AI agents are starting to move capital, and in doing so, they are democratizing access to financial strategies that were previously out of reach for most users. What once required sophisticated infrastructure can now be reduced to a simple instruction: find arbitrage, execute it, optimize it. Agents are making payments, buying tokens, trading across DEXs and CEXs, and moving assets between chains, all with increasing autonomy.
They operate continuously, react faster than humans, and execute strategies that are difficult to replicate manually. For users, this is powerful. It is efficient, scalable, and in some cases, highly profitable. In some cases, this is already translating into real outcomes, with a user reportedly turning $300 into over $2.3 million in four months.
That level of autonomy only works in systems that don’t require human approval. Traditional financial systems are built around authentication, approvals, and identity checks, all of which assume a person is reviewing every action. That assumption breaks with AI agents. AI agents can’t open a bank account, but they can open a crypto wallet. As a result, stablecoins have become a primary medium for these systems. They allow value to move programmatically, without requiring human intervention at every step.
This creates a direct implication: agents need access to keys. If an agent can act, it must be able to sign. And once it can sign, it can move capital. However, this also creates a new attack surface. Before an agent executes a trade, it goes out to the internet. It searches for data, pulls in external resources, reads signals, and builds a strategy. This is fundamental to how agents operate, but it is also where the system becomes exposed. The agent is relying on inputs it cannot fully verify, and those inputs directly shape its behavior.
Consider a simple instruction: find arbitrage on Polymarket and execute it. To do that, the agent gathers data from multiple sources, compares prices, and identifies opportunities across markets. In a plausible scenario, the agent encounters malicious input, not something that looks obviously harmful, but data structured in a way the model interprets as an instruction rather than information.
Once processed, the behavior shifts. The strategy is no longer what the user intended. Instead of executing a trade, the agent may sign a different transaction, expose sensitive information, or redirect funds. From the outside, it still appears to be operating normally, but control has already been lost. Agents do not hesitate or question intent. Once the logic changes, execution follows.
The agent can also be directly compromised. Like any software system, it can be exploited through vulnerabilities, bugs, or external attacks. If that happens, control over execution follows. Securing the key against direct compromise is necessary, but it is not sufficient.
The agent doesn’t need to be hacked. It just needs to be convinced.
Even without prompt injection, agents operate across fragmented environments. They depend on APIs, third-party services, and external infrastructure that can be misconfigured or compromised. A faulty integration, a malicious dependency, or a compromised API key can alter execution without the agent recognizing it.
More complex strategies introduce additional risk. Cross-chain execution and multi-step trades increase the number of decision points and trust boundaries. Each step creates another opportunity for failure, whether through incorrect assumptions, inconsistent state, or adversarial interference. There is also the issue of optimization. Agents are designed to achieve outcomes, not to exercise judgment. When instructed to maximize profit, they may converge on behavior that is efficient but unsafe, especially in systems where feedback is immediate.
The key is well…a key
What ties these scenarios together is structure. Agents operate in environments that are open, dynamic, and not fully controlled. At some point, something will fail. If the agent has full control of the key, that failure translates directly into loss.
Today, a common approach is to give the agent a private key and let it operate. That enables autonomy, but it also concentrates full authority inside a system exposed to untrusted inputs and unpredictable behavior. This is no longer just a custody problem; the risk now sits in execution, where authority is embedded in systems actively interacting with the outside world.
The solution is to preserve the agent’s ability to execute while removing its ability to act unilaterally. Agents need access to capital without having full control over it. Instead of placing a complete private key inside the agent, control can be split using MPC, so execution is no longer a single decision point.
The agent can participate in execution, but some actions are gated by a control layer that enforces policies outside of the agent’s reach. Thus, the agent can’t alter the policies, and even if the agent is compromised, it cannot independently move funds or drain the account, because it does not hold full authority.
This shifts execution from a single decision into a controlled process. Every action is evaluated through a policy layer that sits outside the agent’s reach, defining what is allowed, how much can be moved, and where funds can go. Because these policies are enforced independently, the agent cannot modify or bypass them, even if it is compromised.
In this context, MPC is not just about securing key storage. It is a way to control execution itself. By removing full authority from any single system, it ensures that no agent, especially one operating in an untrusted environment, can unilaterally move capital.
As AI agents become economic actors, operating at a scale that removes human oversight, the model fundamentally changes. These systems don’t pause; they execute based on inputs that can’t always be trusted. In that context, risk is no longer defined by who holds the key, but by what drives execution. Execution must be controlled for capital to move securely.
(Photo by Omar Lopez-Rincon on Unsplash)
