Agentic security: How to protect critical assets in AI-driven systems

In November 2024, an AI agent called Freysa was given control of a crypto prize pool worth 13.19 ETH (roughly $47,000) and one instruction: do not transfer money, under any circumstance. The prize would be given to anyone who sent Freysa a message trying to convince it to release the funds. If the message worked, the sender won the entire pool.

After 481 failed attempts by human participants, a single prompt injection convinced the agent to redefine its own transfer function and release the entire pool. The agent did not resist. It responded enthusiastically.

Fifteen months later, an autonomous trading bot called Lobstar Wilde sent 52 million memecoin tokens to a stranger on X who had posted a plea for 4 SOL (roughly $12). The bot intended to send 52,439 LOBSTAR tokens, worth about 4 SOL, but misread an API response and sent 52,439,000 instead, transferring roughly $250,000 in a single unreviewed transaction. The bot had been live for three days.

In crypto, every onchain asset movement ultimately depends on a valid signature. A blockchain does not know whether that signature came from a careful user, a manipulated AI agent, a compromised backend, or an operator account that was never supposed to have that level of authority. It only knows whether the signature is valid.

As AI agents begin operating wallets, payment flows, smart contracts, and financial applications, builders need infrastructure that defines what agents can access, what they can authorize, what they can execute, and what happens when the agent makes a mistake or is manipulated.

Agentic systems will create new product experiences, from autonomous trading and machine payments to AI-managed treasury workflows. But those experiences can only move into production if the security model is built for delegated control, policy enforcement, and verifiable execution from the start.

What is agentic security, and why is it important in financial systems like crypto?

Agentic security is the set of controls that governs what AI agents can access, authorize, and execute, especially when those agents interact with critical assets.

In a wallet context, agentic security means protecting assets when an AI agent can interact with the systems that control value. The core question is not just, “Can the AI understand the task?” It is, “What is the AI allowed to do, and what happens if it makes a mistake or is manipulated?”

For crypto wallets, agentic security includes agent controls like:

• They should only be able to access specific wallets, contracts, chains, and transaction types.
• They should have spending limits, approval requirements, and restricted permissions.
• They should not be able to move critical assets without policy checks.
• Their actions should be logged, auditable, and revocable.

The same protections that keep a compromised frontend, backend service, or operator account from moving assets also need to apply to AI agents. The difference is that agents may act more frequently, more autonomously, and across more systems than a traditional user.

A secure agentic wallet system should treat the AI agent as a delegated actor. It can propose actions. It can initiate workflows. It can help automate financial activity. But it should not become the final authority over critical assets.

Why is agentic security important?

Agentic security is important because AI systems are starting to sit directly in the path between user intent and financial execution.

In traditional wallet flows, users often review and approve transactions manually. In agentic systems, that approval loop can become automated. An agent may decide when to send a payment, execute a trade, rebalance a portfolio, claim a yield opportunity, pay for an API, or interact with a smart contract. That creates a powerful user experience, but it also creates a larger attack surface.

Unchecked AI systems can fail in several ways. An agent can misunderstand an instruction and execute the wrong action. It can be manipulated through prompt injection. It can rely on a malicious website, API response, document, smart contract interface, or tool output. It can call the right tool with the wrong parameters. It can approve a transaction that looks routine but contains a malicious destination, unexpected contract call, or larger-than-expected value transfer.

In March 2025, a hacker accessed the dashboard of AI crypto agent AIXBT and queued two fraudulent prompts that instructed the agent to transfer 55.5 ETH (roughly $105,000) from its wallet. The agent executed both transfers. The attacker did not need to compromise the AI model itself. They only needed access to the system that fed it instructions. 

This is an important lesson: attackers do not need to break the blockchain. They only need to find a path to a valid signature.

AI agents increase the importance of that lesson because they introduce a new automated execution layer. If an agent has broad wallet access and no enforceable policy boundary, a compromised agent can become a direct path to asset movement. If the agent is connected to payment APIs, smart contracts, or treasury wallets, the blast radius can extend beyond one wallet into the entire financial workflow.

What protects AI systems from unauthorized asset movement?

A secure agentic system needs more than a wallet address and an API key. It needs a security architecture that assumes the agent may be wrong, the surrounding application may be compromised, and the transaction may be unsafe unless it passes policy.

This is where Turnkey’s architecture matters. All of Turnkey’s critical workloads –  private key generation, transaction signing, and policy evaluation – run in secure enclaves, a type of Trusted Execution Environment, and its framework is designed to prove security-critical systems are verifiable and running the expected software. 

Turnkey’s architecture for AI: TEEs, Policy, Verifiability

Securing critical assets in AI systems entails creating the same protections a wallet would need from any delegated user.

• Trusted Execution Environments create isolated runtimes for sensitive operations. In Turnkey’s case, secure enclaves are used for critical workloads such as private key generation, transaction signing, and policy evaluation. This reduces reliance on the surrounding cloud environment, application server, or operator path.
• Policies define what an agent is allowed to do before assets move. For agentic systems, policy is the difference between giving an AI agent a wallet and giving it a constrained operating envelope. The agent can request an action, but the policy decides whether that action is allowed.
• Verifiability gives production financial systems proof, not just trust that sensitive operations are running in the expected environment and that security-critical code has not been swapped or weakened. Turnkey’s security framework is built around proving that security-critical workloads are running the expected software in secure enclaves.

Together, TEEs, policy, and verifiability create the core security model for AI-driven financial infrastructure. TEEs protect the execution environment. Policies constrain what agents can do. Verifiability gives teams confidence that those protections are actually in place.

Without those foundations, agentic wallets can become exposed signing surfaces. With them, agents can operate within defined limits while critical assets remain protected.

Turnkey's policy for AI vs competitors

Developers need to look carefully at competing wallet architectures. Depending on the security setup, MPC and HSM-based systems may provide some protections for private keys, but key protection alone does not solve agentic security.

There was no policy layer evaluating the transaction independently of the agent's reasoning. When the agent was convinced to reinterpret its own function, nothing else stood in the way. 

Turnkey’s advantage is that policy is part of the protected signing architecture, not just a product-layer permission model. That distinction matters for institutions and production applications. 

A lightweight agent wallet may work for experiments, demos, or low-value workflows. But when real customer funds, treasury assets, payment flows, or institutional wallets are involved, the system needs stronger guarantees.

How Turnkey secures assets when agents are in control of wallets

Turnkey secures assets in agentic systems by treating AI agents as delegated actors with constrained authority.

An AI agent can operate a wallet programmatically, but it does not need unrestricted control over that wallet. The agent can be assigned specific permissions, scoped credentials, and policies that define what it can do. When the agent requests a signature, Turnkey evaluates the request before the transaction is signed.

This gives developers a way to separate agent intent from signing authority. The agent may decide that a payment should be made, a trade should be executed, or a contract should be called. But Turnkey can enforce whether that action is allowed based on the policy attached to the wallet, user, organization, or workflow.

This lets teams build AI-driven systems where agents can be useful without being all-powerful. Agents can operate wallets. They can automate transactions. They can interact with onchain applications. But every critical action still passes through policy-controlled signing.

Building on that foundation: Turnkey for AI features

Turnkey’s AI Agents solution is built for developers working at the intersection of crypto and AI, with features including agentic wallets, delegated access, API keys, and policies. That makes Turnkey a foundation for applications where agents need to operate wallets without receiving unrestricted control over assets.

Turnkey gives developers the primitives to create agent wallets, scope delegated access, enforce policy, support multichain execution, automate gas and transaction workflows, and integrate with emerging agentic standards and machine payment protocols. Together, those features help agents operate across crypto environments without giving them unrestricted control over the assets they use.

Turnkey: Agentic security to the core

Turnkey AI Skills give developers and operators a faster way to control wallet infrastructure through natural language. Instead of moving between docs, SDKs, API references, dashboards, and custom scripts, teams can use prompts to run common Turnkey workflows like wallet creation, policy configuration, transaction signing, and administrative tasks.
‍

Product · Turnkey AI Skills

"Give every AI agent its own scoped wallet, policy-enforced signing, and a tamper-proof audit trail. Turnkey AI Skills enforce constraints before any transaction is signed, so a compromised agent can never drain funds, override approvals, or route around your guardrails."

Explore AI Skills →

Agentic infrastructure should not only secure agents after they exist. It should also make agents easier to set up, configure, constrain, and operate from the beginning.

With Turnkey AI Skills, a team can use a prompt via Claude Code to help set up a wallet for an AI agent, generate credentials, define the access model, and configure policy constraints in a single workflow. That makes it easier to test agent wallet flows before building a full integration, while still keeping signing authority governed by Turnkey’s underlying infrastructure.

For developers, this reduces setup time. For product and operations teams, it creates a more direct way to test wallet behavior, inspect activity, update policies, manage approvals, and administer agent workflows without turning every request into an engineering ticket.

AI-forward companies building applications on Turnkey

Several companies are already building AI-forward applications on Turnkey, where agents, automation, and wallet infrastructure come together.

These teams are building systems where AI can help users trade, transact, manage wallets, execute onchain actions, and interact with crypto applications programmatically. In these workflows, agents can propose actions or initiate execution, but the wallet infrastructure still needs to protect keys, enforce policy, and control what can be signed.

Turnkey provides the foundation for that model: secure wallets, delegated access, policy-controlled signing, and verifiable infrastructure. That is what makes agents usable in production. Turnkey allows them to act, but only within the limits the application defines.

Case study · AI Agents

Spectral Labs built onchain AI agents on Turnkey for Spectral SYNTAX. Turnkey creates a smart wallet for each agent so it can execute onchain actions, with the Turnkey policy engine enforcing controls around transaction amounts and signature patterns.

Learn more →

Case study · AI Agents

Pass App uses Turnkey for AI-powered wallets and agents that interact with crypto on behalf of users. Turnkey provides core key-management infrastructure, non-custodial recovery, and a verification layer for the more complex agent-driven transactions.

Learn more →

Case study · AI Agents

Parallel Studios built Wayfinder, an onchain AI protocol that uses LLM models to execute crypto transactions for users. Turnkey provides the secure session-based signing model that lets users pre-approve multiple transactions while preserving non-custodial control.

Learn more →

Turnkey: The future of AI financial infrastructure

The next generation of financial applications will be more autonomous. Agents will pay for APIs, execute trades, manage treasury workflows, coordinate micropayments, interact with smart contracts, and move value across chains.

That future needs secure signing infrastructure built for delegated execution. It needs policies that live close to the keys. It needs wallets that can be operated by agents without giving those agents unlimited control. It needs verifiability so developers and institutions can trust the systems protecting critical assets.

With secure enclaves, policy-controlled signing, delegated access, multichain support, and agent-ready wallet infrastructure, Turnkey gives builders the foundation for that future, allowing them to build AI systems that can act without putting critical assets at unnecessary risk.

As AI agents become financial actors, the strongest infrastructure will help them move money safely, within defined policies, with verifiable records of what was requested, approved, and signed. That’s what Turnkey provides.

Get started with Turnkey today. 

‍