AI can help with onchain chores, but handing it your keys is asking for trouble. Ledger’s new Agent Stack takes a different route. Let the software do the busywork, keep the signing on secure hardware, and make humans approve the risky parts.

If you’ve ever watched an agent try to approve a token with the wrong spender or bridge to a mystery chain, you know why this matters. It’s not about speed. It’s about guardrails that actually hold when things get weird.

Here’s what changed, what shipped, and how to use it without getting burned.

Point Details Hardware-gated approvals Agents can prepare transactions, but high-risk or out-of-policy actions require explicit human confirmation on a Ledger device with a trusted display, per Ledger’s design note “Agents propose. Humans sign. Hardware enforces.” Ledger (blog) Open-source release Ledger publicly announced the Agent Stack toolkit as open source on July 16, 2026. The Block Early integrations Third parties including MoonPay and Shisa.ai have added support or integrations, signaling real-world uptake. The Block Battle-tested in a build sprint During the N3XT Build & Show, 50 submissions from 38 universities across 8 countries shipped 46 public repos that used Agent Stack components like DMK and Wallet CLI. Ledger (blog) Human-in-the-loop policy model Teams can predefine safe actions and limits, then surface anything outside those rules for manual approval on hardware. Cleaner ops vs blind signing Reduces copy-paste and blind approvals without giving agents raw key access. Still requires careful policy design and device hygiene.

How hardware-gated agents work in practice

At a high level, the flow is simple.

  • The agent assembles a plan. Swap here, bridge there, claim something, whatever the workflow calls for.
  • It checks that plan against a policy. That policy is your rulebook. Which contracts are trusted, how big a swap can be, what chains are allowed, and so on.
  • If the plan fits the rules, the agent prepares a transaction and queues it for signing.
  • When the action is sensitive or out-of-policy, the user has to review it on a Ledger hardware wallet and physically confirm it.

Ledger’s description is blunt and useful: “Agents propose. Humans sign. Hardware enforces.” You can read it straight from their July 1 write-up. Ledger (blog)

The value is in that last step. The trusted display shows what’s actually being signed, not what a web page says is happening. That closes a nasty set of attack paths where a front end, a plugin, or even the agent itself could get tricked.

What shipped on day one

Ledger pushed the Agent Stack as an open-source toolkit on July 16, 2026. The Block covered the release and noted that it’s hardware-backed by design. That matters for trust, but also for adoption because it slots into existing device fleets held by users and desks.

During an earlier build challenge in June, students and teams kicked the tires on key components like DMK and the Wallet CLI. Ledger’s recap counted 50 submissions from 38 universities across 8 countries with 46 public GitHub repos over eight days. Ledger (blog) That’s not a guarantee of quality, but it’s a signal that the tooling is usable by people who aren’t already inside Ledger.

Early adopters are already wiring it into flows. MoonPay and Shisa.ai were both named as integrating or supporting the stack at launch. The Block

The human approval layer, explained

Not every action needs a hand-raise. You don’t want to turn your hardware wallet into a toaster that pops every five seconds. The trick is the policy. Define a safe envelope, then surface the exceptions.

Common out-of-policy triggers

  • Unknown contract or spender address.
  • Large value transfers above a preset ceiling.
  • Permit-style approvals that grant unlimited allowances.
  • Bridging or chain switching to networks you didn’t pre-approve.
  • Deploying contracts or upgrading proxies.
  • Interactions with contracts that recently changed bytecode or verified source.

When the agent hits one of these, the device shows the real payload. You review the asset, the amount, the destination, the contract method, maybe a decoded summary. Then you decide.

Pro tip: Start tight. Engineers always want fewer pop-ups. Traders always want faster flows. For week one, bias toward more reviews. You can relax later once logs tell you where the noise is.

Developer setup: a short path to your first safe action

You don’t need to re-architect your entire app to get value. Wire up the agent, load a basic rulebook, and route signatures through the hardware.

  1. Choose your agent runtime and planner. It can be rule-based or LLM-assisted, but it must emit standardized actions you can validate.
  2. Define policies as code. Start with an allowlist of contracts, a per-transaction value cap, and a daily aggregate limit. Keep the file human-reviewable.
  3. Use the wallet CLI or SDK layer to route all signing to the Ledger device. Never hand the agent a private key or a raw JSON-RPC signer.
  4. Build a review screen that mirrors the device. Show the same decoded fields. No surprises.
  5. Log everything. Keep an append-only trail of the agent’s plan, the policy evaluation, the device prompt, and the human action.
  6. Fail closed. If policy evaluation crashes or the device disconnects, stop the workflow. Ask for re-approval.

This is the 80 percent version. Later, you can layer in per-address risk scores, method-level approvals, time locks for large moves, and team-based approvals for treasury-sized wallets.

Agent custody vs hardware-gated: a quick comparison

Model What it looks like Main risks Good for Agent holds keys Agent runs with a hot wallet or imported signer Key exfiltration, unlimited spend, invisible approvals, compromised runtime Test environments, tiny balances, low-stakes automation Hardware-gated agent Agent proposes, policy screens, human confirms on hardware Policy misconfig, alert fatigue, device hygiene, UX friction under load Retail self-custody, small desks, compliant flows that need auditability Custodial API agent Agent calls a custodian that enforces rules server-side Custodian risk, vendor lock-in, limited method coverage Enterprises needing permissions, reporting, and recovery paths

Plenty of teams will mix these. For example, let the agent do watch-only planning across multiple chains while only one wallet is wired for signing on-device.

Where this lands in the stack

Wallets and extensions

This is the obvious one. Autofill what you can. When the transaction moves real value or tweaks an approval, push the final click to the device. That keeps self-custody intact while still cutting down on copying contract addresses from Twitter.

Onramps and offramps

Onramps have a lot to gain from reducing manual steps while staying within com…

Mənbə: cryptodaily.co.uk →