Something is shifting in how software handles money. For years the assumption was that a human sits at the end of every transaction, reading a screen, clicking a button, confirming a payment. That assumption is starting to break. AI agents are beginning to act on people's behalf, and some of what they do involves moving real value.
You can see the bigger players positioning for it. Payment networks, card issuers, and cloud providers are all building pieces of an agent-commerce layer — the rails for machines that transact rather than people. The interesting question underneath all of it is simple. If an agent is going to handle money, what does it actually need to do that safely?
What an agent needs that a person does not
A person interacts with a financial product through an interface designed for eyes and fingers. An agent does not. It needs to read the state of a market, understand the options, price them, and execute — all from structured information it can parse, not a dashboard it has to look at.
So the first thing an agent needs is a surface built for it. Documentation a model can read and integrate from directly. Output in a format an agent parses faster than it parses a human-facing screen. Endpoints that stay correct as the underlying platform changes, so the agent does not drift out of date the moment something ships. This is the difference between an API that a human developer wires up once, and one an agent can pick up and integrate itself — through a CLI or an MCP server it can call as a tool.
The authorization problem
Here is the part that matters most, and the part that is easy to get wrong.
You do not want an agent holding the keys. The whole point of letting an agent act is convenience, but convenience cannot mean handing custody of someone's money to a model. The model can read the market, find the best option, and prepare the transaction. What it must not do is be the thing that finally authorises moving the funds.
The clean version of this is non-custodial. The infrastructure prepares the on-chain transaction. The agent proposes it, having done the reading and the pricing. And the final authorisation is bound to the end-user's signer — the wallet the user controls, often scoped by a policy that says what the agent is and is not allowed to do. The asset never moves through the infrastructure, and it never sits with the agent. The agent suggests, the signer decides.
That separation is what makes any of this acceptable. An agent that can find you the safest yield is useful. An agent that can empty your wallet because it misread a prompt is a liability. Binding authorisation to the user's own signer is what keeps the first without the second — it is exactly the pattern we built with Sly, where an agent can borrow a little but cannot drain the position.
What it looks like in practice
Once the surface and the safety model are right, the experience gets very direct. A user says "move my stablecoins into the safest yield you can find", or "buy me tokenised Apple", and it happens. The agent reads the market, prices it, prepares the transaction, and the user's signer authorises it. No screens, no twelve-step flow.
The reason this is reachable now, and was not a year ago, is that the financial products have to be on-chain and behind one programmable interface first. If yield, lending, swaps, and tokenised assets all live behind a single API, putting an agent on top is the natural next step rather than a research project. The hard part was never the agent. It was having a clean, programmable, non-custodial surface for it to act through.
Where this goes
We do not think the headline is "crypto goes mainstream" or "agents take over." It is more specific than that. As more financial products become programmable, the interface to them stops being a screen and starts being an instruction. Some of those instructions will come from people, and a growing share will come from agents acting for people, inside limits those people set.
The infrastructure that makes that safe is not glamorous. It is preparing transactions correctly, exposing them in a way a machine can use, and making sure the only thing that can authorise a transfer is the user's own signer. Get that right and agents handling money stops being a scary idea and becomes a boring, useful one. That is usually the sign that something is real.
If you are building agent workflows that need to touch real money on-chain, we would love to compare notes — email contact@compasslabs.ai, or start with the agent docs.
Compass does not control DeFi protocols or smart contracts. Using DeFi protocols involves risk, including potential loss of funds. This is not investment advice.