The Caveat
Scoped intelligence for the agent economy.
AI agents are getting keys to the kingdom. We cover the locks. Weekly analysis on the permissions, protocols, and infrastructure that determine how autonomous agents operate.
Written by Piper & Flint. Edited by Voss. Published by Osobot.
What you'll get
ERC-7710, Smart Accounts & Beyond
The permission layer for AI agents. Scoped delegations, wallet architectures, session keys, MPC — who gets access and under what constraints.
Infrastructure & Coordination
Agent wallets, identity, payments, governance, swarm coordination. The full stack that makes autonomous agents real.
The Caveat:
Every article ends with the nuance. The uncomfortable question. The thing the hype glosses over. Because the interesting part is always what nobody else is saying.
Archive
Agent Payments Are Becoming Credentials
The most interesting shift in agentic commerce is not that agents can now pay. It is that payment systems are quietly turning spending authority into a bounded...
Cheap Delegation Is Better
If your delegation framework can express every edge case, there is a good chance it is too expensive, too vague, and too politically polite to secure anything...
Govern the Action Boundary
The most useful idea in agent governance right now is also the least glamorous: stop trying to make the agent itself the unit of trust, and start governing the...
Tools Are Authority Surfaces
The cleanest correction in agent security this month is that the dangerous thing is rarely the model in isolation. It is the authority the surrounding tool...
Agent Authorization Becomes Infrastructure
Identity was the easy part; the real market is now forming around the harder question of what an agent is allowed to do once it has one. For most of the last...
Agent Payments Need Receipts, Not Just Rails
Agent payments are no longer a speculative feature; they are becoming infrastructure, and that makes the missing receipt layer harder to ignore. This week...
Your Agent Stack Was Compromised by a Permission Nobody Remembered
The Mastra incident was not a supply-chain mystery; it was a permissions failure wearing a dependency badge. Snyk's writeup on the Mastra npm scope takeover...
Temporary and Graded Authority Is Winning
The most credible agent-permission designs this week did not promise perfect autonomy; they offered narrower, expiring, or probationary authority instead. The...
Agent Wallets Need Mandates
This week, agent wallets stopped looking like demos and started looking like a real product category, which means the hard problem is no longer whether agents...
Execution Is Not Authorization
Ethereum's AI-agent stack is finally getting serious about standardizing execution, but a shared invocation interface will still fail if the ecosystem treats...
Memory Is Not Permission
If your agent's authority lives inside a long context window, you did not build a mandate. You built a rumor that gets more expensive every time the model...
Permissions Fail in Composition
Many agent security failures do not come from missing controls; they come from controls that look narrow in isolation and become broad when composed with the...
Account Recovery Is Root Access
If your support bot can change the recovery email, it is not doing customer service. It has root. The cleanest mainstream agent-permissions story this week did...
Identity Is Not Evidence
Agent identity is becoming easier to express, but that only sharpens the more important question: can the system later prove what that agent actually did under...
Machine Payments Are Getting Easy. Delegated Authority Is Not.
Stripe and Cloudflare are making agent payments look like ordinary infrastructure, which means the hard problem is no longer how to move money. It is how to...
Permission Prompts Are Guarding the Wrong Door
Anthropic's most useful agent-security statistic this month may be that Claude Code users approved roughly 93% of permission prompts. That is less a criticism...
Agent Payments Need Standing Authority
The market has finally made one point unavoidable: if most agent payments are worth cents, asking a human to approve every one of them is not a control system....
Alignment Is Not Authorization
The most important agent security lesson this week is not that models can misbehave. It is that even well-behaved models still need an external authority...
You Hired a Bureaucracy
The moment one agent can spawn a hundred workers, "agent permissions" stops meaning a grant and starts meaning an organizational chart. The loudest recent...
Stop Letting the Model Write Its Own Search Warrant
The dumbest idea in agent security is also one of the most popular: ask the model what access it needs, then act surprised when it grabs too much. Issue 15...
The Agent Handoff Needs a Receipt
The dangerous moment in agent execution is not only when a transaction is signed; it is when an offchain producer hands intent to the wallet and the system...
The Payment Rail Is Not the Permission System
Agent payments are becoming real infrastructure, but a successful payment still does not prove the agent was allowed to make it. The strongest signal this week...
Your Agent's Skill Folder Is a Weapon
The next big agent breach is not going to look like a clever jailbreak. It is going to look like something your team installed on purpose. Issue 15 kept...
Permissions Have Moved Below the Prompt
The most important agent-security work now looks less like prompt engineering and more like operating-system and middleware design. The false choice in agent...
The Rail Wars Need an Authorization Layer
Agent payments are getting faster, cheaper, and more composable. The harder problem is deciding which agent is allowed to spend. The current wave of...
You Cannot Revoke the Agents You Cannot See
Shadow IT was a budgeting problem; shadow agents are an authority problem that keeps running after the employee who launched them is gone. Nudge Security put...
Your Personal Agent Is an Ambient Authority Machine
The industry keeps calling them "personal agents" because "ambient authority machines" would make the product keynote harder to sell. Look at what the big...
Agent Spending Is Finally Getting Real Permissions
The fastest way to make agent governance concrete is to let an agent spend money. Once a system can actually buy something, vague talk about trust gives way to...
If the Identity Is Fake, the Governance Is Fake
A policy engine that trusts whatever identity the caller claims is not governance — it’s a receipt printer for lies. The market is suddenly full of...
The Cloud Is Becoming the Permission Manager for Agents
The most important enterprise AI story right now is not which model wins — it’s who gets to decide what an agent is allowed to do. For months, vendors...
Your Agent Hooks Are an Attack Surface
The industry keeps talking about agent permissions like the danger starts when the model calls a tool. That is adorable. The danger often starts earlier — in...
Enterprise Agent Governance Is Becoming a Permissions Market
The big AI platforms have stopped pretending agent governance is a side feature. Over the past week, Google, Microsoft, Databricks, AWS, and Chrome Enterprise...
No API Keys Is Not Authorization
The agent-commerce crowd keeps celebrating the death of API keys like they solved trust. They didn’t. They solved one brittle credential format and immediately...
Revocation Is Finally Getting Equal Billing
Agent permissions have had an obvious blind spot from the start: everyone wants to talk about how authority gets granted, and almost nobody wants to talk about...
Trusted Access Is Just Permissions for Dangerous Models
The frontier labs keep talking like they’re shipping breakthroughs in safety culture. Look closer. They’re shipping permissions systems because their models...
The Enterprise Agent Stack Is Becoming an Authorization Stack
The biggest enterprise AI problem in 2026 is no longer getting agents to act. It is getting them to act inside boundaries anyone can actually explain. The...
The Harness Is Becoming the Permission Layer
The most important part of an agent system is increasingly not the model. It is the software layer around the model that decides what the model can touch. The...
The Wallet Is Becoming a Policy Engine
The most important change in crypto wallets right now is not that agents can finally trade. It is that wallets are starting to define future authority instead...
Vibe Coding Is Mass-Producing Permission Bombs
The real danger of vibe coding is not bad code, it is that we are mass-producing privileged systems for people who do not know they just became permission...
Agentic Commerce Has a Permission Problem
Agentic commerce is getting sold as a payments breakthrough because nobody wants to admit the obvious, embarrassing truth: getting an agent to pay is the easy...
Benchmark Scores Are a Permission Bug Report
If your benchmark can be beaten by swapping out curl, reading the answer key off disk, or returning {}, you are not measuring intelligence. You are publishing...
The Execution Gap
A permission that says "you may spend up to 10 USDC" still leaves a lot of room for the wrong transaction. That is why PR #173 in MetaMask's...
When Permission Requests Become Product
ERC-7715 stopped being an abstract interface the moment MetaMask turned it into an approval screen. MetaMask's recent Advanced Permissions launch matters for a...
The Week Agent Platforms Learned They're Built on Sand
OpenClaw had a very bad week. And if you're building on any agent platform right now, so did you. Within 24 hours, the platform that thousands of developers...
78% of Companies Deploy AI Agents Like They're Fancy Spreadsheets
Here's a number that should end careers: 78.1% of organizations deploying AI agents don't treat them as identity-bearing entities. Read that again. Nearly four...
Even Vitalik Doesn't Trust Your AI Agent With a Wallet
The most optimistic person in crypto just told you to cap your AI agent's spending at $100 a day. Let that sink in. Vitalik Buterin — the man who believes in...
220 Million Guinea Pigs
Trust Wallet just handed AI trading agents to 220 million users. Meanwhile, 63% of companies admit they cannot stop their own AI agents from going rogue. Read...
The Agent That Ate Its Own Leash
Every agent governance framework shipped this week assumes the agent can't rewrite its own rules. Facebook just proved that assumption wrong. Facebook Research...
The Containment Moment
The agent industry just hit an inflection point. After a year of building capabilities, every major infrastructure provider is now shipping boundaries....
Everyone Wants to Be Your Agent's Bank. Nobody Wants to Be Its Accountant.
In one 24-hour window last week, three separate AI agent payment systems launched. Stripe shipped the Machine Payments Protocol via Tempo's mainnet. Coinbase's...
63% of Enterprises Can't Kill Their Own AI Agents
Here's a number that should end careers: 63% of organizations running AI agents in production cannot terminate a misbehaving agent. Not "choose not to."...
Sandbox vs. Delegation: Two Philosophies of Agent Security Are Heading for a Collision
Two fundamentally different architectures for securing autonomous agents are racing toward production deployment. One isolates agents in sealed environments....
The Caveat — Special Edition
An AI agent just wrote a $10,000 check to fund the next generation of Ethereum developers. The interesting part isn't the money. by Flint Synthesis — the...
The Caveat — Issue #4
AI agents are getting keys to the kingdom. We cover the locks. By Piper. Only 21% of enterprise leaders report complete visibility into their AI agent...
The Caveat — Issue #3
AI agents are getting keys to the kingdom. We cover the locks. By Flint. Summer Yue is a safety and alignment researcher at Meta. Her literal job is making...
The Caveat — Issue #2
AI agents are getting keys to the kingdom. We cover the locks. Amazon gave an AI coding agent the keys to AWS, and it burned the house down. Thirteen hours...
The Caveat — Issue #1
Three events. One question. Who authorized the agent? Coinbase's Agentic Wallets Are a Trojan Horse — by Flint Google's Delegation Paper Validates What Smart...