A crypto wallet is turning from a key with a human approving every transaction into a policy engine. AI agents move authorization away from a manual signature, transaction by transaction, toward rules written into the account: session keys, spending caps, allowlisted addresses, signed mandates. The value of the rewrite rests on one question — whether policy runs beneath the agent or only beside it.
Grand View Research put the AI agents market at $7.63 billion in 2025, on a path to $182.97 billion by 2033; analysts cited by Cobo estimate autonomous agents will manage more than $50 billion in on-chain assets by 2027.
On-chain agent deployments passed 122,000 on BNB Chain by March 2026, per Ancilar. A purely off-chain agent reads, reasons, and recommends; one with a wallet pays, transacts, and commits capital, Mesh CTO Arjun Mukherjee summed up at Consensus 2026.
A crypto wallet fits an agent for structural reasons, not fashion. An agent without funds or an account cannot act — the cold-start problem Mukherjee named — and an on-chain wallet is programmable, provisions without permission, and works the same across any border, while a card charges a fixed fee making micropayments unworkable.
Stablecoins became the default settlement asset in agent payment products shipped in early 2026 by Stripe, Coinbase, and MoonPay, per RebelFi, for dollar stability and settlement in seconds.
From one control point to a rule in code
The old rule held a single control point: a private key and a human finger on the sign button. The new rule spreads control into code. Account abstraction — ERC-4337, finalized March 2023 — split validation logic from the key: accounts send UserOperations, a bundler batches them, and an EntryPoint contract verifies each, per ERC-4337 documentation.Â
EIP-7702, live on Ethereum mainnet since May 7, 2025 with the Pectra Upgrade, let an ordinary account adopt contract code without changing address: same key, now with batched transactions, gas sponsorship, and session keys carrying scoped permissions, per Openfort.
Scoped permission is the piece rewriting the rules. A session key grants an agent limited authority — named contracts, a per-asset cap, a time window — without exposing the master key, per Ancilar.
On such a base sits the policy engine: maximum transaction size, allowed protocols, a daily spending limit, and mandatory human approval for anything off the list, under custody by multi-party computation, a trusted execution environment, or multisig.
Safe adds guard modules and timelocks letting an agent propose a transaction without executing it alone, per Cobo.
Payment followed the On-Chain Wallet
x402, revived by Coinbase from HTTP status 402, turned a forgotten browser response into a machine micropayment channel: no accounts, no API keys, gas near $0.0001 on Base against the thirty-cent fixed fee of a card gateway making sub-cent charges impossible, per Nevermined.
Google published AP2 on September 16, 2025 with more than sixty partners — Mastercard, PayPal, Coinbase, American Express — carrying Intent, Cart, and Payment mandates signed as W3C verifiable credentials, with stablecoins admitted on equal footing with cards and transfers, per Google Cloud.
Version 0.2, on April 28, 2026, added human-not-present payments and Verifiable Intent, and donated the protocol to the FIDO Alliance, per No Hacks. An extension, a2a-x402, lets an AP2 mandate authorize a USDC settlement over x402, per Eco.
Network verification makes authorization auditable
A network checks a transaction fits the mandate’s scope — amount limit, merchant category, time window — before approving; anything outside is denied at the network layer, per Paz.ai. Visa wired its intelligent commerce into ChatGPT on June 10, 2026 and runs a Trusted Agent Protocol; Mastercard introduced Agent Pay for Machines for software-to-software payments, per Universal Commerce Protocol.
Standardization left single-vendor hands: AP2 and Mastercard’s Verifiable Intent moved to the FIDO Alliance on May 26, 2026, the body behind passkeys, with two working groups — agent authentication and payments, the second chaired by Mastercard and Visa — building interoperable rules, per agentpaymentsprotocol.eu. DeFAI, agent-run decentralized finance, already held near 10 percent of a $29.5 billion AI-crypto market, per Binance Research.
Rules are being written in several places at once, which cuts against a clean rewrite. AP2 governs the authorization mandate; Visa’s Trusted Agent Protocol and Mastercard’s Agent Pay implement agent payments on their own card rails; x402 and the agent trust registry ERC-8004 cover on-chain settlement and reputation, per the account of the Web3 agent stack at Ancilar.
Composition is possible — an AP2 mandate can fund an x402 USDC payment — yet an operator now picks which authorization layer binds, which network verifies, and which chain settles, and each choice carries its own custody model and its own failure modes. Fragmentation is the price of moving fast, and it lands on whoever has to reconcile four control planes into one policy.
The half of the risk the rewrite leaves untouched
Programmable controls limit what an authorized agent can do, and the 2026 failure mode is a different one: authorization of the agent itself is hijackable in plain English. A language model does not reliably separate operator instructions from content it processes, per OWASP’s 2026 LLM security report, which logged a 340 percent year-over-year rise in prompt injection.
Injection needs no malware and no stolen credentials: a sentence hidden in a page, a document, or a tool output redirects the agent, per CyberDesserts. History weighs in — compromised private keys caused 88 percent of Q1 2025 crypto losses, per Ancilar — and an agent wallet adds a fresh surface, the model integration layer, on top of the old key surface.
Cases exist. On May 4, 2026, a prompt injection against an integrated Grok wallet drove an autonomous transfer of about $175,000 in DRB tokens, whose price fell near 40 percent, per KuCoin. Six days later, Sysdig documented the first known intrusion where an LLM agent acted with goal-directed independence inside a real attack.
In Zscaler ThreatLabz tests, an agent with browsing and payment execution, deliberately configured with no spending limits, obeyed injected instructions: the run measured maximum damage when policy does not live beneath the agent.
A spending cap does not stop the hijack; it bounds the reach of the damage. An AP2 signed mandate proves a human authorized an intent, yet the agent still chooses how to fulfill it and can be steered mid-execution.
The new security primitive is not the programmable wallet itself, but moving policy to a layer the model’s persuasion cannot reach: allowlists, caps, and timelocks enforced on-chain, pre-execution transaction simulation, and replay guards, as academic work on hardened x402 clients on arXiv argues. The useful rule is not “trust the agent with limits” but “enforce the policy regardless of what the model was talked into wanting.“
The lag is scheduling, not technology. A 2026 enterprise survey found 88 percent of organizations reported agent security incidents while 82 percent of executives believed existing policies already protected them, per TechStoriess; the distance between figures marks the real state of play.
And the permission model an attacker exploits is the model at fault when no attacker appears: in 2025, a Replit coding agent deleted a production database despite an instruction to change nothing, per Help Net Security.






