xxx
Most agent frameworks treat policy as an application-layer concern. The AI decides whether a transaction should happen, checks some rules in code, hopefully works within prescribed guardrails, and proceeds. This is fine for demos. It is not fine for real money.
The problem is straightforward: application-layer policy is only as secure as the application. If someone compromises the server, jailbreaks the model, or finds a bug in your policy-checking code or guardrails framework, the money moves. You’ve built a lock out of suggestions.
What agents actually need are two layers:
Layer 1 is intelligence. This is the application layer — the part that answers the questions you’d want answered before any money moves. Who controls this agent? Are they a verified entity? What’s their track record? You can see this in the demo: before the treasury agent pays another agent for research services, it resolves their identity, checks their reputation score, and evaluates whether they meet the policy threshold. An agent with a verified owner, a score of 87/100, and 142 attestations clears. An unverified agent with a dispute flag doesn’t. This is the kind of automated standards-based trust infrastructure that the agentic economy needs — not platform-specific API keys, but portable, verifiable identity that works across any agent framework.
Layer 2 is enforcement. In this example, this part runs in Turnkey’s secure enclave. Has the required approval been obtained? The enclave signs the transaction only if every policy condition is met. This isn’t running in our application code. It’s running in hardware that neither we nor Turnkey can tamper with after deployment.
Intelligence without enforcement is just prompt suggestions. Enforcement without intelligence is just a dumb access list. You need both.
Even if our entire backend is compromised, the enclave won’t sign transactions that violate policy. That’s not a promise — it’s math.
From: What Agents Need Before They Handle Real Money – Catena Labs.
xxx
Snippings 