🎭 The Masked Compute Desk

Saturday, May 23, 2026

14 stories · Standard format

Generated with AI from public sources. Verify before relying on for decisions.


Today on The Masked Compute Desk: the agent governance stack is finally getting real artifacts. NSA threat models, Uber's production identity-chain JWTs, Microsoft's open-sourced adversarial CI tooling, and the EU Commission's 160-page high-risk classification guidance all landed this week — and they're starting to define what counts as proof of safe autonomy. Plus Apple's CoreCrypto goes public with formal verification, and a ZK-STARK soft fork proposes to protect dormant Bitcoin without chain migration.

Cross-Cutting

NSA publishes first MCP threat model; critics flag the inversion-of-control gap it missed

The NSA released a 17-page Cybersecurity Information Sheet (CSI U/OO/6030316-26) on Model Context Protocol security earlier in May, recommending filtering proxies, DLP, sandboxing, and message integrity — and legitimizing 'agent firewalls' as a control category. Tanmay Deshpande's critique, published this week, argues the advisory misses the fundamental issue: in MCP, servers query client data and execute actions on behalf of clients (inverting traditional API trust flow), and bearer tokens without refresh/revocation plus optional protocol-level access control mean sandboxing won't save architectures with inverted trust assumptions.

This is the first formal U.S. government security guidance for agentic workflows at the deployment layer, which makes the gap analysis above the actual signal worth tracking. MCP is becoming the de facto protocol for agent-to-tool binding, and the inversion-of-control problem is upstream of any cryptographic enforcement layer you can bolt on. For anyone shipping masked compute as a control plane for agent execution, the takeaway is that protocol-level identity and capability scoping have to be assumed broken until proven otherwise — and that 'agent firewall' as a category is now regulator-acknowledged, which is both market validation and a warning that the bar will rise quickly.

Verified across 2 sources: Medium (Tanmay Deshpande) · Pipelab

EU Commission's 160-page high-risk AI guidance explicitly rejects 'human-in-the-loop' and component-disaggregation as exemptions

The EU Commission published draft high-risk classification guidance on 19 May 2026 (feedback open through 23 June), coinciding with the May 7 omnibus deal that pushed Article 6(2) deadlines from August 2026 to December 2027. The guidance explicitly states that human-in-the-loop involvement does not exempt systems from high-risk classification, Article 6(3) derogations must be interpreted narrowly, and disaggregating agentic systems into components does not avoid duties where combined outputs materially influence employment, credit, or insurance decisions. Provider-stated 'intended purpose' across all marketing materials becomes binding.

This closes the two main escape hatches builders were quietly relying on: 'we have a human reviewer in the loop' and 'we're just a privacy layer, not the AI system.' For privacy-tech infrastructure aimed at regulated environments, the architectural implication is direct — compliance can't be a wrapper around a model API, and intended-purpose framing in product marketing is now a legal commitment regulators can reverse-engineer post-deployment. The 16-month deadline extension is build time, not breathing room; whoever ships with embedded audit trails, identity provenance, and capability-scoped policy before late 2027 will face procurement tailwinds when banks and insurers need vendors who already pass the test.

Verified across 6 sources: Debevoise Data Blog · Data Protection Report · ResultSense · Harro / MEDIANAMA · DWF Group · AI in Plain English

AmericanFortress proposes ZK-STARK soft-fork PQC for HD wallets, no chain migration required

AmericanFortress published a patent-pending post-quantum signature scheme for BIP32 hierarchical deterministic wallets that swaps Ed25519 for ZK-STARK proofs of master-seed ownership at spend-time. The scheme protects existing addresses via soft fork (no user migration required) and allows optional gradual migration to QBIP32 addresses. Signing proofs run in under 10 seconds on commodity hardware with 18–19ms verification; a split-proof architecture (derivation proof once, signing proof per transaction) handles the performance budget. A secp256k1-native Bitcoin construction is scheduled for Paris on June 2.

This is the most interesting concrete PQC-meets-ZK proposal in months because it threads a real needle: protecting dormant addresses (including Satoshi's 1.1M BTC and ~5M other dormant BTC) without forcing the catastrophic coordination problem of mass-coin movement. The ZK-STARK approach is directly applicable to verifiable-execution patterns for agent computation — same proof system, different witness. For builders designing systems that need to be quantum-safe at launch without disrupting deployed users, the split-proof pattern (heavy setup proof amortized over many cheap operation proofs) is the optimization to internalize.

Verified across 2 sources: Finbold · Federico Cutroni

Foundation raises $6.4M to ship hardware that authorizes AI-agent actions in real time

Boston-based Foundation closed a $6.4M Series A led by Fulgur Ventures to extend its Bitcoin self-custody hardware into AI-agent authorization, identity, and MFA. The company launched Passport Prime ($349) running KeyOS — a Rust-based microkernel OS — and opened the KeyOS developer platform with an app store targeted for end of Q2 2026. The thesis: high-stakes agent actions (moving funds, accessing credentials) need a trusted display and isolated hardware checkpoint outside the software environment where the agent runs.

This is the hardware-side bet on the same problem the Tigera framework and Uber's identity stack address in software: how do you produce evidence that a specific high-stakes agent action was authorized by a specific human at a specific moment? Dedicated hardware with a trusted display sidesteps the prompt-injection and supply-chain attack surface that purely software solutions inherit. Worth tracking as both a competing architectural pattern and a potential complement — masked compute that produces verifiable execution traces still needs an out-of-band authorization anchor, and hardware roots of trust are one credible answer.

Verified across 1 source: Bitcoin.com News

Agentic AI Compliance

Uber Engineering details production zero-trust identity architecture for multi-hop agent chains

Uber published a production reference architecture for agent identity at scale: an Agent Registry feeding a Security Token Service that issues short-lived, single-hop scoped JWTs, mediated by an MCP Gateway. Every hop in user → agent → agent → tool chains gets a cryptographic token anchored to SPIRE workload identity, preserving the full actor chain for audit and authorization. References emerging standards work (IETF WIMSE, draft-klrc-aiagent-auth) and emphasizes SDK-integrated token exchange for secure-by-default DX.

This is the most concrete production-grade pattern published to date for the problem regulators are about to require everyone to solve: who authorized this action, by whose delegation, and can you prove it cryptographically? The JWT-per-hop with audience binding pattern is the kind of thing that maps cleanly onto EU AI Act Article 12 logging requirements and the 'authorization provenance' pillar Tigera articulated this week. For builders, the practical lesson is that bearer tokens scoped to entire sessions are now an obvious antipattern — and that SPIRE-style workload identity is the floor, not the ceiling.

Verified across 1 source: Uber Engineering Blog
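The per-hop, audience-bound token pattern from the Uber story above, reduced to a runnable sketch. This is an added example, not Uber's code or any published SDK. It assumes a single hypothetical STS signing key (a real STS signs with asymmetric keys anchored to SPIRE workload identity), SPIFFE-style workload IDs, and an RFC 8693-style "act" claim that carries the ordered actor chain; the workload names, scopes and timestamps are constructed. It shows the three properties the story calls out: a token is addressed to exactly one next hop, it is exchanged rather than forwarded so the actor chain grows by one verified hop each time, and its lifetime is one hop rather than one session.

```python
# Added example (not Uber's code): per-hop, audience-bound delegation tokens
# carrying an actor chain. Hypothetical STS key, issuer and workload IDs.
import base64
import hashlib
import hmac
import json

STS_KEY = b"constructed-demo-key"           # hypothetical; a real STS uses an asymmetric key
STS_ISSUER = "https://sts.example.invalid"  # hypothetical issuer name
HOP_TTL_SECONDS = 30                        # one hop's latency budget, not a session lifetime


class TokenRejected(Exception):
    """Raised by the verifier for any token it must not accept."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hop_token(subject, audience, scope, actor_chain, now):
    """Mint a JWT valid for exactly one next hop (aud) with a narrow scope."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": STS_ISSUER,
        "sub": subject,                        # the human on whose behalf the chain acts
        "aud": audience,                       # the single workload allowed to accept this token
        "scope": scope,                        # what this hop may do, not what the session may do
        "act": {"chain": list(actor_chain)},   # ordered actors so far, oldest first
        "iat": now,
        "exp": now + HOP_TTL_SECONDS,
    }
    compact = {"separators": (",", ":")}
    signing_input = _b64(json.dumps(header, **compact).encode()) + "." + \
        _b64(json.dumps(claims, **compact).encode())
    sig = hmac.new(STS_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def verify_hop_token(token, my_workload, now):
    """Accept only tokens signed by the STS, addressed to me, and still live."""
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    expected = hmac.new(STS_KEY, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_unb64(claims_b64))
    if claims.get("iss") != STS_ISSUER:
        raise TokenRejected("unknown issuer")
    if claims.get("aud") != my_workload:   # audience binding: a token for agent B is useless at the tool
        raise TokenRejected(f"token audience {claims.get('aud')} is not {my_workload}")
    if now >= claims["exp"]:
        raise TokenRejected("expired")
    return claims


def exchange_for_next_hop(incoming_claims, my_workload, next_workload, next_scope, now):
    """Token exchange at the STS: the verified caller is appended to the actor chain."""
    chain = incoming_claims["act"]["chain"] + [my_workload]
    return issue_hop_token(incoming_claims["sub"], next_workload, next_scope, chain, now)


def run_chain(now=1_700_000_000):
    """Simulate user -> agent-a -> agent-b -> tool; return the claims the tool accepted."""
    user = "user:alice"
    agent_a = "spiffe://example.org/agent-a"
    agent_b = "spiffe://example.org/agent-b"
    tool = "spiffe://example.org/tool/payments"
    # Hop 1: the user's session is exchanged for a token addressed only to agent-a.
    t1 = issue_hop_token(user, agent_a, "plan:trip", [user], now)
    c1 = verify_hop_token(t1, agent_a, now)
    # Hop 2: agent-a cannot forward t1; it exchanges it for a token addressed to agent-b.
    t2 = exchange_for_next_hop(c1, agent_a, agent_b, "book:flight", now + 1)
    c2 = verify_hop_token(t2, agent_b, now + 1)
    # Hop 3: agent-b exchanges again, narrowing scope to what the tool actually needs.
    t3 = exchange_for_next_hop(c2, agent_b, tool, "payments:charge", now + 2)
    return verify_hop_token(t3, tool, now + 2)


def session_token_reuse_is_rejected(now=1_700_000_000):
    """The antipattern: presenting a hop-1 token directly to the tool must fail."""
    t1 = issue_hop_token("user:alice", "spiffe://example.org/agent-a", "plan:trip", ["user:alice"], now)
    try:
        verify_hop_token(t1, "spiffe://example.org/tool/payments", now)
    except TokenRejected:
        return True
    return False


def stale_token_is_rejected(now=1_700_000_000):
    """Short TTL: the same token is dead one hop-timeout later."""
    t1 = issue_hop_token("user:alice", "spiffe://example.org/agent-a", "plan:trip", ["user:alice"], now)
    try:
        verify_hop_token(t1, "spiffe://example.org/agent-a", now + HOP_TTL_SECONDS)
    except TokenRejected:
        return True
    return False


if __name__ == "__main__":
    final = run_chain()
    print("tool accepted scope", final["scope"], "on behalf of", final["sub"])
    print("actor chain:", " -> ".join(final["act"]["chain"]))
```

The audit question the story poses ("who authorized this action, by whose delegation?") is answered by the act.chain the tool sees, and each entry in it was a workload that had to present a valid inbound token before the STS would extend the chain. Swapping the HMAC for STS-held asymmetric keys and reading the caller's workload ID from its SPIRE-issued SVID instead of a function argument is what turns this sketch into the production shape the article describes.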

Microsoft open-sources RAMPART and Clarity: adversarial CI testing and audit-grade design records for agent deployments

Microsoft's AI Red Team released RAMPART (continuous adversarial testing for agents in CI/CD pipelines) and Clarity (structured design-review tool generating auditable decision records) on May 20, both open-sourced after internal use. The tools operationalize threat modeling at the CI level and produce the kind of artifacts ISO 42001, NIST AI RMF, and the EU AI Act explicitly require. Practitioner analysis identifies three predictable failure modes: missing threat models, Clarity treated as documentation rather than gates, and tools isolated from broader security pipelines.

This is governance-as-code arriving from Redmond, and the timing relative to the FCA's pivot to evidence-based supervision and the EU's high-risk guidance is not coincidental. The pattern matters: RAMPART defines an attestation surface that produces audit-ready artifacts as a side effect of the build pipeline, not as a separate compliance theater. For privacy-tech infrastructure builders, this is both a competitive datum (what 'good' looks like as commodity tooling) and a regulatory anchor — auditors will increasingly ask for RAMPART-equivalent evidence trails by name.

Verified across 1 source: DISC InfoSec Blog

Tigera publishes five-pillar accountability framework; finds most enterprises at Level 0–1 maturity

Tigera released a maturity framework distinguishing observability (what happened) from accountability (what was permitted, by whose authority), built on five pillars: end-to-end distributed tracing across agent hops, authorization provenance traceable to specific policy, cryptographic identity with human ownership, declarative attribute-based policy at scale, and visual dashboards for oversight. The 5-level model places most enterprises at Level 0 ('Blind') or Level 1 — no verified identities, no policy enforcement, no end-to-end auditability.

Reads like the diagnostic counterpart to Uber's production reference architecture and Microsoft's RAMPART/Clarity release — same problem, different layer of the stack. The observability-vs-accountability distinction is the right one: enterprises pouring agent telemetry into Datadog still can't answer the regulator's question about who authorized a specific action. The Level 0–1 majority finding is the market signal: there is real distance between current enterprise practice and what the EU and FCA are about to require, and tooling that closes specific pillars will find buyers.

Verified across 1 source: Tigera Blog

Privacy Preserving Compute

MCP 2026-07-28 release candidate ships stateless protocol, formal extension governance, and hardened auth

The Model Context Protocol released a major revision (2026-07-28 RC) that removes session-level statefulness, enabling stateless HTTP deployment with header-based routing instead of session IDs. The release introduces formal extension governance, hardens OAuth/OIDC authorization, and adds first-class support for server-rendered UIs and long-running tasks. Stateless load balancing and caching become possible without sticky sessions.

Coming the same week as the NSA's MCP threat model, this is the protocol team responding to the operational and security pressure of MCP becoming load-bearing infrastructure. The stateless shift is the big architectural change — it makes MCP composable with existing CDN, gateway, and observability tooling, but also forces authorization context to travel with each request rather than living in session state. For privacy-tech builders, the OAuth/OIDC hardening and formal deprecation policy reduce a real lock-in risk and align the protocol with the kind of identity-provenance patterns Uber and others are already shipping.

Verified across 1 source: Model Context Protocol Blog

Zero Knowledge Systems

Microsoft Research's Vega: mobile-grade ZK selective disclosure for credentials and AI-agent delegation

Microsoft Research published Vega, a zero-knowledge proof system enabling selective disclosure from credentials — proving age without revealing a driver's license, for example — with 92ms proof generation, 108KB proof size, no trusted setup, and mobile-class performance. Target use cases include EU digital identity wallets, AI agents acting on behalf of humans, and on-chain verification.

Mobile-class latency and proof sizes are the threshold where ZK credentials stop being a research demo and start being deployable in consumer flows — which means the EU digital identity wallet ecosystem now has a credible non-trusted-setup option from a major vendor. For agent infrastructure, the more interesting angle is delegation: an agent acting on a user's behalf can prove specific claims about that user (eligibility, age, residence) without leaking the underlying credential. This is the missing primitive between agent identity and human accountability in regulated workflows.

Verified across 1 source: ID Tech Wire

Post Quantum Cryptography

Apple publishes CoreCrypto with ML-KEM/ML-DSA source and full formal verification pipeline on GitHub

Apple released CoreCrypto source on GitHub including ML-KEM and ML-DSA implementations used across iPhone, Mac, and related platforms, alongside a formal-verification pipeline (Cryptol → SAW → Isabelle/HOL) that proves functional correctness from C and ARM64 assembly back to FIPS 203/204 specifications. The verification framework caught a missing range-check that could silently corrupt signatures — the kind of defect conventional testing routinely misses. OS 26 expanded PQC beyond iMessage to default-on TLS in URLSession, IKEv2 VPN, and device-to-device encryption.

This is the first time a consumer platform at 2.5B-device scale has open-sourced both PQC implementations and the formal verification artifacts behind them. The practical effect is that machine-checked PQC assurance is becoming an industry baseline rather than a research curiosity, and the published Isabelle theories lower the cost for any other vendor to claim the same rigor. For protocol designers choosing primitives now, the message is that 'we implemented Dilithium' is no longer sufficient — the assurance methodology is the deliverable.

Verified across 3 sources: 9to5Mac · LAVX · Gadget Hacks

DAO Governance Protocol Design

THORChain ADR028 vote opens: absorb $10.7M GG20 exploit through POL, no new RUNE minted

THORChain node operators are voting on ADR028, the recovery plan for the May 15 GG20 threshold-signature exploit by a newly churned node operator. The proposal absorbs losses through Protocol-Owned Liquidity first, then distributes the remaining shortfall to synth holders — explicitly without minting new RUNE or selling existing holdings. The plan commits to GG20 patching, slower security-focused release cycles, tighter node-onboarding requirements, and a white-hat bounty, while maintaining protocol neutrality (declining to censor the attacker's future swaps).

The interesting governance precedent here is the explicit no-dilution commitment. THORChain is signaling that loss allocation is a political question — and the political answer is to protect RUNE holders by passing uncompensated losses to synth holders. The 48-hour window between malicious-node entry and successful exploitation is the structural lesson: permissionless validator entry plus complex threshold-signature schemes creates an attack surface that only governance can patch post-hoc. Templates matter; other protocols facing exploits will now have ADR028 as the reference point for 'absorb without dilute,' and the political fight over who bears uncompensated risk will be the recurring pattern.

Verified across 3 sources: Crypto Briefing · Crypto News · Bankless Times

AI Regulation Three Jurisdictions

FCA pivots to evidence-based AI supervision; joint statement with Bank of England raises the bar for frontier deployments

The FCA reopened its AI Input Zone on May 15 to collect practical evidence of good and poor AI practices across banking, insurance, and markets, alongside a joint statement with the Bank of England and HM Treasury on frontier AI and cyber resilience. The supervisory shift expands 'the AI system' to include model, deployment context, governance, human-in-the-loop, evaluation, and controls — not just model accuracy — and signals that the UK will judge firms against an elevated threat model with audit-ready evidence rather than principles-based attestations.

This is the UK explicitly diverging from the EU's calibrated retreat: while Brussels extends deadlines and narrows scope, London is sharpening the evidence standard. For builders selling into UK financial services, the practical effect is procurement-level — vendors without artifact-rich evaluation trails will hit friction the moment the FCA publishes its planned 2026 guidance. The 'audit-ready evidence' framing aligns neatly with the kind of attestation surfaces Microsoft, Uber, and the Tigera framework are converging on.

Verified across 2 sources: Baker McKenzie · ResultSense

Trump postpones 'FDA for AI' EO after Zuckerberg/Musk/Sacks calls; full draft leaks

President Trump postponed signing an AI executive order hours before the May 22 ceremony after calls from Mark Zuckerberg, Elon Musk, and David Sacks. POLITICO obtained the seven-page draft: a voluntary 90-day pre-launch review process for frontier models, with NSA and CISA leading classified evaluations rather than a civilian regulator. The order explicitly forbade mandatory licensing but included one mandatory provision — CFAA enforcement against end-users who misuse AI — while keeping company compliance voluntary.

The interesting governance fact isn't that the EO was postponed; it's the architecture it would have established. The US frontier-AI evaluation track is being designed to route through intelligence agencies under classified review, with asymmetric liability (end-users mandatory, companies voluntary). That's structurally incompatible with EU-style transparent conformity assessment, and it confirms the three-jurisdiction story for the foreseeable future: opaque US classified evaluations, public EU legal-binding review, UK outcomes-based supervision. Multi-jurisdiction compliance now requires three different proof formats.

Verified across 2 sources: TechPolicy Press · POLITICO EU

Crypto Payments Web3 UX

Sui ships protocol-level gasless stablecoin transfers on mainnet for seven tokens

Sui activated protocol-level gasless transfers on May 20 for seven stablecoins (USDC, USDsui, suiUSDe, USDY, FDUSD, AUSD, USDB) via a new Address Balances system, with fee-paying transactions retaining priority to prevent network degradation. Users no longer need SUI tokens to move stablecoins. Fireblocks integration signals institutional-grade recognition, and Sui reports cumulative stablecoin volume of roughly $1T since August 2025.

Worth noting because it's protocol-level, not relayer-subsidized — the gasless behavior survives without temporary funding pools or third-party gateways, and Sui's object-centric model is what makes per-transaction-type fee rules tractable without spaghetti logic. The chicken-and-egg problem of needing a chain's native token just to move money has been one of the durable UX barriers to mainstream stablecoin payments; removing it at protocol level resets the bar for competing L1s. For the agentic-payments thesis, gasless stablecoin movement is a hard prerequisite — agents shouldn't have to manage SUI balances to pay each other in USDC.

Verified across 2 sources: Crypto Briefing · Crypto Briefing


The Big Picture

Agent identity moves from prompt to cryptographic primitive

Uber's JWT-per-hop with SPIRE workload anchoring, Foundation's $6.4M hardware authorization device, Cord Protocol's PQ identity SDK, and ERC-8004 registries on BNB Chain all point to the same conclusion: 'name-based' agent identity is dead, and verified-actor-chain propagation is becoming the deployment standard for regulated agent workflows.

Compliance architecture eats runtime guardrails

From Tigera's accountability pillars to Datadog's guardrail placement analysis to the ORCHIDEAS framework, the consensus is shifting: probabilistic alignment doesn't gate compliance. Deterministic enforcement at the orchestration boundary — capability tokens, pre-execution policy, complete mediation — is what regulators will accept. The 'just add guardrails to output' era is ending.

Three-jurisdiction divergence sharpens

EU pushes 160-page high-risk classification guidance and extends deadlines to 2027 while explicitly rejecting human-in-the-loop as an exemption. UK's FCA shifts to outcomes-based evidence with audit-ready artifacts. The US, with Trump's postponed AI EO, is routing frontier evaluation through classified intelligence channels instead. Multi-jurisdiction compliance now requires three different proof architectures.

PQC moves from standards to silicon and source

Apple ships CoreCrypto with ML-KEM/ML-DSA on GitHub with full formal verification artifacts (Cryptol → SAW → Isabelle/HOL). NIST advances nine more signature candidates. WISeKey embeds PQC into tamper-resistant MCUs. AmericanFortress proposes ZK-STARK soft forks for HD wallets. The migration window is no longer hypothetical.

MCP becomes the choke point — and the gap

The 2026-07-28 RC ships stateless protocol with formal extension governance, NSA publishes its first threat model, Versa patents zero-trust MCP, and Tanmay Deshpande points out the inversion-of-control problem the NSA missed. MCP is now load-bearing infrastructure for agent-tool binding, which means its design flaws are now systemic compliance risks.

What to Expect

2026-06-02 AmericanFortress presents full Bitcoin construction for ZK-STARK post-quantum HD wallet protocol in Paris.
2026-06-23 EU Commission public feedback deadline on draft high-risk AI classification guidelines (160+ pages).
2026-06-25 NXP webinar with Dr. Joost Renes on integrating PQC into hardware roots of trust and embedded products.
2026-07-28 MCP 2026-07-28 release candidate target: stateless protocol, formal extension governance, hardened OAuth/OIDC.
2026-08-31 European Commission MiCA review consultation closes — stablecoins, DeFi, staking gaps under examination.

Every story, researched.

Every story verified across multiple sources before publication. Scanned: 719 articles across multiple search engines and news databases. Read in full: 204 articles, each opened, read, and evaluated. Published today: 14 stories, ranked by importance and verified across sources.

— The Masked Compute Desk
