The Missing AI Layer Is Not Security. It's Authority.
June 25, 2026
AI agents are no longer just chat interfaces. They act inside our accounts, tools, wallets, and infrastructure. The missing layer is human authority: clear approval of high-stakes actions on a surface the agent cannot control.

AI agents are now computer users.
They browse websites. They read files. They write code. They call APIs. They log in to accounts. They handle credentials, use tools, and take actions across software that was originally designed for humans.
This is exhilarating – but it’s also breaking one of the oldest assumptions in computing.
For decades, our computers assumed that the user was a human. If an action happened inside your browser, account, operating system, or authenticated session, the system treated that action as yours. You logged in. You clicked the button. You approved the prompt. You used the credential.
But what happens when the user of the computer is no longer only you?
What happens when an agent can act inside your accounts, with your passwords, API keys, files, wallet, cloud permissions, and authenticated sessions?
At that point, the central question is no longer whether the system is secure.
The central question is: who actually authorized the action?
Security is necessary, but not enough
The AI security industry is moving quickly. We need sandboxes, evals, prompt-injection defenses, browser isolation, policy engines, monitoring, logging, scoped credentials, and better permissions. These are real and necessary tools.
But they do not answer the deeper question.
If an agent is running inside the same phone, laptop, browser, cloud VM, or enterprise account that holds the authority, then the control plane is still inside the blast radius. A policy engine can be misconfigured. A browser prompt can be spoofed. A session can be hijacked. A model can be manipulated. A laptop can be compromised. A phone notification can become just another reflexive tap.
Security asks: is this action allowed?
Authority asks: did the right human approve this exact action, with the right context, on a surface the agent cannot control?
An AI agent may be allowed to draft an email. It should not be able to send a sizable wire transfer without explicit approval.
An AI coding assistant may be allowed to edit a file. It should not be able to deploy to production, rotate credentials, or merge a security-sensitive change without human authority.
An agent may be allowed to prepare a Bitcoin transaction, a stablecoin payment, or an API purchase. It should not be able to move money just because it inherited access to a wallet, browser session, or cloud account.
The missing layer is not more ambient permissioning. It is authority.
Bitcoin was the proving ground
Bitcoin forced this problem before AI made it obvious.
In Bitcoin, actions are irreversible. If a transaction is signed and broadcast, there is no bank to call, no credit card company to reverse the charge, and no support team that can restore the funds. The user has to know what they are approving before they approve it.
This is why hardware wallets exist.
A good hardware wallet does not merely store a key. It creates a separate trust boundary. Your phone or laptop can prepare a transaction, but the device shows the destination, amount, and fee on a trusted display. The human reviews the action. The device signs only what the human approved.
The software requests authority → the human grants authority → the hardware enforces authority.
This pattern is no longer only about Bitcoin. It is the same pattern we need for the agentic era.
Agents can request authority. They cannot become authority.
An agent can help you work faster. It can research, summarize, code, schedule, negotiate, and execute. Over time, agents will operate across wallets, bank accounts, browsers, enterprise systems, cloud infrastructure, identity providers, and internal tools.
But agents should never define their own limits.
They should not be able to change the policy that governs them. They should not approve their own escalation. They should not quietly use credentials in ways the human never saw. They should not transform a compromised software environment into the source of truth for high-stakes decisions.
Human authority must live outside the agent.
It must live outside the browser.
It must live outside the phone and laptop.
It must live somewhere the human decisively controls.
What authority actually requires
Authority is not a vibe. It is not a badge in a dashboard. It is not a green checkmark next to a policy name.
For a digital action to carry real human authority, several things need to be true.
- The request must be specific. The human should see the exact action being approved: amount, destination, credential, file, policy change, deployment, support request, or account action.
- The display must be trusted. The final approval should happen on a surface that is not controlled by the agent, the browser, or the compromised machine.
- The policy must be outside the agent's reach. The agent can operate within policy, but it should not be able to rewrite that policy, lower the threshold, or approve its own exception.
- The approval should be bound to the request. A high-stakes action should leave behind a receipt: who approved, on what device, for which exact action.
- The experience must be clear enough for normal people.
Authority fails if only experts can understand what they are authorizing.
This is the part existing security hardware often misses. FIDO keys are excellent for authentication, but they do not show the full meaning of the action being approved. Enterprise HSMs protect keys, but they automatically sign from server racks and backend systems, far away from the human making the decision. Hardware wallets are powerful, but all were designed for a narrow world of cryptocurrency transactions.
The agentic world needs something broader.
It needs Human Authority Hardware.
Enterprises need a way to say yes
The same problem appears inside companies.
Information Security teams are right to be cautious. Agents can leak data, use credentials, click through internal tools, modify code, initiate payments, and create a new class of operational risk.
The answer cannot simply be "block AI." Employees will route around it, just as they have routed around every obstacle to working faster.
The answer also cannot be "trust the agent.”
Companies need a way to say yes to AI while keeping human authority explicit, auditable, and outside the agent runtime.
Imagine a treasury workflow where an agent prepares a payment, but a human approves the exact payment on trusted hardware.
Imagine a software workflow where an agent prepares a deployment, but production access requires approval with the commit, environment, risk level, and ticket shown clearly.
Imagine a support workflow where a user can verify a real support message instead of trusting an email, phone call, or browser pop-up.
This is not about replacing every existing system. It is about adding a dedicated human authority layer where phone-only approval, browser prompts, and software dashboards are no longer strong enough.
Humans should have the final say
At Foundation, we began by building hardware for self-custody because we believed people should control their own keys.
That belief has not changed. It has expanded.
In the Bitcoin era, the urgent problem was self-custody: how do individuals hold their own money without trusting an exchange, a bank, or a closed device they cannot inspect?
In the agentic era, the problem becomes larger: how do individuals and organizations maintain authority over software that acts on their behalf?
The answer cannot be another prompt inside the same browser. It cannot be another notification on the same phone. It cannot be a policy engine the agent can influence or a cloud account that becomes the ultimate source of truth.
The answer must be hardware-rooted human authority.
This is why we are building Passport and KeyOS: dedicated Human Authority Hardware with purpose-built operating system, trusted display, and approval surface for high-stakes digital actions.
AI agents act.
Humans must authorize.