🎭 The Masked Compute Desk

Tuesday, May 26, 2026

12 stories · Standard format

Generated with AI from public sources. Verify before relying on for decisions.


Today on The Masked Compute Desk: the verification plane is where the real power sits. New governance-by-construction architectures from IBM, a formal proof that catches FOCIL censorship channels, a side-channel attack that breaks Intel TDX isolation, and regulators from IOSCO to Texas demanding proof of enforcement — not policy documents. The gap between agent capability and provable compliance keeps widening.

Agentic AI Compliance

IBM publishes CUGA and ALTK: governance-by-construction middleware for agentic AI at five execution checkpoints

IBM Research published two complementary frameworks on May 26. CUGA (Governance by Construction for Generalist Agents) embeds policy-as-code across five structural checkpoints in agent execution: Intent Guard (upstream planning validation), Playbook (system prompt steering), Tool Guide (tool-call enforcement), Tool Approvals (human-in-the-loop gates), and Output Formatter (response filtering) — demonstrated in healthcare workflows without requiring model fine-tuning. ALTK (Agent Lifecycle Toolkit) open-sources reusable middleware components covering six intervention points across the full agent lifecycle, from post-user-request through pre-response assembly, with consistent interfaces for low-code platforms.

These frameworks establish that compliance can be architecturally separated from the reasoning loop and composed as middleware — a pattern that enables faster iteration on governance without model or agent changes. CUGA's five-checkpoint approach shows how policy intervention at execution junctures allows compliance-aware behavior across different regulatory domains without retraining. ALTK's middleware abstraction means safety and governance become portable across agent frameworks. The key insight for anyone shipping agents into regulated environments: governance-by-construction is now a documented, reusable pattern, not a bespoke engineering exercise.
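To make the five-checkpoint pattern concrete, here is an added sketch (not IBM's CUGA or ALTK code) of policy-as-code hooks wrapped around a stand-in agent turn; the Policy fields, checkpoint functions and audit-event tuples are all hypothetical names chosen for this example, and the plan, tool calls and draft output are constructed inputs in place of a model.

```python
# Hypothetical sketch of CUGA-style governance-by-construction (not IBM's code):
# policy-as-code hooks at the five checkpoints named in the article, plus an
# audit trail so enforcement is evidenced at runtime rather than merely declared.
import re
from dataclasses import dataclass

class PolicyViolation(Exception):
    """Raised when a checkpoint blocks the agent's execution."""

@dataclass(frozen=True)
class Policy:
    allowed_tools: frozenset      # Tool Guide: allowlist of tool names
    approval_required: frozenset  # Tool Approvals: tools needing a human gate
    forbidden_intents: tuple      # Intent Guard: plan phrases that abort the run
    redact_patterns: tuple        # Output Formatter: regexes masked before reply
    steering: str                 # Playbook: text prepended to the system prompt

def intent_guard(plan, policy, audit):
    """Checkpoint 1: validate the plan upstream, before any tool is invoked."""
    for step in plan:
        for phrase in policy.forbidden_intents:
            if phrase in step.lower():
                audit.append(("intent_guard", "block", step))
                raise PolicyViolation(f"forbidden intent: {step}")
    audit.append(("intent_guard", "allow", f"{len(plan)} steps"))
    return plan

def playbook(system_prompt, policy, audit):
    """Checkpoint 2: steer the model by prepending policy text to the system prompt."""
    audit.append(("playbook", "steer", policy.steering))
    return policy.steering + "\n" + system_prompt

def tool_guide(call, policy, audit):
    """Checkpoint 3: enforce the tool allowlist on every tool call."""
    if call["tool"] not in policy.allowed_tools:
        audit.append(("tool_guide", "block", call["tool"]))
        raise PolicyViolation(f"tool not allowed: {call['tool']}")
    audit.append(("tool_guide", "allow", call["tool"]))
    return call

def tool_approvals(call, policy, approver, audit):
    """Checkpoint 4: human-in-the-loop gate; approver(call) -> bool decides."""
    if call["tool"] in policy.approval_required and not approver(call):
        audit.append(("tool_approvals", "deny", call["tool"]))
        raise PolicyViolation(f"approval denied: {call['tool']}")
    audit.append(("tool_approvals", "allow", call["tool"]))
    return call

def output_formatter(text, policy, audit):
    """Checkpoint 5: mask sensitive data in the response before it leaves."""
    for pattern in policy.redact_patterns:
        text, hits = re.subn(pattern, "[REDACTED]", text)
        if hits:
            audit.append(("output_formatter", "redact", f"{pattern}:{hits}"))
    return text

def run_agent(plan, system_prompt, tool_calls, draft_output, policy, approver, audit):
    """One agent turn through all five checkpoints; plan, tool_calls and
    draft_output are constructed stand-ins for what a model would produce."""
    intent_guard(plan, policy, audit)
    playbook(system_prompt, policy, audit)
    for call in tool_calls:
        tool_approvals(tool_guide(call, policy, audit), policy, approver, audit)
    return output_formatter(draft_output, policy, audit)
```

Because every checkpoint writes to the same audit list, the record of which gate allowed, blocked or redacted what is the runtime evidence the briefing calls proof of enforcement; the model and agent code are never modified.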

Verified across 2 sources: IBM Research · IBM Research

IOSCO releases first multilateral supervisory toolkit that explicitly names agentic AI as a governance subject

IOSCO published a comprehensive Supervisory Toolkit for AI Use in Capital Markets on May 25, covering governance, third-party risk, disclosure, and recordkeeping across the full lifecycle of AI systems — from traditional ML through GenAI to autonomous agents. The toolkit includes a two-year roadmap for reviewing industry practices and coordinating with the Financial Stability Board on AI-driven cyber risks. This is the first time the global securities regulator body has explicitly placed agentic AI within supervisory scope alongside classical ML systems.

IOSCO's toolkit signals that capital markets regulators are converging on 'proof of enforcement' — auditable evidence of decision pathways, tool call chains, and human override points — as a baseline for agent deployments in finance. The two-year review cadence means firms deploying agents in trading, compliance, or KYC today will face retrospective scrutiny against these standards. Combined with the EU AI Act's high-risk classification guidance and Texas HB 149's pre-deployment risk assessment requirements, the compliance surface for agentic systems in finance is now defined across three major regulatory spheres.

Verified across 1 source: Disruption Banking / IOSCO

Salesforce Engineering documents production governance architecture propagating identity through multi-system agent workflows

Salesforce Engineering published a detailed architecture for unified agent governance across Agentforce, Data 360, MuleSoft, and Informatica. The system propagates identity and authorization through multi-system agent workflows, routes all data access through a single enforcement layer to prevent governance bypasses, and provides end-to-end observability via aggregated trace data. The identity model distinguishes user-proxy agents (inheriting human permissions) from system-identity agents (autonomous, with scoped credentials), and a Trust Layer handles data persistence controls, sensitive info masking, and prevention of model provider data retention.

This is one of the first detailed production architectures showing how a major enterprise platform actually wires governance through multi-agent, multi-system workflows — not just at the model layer but across data, APIs, and identity. The single-enforcement-layer pattern (one policy evaluation point across all access patterns) is architecturally significant: it prevents the governance bypass that occurs when agents access data through multiple uncoordinated paths. The Trust Layer's explicit prevention of model provider data retention addresses a privacy concern most enterprise agent platforms hand-wave past.

Verified across 1 source: Salesforce Engineering Blog

WorkOS ships auth.md: an open agent registration protocol decoupling agent identity from human authentication

WorkOS released auth.md, an open protocol for machine-readable agent registration and authentication that decouples agent identity from browser-based human auth flows. The protocol supports two flows: agent-verified (via ID-JAG tokens from providers like OpenAI or Anthropic) and user-claimed (OTP-based). Discovery is built on OAuth standards with well-known endpoints for Protected Resource Metadata. Live integrations with Cloudflare and Firecrawl were demonstrated at MCP Night 4.

Agent authentication is a foundational compliance and security gap: current workarounds (raw API keys, unscoped tokens) produce credentials that are unauditable and impossible to revoke selectively. auth.md structures agent identity, scoping, and revocation using ID-JAG and JIT-provisioning patterns that mirror OIDC/SAML — lowering friction for enterprise adoption. The protocol is intentionally minimal and vendor-neutral, which increases adoption likelihood but means governance teams will need to layer policy enforcement on top. Watch for whether Anthropic and OpenAI adopt auth.md as a standard identity binding for their managed agent infrastructure.

Verified across 2 sources: Marktechpost · WorkOS

Privacy Preserving Compute

TELESCOPE exploit breaks Intel TDX isolation: sibling-core performance counters leak RSA keys and bypass KASLR

TU Graz researchers published the TELESCOPE exploit (ASIA CCS '26, June 2026) demonstrating a critical side-channel vulnerability in Intel TDX Trusted Execution Environments. Sibling logical cores on Intel Emerald Rapids processors can read eight shared performance counters tracking physical-core events — bypassing Intel's mitigation that disables counters within Trust Domains. The attack recovers RSA-2048 private keys (0.92-bit edit distance), leaks memory at 52.6 bit/s, breaks KASLR in 2 seconds, and defeats OpenSSH keystroke timing defenses with 99.6% F1 score.

This is not a theoretical concern — it's a peer-reviewed, demonstrated attack against the isolation model that underpins Azure Confidential Computing and the broader 'confidential AI' marketing narrative. The vulnerability is architectural: shared physical-core resources leak information across logical cores regardless of software mitigations within the TD. For anyone building privacy-preserving infrastructure on TEE foundations, TELESCOPE forces a hard question: is hardware isolation a sufficient trust anchor, or does production security require layering TEEs with additional cryptographic protections (MPC, FHE) to defend against microarchitectural leakage?

Verified across 1 source: TU Graz Elsevier Pure

Comprehensive TEE database survey maps performance costs: 1.1–1.5× for encrypted point queries, 30–100× for oblivious OLAP

A comprehensive technical survey compares Intel SGX, AMD SEV-SNP, Intel TDX, and ARM CCA across threat models and side-channel mitigations for database confidentiality. The analysis reviews EnclaveDB, Opaque, and ObliDB research alongside Azure Confidential SQL and AWS Nitro Enclaves production deployments, providing empirical cost-benefit analysis: 1.1–1.5× overhead for encryption-only point queries versus 30–100× for complex OLAP workloads requiring oblivious access pattern hiding.

This survey provides the decision-quality data that TEE marketing systematically omits. The 30–100× overhead for oblivious OLAP operations means that access-pattern-hiding — the defense needed against attacks like TELESCOPE — has a concrete, punishing cost at the database layer. The survey's production hardening guidance (attestation lifecycle, key hierarchies, TCB policy updates) separates pilot projects from compliance-grade deployments. Read alongside the TELESCOPE TDX exploit, this becomes essential reference material for anyone architecting privacy-preserving data systems.

Verified across 1 source: Quant67 Database Frontier Series

Zero Knowledge Systems

Lemma Oracle ships Groth16-based proof-of-key-possession authentication — keys never leave the browser

Lemma Oracle implemented a Groth16-based authentication system where API keys generate zero-knowledge proofs of key possession in the browser without ever transmitting the key or its hash to the server. The system uses a session-bound nonce and Poseidon hash function to create a unique nullifier per login, preventing replay attacks while keeping the key's preimage hidden. No key material or correlation surface crosses the wire.

This is a practical ZK authentication primitive purpose-built for the agent economy's credential problem. Agents authenticating to services currently either leak credentials (API keys in transit) or create correlation surfaces across sessions. Lemma Oracle's nullifier design — unique per session, unlinkable across sessions — eliminates both attack vectors. The architecture is directly composable with agent authentication frameworks like auth.md: agents could prove access rights without revealing identity or enabling cross-session tracking. The question is whether browser-based Groth16 proof generation can hit latency targets for real-time agent workflows.

Verified across 1 source: Lemma Oracle (GitHub)

Post Quantum Cryptography

Eindhoven PhD dissertation delivers machine-checked PQC security proofs for XMSS, SPHINCS+, and hybrid KEM combiners

Matthias Meijers' PhD dissertation (Eindhoven University of Technology, defended May 28) develops fully formalized security proofs for hash-based PQC signature schemes XMSS and SPHINCS+ using the EasyCrypt proof assistant, and extends verification beyond specification-level reasoning to low-level Jasmin implementation correctness. The work also analyzes key encapsulation mechanism combiners for hybrid post-quantum deployment, producing reusable EasyCrypt libraries.

This closes a critical gap: most PQC adoption decisions rely on algorithm-level security analysis, but implementation bugs can silently undermine the guarantees. Meijers' work proves functional correctness from formal specification down to concrete code — the same approach Apple's CoreCrypto pipeline uses, but applied to the hash-based schemes most commonly proposed for long-lived signatures. The reusable EasyCrypt libraries directly lower the barrier for future formalized analyses, which matters for protocol designers who need to justify PQC primitive choices to auditors and regulators.

Verified across 1 source: Eindhoven University of Technology Research Repository

DAO Governance Protocol Design

FOCIL Lean 4 formalization catches equivocation censorship channel and proposer front-running attack surface

A formal Lean 4 proof of FOCIL (EIP-7805) safety — the fork-choice enforced inclusion list mechanism planned for Ethereum's Hegota upgrade — reveals that the '1-of-N honesty' guarantee degrades when a committee member equivocates: subsequent transactions from that member are ignored even if honestly listed. The formalization also surfaces that a proposer can front-run an inclusion-list transaction by engineering nonce invalidity before block production, and exposes a quantifier-scope subtlety in the fork-choice rule that affects how the honest-attester invariant composes.

This is formal verification doing exactly what it should: catching governance-relevant design gaps that simulation and informal reasoning miss. Equivocation becomes a censorship channel with no explicit slashing rule. Proposers have a low-cost attack surface against EOA-level validity. The informal specification conflates global and locally-relativized quantification scopes. None of these invalidate FOCIL, but they narrow the safety guarantee from what the spec intends to what it formally commits to. For any protocol relying on inclusion lists for censorship resistance — including privacy systems that depend on guaranteed transaction inclusion — these findings directly constrain the trust model.

Verified across 1 source: Ethereum Research

Cardano governance civil war deepens: DReps reject quantum-resistance research while Hoskinson considers becoming a delegate

The $52M IO Research treasury vote (tracked here since yesterday's 87% DRep opposition) has widened into a multi-front governance dispute. Deeper reporting reveals three concurrent conflicts in 2026: Genesis ADA allocation control, the Cardano Summit 2026 budget, and an $8.6M research proposal specifically for Leios scaling and quantum-resistant cryptography — all rejected or contested. The Cardano Foundation has remained strategically silent, abstaining from votes. Hoskinson is still considering registering as a DRep before the June 8 vote concludes, after reviewing governance models from 11,000+ DAOs.

The new detail that DReps rejected a dedicated quantum-resistance research proposal — not just general IO Research funding — sharpens the structural problem: the governance mechanism is blocking a specific, categorizable class of long-horizon security investment. PQC migration is already the most deadline-fragmented compliance challenge in the ecosystem (60+ deadlines, 15+ jurisdictions per the tracker covered yesterday), and Cardano is now the first major L1 where that funding has been explicitly voted down. For any protocol designing treasury governance, this is the canonical demonstration that short-term token-holder dynamics and long-horizon cryptographic security investment are in structural tension, not just theoretical conflict.

Verified across 2 sources: Crypto News · The Crypto Basic

AI Regulation Three Jurisdictions

EU AI Act regulatory capture documented: 249 instances across three AI summits, GPAI Code of Practice diluted

Researchers from Trinity College Dublin, Carnegie Mellon, TU Delft, and University of Edinburgh published a paper documenting 249 instances of regulatory capture mechanisms by Big AI across three global AI summits and EU AI Act negotiations, using a taxonomy of 27 distinct capture pathways. The General Purpose AI Code of Practice — the secondary legislation implementing the EU AI Act — was continuously diluted, with human rights protections downgraded from mandatory to optional.

This is the empirical evidence behind the persistent gap between EU AI Act headline obligations and actual enforcement teeth. The paper shows that 'regulation stifles innovation' narratives have captured government language at the Commission level, and human rights protections are optional rather than enforced in the GPAI Code of Practice. For privacy-tech and governance infrastructure builders, the implication is strategic: the regulatory surface is weaker than the headline law suggests, creating both risk (enforcement may be selective) and opportunity (vendors providing genuine attestation and governance differentiate against a low compliance floor).

Verified across 1 source: EU Observer

Crypto Payments Web3 Ux

Sui announces default-private stablecoin transactions with issuer-controlled visibility, testnet live

Mysten Labs announced that Sui will implement privacy by default across stablecoin transactions, with encrypted amounts visible only to sender and receiver while maintaining selective visibility for regulators and token issuers. The feature is live on testnet and expected on mainnet soon. Combined with Sui's recent protocol-level gasless stablecoin transfers (covered in a prior briefing), this positions Sui as the first major L1 attempting to ship both zero-fee and default-private stablecoin payments simultaneously.

The design pattern — user privacy + issuer visibility + regulator transparency — is architecturally distinct from both fully public ledgers and total-privacy schemes. If the implementation is sound (details pending), it addresses the core institutional objection to on-chain payments: public transaction histories expose competitive intelligence and violate financial confidentiality norms. For the agentic economy, this matters directly: autonomous agents transacting on public chains currently expose their entire financial history to competitors and front-runners. Default privacy with selective auditability is the compliance-compatible middle ground that institutional adoption requires.

Verified across 3 sources: Crypto Economy · Bitcoin.com News · Crypto Adventure


The Big Picture

Proof of enforcement supplants proof of policy

ARMO's five-rung enforceability ladder, IOSCO's supervisory toolkit, Texas HB 149, and IBM's CUGA all converge on the same demand: auditable runtime evidence that governance was enforced, not just declared. Application-layer policy engines sharing the agent's process boundary are no longer credible. The market is moving toward kernel-level and infrastructure-plane verification as the minimum standard.

Hardware trust boundaries under active attack

TU Graz's TELESCOPE exploit recovering RSA keys from Intel TDX via sibling-core performance counters joins the IEEE ICC traffic fingerprinting work from last briefing. TEE isolation — the foundation of confidential compute marketing — has an active, peer-reviewed attack surface that pure software mitigations cannot fully close. Builders choosing TEE-based architectures must now price in side-channel exposure as an ongoing operational cost, not a theoretical risk.

Agent identity becomes an independent infrastructure layer

WorkOS's auth.md protocol, IBM's CUGA and ALTK middleware, Salesforce's unified governance architecture, and Lemma Oracle's ZK proof-of-key-possession all treat agent identity as a first-class primitive requiring its own authentication, lifecycle management, and credential delegation systems — distinct from human IAM. The convergence is rapid and cross-vendor.

DAO governance under live stress reveals structural design failures

Cardano's DReps rejecting quantum-resistance research, Polkadot's genesis allocation challenge, and the Ethereum Foundation's 'smaller ship' restructuring all demonstrate that decentralized governance systems can deadlock on long-horizon investments, concentrate economic control despite voting decentralization, and struggle to fund public goods without centralized backstops.

Formal verification is catching real bugs that testing misses

FOCIL's Lean 4 formalization caught equivocation-as-censorship and proposer front-running channels. Apple's CoreCrypto formal pipeline caught a missing range-check in PQC signatures. Eindhoven's EasyCrypt work closed spec-to-implementation gaps in XMSS and SPHINCS+. The pattern: formal methods are finding defects in production-bound code that conventional testing systematically misses.

What to Expect

2026-06-02 AmericanFortress presents secp256k1-native ZK-STARK PQC construction for Bitcoin at Paris event
2026-06-08 Cardano IO Research $52M treasury proposal vote concludes — 87% DRep opposition as of last check
2026-06-23 EU Commission feedback period closes on draft high-risk AI classification guidance
2026-08-02 EU AI Act Article 50 transparency obligations and GPAI supervision take effect — deployer disclosure requirements enforceable
2026-12-02 EU AI Act Annex III high-risk system obligations take effect (pushed from August 2026 by Digital Omnibus)
