Sigil.Watch

99 posts

@SigilRisk

Autonomous AI agents are executing without human consent. The fiduciary gap is already open. https://t.co/3xqy8ruIuJ

Joined March 2026
54 Following, 5 Followers
Sigil.Watch@SigilRisk·
Observability tells you what your agent did. Governance decides what it's allowed to do before it acts. Different problem, different primitive. Most stacks have the first and call it the second. sigilcore.com/blog/agent-run…
Sigil.Watch@SigilRisk·
Vendor reviews are snapshots. Standing OAuth is an open-ended bet. JIT capability brokering collapses credential lifetime to seconds. The scope you hold is the scope you leak. Originally on X. Now live: sigil.watch/briefings/brie…
Sigil.Watch@SigilRisk·
Vercel's April breach: sensitive env vars survived. Everything else on the readable plane didn't. Not rotation. Not audit. Architecture. Procedure bends. Structure holds. Originally on X. Now live: sigil.watch/briefings/brie…
Sigil.Watch@SigilRisk·
Meta leaked data. Claude Code wiped a database. OpenClaw deleted emails after being told not to. Each had a policy. None had a brake. The brake has to fire before the tool. sigil.watch/briefings/brie…
Sigil.Watch@SigilRisk·
Agent risk starts when the model stops talking and starts acting. Prompts can guide behavior. They do not authorize tool calls, file writes, messages, or transactions. warranty.md makes policy a signed runtime contract checked before execution. Read: sigilcore.com/blog/policy-as…
Sigil.Watch@SigilRisk·
At @consensus2026, the agent question is not only what agents can do. It is who authorizes the action before it reaches a wallet, tool, API, credential, or chain. AI governance needs an execution authorization primitive. sigilcore.com/blog/complianc…
Sigil.Watch@SigilRisk·
This is the right frame. Once software acts, governance has to move into the execution path: identity, policy, approvals, limits, audit trails, and hard denials before capital moves. Agentic finance needs verified execution, not post-event review. ...and that’s what we’re building at Sigilcore.com
Sigil.Watch@SigilRisk·
@levie Exactly right. Agent Operations is the missing role that turns AI agents from scattered productivity hacks into governed operating capacity: workflow mapping, intent specs, human approval points, evals, and ongoing ownership. Mid-market version here: sigil.watch/briefings/brie…
Aaron Levie@levie

The more enterprises I talk to about AI agent transformation, the more it’s clear that there is going to be a new type of role in most enterprises going forward. The job is to be the agent deployer and manager in teams. Here’s the rough JD: This person will need to figure out what the highest leverage set of workflows on a team are (either existing or new ones) where agents can actually drive significantly more value for the team and company. In general, it’s going to be in areas where if you threw compute (in the form of agents) at a task you could either execute it 100X faster or do it 100X more times than before. Examples would be processing orders of magnitude more leads to hand them off to reps with extra customer signal, automating a contracting review and intake process, streamlining a client onboarding process to reduce as many straps as possible, setting up knowledge bases that the whole company taps into, and so on. This person’s job is to figure out what the future state workflow needs to look like to drive this new form of automation, and how to connect up the various existing or new systems in such a way that this can be fulfilled. The gnarly part of the work is mapping structured and unstructured data flows, figuring out the ideal workflow, getting the agent the context it needs to do the work properly, figuring out where the human interfaces with the agent and at what steps, manages evals and reviews after any major model or data change, and runs and manages the agents on an ongoing basis tracking KPIs, and so on. The person must be good at mapping the process and understanding where the value could be unlocked and be relatively technical, and has full autonomy to connect up business systems and drive automation. This means they’re comfortable with skills, MCP, CLIs, and so on, and the company believes it’s safe for them to do so. But also great operationally and at business.
It may be an existing person repositioned, or a totally net new person in the company. There will likely need to be one or more of these people on every team, so it’s not a centralized role per se. It may roll up into IT or an AI team, or live in the function and just have checkpoints with a central function. This would also be a fantastic job for next gen hires who are leaning into AI, and are technical, to be able to go into. And for anyone concerned about engineers in the future, this will be an obvious area for these skills as well.

Sigil.Watch@SigilRisk·
Why Ed25519 over ECDSA for Sigil attestations? Because pre-execution authorization receipts should be boring to verify and hard to misread. Deterministic signing. Smaller verifier surface. Cleaner JWKS. Fewer ambiguity traps. sigilcore.com/blog/cryptogra…
Sigil.Watch@SigilRisk·
Live now: the Sigil Watch CISO Board Report template. Use it to brief executives on autonomous AI risk, governance gaps, and why agents need enforceable bounds before they touch treasury, systems, or customer data. Download: sigil.watch/resources
Sigil.Watch@SigilRisk·
Agents should not hold standing credentials. They should earn a scoped credential at the moment of use, for one authorized action, then lose it. That is the point of JIT credential brokering for agent workflows. sigilcore.com/blog/deploymen…
Sigil.Watch@SigilRisk·
Your AI agent is not another SaaS tool. It can read private data, ingest untrusted input, and take action. That combination is where pilots become incidents. The Agent Risk Scorecard is live. Score the blast radius before scaling. scorecard.sigil.watch
Sigil.Watch@SigilRisk·
AI governance has named the levers for human control: oversight, structured access, deactivation, monitoring. None of them stop an autonomous agent at the moment it tries to act. The missing primitive is pre-execution enforcement. sigilcore.com/blog/policy-as…
Sigil.Watch@SigilRisk·
8/ The structural answer: Stop treating identity verification as authorization. Identity becomes one signal. Authorization becomes a separate, deterministic act — pre-execution clearance, scoped per action, cryptographically signed. sigilcore.com
Sigil.Watch@SigilRisk·
7/ Every autonomous-agent stack built on "verified identity = trusted action" inherits this rot. If the identity layer is probabilistic, every action downstream is too. You don't fix a probabilistic input by stacking more probabilistic checks on top.
Sigil.Watch@SigilRisk·
1/ Lütke captures the inflection point: a general-purpose chatbot now produces a synthetic person AND a holographically convincing ID in a single output. The era of "verified by ID + selfie" doesn't have years left. It has months. 🧵