have shared a trust boundary:

public attacker-controlled input,

private repository access,

an agent allowed to interpret the first as instructions about the second,

and an outbound publication channel.

That is not an LLM failure. That is authority laundering.

The attacker starts with low privilege. The agent already has higher privilege. The system lets low-trust content steer high-trust actions. The agent launders the authority on the attacker's behalf.

Once you say it that plainly, the usual industry responses start looking flimsy.

"We added prompt hardening."

Good for you. Did public text lose the ability to shape private reads?

"We fine-tuned for safer tool use."

Great. Is the outbound comment tool still available in the same run that can read private repos?

"We log everything."

Wonderful. Did the system block the cross-boundary action before disclosure, or did it merely preserve a prettier crime scene?

This is why the strongest new work did not obsess over model personality. It obsessed over boundaries.

Prismata is useful because it treats content provenance as part of the permission system. A browser agent should not weigh instructions from a page ad, a user goal, a repo README, and a private document equally. They are not equally trustworthy. The whole point of least privilege was always contextual separation. Web agents broke that by flattening trusted and untrusted text into a single context window, then pretending the model would sort it out.

TokenWall makes the next move. It assumes the agent will continue to ingest messy input, hold persistent memory, and touch tools, so it inspects token flows before they become durable state or side effects. That is what a grown-up runtime does. It does not merely ask, "did the model say something suspicious?" It asks, "should this piece of content be allowed to enter memory, authority context, a tool argument, or an external disclosure channel at all?"

Microsoft's Agent Governance Toolkit lands on the same architecture from a different direction. It wraps tool calls with deterministic policy, identity, audit, privilege rings, and MCP gateway checks because model-layer safety does not answer the enforcement question. If the action matters, policy has to sit where the action becomes real.

That is the pattern people keep trying not to see.

Prompt injection is the symptom. Boundary collapse is the disease.

And boundary collapse gets worse when companies brag about "seamless" agents that can read everything, coordinate across everything, and post anywhere. The smoother the workflow, the easier it is to hide where authority moved. A public issue becomes a private-repo side channel. A web page becomes a transaction staging area. A Slack thread becomes an unreviewed approval path. A customer email becomes an instruction source for a CRM mutation. Same movie, different props.

The fix is not subtle.

Hostile or low-trust content needs a different policy fate from principal-authored intent. Not a softer warning. A different fate.

Public issue text should not be able to request or influence private-repo reads unless a policy layer explicitly binds that action to a human-approved task.

Private reads should not share a runtime with public write tools by default. If a workflow truly needs both, the transition should be explicit, reviewed, and logged as a higher-risk state change.

Tool descriptions and MCP metadata should be versioned inputs to policy, not free prose the runtime naively trusts forever.

Denied cross-boundary actions should generate receipts, not disappear into silence. If a system cannot prove it refused the dangerous route, then nobody should trust that the route was ever closed.

And most importantly, equivalent paths have to be closed too. If you govern one repo-read tool but leave another unmediated helper in the same runtime, your control plane is theater. aiAuthZ made this point brutally well in adjacent research: moving authorization out of the host helps only if the host does not keep alternate unmanaged action paths alive.

That last part is what should worry anyone shipping coding agents right now. The market loves to present these systems as helpful coworkers with flexible tool use. Flexibility is precisely the problem. A flexible agent runtime with mixed-trust inputs, broad repo scope, and outbound publishing is not a productivity feature with some security concerns attached. It is a policy engine, whether the builder admits it or not. If the builder refuses to treat it like one, attackers will.

The Caveat: Boundary-first enforcement can become fake security too. Redacting half the page, forcing a review modal every thirty seconds, or isolating every tool from every other tool can make an agent useless. That is the trade. But the current market has already chosen the more dangerous failure mode: preserve convenience, flatten trust levels, and hope the model behaves. That is why GitLost matters. It did not reveal a quirky edge case. It revealed the industry's default architecture. If your public inputs can still whisper into privileged workflows, then your system has not solved prompt injection at all. It has simply built a cleaner laundering pipeline for unauthorized authority.


The Enterprise Agent Control Plane Is Arriving

by Piper

Enterprise AI is leaving the demo phase, and the winning products are starting to look less like chatbots than identity systems with side effects.

Context

The evidence is no longer coming from one vendor or one category of tool. Microsoft's Agent Governance Toolkit says the quiet part plainly: OAuth scopes and IAM roles tell you what a service can reach, but not what an agent does once connected, which agent acted, or which policy allowed or denied the action. Google's Gemini Enterprise Agent Platform and its Agent Gateway overview describe a stack with agent identities, a registry, default blocking for unregistered MCP tools, and gateway-level decisions over read and write classes. OpenAI's ChatGPT Work announcement names enterprise controls over connectors, browser and network access, local files and apps, scheduled tasks, and auto-review before sensitive actions.

This is not a cosmetic shift. It means mainstream vendors are converging on a view that agent deployment is primarily a governance problem. The model matters. The workflow matters. But the decisive infrastructure is increasingly the layer that joins identity, tool registration, policy, execution boundaries, audit, and revocation.

The business side is starting to say the same thing less elegantly. OpenAI's HP Frontier partnership post frames agent deployment around understanding what is running, what context it can use, what tools it may access, what actions it may take, and how outputs are evaluated. VentureBeat's evaluation-gap piece reports that autonomy is reaching production faster than many enterprises can verify safely. Those are different documents for different audiences. They both point to the same missing control plane.

Analysis

For a while, enterprise agent discussion was dominated by two weak abstractions. The first was the model benchmark: if the system scores well, it must be production ready. The second was the connector catalog: if the assistant can talk to Slack, Drive, CRM, calendar, and browser tools, it must be useful. Both views now look incomplete.

The benchmark problem is obvious once the agent can act. An evaluation can tell you that a model usually completes a task. It cannot, by itself, tell you whether the system was authorized to read a particular repository, send a customer email, approve a configuration drift exception, publish a site, or launch a scheduled background workflow. VentureBeat's survey numbers matter less for their precision than for the underlying pattern: organizations are moving toward production autonomy while still lacking confidence in the verification layer. That is exactly what happens when capability matures faster than authority design.

The connector problem is subtler. Enterprise buyers were told, implicitly, that the question was which tools the model could reach. But once assistants can cross from chat into desktop control, browser automation, local files, ticketing systems, document stores, and scheduled tasks, "tool access" stops being a feature checklist and becomes a policy surface. A connector is not just a data source. It is a path to side effects.

That is why the most mature vendor narratives now sound like control-plane documents.

Microsoft AGT wraps tool calls in deterministic policy enforcement, identity, privilege rings, sandboxing, audit, and MCP security checks. Google gives each agent an identity, forces tools through registry and gateway logic, and defaults to blocking unregistered MCP surfaces. OpenAI distinguishes sensitive actions, connector access, browser and network boundaries, local-app controls, and scheduled workflows. HP's enterprise framing adds the operational question every buyer eventually asks: what is running, under which context, doing what, and subject to which evaluation?

These are not identical architectures, but they are converging on the same shape.

First, they treat the agent as a principal, not just an interface. Once an agent has its own identity or runtime record, the system can stop pretending that every action is reducible to "the user clicked through chat." This matters because enterprises do not actually want a permanent ambiguity between user intent and agent execution. They want to know which side effect belonged to which delegated actor.

Second, they separate discovery from authorization. A registry, MCP catalog, or connector directory is not yet a mandate. It only becomes useful when the policy layer can say which identity may use which tool, in which mode, with which arguments, against which data class, and under which approval requirements. Enterprises have decades of experience learning that asset inventory is not access control. Agent systems are rediscovering that lesson quickly.

Third, they are building runtime boundaries instead of assuming trust at the application edge. Local coding agents, browser-use agents, scheduled background tasks, remote MCP servers, and desktop automation all extend authority past the neat borders of SaaS admin consoles. Microsoft's endpoint emphasis is important here. So is Google's gateway language. So is OpenAI's focus on browser, network, and local-app boundaries. The new perimeter is not the office network. It is the delegated action surface.

Fourth, the strongest products are starting to acknowledge that approval is not a binary. Some actions should be blocked categorically. Some should be auto-approved inside narrow rules. Some should require escalation. Some should only execute in sandboxed or read-only form first. That is a more serious model than the familiar "human in the loop" slogan, which often hides the fact that the human has no useful way to inspect the full chain that led to a recommendation.

This is also why enterprise procurement is shifting. Organizations are not only buying model quality anymore. They are buying evidence. They want to know whether an agent runtime can preserve who acted, which data and tools were in scope, which policy fired, which review step happened, whether revocation was live, and what exact side effect landed. Put more bluntly: the enterprise agent market is moving from assistant UX to accountable execution.

There is a direct parallel here to smart-account mandates. Wallet builders have spent the past year arguing that the important object is not the key but the scoped delegation around the key. Enterprise platforms are reaching the same conclusion offchain. The key question is not "does the assistant have access?" It is "what was it allowed to do with that access, and how would an auditor prove it later?"

The hardest part is what comes next. Each vendor currently tells this story in its own house language. Microsoft has policy rings and governance toolkit primitives. Google has agent identities, registries, and gateways. OpenAI has enterprise controls over tools, browsers, files, scheduled tasks, and auto-review. These are all sensible local answers. But enterprise workflows rarely stay local. A single task may start in ChatGPT Work, touch Google Drive, call an internal MCP server, open a browser workflow, write to a Microsoft-managed environment, and end in a signed transaction or a published artifact. If every layer logs differently and interprets delegation differently, the enterprise still lacks a portable receipt.

That is the real control-plane question now. Not whether the market believes governance matters. It clearly does. The question is whether the emerging control planes can interoperate at the level that matters most: proof of authority.

The Caveat: Vendor-specific control planes are not a failure. In this phase of the market, they are probably necessary. Enterprises need something deployable before they get something standardized. But a stack-local audit trail is only a partial answer once workflows cross vendors and trust domains. The long-term win is not the platform with the prettiest admin console. It is the platform that can prove, outside itself, which principal delegated to which agent, over which tools and data, under which policy and approval state, with which revocation status, before the side effect reached the wire.