Security in the Agentic Economy

In this X Space, Concordium CTO Peter Marirosans hosts two senior security engineers from CertiK, Luigi Girletti and Stefano Angieri, for an hour on what security has to become once AI agents start holding keys and moving money on their own.

For most of crypto's history, security came last, a box ticked once the product was already live. Autonomous agents that transact at machine speed push it to the front of the queue. The hour keeps returning to one question: before you hand an agent real value, what has to be true for you to trust it?

The conversation moves from what changed to what it means. The human judgment that used to sit in the decision chain, the pause where someone could stop and check, is leaving the loop as agents execute on their own.

AI has lowered the barrier to attacks at the same time, with prompt injection arriving as a genuinely new threat and April the worst month for crypto losses since 2022. CertiK's read is that most damage still traces back to old-fashioned operational failures and human error, which is why so much of the hour lands on culture over tooling. Peter captures it in his image of teams treating each release like a four-second pit stop when the honest version is closer to three careful days.

The institutional questions follow from there: can the system stay up, what depends on what, what happens when one piece fails. Those happen to be the questions Concordium has built toward since its mainnet launched five years ago this month, pushing identity, tokens, and audits to the protocol level.

It comes together in the closing question. Asked what one foundation must exist before society trusts agents with real value, both engineers land on the same three things: you have to identify the agent, verify that its actions match its owner's intent, and hold it accountable. An autonomous system you can trust and hold to account is progress. One you cannot is risk at machine speed.

1: Welcome, Framing, and Guest Introductions

  • Peter's opening frame: security is moving from afterthought to core infrastructure
    • Crypto has long treated security as a secondary concern, especially in bull markets where speed is rewarded
    • Security work often gets reduced to a box-ticking exercise
    • That is changing: AI agents are becoming key economic players and actors
    • Institutions are increasingly building in digital assets
    • The ecosystem is growing more autonomous and therefore more valuable
    • Security is shifting to support this as a core infrastructure function
  • Scope of the Space
    • How AI is reshaping the threat landscape right now
    • Why old security assumptions that the industry was comfortable with are breaking
  • Concordium milestone
    • This month marks Concordium's fifth mainnet anniversary
    • Launched five years ago with trust and identity as the core vision
    • The chain continues building toward trust infrastructure, now extended into the AI and agentic world
  • Guest context: CertiK and the Concordium audit
    • Luigi and Stefano come from CertiK, described by Peter as one of the most reputable security firms in Web3
    • Peter has worked with both over recent months on Concordium's own audits, which have just been published
    • Peter encourages listeners to read the audit results
  • Luigi Girletti, Senior Blockchain Security Engineer, CertiK
    • Four years at CertiK
    • Started in smart contract security, now focused on infrastructure and the blockchain layer itself
    • Has audited a range of chains, including custom chains and Concordium
    • Prior background as a telecommunications engineer working on 5G networks and distributed systems, which informs his infrastructure security work
  • Stefano Angieri, Senior Blockchain Security Engineer, CertiK
    • Previously protocol architect at Interchain Foundation, working on interoperability
    • Holds a PhD in computer science and telematic engineering, focused on applying blockchain to internet resource management
    • Specializes in distributed system security at the infrastructure level

2: What Changed in the Last 12 to 18 Months

  • Peter's framing question
    • Most AI talk focuses on what agents can do and the latest developments
    • The more potent question: what happens when AI systems start interacting with financial infrastructure at scale
    • At Consensus 2026, CertiK argued AI makes crypto security more urgent, not less
    • What changed in 12 to 18 months that made this impossible to ignore?
  • Luigi: the human is leaving the loop
    • The core loss is human judgment in the decision chain
    • Agents are now holding keys, executing transactions, and moving funds directly
    • If there is a flaw in the system, attacks move at machine speed
    • Previously a human could spot an issue, pause, and check; autonomous agents remove that circuit breaker
  • Peter's addition: even the checks are agentic now
    • Human involvement inherently slowed the system down, even on positive checks
    • That natural friction is gone
    • Luigi agrees: when checks are improper, faults simply propagate faster than before
  • Stefano: the engineering workflow shift
    • An enormous change in how engineers operate using AI over the past 18 months
    • Workflows now exist that were simply impossible 18 months ago
    • Loop engineering: making agents work by themselves is now standard practice
    • AI model evolution enables cheap, fast, and efficient attacks
  • The guardrail problem
    • Guardrails are needed to validate that agents do what they were intended to do
    • Stefano suggests validation should eventually happen before settlement on the execution layer
    • Peter pushes further: agents are currently setting their own guardrails, with agents advising agents
    • That circularity fails when both are wrong, and the industry underappreciates this
  • Luigi: intent validation needs a generic standard
    • The need: a way to validate that what an agent executes matches the owner's intended behavior
    • Companies are currently building proprietary solutions in isolation
    • A generic, ecosystem-agnostic mechanism is needed so an agent can operate across different ecosystems without separate trust mechanisms for each

3: Has AI Changed the Threat Landscape or Just Accelerated It

  • Peter's question: fundamental change or acceleration
    • Agents cut both ways: they can be used to build and to launch attacks
    • Sophisticated attacks previously required real expertise in how systems work
    • AI is eroding that barrier fast: phishing, deepfakes, voice cloning at phenomenal speed and capability
    • Has AI fundamentally changed the threat landscape, or just accelerated the existing problem?
  • Luigi: the answer is both
    • Vulnerability discovery and exploitation now happen faster and more efficiently
    • Most existing attack types have become easier to execute with AI
    • AI also introduces genuinely new problems, prompt injection being the prime example
    • An agent managing money that gets injected with an unintended prompt becomes a financial issue
  • Prompt injection explained
    • Peter asks Luigi to define it for listeners
    • Any source fed to an agent can be used to sneak in an extra prompt that changes the agent's behavior
    • Injection vectors include images and social media content
    • Recent real case: an agent was tricked into sending money via an X post
    • Defense requires validation after the prompt and before execution, so the transaction is checked before it settles
    • This is difficult, and systems are still working out how to do it
  • The data: April was the worst month since 2022
    • CertiK's regular incident report tracks money losses across the Web3 space
    • April alone recorded the highest losses of any month since 2022
    • Luigi attributes this spike to AI
  • Stefano: targets are shifting from contracts to infrastructure
    • Hacks no longer happen only at the smart contract level
    • The GemDAO hack stole $290 million by targeting the infrastructure itself
    • AI is becoming a supply chain threat
    • Teams need a clear, secure dependency map: what they use, how they use it, and whether each API can be trusted
    • When multiple agents interact, hidden dependency risks can be triggered
  • The human remains the most vulnerable part
    • Phishing campaigns are becoming good enough to fool attentive users
    • Deepfakes and voice cloning are advancing rapidly
    • Three seconds of audio is now enough to replicate a voice with AI

4: The Attack That Keeps You Up at Night, and Who Benefits

  • Peter's question: which AI-powered attack concerns you most today
    • Framed off the voice cloning point: a simple "Hello, how are you?" is enough audio to capture a voice
  • Luigi: AI-powered social engineering
    • Deepfake phishing and voice cloning are his top concern
    • There is no code you can write to secure against it
    • It skips every technical defense and attacks the human directly, currently the most vulnerable element
    • Peter's reaction: it undermines basic trust in communication itself, "am I actually talking to you guys?"
  • Who benefits from the arms race right now
    • Stefano: the situation is roughly equalized
    • As attackers get better tools, defenders can build better security solutions with the same AI advances
    • He cites Concordium's gray box approach to securing its infrastructure as an example of AI-enabled defense
  • The structural asymmetries
    • Attacker incentive scales with value: breaking a system holding many tokens means a large payoff, justifying large effort
    • The classic imbalance: the attacker needs a single weak point, the defender must close every door
    • Peter: all doors and windows must be shut, one tiny kink is all it takes
  • Stefano's counterweight: most attacks are still old-fashioned
    • The majority of witnessed attacks stem from standard operational security failures
    • Crypto key compromise and similar issues existed long before AI
    • The need: security education and adopting security as a standard procedure within the development process

5: The Human Factor and Team Culture

  • Peter's question: why are preventable mistakes still happening
    • Human behavior has been the biggest vulnerability for a long time
    • People remain the weakest link to a certain extent
    • What are the most common mistakes teams make?
  • Luigi: the industry's speed culture is the root problem
    • Constant pressure to push to market as fast as possible
    • Products launch on set deadlines even when known issues exist
    • The time squeeze trains developers to ignore warnings and rush launches
  • Key segregation failures
    • Teams fail to separate operational keys from treasury keys
    • Without segregation, a single compromise loses both the money and control of the project
  • Peter's insight: self-inflicted urgency mirrors phishing tactics
    • Classic social engineering works by creating urgency: "I'm your boss" or "it's your child, I've lost my phone, act now"
    • Urgency suppresses thinking and questioning
    • Teams do the same thing to themselves: pressure to ship the latest feature, push, push, push
    • The industry manufactures internally the exact vulnerability attackers exploit externally
  • The CTO as clutch
    • Peter describes his own position: business on one side demanding delivery, engineering on the other asking for time
    • The CTO sits in the middle keeping the two connected without burning out either side
  • The Formula One pit stop analogy
    • The misconception: development is like a four-second tire change, you've done it before so it should be instant
    • Reality: each release is a new piece of code, a different wheel, a different nut, a different spanner
    • Because the components differ each time, time must be taken to avoid leaving a nut loose as the car goes out
    • Done properly, it is closer to three days changing a tire than four seconds
  • Luigi's cultural advice
    • Reward teams that refuse to publish in a rush and hold a launch when they find a bug
    • Stop blaming developers for bugs; reward them for finding them
    • The incentive flip is what makes the culture shift stick

6: Breaking the Cycle: Tools vs Process

  • Peter's question
    • The industry keeps buying better tools while making the same human mistakes
    • How does the cycle break: skip the tools, or get better tools but change the process?
  • Stefano: diagnose before you buy
    • Before purchasing another security tool, understand the real causes of the recurring mistakes
    • The usual root causes: unclear ownership, poor collaboration, incentives that are too short-term, and risk addressed far too late
  • The novelty posture of the industry
    • These failures are consequences of how new the field is
    • People forget the industry is attempting genuinely new things that will serve the next digital era
    • Innovation itself creates the need to go slowly and reflect on what is being built and which mistakes are possible
  • Right tool over newest tool
    • The goal should be using the right tool, not the newest or most expensive one
    • Security expertise can guide teams to understand their actual needs and where security investment belongs
  • Build capability, don't buy it
    • The industry should focus less on buying capability and more on building it
    • What that means in practice: stronger teams with clear accountability, better feedback loops, and a culture that learns from mistakes

7: Where AI Adds Value for Defenders

  • Peter's pivot: AI as a defensive asset
    • AI is increasing the attack surface, but there is value to capture on the defense side
    • Where does AI genuinely add value to a security team today?
  • Luigi: coverage gains with a noise problem
    • AI dramatically increases code coverage and reduces the time needed to scan a codebase
    • The catch: it generates too much noise
    • A scan might return 300 findings, and the time saved finding them gets spent reviewing them
    • It is a trade-off that must be factored in
  • The CertiK AI Auditor
    • Built specifically with the noise problem in mind
    • Used internally first, then released to the public
    • Catches close to 90% of incidents with reduced noise
    • Will improve over time, but Luigi considers it solid already
  • Stefano: what stays human
    • Human judgment remains essential to assess the real gaps between what AI reports and what is actually auditable in the system
    • Humans build the reasoning loops that help AI think about specific problems, saving time
    • The fundamental human edge: lateral thinking, the creative leap that directs AI to look for something specific in a protocol
    • Analytical thinking may eventually be replicated; whether lateral thinking can be remains open
  • Peter's reflection
    • By applying our expertise we are also training the AI, so in theory it learns what we look for
    • His instinct: humans think in ways distinct from applied logic, sometimes usefully illogical, and that is part of being human
  • What people overestimate about AI replacing security experts
    • AI now writes code and reviews code, but two questions remain unanswered: does generated code do exactly what was intended, and is it secure
    • Neither check is exhaustive yet; human double-checking is still required
    • AI is poor at removing its own false positives and frequently hallucinates problems over small wrinkles
    • For codebases largely developed with AI, a structured verification approach like gray box testing becomes essential to guarantee the code behaves exactly as specified under specific conditions

8: Gray Box Testing Explained

  • Peter's listener question: what is gray box testing
    • A question he has been asked several times, so he puts it to Luigi directly
  • Luigi's definitions
    • Black box: no reading of the code; you test the entry points with known inputs and analyze the outputs
    • White box: you know how the code functions and execute specific flows through it
    • Gray box: a combination of both; you design an experiment based on a flow you know from the documentation and the code, then test inputs and outputs as in black box
  • Why gray box fits the AI era
    • Peter: it is the right balance for the current development cycle
    • Luigi: AI now writes thousands and thousands of lines of code, and most of the time developers don't even check them
    • Peter: checking absolutely everything would forfeit the speed gain AI provides, which is exactly why gray box makes sense as the middle path
  • Stefano: realistic test environments are the real strength
    • Beyond the gray box method itself, the most important part is building a realistic test environment for the system under analysis
    • This allows simulation of the production workflow and provides real evidence of what a specific action does to the system
    • Verification becomes data-driven: judgment is based on observed evidence from the simulation rather than assumption
    • This is where system-level security gets interesting: you can replicate what would happen in production by performing specific actions safely

9: The Institutional Lens and Concordium's Security Posture

  • Peter's question: what institutions evaluate that crypto natives overlook
    • The institutional approach changes the landscape: security stops being the developer's problem and becomes a business requirement
    • Particularly relevant viewed from inside a crypto native project like Concordium
  • Luigi: the institutional question is "will it stay up?"
    • Crypto native systems focus on code and business logic, and making sure it works; that part is fine
    • What they miss, and what institutions actually evaluate: resiliency and availability
    • Can a system performing critical operations be relied upon to stay running?
  • Dependency mapping
    • Every dependency a system has should be mapped to the potential consequences of its failure
    • Each mapped failure needs an associated reaction plan
    • Example: if the wallet gets hacked, you know exactly what to do to limit the consequences
  • Peter's acknowledgment: crypto builds in fragments
    • The space is used to building the single app, the wallet, the SDK that sits on top
    • With many different teams doing many different developments, crypto projects rarely look at the full picture
    • Something the industry, Concordium included, should start doing deliberately
  • Is security now a differentiator for infrastructure providers
    • Luigi: a rhetorical question, of course it is
    • In a space where anyone can build anything, out-featuring a competitor is very difficult
    • The remaining way to differentiate: build something more trustable and demonstrably more secure than competitors
  • Peter's on-record account of Concordium's security posture
    • He kicked off the security push with Concordium's head of security last year
    • The goal: keep it running in the background so the project can credibly say its infrastructure is secure, because security will be paramount
    • "I don't want to say I was right, but I'm glad we did what we did"
    • Glad the tokens were pushed to the protocol level, glad the protocol has been audited, glad identity sits at the protocol level
    • The security mindset has been there from the beginning, and it matters because the infrastructure is where things run
    • All the AI-built applications and agents run on infrastructures; the infrastructure is what becomes important
  • Stefano: dependability as the standard, and praise for Concordium
    • If the aim is building the next digital infrastructure, it cannot have availability problems; it must be dependable
    • Comparison: the losses incurred when the internet goes down for even an hour; the same level of thinking applies here
    • AI makes finding bugs easier, so the bar for projects building infrastructure must rise
    • CertiK was surprised and pleased by how Concordium's team handled the availability issue found during their engagements, treating it as an extremely serious problem
    • That response exemplifies the shift required for projects aiming to be dependable

10: Rapid Fire Round

  • Q1: Most underestimated security risk in crypto right now
    • Luigi: availability and key management
    • Stefano: interoperability with external dependencies, and the mapping of those dependencies
  • Q2: One security habit every builder should adopt before shipping
    • Luigi: test every case, not only the happy paths
      • Testing only happy paths is very common; edge cases are where the discipline belongs
    • Stefano: end-to-end testing is becoming fundamental across the whole infrastructure, agrees with Luigi
  • Q3: Has AI made defenders or attackers stronger
    • Luigi: both, but attackers have higher motivation; they only need to break in once while defenders must be right all the time
    • Stefano: the sides can be equally equipped, so the stronger one is whoever has the bigger budget
    • Peter's reaction: the strongest is the one who can spend the most money on it
  • Q4: One thing most founders only learn after a security incident
    • Luigi: if something can go wrong, it will, and usually at the worst possible time
    • Stefano: trust in the security process you have in place, and build that process to resolve situations before the incident happens; that posture is typically learned only after an incident
  • Q5: One prediction for crypto security over the next five years
    • Stefano: most transactions will be done by agents, so the industry must move to creating guardrails for agents operating between themselves
    • Luigi: complete agreement

11: The Closing Question and Wrap

  • Peter's final question
    • The trajectory is set: AI agents will become major economic participants, moving assets, coordinating services, and making decisions with real autonomy
    • What one security foundation must exist before society is comfortable trusting them with real value?
  • Luigi: identity, intent, and accountability
    • The whole conversation has circled this answer
    • First: you must be able to identify the agent
    • Second: you must be able to ensure and verify that the owner's intent is actually satisfied by the agent
    • Third: enough guardrails to make the agent trustable
    • The core principle: an autonomous system you cannot trust and cannot hold accountable is not progress, it is a risk, and one moving at machine speed
  • Stefano: pre-execution intent evaluation as North Star, with pragmatic trade-offs
    • Agrees that evaluating intent before execution should be one of the North Stars to build toward
    • The trade-off to respect: the speeds these machines need when interacting
    • Blockchain solutions are the direction of travel, but a hybrid approach may be needed, potentially borrowing from internet routing, to enforce the pre-execution layer
  • Peter's summation
    • The AI conversation up to now has been about capability; security forces the focus onto responsibility
    • As systems become more autonomous and more financial, trust becomes essential and cannot be ignored
    • That trust comes from being able to rely on secure infrastructure, "and that's where we come in"
  • Sign-off
    • Peter thanks Luigi and Stefano, hopes for more conversations, and thanks the listeners
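
The three foundations from the closing question (identify the agent, check its action against the owner's intent before settlement, keep it accountable) and the pre-execution validation raised in sections 2 and 3 can be sketched as a gate that sits outside the agent. This is an added example, not code from the Space, CertiK or Concordium. Every name, account and limit in it is hypothetical, and the HMAC tag stands in for whatever agent identity scheme a real system would use.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

@dataclass(frozen=True)
class OwnerIntent:
    """Limits the owner declares for one agent (values used below are constructed)."""
    recipients: frozenset
    max_per_tx: int       # smallest token units
    max_per_window: int   # cumulative cap over approved transfers

def sign(key: bytes, tx: dict) -> str:
    """Agent-side tag over the canonical transaction (HMAC as a stand-in for identity)."""
    msg = json.dumps(tx, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def _digest(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class Gate:
    """Pre-execution check placed between the agent and settlement."""
    agents: dict                                # agent_id -> (key, OwnerIntent)
    spent: dict = field(default_factory=dict)   # agent_id -> approved total
    log: list = field(default_factory=list)     # hash-chained decisions

    def _record(self, agent_id, tx, decision, reason):
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        entry = {"prev": prev, "agent": agent_id, "tx": tx,
                 "decision": decision, "reason": reason}
        entry["hash"] = _digest(entry)
        self.log.append(entry)
        return decision, reason

    def review(self, agent_id, tx, tag):
        """Identity first, then intent; the agent's own reasoning is never consulted."""
        if agent_id not in self.agents:
            return self._record(agent_id, tx, "deny", "unknown agent")
        key, intent = self.agents[agent_id]
        if not hmac.compare_digest(sign(key, tx).encode(), str(tag).encode()):
            return self._record(agent_id, tx, "deny", "tag mismatch")
        amount, to = tx.get("amount"), tx.get("to")
        if type(amount) is not int or amount <= 0:
            return self._record(agent_id, tx, "deny", "invalid amount")
        if not isinstance(to, str) or to not in intent.recipients:
            return self._record(agent_id, tx, "deny", "recipient outside intent")
        if amount > intent.max_per_tx:
            return self._record(agent_id, tx, "deny", "per-transaction limit")
        total = self.spent.get(agent_id, 0) + amount
        if total > intent.max_per_window:
            return self._record(agent_id, tx, "deny", "window limit")
        self.spent[agent_id] = total
        return self._record(agent_id, tx, "allow", "within intent")

def verify_log(log: list) -> bool:
    """Recompute the chain; an edited or dropped record breaks it."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or entry["hash"] != _digest(entry):
            return False
        prev = entry["hash"]
    return True

def demo():
    key = b"constructed-demo-key"  # constructed value; real keys are never hard-coded
    intent = OwnerIntent(frozenset({"acct-supplier"}), 500, 800)
    gate = Gate({"treasury-bot": (key, intent)})
    txs = [{"to": "acct-supplier", "amount": 400},
           {"to": "acct-unknown", "amount": 50},    # correctly tagged, outside intent
           {"to": "acct-supplier", "amount": 450}]  # would exceed the window cap
    return gate, [gate.review("treasury-bot", t, sign(key, t)) for t in txs]
```

The second transfer carries a valid tag, as it would if the agent itself had been steered by injected content, and is still refused because the recipient is not in the owner's declared intent: identity alone does not settle the question.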