Revenge of the Atoms | 07/01/2026
Don’t Give the Agent the Keys
AI agents can search, plan, negotiate, and execute at a speed no human can match. But speed without a security boundary is just a faster way to lose control. This is the architectural problem the financial industry has already solved once before, and Ledger Agent Stack is how it gets solved again.
<TL;DR>
This is not a condemnation of agents. It is a division of labor. Agents are useful because they are probabilistic: they can search, plan, negotiate, and see around corners. But the security boundary has to be deterministic. Ledger Agent Stack separates agent work from secure approval: identity helps inventory and provision agents, policies decide what can happen automatically, and humans approve high-risk or out-of-policy actions on Ledger secure hardware with secure screens. Agents propose. Humans sign. Hardware enforces. Your Agent can start at Developers.Ledger.com.
</TL;DR>
In the early web, the strangest act of trust on the internet was typing your credit card number into a blank box on a website.
Your card number was not magic. It was not even very secret. It was printed on plastic, handed to waiters, read over the phone, stored in databases, copied into forms. It was a bearer token. Whoever held the digits could spend the money.
If someone else had your number, they could use it, and the transaction looked like it came from you. That was the problem. The number identified the account. It did not prove who was actually using it.
We did not fix that by making card numbers more official. We fixed it by adding a check at the moment of purchase. Prove you are the real cardholder, right now, and that this is the transaction you want to make. Is this you, doing exactly this, right now?
That idea became 3-D Secure. The early versions were clumsy (actually, downright dumb), and even the (much improved) current version is not the end of the story, but the architectural move was correct:
Security moved to the moment of the act.
Agent Identity Alone Is Not Enough
This week, at Point Zero in Zurich, I watched the financial industry and regulators have the same conversation again, this time about AI agents.
A recurring theme of the conference was Agent Identity. Identity is useful, but it is not security. Identity without transaction-time security is worse than useless; it creates an untrustable transaction record.
We are moving toward a world where most enterprises will have multiple agents per person. Inventorying and provisioning these agents will be an important business function. We will need to know which agents exist across the organization, who owns them, what resources they have access to, and which humans are allowed to instruct them. It is important that an agent knows who its owner is, and that it only takes instructions from that owner or from someone the owner has authorized. The agent can be linked to a human, a company, a role, or some other accountable principal. Some systems will refuse to interact with an agent unless that agent can prove who it belongs to.
All of that matters. None of it is enough.
At best, identity tells you which agent was used to make a request. By itself, it does not tell you who instructed the agent to make that request.
That distinction is everything.
An agent can be owned by me but controlled by you. If that happens, the audit trail is not a useful record of the truth. It says “Ian’s agent did this,” when the relevant fact is that someone else caused Ian’s agent to do it.
This is the credit card problem again. The card number identified the account, but not the person using it. Agent identity identifies the agent, but not necessarily the human who initiated a given action.
Without transaction-time security, identity gives you a false sense of accountability. It can make a bad audit trail look official. That is worse than no audit trail, because it lets bad data pass as proof.
The crucial moment is not when the agent introduces itself. The moment that matters is when an agent tries to move money, change permissions, disclose a secret, sign a contract, execute a trade, or commit to something real.
At that moment, the question is not only “which agent is this?” The question is “who authorized this exact action?”
That is where security has to live.
How To Keep Agents Autonomous and Secure
The second mistake is trying to put determinism inside the model.
People want to teach the model governance. They want to pour policy into it. “The model must contain compliance guardrails.” They want it to promise it will follow the rules. This sounds reasonable until you remember what the model is for.
An AI agent is valuable because it is probabilistic. It can reason around corners. It can synthesize, search, plan, write, compare, summarize, negotiate with tools, and find paths a deterministic system would never find. That is the point.
You do not hire a creative coworker and then ask him to behave like a calculator. You do not buy a race car and then bolt it to the garage floor.
Let the agent do what agents do. Let it plan, research, draft, and go a little crazy. It can think. It can suggest. But when it wants to act, take the decision out of the probabilistic layer and hand it to a deterministic one.
The agent proposes. Something else decides whether the proposal can become an action.
My friend Leonard Lin at Shisa.ai says this very cleanly: Agents can do an enormous amount of work, but in the end, “The question is, is the agent doing what the user is asking it to do? I only allow the agent to suggest, not act.”
That is the clean division of labor.
The model is allowed to be probabilistic. The authorization layer is not.
This is already how serious financial security works. In Ledger Enterprise (born seven years ago), a human uses secure Ledger hardware to set policy in an HSM. When an action arrives, the HSM asks a simple question: “Do I have everything I need for this to be allowed?”
Perhaps the answer requires one signature. Maybe it requires two-of-three. Maybe it requires three-of-five, and one of them must be the CFO. Maybe it depends on the amount, the counterparty, the asset, the time of day, or any other condition that can be attested.
When the policy is satisfied, the HSM signs. When it is not, the action stops, and a human has to approve it on hardware.
Point that architecture at agents and the false trade-off between autonomy and security disappears.
Today people talk as if we have to choose between autonomy and security. Either the agent is useful and dangerous, or safe and useless. This doesn’t need to be the case.
Inside policy, the agent can be autonomous. Outside policy, a human steps in. Autonomy lives inside the boundary. Security is the boundary.
This also changes what regulators should ask.
Auditability via Human Control
Another surprising question I heard this week: “Can your secure screen show me how the model arrived at its answer?”
I understand the instinct. Finance is used to audit trails. Regulators want reasons. Executives want explanations. When a machine does something consequential, everyone wants to walk backward through the decision and find the moment where it became inevitable.
But with AI agents, that question has a limit. The engineers often cannot tell you with audit-grade precision why a model produced a specific answer. Even when a model shows its reasoning, research on chain-of-thought faithfulness has shown that the explanation is not always a faithful record of how the answer was reached. In other words: don’t ask, it’s gonna lie.
So do not build the control system around the model’s autobiography.
Build it around the act.
What did the agent propose? Who was allowed to instruct that agent? What policy applied? Who set that policy? On what hardware? What was displayed to the human? Who signed? When? For which exact action? Was the policy satisfied, or was the action blocked?
That is an audit trail finance actually knows how to live with.
The point is not to make the model explain itself better. The point is to make sure the model never holds the keys, and that no consequential action can be attributed to a human unless that human, or a policy that human approved, actually authorized it.
This requires a stack:
- First, Agent Identity. Know which agent you are talking to.
- Second, a secure channel between the owner and the agent, so the agent can verify that the instruction is really coming from the right human or organization, not from someone who has gained control of the session.
- Third, Agent Intents. Let the agent put proposed actions into a queue. Do not pretend the proposal is the same thing as permission.
- Fourth, policies set on secure hardware. Let the deterministic layer decide which actions can happen automatically.
- Fifth, human signatures on secure hardware when the action falls outside the boundary.
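To make the policy engine described above concrete (the HSM asking “Do I have everything I need for this to be allowed?” with one, two-of-three, or three-of-five signatures, one of which must be the CFO, and conditions on amount and counterparty) together with the five-layer stack just listed, here is an added Python example. It is not Ledger’s code and does not use Ledger’s APIs: the signer registry, agent owner, policy table, names and amounts are all constructed for the example, and an HMAC under a per-person key stands in for the signature a hardware signer would produce, so it runs offline. What it shows is the split the post argues for: the agent only forms an intent from an instruction it can verify came from its owner, the intent is a proposal hashed canonically so the human approves exactly what is signed, a deterministic rule table decides whether the action is inside policy, and every decision yields the audit record the post asks for (what was proposed, which policy applied, who signed, and whether the policy was satisfied).

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

# Constructed signer registry. In the architecture the post describes each key
# stays on a dedicated hardware signer; here an HMAC key per person stands in
# for that signature so the example runs offline.
SIGNERS = {
    "alice": {"key": b"alice-hw-key", "role": "ops"},
    "bob":   {"key": b"bob-hw-key",   "role": "ops"},
    "carol": {"key": b"carol-hw-key", "role": "cfo"},
}
# Layer 1: agent identity, bound to an accountable owner (constructed).
AGENT_OWNER = {"treasury-agent-1": "alice"}

def mac(person: str, message: str) -> str:
    """Stand-in for a hardware signature: HMAC-SHA256 under the person's key."""
    return hmac.new(SIGNERS[person]["key"], message.encode(), hashlib.sha256).hexdigest()

# Layer 2: the agent only accepts instructions it can verify came from its owner.
def verify_instruction(agent_id: str, instruction: str, tag: str) -> bool:
    owner = AGENT_OWNER[agent_id]
    return hmac.compare_digest(mac(owner, instruction), tag)

# Layer 3: an intent is a proposal, not permission. It is hashed canonically so
# what the human sees on the secure screen is exactly what gets signed.
@dataclass(frozen=True)
class Intent:
    agent_id: str
    action: str
    asset: str
    amount: int
    counterparty: str

    def digest(self) -> str:
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()

# Layer 4: a deterministic policy table (constructed). First matching rule wins.
# need = signatures required (0 = allowed automatically); roles = mandatory roles.
POLICY = [
    {"asset": "USDC", "max": 1_000,  "allow": {"vendor-a"}, "need": 0, "roles": set()},
    {"asset": "USDC", "max": 50_000, "allow": None,         "need": 2, "roles": set()},
    {"asset": "USDC", "max": None,   "allow": None,         "need": 3, "roles": {"cfo"}},
]

def match_rule(intent: Intent):
    for idx, rule in enumerate(POLICY):
        if rule["asset"] != intent.asset:
            continue
        if rule["max"] is not None and intent.amount > rule["max"]:
            continue
        if rule["allow"] is not None and intent.counterparty not in rule["allow"]:
            continue
        return idx, rule
    return None, None

# Layer 5: human signatures over the intent digest, checked against the registry.
def verified_signers(intent: Intent, signatures: dict) -> set:
    digest = intent.digest()
    return {p for p, s in signatures.items()
            if p in SIGNERS and hmac.compare_digest(mac(p, digest), s)}

def decide(intent: Intent, signatures: dict) -> dict:
    """Decide auto / approved / pending_human / blocked and return the audit record."""
    idx, rule = match_rule(intent)
    signers = verified_signers(intent, signatures)
    record = {"agent": intent.agent_id, "owner": AGENT_OWNER[intent.agent_id],
              "intent": intent.digest(), "policy_rule": idx, "signers": sorted(signers)}
    if rule is None:
        return {**record, "decision": "blocked", "reason": "no policy covers this action"}
    if rule["need"] == 0:
        return {**record, "decision": "auto", "reason": "inside policy"}
    roles_present = {SIGNERS[p]["role"] for p in signers}
    missing_roles = rule["roles"] - roles_present
    if len(signers) >= rule["need"] and not missing_roles:
        return {**record, "decision": "approved", "reason": "policy satisfied"}
    return {**record, "decision": "pending_human",
            "reason": f"need {rule['need']} signatures incl. roles {sorted(rule['roles'])}, have {len(signers)}"}

def demo():
    instruction = "pay vendor-b 20000 USDC"
    assert verify_instruction("treasury-agent-1", instruction, mac("alice", instruction))
    assert not verify_instruction("treasury-agent-1", instruction, mac("bob", instruction))
    intent = Intent("treasury-agent-1", "transfer", "USDC", 20_000, "vendor-b")
    print(decide(intent, {}))                                   # pending_human: 2 signatures needed
    sigs = {p: mac(p, intent.digest()) for p in ("alice", "bob")}
    print(decide(intent, sigs))                                 # approved
    big = Intent("treasury-agent-1", "transfer", "USDC", 250_000, "vendor-b")
    sigs = {p: mac(p, big.digest()) for p in ("alice", "bob", "carol")}
    sigs["carol"] = "00" * 32                                   # CFO signature does not verify
    print(decide(big, sigs))                                    # pending_human: cfo role missing

if __name__ == "__main__":
    demo()
```

The point of the shape: nothing in the agent’s layer can turn a proposal into an action. The model can fill the queue with whatever it likes; only `decide`, driven by a table a human set and by signatures only a human can produce, determines what is inside the boundary, and a signature that does not verify simply does not count.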
This is where identity becomes useful again. Identity alone is not security. But identity plus secure control, agent intent, hardware-set policy, transaction-time approval, and Proof of Human starts to become a real system.
Proof of human, or Proof of You, does not have to mean dumping personal information into every system an agent touches. With zero-knowledge proofs, you can prove what needs to be true without exposing everything else. Age. Citizenship. Membership. Funds. Authority over a resource. The fact that there is a real accountable person behind the agent.
That stack is not a slower version of the agentic future. It is the version that can survive contact with money.
No True Security Without Secure Hardware
You are going to see a lot of agent security products over the next six months. Some will be serious. Many will be theater. The tests are simple.
- If there is agent identity but no secure way to prove who instructed the agent and who approved the action, you are looking at a card number with a better logo.
- If the plan is to put determinism inside the model, the architecture has been chosen incorrectly.
- If the approval happens on a smartphone or laptop where messaging apps, browsers, malware, poisoned documents, etc. might live, then this is not a device capable of securely signing an important transaction.
A separate piece of secure hardware is not a nicer button. It is a different boundary. It gives the human a place to see what is being signed and approve it from somewhere the agent cannot rewrite.
That difference is not marketing. It is physics.
We fixed the card by checking at the register.
We fix the agent by checking at the moment of the act.
Agents propose. Humans set policies and approve on secure Ledger signers with secure screens. Hardware enforces.
Ledger Agent Stack
The above is the idea behind Ledger Agent Stack: a security architecture for the agentic economy, built on the same principles Ledger has spent the last decade proving in digital assets and enterprise finance. Hand Developers.Ledger.com to your agent and ask them to take it for a test spin. Currently, we offer CLIs for our flagship products, Ledger Wallet, Ledger Enterprise, and Ledger Multisig.
If you would like to inquire about being the first to use Agent Intents, Policies, and Proof of Human, please drop us a line at [email protected].
ian c rogers,
Chief Human Agency Officer, Ledger