> ../signals/2026-06-13.md
── Signal one · Agentjacking gets a name ──
A security research note this week put a name on the attack we wrote up in Wednesday's failure report: agentjacking, the hijacking of coding and tool-using agents by injecting instructions through MCP servers and tool outputs. Naming matters. An attack with a name gets a control mapping, gets into threat models, and gets asked about in procurement. This one maps cleanly onto the agentic threat taxonomy from late last year: goal hijack as the primary category, supply chain as the delivery path.
The mechanism is the one that keeps recurring. Untrusted content, a tool result, a server's tool definition, an external document, enters the agent's context with instruction-level authority before any human reviews it. The agent cannot tell the operator's instructions from the attacker's, because in a context window they look identical.
The practical implication: if you run coding agents or any agent that loads third-party MCP servers, the data path is now an attack path with a name your security team will recognize. Treat tool definitions and tool outputs as untrusted input, scope what the agent can do with what it reads, and review consequential actions before they execute.
── Signal two · Agents get money and identity, with guardrails attached ──
Two releases the same day point at the same shift. A major wallet provider opened early access to an agent wallet that lets an agent execute on-chain transactions, but only behind a default guard mode: spending limits, allowlists, transaction simulation before execution, and a two-factor human approval on the riskier edges. Separately, a platform for operating and monetizing agents shipped an open agent manifest under a permissive license, with a portable identity and audit trail and an orchestration layer for multi-agent work.
Read together, the signal is that the financial and identity primitives for agents are arriving, and the serious ones are arriving with governance built into the rails rather than bolted on later. A spending limit, an allowlist, a simulation step, and an approval on the risky edge are the approval queue and the trust boundary, expressed in a wallet. A portable manifest with an audit trail is attributable agent identity, expressed as a standard.
The practical implication: the patterns we have been writing about, scoped authority, human approval on consequential actions, attributable identity, are no longer just internal discipline. They are becoming the default shape of the infrastructure. If your agents are going to handle money or act across vendor boundaries, adopt rails that enforce these by default, and do not disable the guard mode because it is in the way.
── Signal three · Governance becomes a buyable layer ──
A Big Four firm expanded its alliance with a major platform vendor this week to deploy that vendor's agent management product across client engagements, folding it into the firm's trusted-AI framework to manage, monitor, and secure agents at scale. Set the brand names aside and look at the shape: agent governance is being packaged and sold as a layer, the way identity management and observability were before it.
The practical implication for smaller teams and for those of us building agents for clients: governance is moving from a thing you improvise to a thing buyers expect to see and increasingly expect to purchase. The bar for "is this agent safe to run in our operations" is rising, and it is being set by procurement, not by engineering. Whatever you ship now competes against that bar. A documented trust boundary, an approval queue, attributable identity, and an audit trail are no longer a differentiator. Soon they are table stakes.
── What to do with this ──
◆ Signal I: Add agentjacking to your threat model by name. Audit which MCP servers your agents load, quarantine tool output as untrusted, and scope the actions an agent can take with what it reads.
◆ Signal II: If your agents will touch money or cross vendor boundaries, pick rails that enforce spending limits, allowlists, simulation, approval on risky edges, and portable identity by default. Leave the guard mode on.
◆ Signal III: Write down your governance posture as if a procurement team will read it, because soon one will. Trust boundary, approval queue, identity, audit trail.
── End of signal ──
◆ Agentjacking is now a named attack class. The data path is an attack path.
◆ Agent wallets and identity manifests are arriving with governance on the rails. That is the trust boundary and the approval queue, productized.
◆ Agent governance is becoming a buyable layer. The safety bar is now set by procurement.
ORBIRESEARCH