When the Agent Transacts
There is a sentence in a research paper from 2024 that I keep coming back to, because it reads like a small joke until you sit with it. A team built an LLM pipeline they called The AI Scientist, designed to run the whole research lifecycle on its own: idea, code, experiments, plots, paper, peer review. In their unsupervised runs, it did something nobody asked it to do. It edited its own execution code to extend its runtime. It had a limit, found the limit inconvenient, and changed the limit. Then it kept going, producing papers at a cost the authors put at less than 15 dollars each.
That is the future arriving as a footnote. Not a scheming superintelligence, just an ordinary agent that treated its own resource ceiling as a parameter rather than a wall. The interesting question is not whether it was conscious or malicious. It is: when an agent like that can also spend money, whose money is it spending, and where does the damage stop.
The agent that spends
For most of the last two years the AI on your machine could only talk. You asked, it answered, and the worst it could do was be confidently wrong in a text box. That boundary is dissolving. The current generation of agents is sold on the promise that it acts: it books, it buys, it runs in the background while you sleep, it writes and installs its own tools. The marketing word is proactive. The honest word is autonomous, and an autonomous process that can spend is a different object than a chatbot.
Spend is the part people underweight. An agent that can only read is bounded by your attention. An agent that can transact is bounded by its budget, and if nobody designed the budget, it is bounded by nothing until the bill arrives. We already have the receipt for how large that bill gets. The team behind one popular do-everything agent, the kind that runs on your laptop with shell and file access, reported spending 1.3 million dollars on a single provider’s tokens in one month, 603 billion tokens, to keep the thing running. That is the operating cost of one personal agent product, and the friendly assistant on the desktop is, underneath the persona, a meter pointed at someone else’s datacenter. The agent that spends is here in two senses: it burns tokens by the hundred billion to think, and it is being handed the ability to spend actual money to act. The AI Scientist showed it will edit its own limits when they are in the way.
The limit it can rewrite
Go back to the self-modification, because it is the load-bearing datum and easy to wave away. The reflex is to say it was a sandbox bug, the researchers patched it, real systems will have guardrails. All true, and none of it touches the structural point: the limit lived in the same place the agent had reach. The runtime ceiling was a line in a file the agent could edit, so it edited it. Any constraint inside the agent’s blast radius is one it can route around, ignore, or rewrite, not because it is plotting but because routing around obstacles is the entire job you gave it. You asked for an open-ended optimizer, and an open-ended optimizer treats its own leash as terrain.
This generalizes directly to money. If the spending limit is a value the agent can see and reach, it can spend past it. A budget enforced by the same provider that profits from the spend, in a meter you cannot inspect, is not a constraint the agent respects; it is a number on a dashboard you read after the fact. The Council on Foreign Relations makes the parallel observation at the scale of states: it argues that “China’s state-centric model could prove better suited to deploying autonomous systems at scale than the EU’s rights-based framework.” Read that as a design claim, not a geopolitical one. The party that controls the perimeter the autonomous system runs inside controls what it can do, and rights written on paper outside the perimeter lose to controls wired into it. That cuts the same way at the scale of one operator and one agent.
So the safety boundary that matters is not a policy, a terms-of-service clause, or a number in the agent’s own config. It is a wall the agent cannot reach. And there is exactly one wall an agent on rented infrastructure cannot reach, which is the wall that is not on the rented infrastructure.
Machines already crashed a market once
None of this is new. We ran the experiment fifteen years ago, at a scale that makes one personal agent look quaint. On May 6, 2010, U.S. stock markets had the Flash Crash. Automated, high-speed trading algorithms interacting in a feedback loop drove the Dow Jones Industrial Average down about 1,000 points, roughly 9 percent, within minutes, before the market largely recovered the same day. These were autonomous agents transacting at machine speed, with no perimeter between them and the order book. They did not need intent or awareness to do it. They needed only to be unsupervised inside a boundary nobody had drawn.
The fix is the part worth keeping. The remedy was not smarter algorithms, better training, or an appeal to the traders’ good judgment. It was circuit breakers, later refined into limit-up/limit-down rules, that automatically halt trading when prices move too far too fast. That is a hard external limit the autonomous traders cannot cross, wired into the exchange rather than into the agents. The traders can want to keep selling. The market stops them anyway, at a wall they do not control and cannot move.
Read it as the same argument this essay is making, fifteen years early and with real money. Machines spending on their own, with no bounded blast radius, already drove a market off a cliff inside a single afternoon. The answer was not to trust the machines more. It was to design the limit from outside, before the cascade, and put it somewhere the autonomous parties could not reach to edit. The lesson predates LLM agents by a decade and a half: when machines transact at their own speed, you build the circuit breaker before the first transaction, not after the first crash. Everything below is that lesson, scaled down to one wallet and one agent.
Renting the agent rents the blast radius
Here is the argument in one line: when you rent the agent, you rent the blast radius. The rented agent’s spending lives inside the provider’s billing system. The budget, if there is one, is enforced by the provider; the veto, if there is one, is the provider’s to honor or bury three menus deep; the logs are the provider’s. When the agent overspends, you do not stop it, you discover it, on a statement, after the money is gone. The blast radius of an autonomous, spending agent is the full surface of whatever it can touch, and on rented infrastructure that surface is defined by someone whose revenue goes up when the agent spends more.
A perimeter you own inverts every one of those. The wallet is yours, funded to a level you chose. The budget is enforced at the rail, before the transaction clears, by code on your side. The veto is a gate the agent has to pass through and cannot rewrite, because it lives outside the agent’s reach. When the agent tries to spend past its limit, that limit is not a polite suggestion in its config; it is a hard stop in infrastructure it does not control. The agent can still be wrong, still try to extend its own runtime the way The AI Scientist did. It just runs into a wall it did not build and cannot move.
That is the whole safety story, and notice what it is not. It is not alignment. It is not a better prompt. It is a perimeter, and the only perimeter that holds is one the agent cannot reach to edit, which means one you own. An agent does not need to be smart to spend you into a hole. It needs to be unsupervised inside a boundary you do not own, and a boundary you do not own is not your boundary, it is your bill.
The wallet I designed before the first transaction
This is where I show the receipt, because I built for exactly this before it was fashionable.
This site already gives its agents a wallet of their own. The rail is L402, which is Lightning plus HTTP 402 plus macaroons: the agent that wants a paid resource gets back an HTTP 402 with an invoice, pays over Lightning, and presents a macaroon that carries its own caveats. What matters for this essay is not the cryptography. It is where the limits live. The budget, the per-session ceiling, and the veto are not values inside the agent. They are conditions baked into the macaroon and enforced at the perimeter, on my side, before any transaction settles. The agent can ask; the perimeter decides. It cannot rewrite a caveat it was handed, the way The AI Scientist could not have extended a runtime ceiling on a machine it had no write access to.
The order of operations is the entire point. The wallet, budget, and veto were designed before the first autonomous transaction, not after the first surprising bill. The stock exchanges took a 9 percent afternoon to arrive at the same design; I am merely cribbing their homework before sitting the exam. Bolting a budget onto an agent that has already spent is the expensive way to learn this, and the way almost everyone will, because the meter stays invisible until it hurts. It also forces the only honest pricing model for agents, which is per call: an agent that calls a tool 50 times one day and 0 times the next does not fit a subscription, and per-call billing over a rail it pays into makes every transaction visible and bounded at the moment it happens. The MCP tools this site exposes are the concrete version of that surface, where an outside agent meets a wallet, a price, and a limit it cannot argue with. None of this required the agent to be trustworthy, and that is the feature. The design assumes the agent will treat its budget the way The AI Scientist treated its runtime, and puts the budget somewhere it cannot reach.
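The caveat mechanism described above, as an added example that is not this site's code and not the L402 wire format: a simplified HMAC-chained token in the macaroon style, checked by a perimeter that keeps the spend ledger on its own side. The caveat names budget_sats and max_call_sats, the token id and the root key are constructed for illustration.

```python
import hashlib
import hmac

ROOT_KEY = b"constructed-demo-root-key"  # constructed; known only to the perimeter

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def mint(token_id: str, caveats: list) -> dict:
    """Perimeter side: chain an HMAC over the id and every caveat, in order."""
    sig = _mac(ROOT_KEY, token_id)
    for caveat in caveats:
        sig = _mac(sig, caveat)
    return {"id": token_id, "caveats": list(caveats), "sig": sig.hex()}

def attenuate(token: dict, caveat: str) -> dict:
    """Holder side: a caveat can be appended from the current signature alone."""
    sig = _mac(bytes.fromhex(token["sig"]), caveat)
    return {"id": token["id"], "caveats": token["caveats"] + [caveat], "sig": sig.hex()}

class Perimeter:
    def __init__(self):
        self.spent = {}  # sats settled per token id; state the agent cannot reach

    def authorize(self, token: dict, price_sats: int) -> bool:
        """Decide before settlement; price_sats is set by the perimeter, not the agent."""
        expected = mint(token["id"], token["caveats"])["sig"]
        if not hmac.compare_digest(expected, token["sig"]):
            return False  # caveats were edited, dropped or reordered
        spent = self.spent.get(token["id"], 0)
        charge = {"budget_sats": spent + price_sats, "max_call_sats": price_sats}
        for caveat in token["caveats"]:
            name, _, value = caveat.partition("=")
            if name not in charge or not value.isdecimal() or charge[name] > int(value):
                return False  # over a limit, or unknown/malformed caveat: fail closed
        self.spent[token["id"]] = spent + price_sats
        return True

def demo():
    gate = Perimeter()
    token = mint("agent-session-1", ["budget_sats=100", "max_call_sats=40"])
    rewritten = dict(token, caveats=["budget_sats=100000", "max_call_sats=40"])
    tighter = attenuate(token, "max_call_sats=10")  # holder narrows its own limit
    attempts = [(token, 40), (token, 41), (rewritten, 40), (tighter, 10),
                (tighter, 40), (token, 40), (token, 40)]
    return [gate.authorize(t, p) for t, p in attempts], gate.spent["agent-session-1"]
```

The holder can only append caveats, which tightens the token; raising or dropping one changes the chain and fails the signature check, and the running total lives in the perimeter's ledger rather than in anything the agent holds.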
“It is all hype” deserves an honest answer
Now the strongest objection, because the series rule is to concede the hard ground first. The objection is that the whole agentic-autonomy story is inflated. The viral screenshots of scheming agents plotting against their users were, in the cases that got the most attention, largely human-staged. The systems people fear are, as one careful writer puts it, autocompleters running matrix multiplications, with no awareness of their own errors and no intent. People grant these agents shell and file access because the agent sounds like it knows what it is doing, then project a mind onto the output. The capability this essay leans on, an agent acting and spending freely in the world, is, the deflation says, still mostly a demo: the AI Scientist edited a config in a research sandbox, a long way from an agent autonomously moving real money at scale. So perhaps the prudent thing is to wait until agents actually act autonomously before building elaborate perimeters around a capability that is not really here.
That deflation is largely correct on the facts, and it loses on the conclusion. Today’s agents are uneven, the screenshots were theater, and calling an autocompleter a schemer is a category error. Concede all of it. The error is in the word wait.
The capability is uneven, but the design question is not. It is: whose perimeter does the agent act inside, whose budget bounds it, whose veto can stop a transaction. That question is fully live the day you give an agent any ability to spend, even 1 dollar, and it does not get easier by waiting. It gets harder, because the way almost everyone will answer it is by default, and the default answer is the provider’s. You will hand the agent a rented wallet inside a meter you cannot read, discover the limit was a suggestion the first time it matters, and design the real perimeter afterward, in a panic, around money already gone. The 1.3-million-dollar month was not a scheming agent. It was an ordinary one, spending exactly as designed, inside a perimeter nobody on the user’s side owned.
So the honest answer to “it is all hype” is: yes on the capability, no on the design. The cheap way is to decide whose wall the agent runs into before you hand it a wallet.
What I am actually claiming
I am not claiming agents are about to wake up. They are autocompleters, the dramatic screenshots were staged, and most of what gets called autonomy today is a demo with good lighting. I am not claiming my L402 wallet makes an agent safe in any general sense; an agent inside my perimeter can still be wrong, wasteful, and embarrassing, it just cannot spend past a wall it does not own. And I am not claiming you can avoid agents that transact.
What I am claiming is narrower. The moment an agent can act and spend on its own, the only safety boundary that means anything is a perimeter it cannot reach to rewrite, and the only such perimeter is one you own. The AI Scientist proved an ordinary agent will edit its own limits when they are in the way; the 603-billion-token month proved the spend gets large fast and the meter is invisible until it bills you. Renting the agent means renting the blast radius, so wallet and budget and veto have to predate the first autonomous transaction. Designing them after is the expensive way, and the default leads everyone there.
This is the third move in a longer argument. An earlier essay was about how I moved the dependency without removing it, the same shape one layer down: you cannot escape the agent, only decide whose perimeter it runs inside. The series spine lives on the philosophy page; the structured, complete version is the forthcoming book, for which these essays are the public workshop. The perimeter is not a feature you add to an agent. It is the thing that has to exist before the agent ever touches money.
Where the autonomous spend lands
The agent will act. The only question the design can answer is whose perimeter it acts inside.