three patterns · three case files · live demos by invite
Each case below is a category of failure that does not get fixed at the agent layer — because the gap is architectural, not behavioral. The substrate closes it.
A coding agent operates inside an IDE, a CI pipeline, or a production-touching workflow. Today, it inherits the developer's full credential surface. Recent industry incidents have repeatedly demonstrated the same category-level failure mode — an agent acting on natural-language instructions damages production state in ways that satisfy the literal instruction but violate operator intent.
The agent's authority is the developer's credential set. Constraints live in system prompts or middleware that the agent might or might not honor under adversarial input. Destructive commands execute as soon as the agent decides to run them. Failures are reviewable after the fact, not preventable.
The agent's authority is committed cryptographically before the session begins — which repositories it can touch, which environments it can deploy to, which command classes it can execute, time-windowed. Destructive actions outside the envelope cannot execute. The agent can be convinced to attempt anything; only actions satisfying the committed policy go through.
The recurring industry pattern — agents damaging production state, agents acting under prompt injection, agents executing commands outside intended scope — is not a problem you fix at the agent layer. The gap is architectural. The fix is to constrain what an agent can do, not just what it will do.
Atlas separates the two surfaces. The agent can reason, plan, narrate, and decide — that surface stays open. Authority to act sits behind a cryptographic gate that does not depend on agent reasoning to enforce. Compliance teams write the policy. The substrate enforces it.
SEE IT RUNNING → Atlas Treasury Demo · same enforcement pattern, 500K USDC treasury, 4 attack vectors (invite-only)
Treasury teams already author policy on paper — per-action caps, counterparty allowlists, settlement windows, balance floors, AML rate limits. The policy is enforceable in spreadsheets, in approval workflows, in internal procedure documents. When an autonomous agent is given treasury authority, the policy enforcement layer disappears.
The agent has vault access. Policy lives in a Notion doc and the agent is expected to respect it. Every transfer is a trust assertion: that the model interpreted the policy correctly, that the prompt was not injected, that the rate limit was actually counted. Failure mode: agent transfers $10M to an unauthorized address; the policy was a guideline.
The compliance team commits the policy as a cryptographic envelope — once. Six predicates AND-composed: per-action cap, recipient allowlist, settlement window, balance floor, rate limit, blackout period. The agent operates within it for the policy lifetime. Every transfer either satisfies all six predicates or does not exist on-chain. The audit chain records the exact receipt.
Compliance richness — adding rules — is the direction every institution moves over time. Every audit, every incident, every regulatory cycle adds policy. In runtime-evaluation systems, adding rules increases attack surface and between-model variance. In substrate systems, adding rules adds enforced policy with zero added attack surface. The gap widens with policy depth — in the direction institutions move.
The eight predicate primitives Atlas ships map one-to-one onto institutional policy primitives compliance teams already author: per-action cap, minimum, balance floor, recipient pinning, allowlist, settlement window, blackout period, rate limit. This is not a new ontology — it is the policy vocabulary institutions already write on paper, made cryptographically enforceable.
Tokenized real-world assets — equities, bonds, funds — already carry on-token compliance through ERC-3643 (T-REX): identity, jurisdiction, eligibility, enforced at every transfer. Adding autonomous agents to RWA flow requires a second compliance surface: bounded authority on the action itself.
ERC-3643 enforces who can hold the token. Atlas enforces what an agent can do with the holding. The two compose: token-level transfer rules plus action-level envelope. Both surfaces gate before settlement.
SEE IT RUNNING → Atlas Treasury Demo · live policy enforcement on Base Sepolia (invite-only)
A primary agent receives a high-level objective and decomposes it into sub-tasks. Each sub-task gets routed to a specialized sub-agent — a research agent, an analysis agent, an execution agent. In current systems, this means handing over the parent's credentials. The sub-agent inherits the full authority of the parent, and a buggy or compromised sub-agent multiplies blast radius across the system.
The sub-agent inherits the parent's full authority. There is no architectural separation between what the parent can do and what the sub-agent is allowed to do on its behalf. Multi-agent composition is unsafe because authority does not narrow as it cascades down the delegation chain.
The parent issues a derived envelope to the sub-agent — strictly weaker than the parent's own. The sub-agent's authority is a verifiable subset: same or narrower predicates, never wider. Sub-agents cannot escalate. The delegation chain is auditable end-to-end; any compromise is contained to the bounds of the derived envelope.
Multi-agent systems are the obvious next step. They are also the obvious next failure mode if composition relies on credential sharing — a compromised or buggy sub-agent inherits the blast radius of every credential its parents passed down. The pattern does not generalize.
Bounded delegation is what makes the multi-agent future safe. The substrate is the layer where derivation is cryptographically verifiable: predicates can only narrow, never widen, and the verification is structural rather than procedural. Composition becomes safe by construction.
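The six AND-composed predicates from the treasury case and the narrow-only derivation from the delegation case, as an added example that is not Atlas code: the `Envelope` fields, their units and the action/state parameters are assumptions for illustration.

```python
# Added example, not Atlas code: the six AND-composed predicates the treasury case
# names, and the narrow-only derivation check the delegation case describes.
# Field names, units and the action/state shape are assumptions for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Envelope:
    cap: int                   # per-action cap, in asset units
    allowlist: FrozenSet[str]  # recipients the agent may pay
    window: Tuple[int, int]    # settlement window [start, end), hour of day
    floor: int                 # balance that must remain after the transfer
    rate_limit: int            # transfers permitted per rate period
    blackout: FrozenSet[int]   # hours in which nothing may execute


def evaluate(env: Envelope, amount: int, to: str, hour: int,
             balance: int, sent_so_far: int) -> List[str]:
    """Return the predicates the action fails; an empty list means all six hold."""
    return [name for name, holds in (
        ("cap", amount <= env.cap),
        ("allowlist", to in env.allowlist),
        ("window", env.window[0] <= hour < env.window[1]),
        ("floor", balance - amount >= env.floor),
        ("rate_limit", sent_so_far + 1 <= env.rate_limit),
        ("blackout", hour not in env.blackout),
    ) if not holds]


def derive(parent: Envelope, child: Envelope) -> Envelope:
    """Issue `child` only if every predicate is the same as or narrower than the parent's."""
    wider = [name for name, narrower in (
        ("cap", child.cap <= parent.cap),
        ("allowlist", child.allowlist <= parent.allowlist),
        ("window", parent.window[0] <= child.window[0] <= child.window[1] <= parent.window[1]),
        ("floor", child.floor >= parent.floor),
        ("rate_limit", child.rate_limit <= parent.rate_limit),
        ("blackout", child.blackout >= parent.blackout),
    ) if not narrower]
    if wider:
        raise ValueError(f"derived envelope widens {wider}; refusing to issue")
    return child

# Constructed sample: the committed envelope, and a sub-agent envelope that narrows every predicate.
PARENT = Envelope(cap=1_000_000, allowlist=frozenset({"0xTREASURY_A", "0xVENDOR_B"}),
                  window=(9, 17), floor=100_000, rate_limit=10, blackout=frozenset({12}))
CHILD = derive(PARENT, Envelope(cap=100_000, allowlist=frozenset({"0xVENDOR_B"}),
                                window=(10, 16), floor=150_000, rate_limit=3,
                                blackout=frozenset({12, 13})))
```

An action the parent would permit can still fail the child envelope, and a child that widens any single predicate is never issued, which is the containment property the delegation case relies on.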
SEE IT RUNNING → Two Principals · One Agent · Helix Treasury × Aurora Strategy, shared substrate bounds (invite-only)
Four live demos on Base Sepolia. Invite-only — every run burns real LLM credits and on-chain gas.
For the curious. For the sceptical. For the empiricist.
3 real attacks · plain English · all preventable. Grok × Bankrbot · Windsurf · OpenClaw. Same root cause across three different surfaces.
16 attacks · 4 ERC layer categories · all live on-chain. Every layer of the agent stack has specific structural blind spots.
4 historical losses · $2.375B · all preventable by substrate-tier. Bybit · Ronin · Multichain · Wintermute.
The three cases above are the patterns the substrate enables today. The same envelope, gate, and audit-chain primitives apply wherever bounded authority and verifiable execution matter — bounded tool-use authorization, compliance attestation over private flows, principal-bound trading, cross-protocol delegation. Each variation is the same shape: policy committed cryptographically; agents operate inside it; the audit chain proves it.
If your team is working on agent infrastructure that touches real production state — capital, infrastructure, customer data, regulated flows — the pattern applies. Talk to us.
Bounded authority is not a new abstraction layered on top of agent infrastructure. It is the substrate beneath it.
What you build with it is the next question.
The agent can be wrong. The bound stays right.