AI can help with onchain chores, but handing it your keys is asking for trouble. Ledger’s new Agent Stack takes a different route. Let the software do the busywork, keep the signing on secure hardware, and make humans approve the risky parts.
If you’ve ever watched an agent try to approve a token with the wrong spender or bridge to a mystery chain, you know why this matters. It’s not about speed. It’s about guardrails that actually hold when things get weird.
Here’s what changed, what shipped, and how to use it without getting burned.
| Point | Details |
|---|---|
| Hardware-gated approvals | Agents can prepare transactions, but high-risk or out-of-policy actions require explicit human confirmation on a Ledger device with a trusted display, per Ledger’s design note “Agents propose. Humans sign. Hardware enforces.” Ledger (blog) |
| Open-source release | Ledger publicly announced the Agent Stack toolkit as open source on July 16, 2026. The Block |
| Early integrations | Third parties including MoonPay and Shisa.ai have added support or integrations, signaling real-world uptake. The Block |
| Battle-tested in a build sprint | During the N3XT Build & Show, 50 submissions from 38 universities across 8 countries shipped 46 public repos that used Agent Stack components like DMK and Wallet CLI. Ledger (blog) |
| Human-in-the-loop policy model | Teams can predefine safe actions and limits, then surface anything outside those rules for manual approval on hardware. |
| Cleaner ops vs blind signing | Reduces copy-paste and blind approvals without giving agents raw key access. Still requires careful policy design and device hygiene. |
How hardware-gated agents work in practice
At a high level, the flow is simple.
- The agent assembles a plan. Swap here, bridge there, claim something, whatever the workflow calls for.
- It checks that plan against a policy. That policy is your rulebook. Which contracts are trusted, how big a swap can be, what chains are allowed, and so on.
- If the plan fits the rules, the agent prepares a transaction and queues it for signing.
- When the action is sensitive or out-of-policy, the user has to review it on a Ledger hardware wallet and physically confirm it.
Ledger’s description is blunt and useful: “Agents propose. Humans sign. Hardware enforces.” You can read it straight from their July 1 write-up. Ledger (blog)
The value is in that last step. The trusted display shows what’s actually being signed, not what a web page says is happening. That closes a nasty set of attack paths where a front end, a plugin, or even the agent itself could get tricked.
What shipped on day one
Ledger pushed the Agent Stack as an open-source toolkit on July 16, 2026. The Block covered the release and noted that it’s hardware-backed by design. That matters for trust, but also for adoption because it slots into existing device fleets held by users and desks.
During an earlier build challenge in June, students and teams kicked the tires on key components like DMK and the Wallet CLI. Ledger’s recap counted 50 submissions from 38 universities across 8 countries with 46 public GitHub repos over eight days. Ledger (blog) That’s not a guarantee of quality, but it’s a signal that the tooling is usable by people who aren’t already inside Ledger.
Early adopters are already wiring it into flows. MoonPay and Shisa.ai were both named as integrating or supporting the stack at launch. The Block
The human approval layer, explained
Not every action needs a hand-raise. You don’t want to turn your hardware wallet into a toaster that pops every five seconds. The trick is the policy. Define a safe envelope, then surface the exceptions.
Common out-of-policy triggers
- Unknown contract or spender address.
- Large value transfers above a preset ceiling.
- Permit-style approvals that grant unlimited allowances.
- Bridging or chain switching to networks you didn’t pre-approve.
- Deploying contracts or upgrading proxies.
- Interactions with contracts that recently changed bytecode or verified source.
When the agent hits one of these, the device shows the real payload. You review the asset, the amount, the destination, the contract method, maybe a decoded summary. Then you decide.
Pro tip: Start tight. Engineers always want fewer pop-ups. Traders always want faster flows. For week one, bias toward more reviews. You can relax later once logs tell you where the noise is.
Developer setup: a short path to your first safe action
You don’t need to re-architect your entire app to get value. Wire up the agent, load a basic rulebook, and route signatures through the hardware.
- Choose your agent runtime and planner. It can be rule-based or LLM-assisted, but it must emit standardized actions you can validate.
- Define policies as code. Start with an allowlist of contracts, a per-transaction value cap, and a daily aggregate limit. Keep the file human-reviewable.
- Use the wallet CLI or SDK layer to route all signing to the Ledger device. Never hand the agent a private key or a raw JSON-RPC signer.
- Build a review screen that mirrors the device. Show the same decoded fields. No surprises.
- Log everything. Keep an append-only trail of the agent’s plan, the policy evaluation, the device prompt, and the human action.
- Fail closed. If policy evaluation crashes or the device disconnects, stop the workflow. Ask for re-approval.
This is the 80 percent version. Later, you can layer in per-address risk scores, method-level approvals, time locks for large moves, and team-based approvals for treasury-sized wallets.
Agent custody vs hardware-gated: a quick comparison
| Model | What it looks like | Main risks | Good for |
|---|---|---|---|
| Agent holds keys | Agent runs with a hot wallet or imported signer | Key exfiltration, unlimited spend, invisible approvals, compromised runtime | Test environments, tiny balances, low-stakes automation |
| Hardware-gated agent | Agent proposes, policy screens, human confirms on hardware | Policy misconfig, alert fatigue, device hygiene, UX friction under load | Retail self-custody, small desks, compliant flows that need auditability |
| Custodial API agent | Agent calls a custodian that enforces rules server-side | Custodian risk, vendor lock-in, limited method coverage | Enterprises needing permissions, reporting, and recovery paths |
Plenty of teams will mix these. For example, let the agent do watch-only planning across multiple chains while only one wallet is wired for signing on-device.
Where this lands in the stack
Wallets and extensions
This is the obvious one. Autofill what you can. When the transaction moves real value or tweaks an approval, push the final click to the device. That keeps self-custody intact while still cutting down on copying contract addresses from Twitter.
Onramps and offramps
Onramps have a lot to gain from reducing manual steps while staying within compliance boundaries. The early mention of MoonPay among initial adopters shows where this is headed: smoother purchase flows but still human-confirmed at the wallet edge. The Block
AI assistants and chat-style planners
Chat agents are good at explaining steps and fetching quotes. They are bad at exercising restraint. By forcing them to pass through a hardware gate, you can keep the assistant experience without letting it run your treasury. Shisa.ai’s integration callout hints at this use case landing first in power-user tooling. The Block
Education and research
The N3XT challenge numbers suggest a healthy pipeline of sample repos and patterns. It also means students are building with real devices, not just happy-path mocks. That tends to flush out annoying UX gaps early. Ledger (blog)
Risks, blind spots, and how not to trip
- Policy sprawl. A bloated rule set becomes impossible to audit. Keep policies small, composable, and versioned.
- Alert fatigue. Too many prompts and humans stop reading. Reduce noise by grouping small actions and approving batched flows where safe.
- Display mismatch. If your UI shows friendlier names than the device, users may confirm by habit. Train people to read the device, not the app.
- Chain and token confusion. Tick symbols lie. Only trust the chain ID, contract address, and decimals shown on the device.
- Firmware and supply-chain hygiene. Keep device firmware current. Buy hardware from trusted channels. Air-gap recovery phrases.
- Agent prompt injection. If you run LLMs, treat website content and onchain metadata as untrusted input. Sanitize before planning actions.
- Broken failsafes. If the agent or policy engine crashes, make sure the default is do nothing. No retries without a human.
Pro tip: Add a single global kill switch that forces device confirmation for every action until you flip it back. You will want this during incidents.
Metrics to watch next quarter
- Integrations that ship to production. It’s one thing to announce support, another to push it into live user flows. Watch what MoonPay and similar consumer gateways actually roll out. The Block
- Policy templates. Expect baseline rule sets to emerge for common actions like ERC20 swaps or NFT listings. Reusable templates lower setup time and reduce mistakes.
- Repo velocity. The number of public repos is a starting point. The useful metric is maintenance. Do examples get updates when chains or popular DEX routers change?
- Multi-user approvals. Small teams want at least two-person checkoff for big moves. Whether this lands as native policy or app-layer logic will shape treasury adoption.
- Coverage across chains. The long tail of L2s and sidechains is where agents misbehave. The more robust the cross-chain decoding and display, the safer this gets.

Diagram of Ledger’s ‘Agentic Attack Surface and Ledger Governance Layer’ showing agents proposing actions, a trusted display for human approval, and a hardware root-of-trust that enforces signatures — illustrating the human-in-the-loop security model. — Source: Ledger
Who should actually try this first
- Power users juggling many wallets. If you already live with a hardware wallet on your desk, this reduces copy-paste while keeping your habits intact.
- Small trading desks. You want speed but you can’t have a script with keys. The human gate gives you speed on normal trades and friction on the weird ones.
- Compliance-minded teams. If you need proofs that a human signed and policies were enforced, hardware-backed prompts give you a clean audit trail.
- Builders of chat assistants. You can ship a slick assistant without handing it custody. That alone unlocks safer experimentation.
Note: None of this makes markets less volatile. It just makes execution safer. You still carry price risk, protocol risk, and all the usual onchain hazards.
What this does not solve
- Bad quotes or MEV losses. The device confirms the action, not your slippage outcome or the sandwich risk.
- Rug detection. If your policy trusts a contract that turns malicious later, the agent might still usher you into a trap.
- Phishing for the human. A well-timed phone call or a fake support chat can still push someone to confirm a transaction they do not understand.
- Key recovery mistakes. Social recovery or seed storage errors remain your problem. Hardware gates do not rescue a leaked phrase.
Stay on top of agent-wallet security
If you want the weekly pulse on what actually ships in agent tooling and wallet security, we track it closely at Crypto Daily with a builder’s eye, not a hype lens.
Frequently Asked Questions
Does the agent ever get my private keys?
No. The design keeps private keys inside Ledger hardware. The agent assembles transactions and suggests actions, but only the device signs after a human confirms.
Can I auto-approve small transactions?
Yes, if your policy allows it. Teams often set tiny value caps or allowlists for routine actions. Anything outside that envelope triggers a device review.
What if the agent or policy engine crashes mid-flow?
Build your integration to fail closed. If validation fails or the device disconnects, stop and require a fresh human approval. Do not let retries slip through without review.
Which companies are integrating the Agent Stack?
Reporting around the launch named MoonPay and Shisa.ai among early adopters or supporters. Production rollouts may vary by region and product line. The Block
Is this open source and available today?
Yes. The Agent Stack toolkit was announced as open source on July 16, 2026, with public repos and docs referenced in coverage and Ledger communications. The Block
How do I know what I’m actually signing?
Trust the device screen. It decodes and shows the critical fields from the transaction or message. Compare the contract address, chain ID, and amounts on the device, not just the app UI.
Will this slow me down during volatile markets?
There is some friction on out-of-policy actions. You can tune policies to minimize prompts for routine trades, but you should expect human-confirmed steps when value or risk jumps.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.







