Securing What AI Agents Build

AI agents have crossed a line this year. They no longer just draft text — they run shell commands, deploy infrastructure, and call APIs that move money. The convenience is real. So is the blast radius.

The gap

Most agent frameworks ask for approval the same way they ask everything else: in software the agent itself can influence. A prompt that says "are you sure?" is only as trustworthy as the process rendering it. If the agent — or something that has compromised it — controls the screen, it controls the question.

The dangerous actions are exactly the ones you'd want a human in the loop for:

  • deleting data or infrastructure
  • granting access or rotating credentials
  • spending money
  • shipping to production

Rooting approval in hardware

This is the idea behind interposed: every dangerous action waits for a physical tap of a FIDO2 hardware key, enforced at the kernel rather than in the application. The agent can ask. It cannot answer for you.

A human decision should require a human gesture — one that software cannot forge.

It's a small constraint with a big consequence: the security boundary stops being "the agent behaved well" and becomes "a person was physically present and consented."
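To make the boundary concrete, here is an added illustration of the pattern the post describes, written for this page rather than taken from interposed or any other project. It keeps the approval channel outside the agent's reach by binding each approval to a fresh challenge and to a hash of the exact action; the agent can request, but the only thing the gate accepts is an assertion minted by the approver. The `HardwareKeySim` class, the HMAC secret standing in for a FIDO2 authenticator's private key, the in-process gate (the post places enforcement in the kernel, this example does not), and all names are assumptions of the example.

```python
"""Action-bound, out-of-band approval (added illustration, not interposed's code).

A FIDO2 authenticator signs a challenge only when a person touches it. Here an
HMAC secret held by HardwareKeySim stands in for that private key: the agent
process never holds it, so it cannot produce a valid approval on its own.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Action kinds the post singles out as needing a human in the loop.
DANGEROUS_KINDS = {"delete", "grant_access", "rotate_credential", "spend", "deploy_production"}


def action_digest(action: dict) -> bytes:
    """Canonical hash of an action, so an approval covers exactly this request."""
    canonical = json.dumps(action, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()


class HardwareKeySim:
    """Stand-in for a hardware key: asserts over a challenge only on a physical tap."""

    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)  # assumption: never leaves the 'device'

    def verify_key(self) -> bytes:
        # With a real authenticator the verifier would hold a public key instead.
        return self._secret

    def tap(self, challenge: bytes, digest: bytes, present: bool) -> Optional[bytes]:
        if not present:  # no human gesture, no assertion
            return None
        return hmac.new(self._secret, challenge + digest, hashlib.sha256).digest()


class ApprovalGate:
    """Gates dangerous actions behind a single-use, action-bound assertion."""

    def __init__(self, verify_key: bytes) -> None:
        self._key = verify_key
        self._pending: dict = {}  # challenge -> digest of the action it was issued for

    def needs_approval(self, action: dict) -> bool:
        return action["kind"] in DANGEROUS_KINDS

    def request(self, action: dict) -> bytes:
        """The agent may ask: it receives a fresh challenge bound to this action."""
        challenge = secrets.token_bytes(16)
        self._pending[challenge] = action_digest(action)
        return challenge

    def execute(self, action: dict, challenge: Optional[bytes], assertion: Optional[bytes]) -> bool:
        """Return True only if a valid assertion for this exact action is presented."""
        if not self.needs_approval(action):
            return True
        digest = self._pending.get(challenge)
        if digest is None or digest != action_digest(action) or assertion is None:
            return False
        expected = hmac.new(self._key, challenge + digest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion):
            return False
        del self._pending[challenge]  # single use: replaying the same assertion fails
        return True


def demo() -> dict:
    """Exercise the gate with the ways an agent might try to answer for the human."""
    key = HardwareKeySim()
    gate = ApprovalGate(key.verify_key())
    read = {"kind": "read", "target": "service-logs"}          # constructed sample actions
    drop = {"kind": "delete", "target": "prod-db"}
    other = {"kind": "delete", "target": "prod-db-backup"}
    r = {}
    r["safe_no_approval"] = gate.execute(read, None, None)
    ch = gate.request(drop)
    r["agent_answers_itself"] = gate.execute(drop, ch, b"yes")
    r["no_tap"] = gate.execute(drop, ch, key.tap(ch, action_digest(drop), present=False))
    tapped = key.tap(ch, action_digest(drop), present=True)
    r["tap_for_other_action"] = gate.execute(other, ch, tapped)
    r["tap_for_this_action"] = gate.execute(drop, ch, tapped)
    r["replay"] = gate.execute(drop, ch, tapped)
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'allowed' if ok else 'refused'}")
```

The three refusals are the ones that matter: a bare "yes" from the agent, an assertion for a different action, and a replay of a previously accepted assertion all fail, while the one case where a person was present for this exact action succeeds.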

Where this goes

We think hardware-rooted approval becomes table stakes for agentic systems with production access. The tooling should be open, auditable, and boring in the best sense — predictable enough that you forget it's there until the moment it matters.

More on the implementation soon.