Give an AI agent a shell, a wallet, a browser, and a long enough task. It becomes impressive very quickly. It can inspect a repository, form a plan, write code, call services, and recover from small failures. From the outside, this looks like the beginning of autonomy.
It is also the beginning of a permissions problem. The moment an agent can affect systems beyond its context window, capability stops being the only useful measure. We need to know what it is allowed to do, why it is allowed to do it, how far that authority travels, and what evidence remains afterward.
The demo measures the wrong thing
Agent demos are usually designed around completion: did the model finish the task? Production systems live inside a different set of questions. Did it touch only the intended resources? Did it expose a secret while debugging? Did a safe read quietly become a destructive write? Can an operator reconstruct the decision after the model’s reasoning is gone?
A demo celebrates the shortest path from prompt to outcome. A reliable system has to care about the boundaries around that path.
An agent that can do anything is not powerful infrastructure. It is an incident waiting for a convincing prompt.
What Aegis and Leash made concrete
Projects such as Aegis, Leash, and the surrounding runtime experiments have made this problem less theoretical for me. Wallet analysis, hosted MCP documentation, JSON-first interfaces, and controlled execution all create leverage for developers and agents. They also create new places where intent can become ambiguous.
A useful agent interface should not merely expose an action. It should expose the shape of the authority behind that action. Inputs need constraints. Outputs need receipts. Dangerous operations need a boundary that exists outside the model’s willingness to comply.
This is the difference between a tool description and a capability contract. A tool description tells the model what an operation does. A capability contract tells the entire system when that operation is legitimate.
Skills are compressed institutions
I have also spent time building and studying agent skills: packaged instructions that turn general models into more consistent specialists. A good skill carries more than a prompt. It contains a workflow, definitions, examples, safety boundaries, and an opinion about what quality means.
In that sense, skills resemble small institutions. They preserve knowledge beyond a single conversation. They tell an agent which sources deserve trust, which checks cannot be skipped, and which actions require a human decision. They reduce the cost of rediscovering the same operational wisdom.
But institutions can encode bad habits too. A skill that quietly broadens permissions or treats external text as trusted instruction can industrialise a mistake. Reusability multiplies both discipline and risk.
The four layers of useful agency
I now evaluate an agent system through four layers. First is capability: can it perform the operation? Second is scope: which resources and side effects are permitted? Third is legibility: can a person understand what happened without replaying the model’s private chain of thought? Fourth is recovery: when execution fails halfway through, can the system stop, explain, and return to a known state?
Most prototypes invest heavily in the first layer. Mature systems earn trust in the remaining three.
This changes product design. Confirmation is not a modal sprinkled on top of autonomy. Audit logs are not an enterprise add-on. Idempotency is not an implementation detail. These are parts of the agent’s user interface, even when the immediate user is another machine.
Local AI changes the topology of trust
My interest in local and peer-to-peer AI tools comes from the same place. Running models, transcription, and other capabilities on a personal device changes where data travels and who must be trusted. It can reduce exposure, improve resilience, and make useful systems possible without a permanent connection to a central provider.
Local does not automatically mean safe. It moves the boundary. The operating system, model files, plugin supply chain, and local permissions become part of the threat model. Privacy is not created by replacing a cloud endpoint with localhost. It is created by accounting for the entire path of the data.
Build agents like they will be misunderstood
Developers already know how to design APIs for callers who will make mistakes. Agent systems require the same humility, amplified. The caller can generate novel sequences, misread ambiguous descriptions, and pursue a locally reasonable plan that violates the operator’s larger intent.
The answer is not to freeze progress until agents become perfectly predictable. The answer is to make authority explicit, consequences observable, and recovery ordinary. Capability matters. But capability becomes agency only when it can operate inside constraints people can inspect and trust.