Compass x Para: The Trust Chasm in Agentic Finance (and How We Bridged It)

A co-authored write-up from Compass Labs and Para.

We're at the start of a shift from algorithmic finance to agentic finance — markets where the thing reading the yield curve, rebalancing the credit, and placing the trade is an AI agent, not a person. The tooling is already here. Through the Compass CLI and MCP, an LLM like Claude can manage a real portfolio across DeFi: hunt for yield, rebalance credit, trade perps, allocate into tokenized stocks.

So why isn't every fund and power-user handing their keys to an agent tonight?

Because if you give an agent the power to move your money, you give it the power to lose it. An LLM doesn't have to be malicious to be dangerous. It can be tricked. It can hallucinate. It can be hit with a prompt-injection attack buried in a webpage it reads. Left unconstrained, one bad day looks like:

• a drained wallet,
• an approval granted to a malicious contract dressed up as a yield aggregator,
• funds wired to a stranger,
• a signature on a phishing transaction.

The industry's usual answer is to take the autonomy away — wrap the agent in so many confirmations that a high-speed model becomes a slow macro with extra steps. That isn't agentic finance. It's a chatbot with a keyboard shortcut.

Compass and Para take the other path: keep the autonomy, remove the blast radius.

Separation of powers

The fix is to split two things almost everyone bundles together: the ability to act and the authority to permit.

The agent moves the money. You set the rules.

• The hands — Compass. Claude (or any agent) drives the Compass CLI and MCP to navigate DeFi: yield, lending, borrowing, perps, tokenized assets. Compass turns an intent like "earn on this USDC" into a ready-to-sign transaction and returns positions, balances, and risk through one API. It is non-custodial — Compass never holds funds and never signs.
• The guardrails — Para. The agent's wallet lives behind Para's policy engine. Every transaction the agent wants to send is evaluated against a policy you set before it can be signed: spending caps, allowlisted venues, approved destinations — enforced cryptographically at the infrastructure layer, not by hoping the model behaves.

Neither side is custodial. Compass builds the transaction; Para's policy decides whether the wallet will sign it. The agent gets to be useful inside a box whose walls it cannot move.

What "blocked" actually means

The agent can look, analyze, and attempt anything it likes. The moment it attempts something your policy doesn't allow — sending USDC to an unverified external address, granting unlimited spend to a non-permissioned venue — the signer simply refuses. There is no override the model can talk its way into, because the check runs below the model, at the point of signing.

agent: "deposit 500 USDC into the best stablecoin vault"
  -> Compass: prepare the transaction (unsigned)
  -> Para: evaluate against your policy
       within caps + allowlisted venue?   -> sign + broadcast
       new / unverified destination?      -> refuse, nothing is signed
       over the spending cap?             -> refuse, nothing is signed
  -> on-chain settlement; positions + PnL returned via Compass

The transaction that violates policy is never signed. Nothing is broadcast. The capital stays put. The worst case for a compromised or confused agent is a blocked transaction — not an empty vault.

We built this end to end and ran it on Base. The agent could complete an authorized deposit — prepared by Compass, signed under Para policy, confirmed on-chain — and the same agent was blocked, under live policy enforcement, the moment it tried to step outside its scope. The guardrail is structural, not a prompt.

Why this matters for capital

This isn't only a developer demo. It's the shape of how serious capital can actually enter agentic finance.

Remove the fear of catastrophic failure and you unlock the upside: agents that manage collateral ratios across protocols 24/7, rebalance risk in real time, and act on fleeting opportunities — with the operator knowing the worst case is a refused transaction, not a wired-away balance. The mandate is set by a human and enforced by infrastructure; the agent operates freely inside it.

Agentic finance shouldn't require blind faith. It requires guardrails that hold even when the model is wrong. We've built the hands. Para built the shields. Now the agents can run.

Try it

• Compass API docs: docs.compasslabs.ai
• Compass CLI & MCP: docs.compasslabs.ai/v2/Agents/CLI
• Para: getpara.com
• Para × Compass walkthrough: docs.getpara.com/v2/walkthroughs/compass
• Book a demo

If you're building agents that touch real capital, this is the pattern: an agent with full reach through Compass, a human-set policy enforced by Para, and nothing custodial in between.

Compass does not control DeFi protocols or smart contracts. Using DeFi protocols involves risk, including potential loss of funds. This is not investment advice.