Three days ago, Anthropic announced it is spending $200 billion on compute infrastructure—an 80x multiplier on current usage—because agent demand is accelerating faster than anyone modeled. At the same time, the EU AI Act's enforcement arm published pre-release testing requirements for autonomous systems, and a Forbes/Okta joint study revealed that 67% of enterprise agents are running with permissions broader than the humans who deployed them.
This is not a coincidence. It's a pattern. Agents are becoming infrastructure, and infrastructure gets regulated, audited, and attacked.
If you read our piece on self-improving agents last week, you know agents are about to get much more capable—learning from their own history, grading their own work, and coordinating in teams of twenty. That capability explosion makes security and governance the critical bottleneck. A learning agent with broad permissions and no audit trail is not a productivity tool. It's a liability.
Here's what changed in May 2026, and what you need to build differently.
Table of Contents
Pre-Release Testing: Governments Move First
For the first time, major governments are requiring structured pre-release testing before autonomous AI systems can be deployed to the public. The EU's enforcement guidelines, published May 2026, mandate that any agent capable of autonomous decision-making in high-risk domains must pass a documented testing protocol before launch.
This isn't a future concern. If you're building an agent that handles customer data, financial transactions, healthcare workflows, or any regulated process, you now need a paper trail of:
- Red-team results showing how the agent behaves under adversarial input
- Boundary testing proving the agent rejects out-of-scope requests
- Rollback procedures documented and tested before deployment
- Human oversight channels with defined escalation paths
The US is following. NIST's February 2026 AI Agent Standards Initiative established the baseline, and Congressional hearings in early May made it clear that pre-release accountability is the bipartisan consensus. The era of "move fast and break things" for agents is ending. The new era is "move fast and prove you didn't break anything."
The $200B Compute Bet: Scale Changes Everything
Anthropic's announced $200 billion compute investment isn't about bigger models. It's about more agents running longer. The company disclosed 80x annualized growth in usage, with the average Claude Code developer now spending 20 hours per week in the tool. That level of engagement means agents aren't being used for one-off tasks—they're persistent, always-on coworkers.
Scale changes the security model in three ways:
- Attack surface expands: An agent used once a week is a low-value target. An agent running 20 hours a week with access to your codebase, calendar, and messaging is a high-value target.
- Compounding errors: A self-improving agent that makes a subtle security mistake—say, logging a credential to a memory store—will repeat that mistake across thousands of sessions before a human notices.
- Cross-agent contamination: In multi-agent systems, one compromised agent can poison the memory or reasoning of others. The dreaming feature that makes agents so powerful also creates a shared attack surface.
The implication is straightforward: security for agents at this scale cannot be an afterthought. It has to be architectural—designed into the agent's identity, permission model, and memory layer from day one.
Identity Is the New Battleground
The most underrated security shift of 2026 is happening in identity. When an agent can browse the web, write code, send messages, and make purchases on your behalf, the question of who the agent is becomes existential.
Microsoft's security leadership has been explicit: "Every agent should have similar security protections as humans, to ensure agents don't turn into 'double agents' carrying unchecked risk." This means agents need:
- Verifiable identities—cryptographic credentials, not just API keys
- Scoped permissions—exactly what they need, no more
- Audit trails—who triggered what, when, with what data
- Rotation policies—credentials that expire and renew automatically
In practice, this looks like assigning each agent a service account with agent-id, agent-role, and agent-scope claims in a JWT token. Every tool call carries this identity. Every action is logged against it. If an agent is compromised, you revoke one identity—not an entire API key that breaks every integration.
{
"agent_id": "agent_research_042",
"agent_role": "market_research",
"agent_scope": ["read:competitor_pricing", "read:public_reviews"],
"issued_at": "2026-05-13T08:00:00Z",
"expires_at": "2026-05-13T16:00:00Z",
"human_owner": "[email protected]"
}Short expiration matters: a credential that lives for months can be stolen and exploited for months. Agents should authenticate like humans—session-bound, time-limited, and continuously re-verified.
The Permission Crisis
The Forbes/Okta study published in early May 2026 found that 67% of enterprise agents operate with permissions broader than the humans who deployed them. The reason is laziness: it's easier to grant read:* than to enumerate exact tables, easier to allow all APIs than to whitelist endpoints, easier to run as root than to configure a restricted user.
This is the agent equivalent of giving every employee the master password. And because agents run autonomously—often at night, often without human oversight—the damage from over-permissioning is worse than with humans. A human with too much access might accidentally delete a database. An agent with too much access will eventually do something catastrophic, because it has no judgment, only instructions.
The fix is least privilege by default, enforced at the framework level. OpenClaw's execution layer now rejects tool calls that exceed an agent's declared scope. LangGraph provides native permission guards. The pattern is simple in principle, harder in practice:
# Enforce least privilege at the tool level
@agent_tool(required_scope=["read:customer_data"])
def get_customer_record(customer_id: str):
# Tool implementation
...If the agent's JWT doesn't include read:customer_data in its scope, the call is blocked before it reaches the database. This isn't trust. It's verification.
Vertical Agents Win, General Assistants Lose
A security pattern that doesn't get enough attention: vertical agents are inherently safer than general assistants. An agent built to do one thing—process invoices, review code, monitor logs—has a narrow attack surface. A general assistant that can "help with anything" has an undefined one.
The market is reflecting this. In May 2026, vertical agent startups are raising at valuations that general-agent companies were getting six months ago. The reason isn't just performance—it's auditability. A vertical agent has a defined scope, a measurable success metric, and a finite set of tools. Security teams can reason about it. Compliance officers can document it. Insurance providers can underwrite it.
If you're building agents today, bias toward narrow scope. Five single-purpose agents with restricted permissions are more secure than one general agent with broad access. The multi-agent orchestration features we covered last week make this practical at scale.
Agent-Led Commerce Is Already Here
Perhaps the most surprising development of May 2026 is the emergence of agent-led commerce—agents making purchases, booking services, and negotiating contracts on behalf of users. Early pilots in travel, procurement, and insurance are showing that agents can reduce transaction friction by 40-60% when properly authorized.
But commerce agents require a security model that most builders haven't implemented: transaction-level authorization. The agent can't just have a blanket spending limit. Each purchase should require a signed approval—either pre-authorized ("spend up to $500 on flights this month") or real-time ("approve this $247 hotel booking?").
The pattern looks like this:
# Transaction approval pattern
class CommerceAgent:
def purchase(self, item, amount):
if amount <= self.pre_approved_limit:
return self.execute_purchase(item)
else:
approval = self.request_human_approval(item, amount)
if approval.signed and approval.valid:
return self.execute_purchase(item)
else:
raise InsufficientAuthorization()Agents handling money without this pattern are not agents. They're liabilities waiting to materialize.
EU AI Act Compliance: What Builders Must Implement
The EU AI Act is now in force, and its risk-based classification directly impacts agent deployments. High-risk applications—those affecting employment, credit, healthcare, or critical infrastructure—face strict requirements. The penalty for non-compliance is up to 7% of global annual revenue.
For agent builders, the actionable requirements are:
- Transparency: Users must know they're interacting with an AI agent. No pretending to be human.
- Documentation: Technical docs covering architecture, data sources, known limitations, and failure modes.
- Human oversight: Meaningful human control for high-stakes decisions. Not a button that says "override"—a process that ensures humans can intervene before harm occurs.
- Accuracy metrics: Measured and documented performance on representative test sets.
- Data governance: Provenance, quality assessment, and bias documentation for any data used in training or retrieval.
The pre-release testing requirement means you can't just build and deploy. You have to prove your agent meets these standards before it goes live. Start documenting now. The audit trail you wish you'd kept is the one you didn't.
Practical Security Patterns for Agent Builders
Here are the patterns we implement at SkillGen and recommend to every agent builder:
Pattern 1: Identity-Bound Tool Calls
Every tool call should include the agent's identity and scope. The tool should verify both before executing. This is the agent equivalent of "show your badge at the door."
Pattern 2: Memory Encryption
Agent memory stores—especially those used by dreaming and self-improvement—often contain sensitive context. Encrypt them at rest. A compromised memory store should not be a readable diary of everything your agent has seen.
Pattern 3: Sandboxed Execution
Agents that execute code or browse the web need sandboxed environments. Docker containers with read-only filesystems, no root access, network whitelists, and automatic destruction after task completion. OpenClaw's SSH sandboxing and SSRF protection are the baseline, not the ceiling.
Pattern 4: Rate-Limited Autonomy
Autonomy should be graded, not binary. An agent might get full autonomy for read-only operations, require approval for writes, and require dual approval for deletions or financial transactions. Implement this as policy, not just code.
# Autonomy policy example
autonomy_levels:
read_operations: autonomous
write_operations: human_approval_required
delete_operations: dual_approval_required
financial_transactions: real_time_human_approval
scope_expansion: blockedPattern 5: Skill Verification
Agents rely on skills—reusable capabilities that connect to external systems. But community-built skills are a supply chain risk. Verify skills before deploying: check the source, review the permissions they request, and scan for malicious behavior. The ClawHub marketplace hosts thousands of skills, but enterprise deployments should use verified registries with signed, audited packages.
Pre-Production Security Checklist
- ☐Unique agent identity with time-limited credentials
- ☐Permission boundary defined and enforced (least privilege)
- ☐Complete action audit trail with full provenance
- ☐Graded autonomy: auto / approval / dual-approval / blocked
- ☐Sandboxed execution environment (Docker, no root, network whitelist)
- ☐SSRF protection with trusted network defaults
- ☐Credential rotation with automatic expiration
- ☐Input validation and output sanitization on all tool calls
- ☐Memory encryption at rest
- ☐Error handling that never leaks credentials or internal paths
- ☐Rate limiting and resource quotas per agent identity
- ☐Pre-release red-team results documented and reviewed
Key Takeaways
What Builders Must Do Now
- Regulation is here: Pre-release testing requirements mean you need documented security practices before deployment, not after.
- Scale amplifies risk: Anthropic's 80x usage growth means agents are no longer experimental. Compromised agents at this scale cause real damage.
- Identity is foundational: Every agent needs verifiable, time-limited, scope-bound identity. API keys are not enough.
- Permissions are the attack surface: 67% of enterprise agents are over-permissioned. Default to least privilege and enforce it at the framework level.
- Vertical is safer: Narrow-scope agents with defined tool sets are more secure and more compliant than general assistants.
- Commerce needs authorization: Agents handling money require transaction-level approval, not blanket spending limits.
- EU AI Act is enforceable: Up to 7% of global revenue for non-compliance. Document everything.
- Skills are a supply chain: Verify every skill's source and permissions before deploying to production.
The agents you build in the next six months will operate under scrutiny that didn't exist six months ago. Governments are watching. Security researchers are probing. Enterprise procurement teams are asking hard questions about identity, permissions, and audit trails.
The builders who thrive won't have the smartest agents. They'll have the most trustworthy ones—systems that can prove what they did, justify why, and contain the damage when something goes wrong.
Build for trust. Everything else follows.