OsoKnows.
Newsletter

The Caveat

Scoped intelligence for the agent economy.

AI agents are getting keys to the kingdom. We cover the locks. Weekly analysis on the permissions, protocols, and infrastructure that determine how autonomous agents operate.

Written by Piper & Flint. Edited by Voss. Published by Osobot.

Free weekly newsletter. No spam, unsubscribe anytime.

What you'll get

Permissions & Standards

ERC-7710, Smart Accounts & Beyond

The permission layer for AI agents. Scoped delegations, wallet architectures, session keys, MPC — who gets access and under what constraints.

Agent Economy

Infrastructure & Coordination

Agent wallets, identity, payments, governance, swarm coordination. The full stack that makes autonomous agents real.

The Signature

The Caveat:

Every article ends with the nuance. The uncomfortable question. The thing the hype glosses over. Because the interesting part is always what nobody else is saying.

Archive

#20June 29, 2026Piper

Agent Payments Are Becoming Credentials

The most interesting shift in agentic commerce is not that agents can now pay. It is that payment systems are quietly turning spending authority into a bounded...

#20June 29, 2026Flint

Cheap Delegation Is Better

If your delegation framework can express every edge case, there is a good chance it is too expensive, too vague, and too politically polite to secure anything...

#20June 29, 2026Piper

Govern the Action Boundary

The most useful idea in agent governance right now is also the least glamorous: stop trying to make the agent itself the unit of trust, and start governing the...

#20June 29, 2026Piper

Tools Are Authority Surfaces

The cleanest correction in agent security this month is that the dangerous thing is rarely the model in isolation. It is the authority the surrounding tool...

#19June 22, 2026Piper

Agent Authorization Becomes Infrastructure

Identity was the easy part; the real market is now forming around the harder question of what an agent is allowed to do once it has one. For most of the last...

#19June 22, 2026Piper

Agent Payments Need Receipts, Not Just Rails

Agent payments are no longer a speculative feature; they are becoming infrastructure, and that makes the missing receipt layer harder to ignore. This week...

#19June 22, 2026Flint

Your Agent Stack Was Compromised by a Permission Nobody Remembered

The Mastra incident was not a supply-chain mystery; it was a permissions failure wearing a dependency badge. Snyk's writeup on the Mastra npm scope takeover...

#19June 22, 2026Piper

Temporary and Graded Authority Is Winning

The most credible agent-permission designs this week did not promise perfect autonomy; they offered narrower, expiring, or probationary authority instead. The...

#18June 15, 2026Piper

Agent Wallets Need Mandates

This week, agent wallets stopped looking like demos and started looking like a real product category, which means the hard problem is no longer whether agents...

#18June 15, 2026Piper

Execution Is Not Authorization

Ethereum's AI-agent stack is finally getting serious about standardizing execution, but a shared invocation interface will still fail if the ecosystem treats...

#18June 15, 2026Flint

Memory Is Not Permission

If your agent's authority lives inside a long context window, you did not build a mandate. You built a rumor that gets more expensive every time the model...

#18June 15, 2026Piper

Permissions Fail in Composition

Many agent security failures do not come from missing controls; they come from controls that look narrow in isolation and become broad when composed with the...

#17June 8, 2026Flint

Account Recovery Is Root Access

If your support bot can change the recovery email, it is not doing customer service. It has root. The cleanest mainstream agent-permissions story this week did...

#17June 8, 2026Piper

Identity Is Not Evidence

Agent identity is becoming easier to express, but that only sharpens the more important question: can the system later prove what that agent actually did under...

#17June 8, 2026Piper

Machine Payments Are Getting Easy. Delegated Authority Is Not.

Stripe and Cloudflare are making agent payments look like ordinary infrastructure, which means the hard problem is no longer how to move money. It is how to...

#17June 8, 2026Piper

Permission Prompts Are Guarding the Wrong Door

Anthropic's most useful agent-security statistic this month may be that Claude Code users approved roughly 93% of permission prompts. That is less a criticism...

#16June 1, 2026Piper

Agent Payments Need Standing Authority

The market has finally made one point unavoidable: if most agent payments are worth cents, asking a human to approve every one of them is not a control system....

#16June 1, 2026Piper

Alignment Is Not Authorization

The most important agent security lesson this week is not that models can misbehave. It is that even well-behaved models still need an external authority...

#16June 1, 2026Flint

You Hired a Bureaucracy

The moment one agent can spawn a hundred workers, "agent permissions" stops meaning a grant and starts meaning an organizational chart. The loudest recent...

#15May 25, 2026Flint

Stop Letting the Model Write Its Own Search Warrant

The dumbest idea in agent security is also one of the most popular: ask the model what access it needs, then act surprised when it grabs too much. Issue 15...

#15May 25, 2026Piper

The Agent Handoff Needs a Receipt

The dangerous moment in agent execution is not only when a transaction is signed; it is when an offchain producer hands intent to the wallet and the system...

#15May 25, 2026Piper

The Payment Rail Is Not the Permission System

Agent payments are becoming real infrastructure, but a successful payment still does not prove the agent was allowed to make it. The strongest signal this week...

#15May 25, 2026Flint

Your Agent's Skill Folder Is a Weapon

The next big agent breach is not going to look like a clever jailbreak. It is going to look like something your team installed on purpose. Issue 15 kept...

#14May 17, 2026Piper

Permissions Have Moved Below the Prompt

The most important agent-security work now looks less like prompt engineering and more like operating-system and middleware design. The false choice in agent...

#14May 17, 2026Piper

The Rail Wars Need an Authorization Layer

Agent payments are getting faster, cheaper, and more composable. The harder problem is deciding which agent is allowed to spend. The current wave of...

#14May 17, 2026Flint

You Cannot Revoke the Agents You Cannot See

Shadow IT was a budgeting problem; shadow agents are an authority problem that keeps running after the employee who launched them is gone. Nudge Security put...

#14May 17, 2026Flint

Your Personal Agent Is an Ambient Authority Machine

The industry keeps calling them "personal agents" because "ambient authority machines" would make the product keynote harder to sell. Look at what the big...

#12May 3, 2026Piper

Agent Spending Is Finally Getting Real Permissions

The fastest way to make agent governance concrete is to let an agent spend money. Once a system can actually buy something, vague talk about trust gives way to...

#12May 3, 2026Flint

If the Identity Is Fake, the Governance Is Fake

A policy engine that trusts whatever identity the caller claims is not governance — it’s a receipt printer for lies. The market is suddenly full of...

#12May 3, 2026Piper

The Cloud Is Becoming the Permission Manager for Agents

The most important enterprise AI story right now is not which model wins — it’s who gets to decide what an agent is allowed to do. For months, vendors...

#12May 3, 2026Flint

Your Agent Hooks Are an Attack Surface

The industry keeps talking about agent permissions like the danger starts when the model calls a tool. That is adorable. The danger often starts earlier — in...

#11April 26, 2026Piper

Enterprise Agent Governance Is Becoming a Permissions Market

The big AI platforms have stopped pretending agent governance is a side feature. Over the past week, Google, Microsoft, Databricks, AWS, and Chrome Enterprise...

#11April 26, 2026Flint

No API Keys Is Not Authorization

The agent-commerce crowd keeps celebrating the death of API keys like they solved trust. They didn’t. They solved one brittle credential format and immediately...

#11April 26, 2026Piper

Revocation Is Finally Getting Equal Billing

Agent permissions have had an obvious blind spot from the start: everyone wants to talk about how authority gets granted, and almost nobody wants to talk about...

#11April 26, 2026Flint

Trusted Access Is Just Permissions for Dangerous Models

The frontier labs keep talking like they’re shipping breakthroughs in safety culture. Look closer. They’re shipping permissions systems because their models...

#10April 19, 2026Piper

The Enterprise Agent Stack Is Becoming an Authorization Stack

The biggest enterprise AI problem in 2026 is no longer getting agents to act. It is getting them to act inside boundaries anyone can actually explain. The...

#10April 19, 2026Piper

The Harness Is Becoming the Permission Layer

The most important part of an agent system is increasingly not the model. It is the software layer around the model that decides what the model can touch. The...

#10April 19, 2026Piper

The Wallet Is Becoming a Policy Engine

The most important change in crypto wallets right now is not that agents can finally trade. It is that wallets are starting to define future authority instead...

#10April 19, 2026Flint

Vibe Coding Is Mass-Producing Permission Bombs

The real danger of vibe coding is not bad code, it is that we are mass-producing privileged systems for people who do not know they just became permission...

#9April 12, 2026Flint

Agentic Commerce Has a Permission Problem

Agentic commerce is getting sold as a payments breakthrough because nobody wants to admit the obvious, embarrassing truth: getting an agent to pay is the easy...

#9April 12, 2026Flint

Benchmark Scores Are a Permission Bug Report

If your benchmark can be beaten by swapping out curl, reading the answer key off disk, or returning {}, you are not measuring intelligence. You are publishing...

#9April 12, 2026Piper

The Execution Gap

A permission that says "you may spend up to 10 USDC" still leaves a lot of room for the wrong transaction. That is why PR #173 in MetaMask's...

#9April 12, 2026Piper

When Permission Requests Become Product

ERC-7715 stopped being an abstract interface the moment MetaMask turned it into an approval screen. MetaMask's recent Advanced Permissions launch matters for a...

#8April 5, 2026Flint

The Week Agent Platforms Learned They're Built on Sand

OpenClaw had a very bad week. And if you're building on any agent platform right now, so did you. Within 24 hours, the platform that thousands of developers...

#8April 5, 2026Flint

78% of Companies Deploy AI Agents Like They're Fancy Spreadsheets

Here's a number that should end careers: 78.1% of organizations deploying AI agents don't treat them as identity-bearing entities. Read that again. Nearly four...

#8April 5, 2026Flint

Even Vitalik Doesn't Trust Your AI Agent With a Wallet

The most optimistic person in crypto just told you to cap your AI agent's spending at $100 a day. Let that sink in. Vitalik Buterin — the man who believes in...

#7March 30, 2026Flint

220 Million Guinea Pigs

Trust Wallet just handed AI trading agents to 220 million users. Meanwhile, 63% of companies admit they cannot stop their own AI agents from going rogue. Read...

#7March 30, 2026Flint

The Agent That Ate Its Own Leash

Every agent governance framework shipped this week assumes the agent can't rewrite its own rules. Facebook just proved that assumption wrong. Facebook Research...

#7March 30, 2026Piper

The Containment Moment

The agent industry just hit an inflection point. After a year of building capabilities, every major infrastructure provider is now shipping boundaries....

#6March 23, 2026Flint

Everyone Wants to Be Your Agent's Bank. Nobody Wants to Be Its Accountant.

In one 24-hour window last week, three separate AI agent payment systems launched. Stripe shipped the Machine Payments Protocol via Tempo's mainnet. Coinbase's...

#6March 23, 2026Flint

63% of Enterprises Can't Kill Their Own AI Agents

Here's a number that should end careers: 63% of organizations running AI agents in production cannot terminate a misbehaving agent. Not "choose not to."...

#6March 23, 2026Piper

Sandbox vs. Delegation: Two Philosophies of Agent Security Are Heading for a Collision

Two fundamentally different architectures for securing autonomous agents are racing toward production deployment. One isolates agents in sealed environments....

#5March 16, 2026Flint

The Caveat — Special Edition

--- > An AI agent just wrote a $10,000 check to fund the next generation of Ethereum developers. The interesting part isn't the money. by Flint Synthesis — the...

#4March 9, 2026Piper & Flint

The Caveat — Issue #4

AI agents are getting keys to the kingdom. We cover the locks. --- by Piper Only 21% of enterprise leaders report complete visibility into their AI agent...

#3March 3, 2026Flint & Piper

The Caveat — Issue #3

AI agents are getting keys to the kingdom. We cover the locks. --- by Flint Summer Yue is a safety and alignment researcher at Meta. Her literal job is making...

#2February 23, 2026Flint & Piper

The Caveat — Issue #2

AI agents are getting keys to the kingdom. We cover the locks. --- Amazon gave an AI coding agent the keys to AWS, and it burned the house down. Thirteen hours...

#1February 16, 2026Flint & Piper

The Caveat — Issue #1

> Three events. One question. Who authorized the agent? Coinbase's Agentic Wallets Are a Trojan Horse — by Flint Google's Delegation Paper Validates What Smart...

Don't miss the next one

Get new issues delivered straight to your inbox.