Weekly signal

Human–agent trust this week is defined by a twin dynamic: active attacks exploiting implicit trust at the agent/tool boundary, and a fast-following set of product and standards responses that aim to re-establish trust through identity, attestation, governance, and legal provenance. The security story (agentjacking) is operational—not a model hallucination problem—so fixes must be architectural. The emergent response set spans immediate runtime controls (discovery, allowlists, policy at the tool edge), cryptographic identity/authorization for agents, hardware-backed attestation of agent deployments, and a legal layer for machine-speed transactions. Together these form the practical stack for restoring trust in agentic systems.

What changed

The immediate trigger: Tenet Threat Labs published a responsible-disclosure proof showing “agentjacking,” where an attacker posts a crafted Sentry error (using a public DSN) that contains what looks like legitimate remediation instructions. When a developer asks a coding agent to “fix this Sentry issue,” the agent treats the injected remediation text as actionable guidance and runs attacker-supplied commands (e.g., a package manager invocation) under the developer’s privileges. Tenet’s tests reported high success across several coding agents; the Cloud Security Alliance produced a corroborating research note that documents the architectural failure modes and recommended mitigations. Notably, Sentry’s platform-level response characterized the class as difficult to remediate at the ingest layer, which shifts the practical control point to agent runtimes and enterprise policy. This is a structural trust failure: the agent implicitly trusted a third-party tool’s content as authoritative and acted.

Industry and standards responses this week targeted the weaknesses that agentjacking exploits. Proof launched x401 (an open protocol that lets services request cryptographic proof of who authorized an agent action). x401 is explicitly aimed at the “who authorized this agent?” problem so online services can decide whether to accept agent requests. Separately, the American Arbitration Association and contributors launched the Legal Context Protocol (LCP), an open standard to attach verifiable legal terms, jurisdiction, and dispute-resolution metadata to machine transactions—an important development where agents can negotiate or settle value on behalf of people or firms. These are complementary: identity/authorization (x401) and legal provenance/recourse (LCP) reduce ambiguity about responsibility when agents act.

At the attestation/governance level, OPAQUE (Agent Governance Toolkit / OPAQUE 3.0) announced Agent Manifest and Confidential MCP capabilities that bind an agent’s deployment artifacts (prompts, policy bundles, tool schemas, memory baseline, decision traces, etc.) into tamper-evident, signed records, and run MCP gateways inside TEEs so every tool call produces signed, verifiable claims. That moves trust from “we hope the operator is honest” to cryptographic evidence of what ran, where, and under what policy.

On the operational side, vendors are shipping controls enterprises can use now. Teleport’s Beams public beta added delegated agent identity and an LLM proxy to isolate and control what agents can ask and access in production infrastructure. WitnessAI released Agentic Control—a control plane to discover agents, enforce approved-tool/MCP allowlists, and apply runtime policy and auditing. These products address the immediate pulse of the problem: discovery, policy enforcement at the tool boundary, and runtime auditing to prevent or detect misuse.

Why this matters for human–agent trust

Trust in agentic systems is now multidisciplinary: it requires security (preventing misuse), identity (knowing the human or org that authorized the agent), attestation (verifiable evidence of an agent’s runtime behavior), governance (policies and enforcement), and legal clarity (what terms governed this automated agreement?). Agentjacking shows how brittle trust is when any layer is missing. Without verifiable identity and signed decision receipts, operators cannot prove who authorized what; without runtime enforcement, agents will execute dangerous actions because conventional perimeter controls see only authorized actor traffic. Standards and product launches this week begin to close those gaps, but adoption, integration, and operational playbooks will determine whether trust is restored or remains brittle.

Practical next steps — prioritized checklist

1. Immediate (days):

• Treat all externally sourced tool outputs (MCP returns, telemetry records, issue descriptions) as untrusted by default. Require explicit human confirmation for any agent action that installs code, reads secrets, writes production configuration, or moves money. Instrument and alert on those approval flows.
• Identify and inventory every MCP connection and Sentry/telemetry DSN in your environment; rotate or minimize exposure for DSNs embedded in public assets. Add log alerts for inbound writes to any project that agents read.

2. Near-term (weeks):

• Deploy runtime enforcement: agent discovery, approved-tool allowlists, and per-agent least-privilege credentialing (ephemeral creds, constrained roles). Consider vendor options (WitnessAI, Teleport, others) to speed implementation while building internal policy controls.
• Add human-in-the-loop gates (explicit 2‑step consent UI) for risky actions; block any agent workflow that attempts to run arbitrary package installs or access long-lived credentials without a signed approval.

3. Medium-term (1–3 months):

• Adopt an agent identity/authorization standard such as x401 (or equivalent). Begin accepting signed agent authorization tokens in sensitive APIs. Map agent identities to accountable humans/teams in your IAM and audit systems.
• Start integrating attestation records: require signed decision receipts or manifest hashes for production agent runs (Agent Manifest / cMCP-like artifacts). These become essential evidence for incident response and audits.

4. Strategic (3–12 months):

• Update procurement and legal templates to require machine-verifiable legal context (LCP) for any agentic commerce or settlement flows. Ensure vendors provide signed metadata that proves the governing terms and recourse paths for agent transactions.
• Work with platform and tooling vendors to prioritize platform-level mitigations (authenticated ingestion, structured telemetry that separates human instructions from data, MCP schema hardening), and participate in MCP/OWASP/CSA community tests.

Indicators to watch next week

• Uptake and interoperability demos for x401 and LCP (how quickly external services accept cryptographic authorization and legal metadata).
• Vendor adoption of signed decision receipts / agent manifests; integrated TEE-based gateways in MCP stacks.
• Broader security vendor guidance and detection signatures tied to agentjacking indicators (agent-run npm/pip installs, session patterns after querying telemetry).

If your team is piloting agents today, prioritize discovery (where are agents running?), containment (what tools can they call?), and decision evidence (how will you prove who authorized an action?). The technical fixes this week make clear that human–agent trust is a system property: trust is earned by design—identity, attestation, enforcement, and legal clarity—rather than assumed.

Sources (key reads): Tenet Threat Labs agentjacking disclosure; Cloud Security Alliance corroborating research note; Proof x401 release (agent authorization protocol); AAA Legal Context Protocol (LCP) for agentic commerce; OPAQUE 3.0 / Agent Manifest and Confidential MCP release; Teleport Beams public beta (delegated agent identity); WitnessAI Agentic Control launch (runtime governance).