The increasing capabilities of AI agents, such as writing code and managing calendars, necessitate secure methods for them to hold and manage assets. Current agent wallet solutions are often insecure, leaving them vulnerable to catastrophic loss. The author argues that a significant gap exists between what AI agents can do and what they can safely hold, posing a major risk to AI infrastructure. To address this, five essential properties for agent wallets are proposed to ensure true custody.
First, wallets must be non-drainable, meaning no single key compromise can lead to the loss of all funds. This is achieved through threshold signing, where multiple independent parties or devices must authorize a transaction. Second, wallets need to be policy-bound, with spending limits and rules enforced on-chain rather than within the agent's client code. This prevents the agent from overriding its own restrictions.
Third, actions taken by the agent must be attested, generating verifiable cryptographic proofs anchored to a public ledger, independent of the agent's operator. Fourth, agents must be remembering, capable of carrying context and knowledge across sessions to avoid repeating mistakes and understand their current state. Finally, agents must be killable, allowing external human control or risk systems to halt them instantly and without override.
If any of these five properties are missing, the agent wallet is considered insecure, akin to a vulnerable hot wallet. The author highlights a reference implementation built on Zcash, featuring threshold signing, on-chain policy enforcement, attestation, semantic memory, and hardware kill switches, all of which are open-source.
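As an added illustration (not code from the article and not the Zcash reference implementation), the Python below models four of the five properties as a gate that sits outside the agent: k-of-n approval, spending limits the agent cannot edit, a hash-chained attestation log, and a kill switch with no override. The names `PolicyGate`, `approve` and `verify_log` are hypothetical. As assumptions, HMAC tags stand in for real threshold signature shares and the in-memory hash chain stands in for anchoring to a public ledger.

```python
import hashlib, hmac, json

def approve(key: bytes, tx: dict) -> str:
    """One party's approval of a transaction (HMAC stand-in for a signature share)."""
    msg = json.dumps(tx, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class PolicyGate:
    """Enforcement point that lives outside the agent's own process (hypothetical)."""
    def __init__(self, signer_keys, threshold, per_tx_limit, daily_limit):
        self.signer_keys, self.threshold = signer_keys, threshold
        self.per_tx_limit, self.daily_limit = per_tx_limit, daily_limit
        self.spent_today, self.killed = 0, False
        self.log, self.head = [], "0" * 64   # hash-chained attestation log

    def _attest(self, record: dict) -> None:
        body = json.dumps(record, sort_keys=True)
        self.head = hashlib.sha256((self.head + body).encode()).hexdigest()
        self.log.append((body, self.head))

    def kill(self) -> None:
        self.killed = True                   # deliberately no method un-sets this
        self._attest({"event": "kill"})

    def authorize(self, tx: dict, approvals: dict) -> str:
        # Count only approvals from known signers whose tag matches this exact tx.
        valid = {s for s, tag in approvals.items() if s in self.signer_keys
                 and hmac.compare_digest(tag, approve(self.signer_keys[s], tx))}
        if self.killed:
            verdict = "denied: killed"
        elif len(valid) < self.threshold:
            verdict = "denied: approvals below threshold"
        elif tx["amount"] <= 0:
            verdict = "denied: invalid amount"
        elif tx["amount"] > self.per_tx_limit:
            verdict = "denied: per-transaction limit"
        elif self.spent_today + tx["amount"] > self.daily_limit:
            verdict = "denied: daily limit"
        else:
            verdict = "allowed"
            self.spent_today += tx["amount"]
        self._attest({"tx": tx, "approvers": sorted(valid), "verdict": verdict})
        return verdict

def verify_log(log) -> bool:
    """Recompute the hash chain; an edited or reordered record breaks it."""
    head = "0" * 64
    for body, digest in log:
        head = hashlib.sha256((head + body).encode()).hexdigest()
        if head != digest:
            return False
    return True
```

Denials are attested as well as approvals, so the log shows what the agent attempted and not only what it was allowed to do.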
