Chapters
- 0:00 Why securing an AI agent in software alone is impossible
- 0:30 Delegating execution power inside your security perimeter
- 2:28 The attack-defense asymmetry AI is erasing
- 6:00 The alignment problem and delegating rights to agents
- 9:24 Policy engines, intents, and hardware-enforced signatures
- 13:19 From developer experience to agent experience
- 15:12 Secure elements, HSMs, and execution integrity
- 20:00 Zero-knowledge proofs, proving without revealing
- 27:24 Convincing the skeptics on agent-driven payments
- 34:49 Why Ledger bet on dedicated hardware
- 36:15 Hardware as a determinism layer for agents
- 38:52 How Ledger uses hardware authorization internally
- 43:42 Classifying assets by threat model
- 46:55 When attack and defense become symmetric
- 48:44 Deepfakes, voice cloning, and the scam wave
- 50:04 Closing thoughts on staying safe in the agentic economy
Show notes
Charles Guillemet is CTO of Ledger and the founder of the Donjon, Ledger's internal offensive security lab whose job is to break the company's own products before attackers do. He spent a decade in cryptography and hardware security before Ledger, including designing secure integrated circuits.
His argument is blunt: you cannot secure an AI agent with software alone. As agents start moving real money, software permissions, API keys and trust scopes provide no physical verification layer, and Charles makes the case that hardware has to sit in the loop.
This one turned into a wide-ranging thought piece (and some debate) on what the agentic economy actually looks like, and how to stay safe inside it.
We cover:
- Why Charles thinks "securing an AI agent" with software permissions and API keys is a false promise
- The economic asymmetry between attackers and defenders, and how AI is collapsing it
- How a policy engine plus a hardware-enforced signature can delegate rights to an agent safely
- Why Charles thinks the agentic economy settles on blockchain rails over Visa and Mastercard
- Secure elements, HSMs, and zero-knowledge proofs as execution-integrity guarantees
- How Ledger uses hardware authorization internally for passkeys, signed releases, and multisig
- A practical way to classify assets by threat model and match security to value
Connect with Charles Guillemet:
- LinkedIn: https://www.linkedin.com/in/charles-guillemet/
- Twitter/X: https://x.com/P3b7_
- Ledger: https://www.ledger.com
Connect with Chain of Thought host Conor Bronsdon:
- Newsletter: https://newsletter.chainofthought.show/
- Twitter/X: https://x.com/ConorBronsdon
- LinkedIn: https://www.linkedin.com/in/conorbronsdon/
- YouTube: https://www.youtube.com/@ConorBronsdon
More episodes: https://chainofthought.show
Transcript
Charles Guillemet 0:00 Securing an agent is not something possible. People are telling differently. I think they are either a little bit too optimistic or maybe they don't understand what we are talking about. This is not something that is really possible. The only way to have very strong security guarantees is to have the dedicated hardware. And when it comes to your money, the incentives for the attacker are very high. So hardware will be part of the equation.
Conor Bronsdon 0:30 AI agents are already managing our email, they're scheduling meetings, they helped me write this talk track, and in some cases they're executing transactions, including financial transactions. Giving an agent access to your systems means delegating execution power inside your security perimeter. And the current model, with software permissions, API keys, trust scopes, has no physical verification layer. Maybe it should. Welcome back to Chain of Thought, everyone. I am your host, Conor Bronsdon. Today's guest has spent over a decade at the intersection of cryptography and hardware security. He runs one of the world's most unusual security teams, a group whose job it is to break into his own company's products before attackers do, which is always a blast. And his view on AI agents and enterprise systems is differentiated from most security leaders that I've talked to. It's not add AI to the defensive stack, though we may talk about that a bit. It's rather that the problem is architectural, and you need hardware in the loop. Charles Guillemet is CTO of Ledger. He built and leads the Donjon, Ledger's internal offensive security research lab, and before Ledger he spent a decade in cryptography and hardware security, including designing secure integrated circuits at Tiempo and working at France's national research organization. Charles, welcome to Chain of Thought. Are you joining us from France today?
Charles Guillemet 1:54 Yes, definitely. I'm currently in France.
Conor Bronsdon 1:57 Fantastic. Where are you based? I actually don't know.
Charles Guillemet 2:00 I can't, I cannot say it.
Conor Bronsdon 2:02 Ah, okay. Yes, that is very fair. And I think that speaks to the security postures that you have to handle in your work.
Charles Guillemet 2:13 Yeah, OPSEC is important, yeah.
Conor Bronsdon 2:16 Yeah, yeah. Well, let's dive right into it then. You know, I mentioned it at the start of the show, but why do you think hardware-backed authorization is necessary in today's world?
Charles Guillemet 2:28 Let me try to rewind a little bit. I think AI is a huge opportunity. It unlocks plenty of new things. It unlocks plenty of new science, new research, new use cases, and it's incredibly exciting. But when it comes to security, it's equally an opportunity and a threat. I like to say that a system is secure if you manage to create an asymmetry between attack and defense. If breaking your system would cost more dollars than what you could retrieve as an attacker, then your system is secure. It's the economic angle. You also have the timing angle, like if you need 10 years to brute force my password and in 5 years my account is no longer relevant, then the system is secure. And before AI, like maybe before last year, finding vulnerabilities was extremely difficult and exploiting them was also very difficult. And with AI, all of this is changing rapidly. And now we see that finding a vulnerability is very easy. You just have to prompt code and ask it, please find a vulnerability on this service and make no mistake. The make no mistake part is important. And just like this, it will find a vulnerability. So if you're a security researcher, you will have more enhanced prompts and a better security harness. Basically, finding a vulnerability is trending towards zero, which is an issue because now recreating this asymmetry between attack and defense is incredibly difficult, and we are seeing this. We are in the very beginning of a big security armageddon. We can see this in the blockchain world, in DeFi, but also in every single IT. Maybe last year, extracting the database of any e-commerce website, no one would do it because it would have taken, I don't know, two months for a talented security researcher and at the end, you would have sold the database for 5,000 on darknet, no one would do it. Now, it costs zero, so people are doing it, and we can see that there are plenty of data leaks every day, unfortunately.
So, I would just want you to set the scene, like we are at the beginning of this very big security armageddon, and recreating this asymmetry will be very difficult. When it comes to your question, definitely agents are very convenient. You just prompt something very high level, you give the high level targets, and then the agent will just figure out and execute what you just asked. But then you have like two main issues. The first one is the alignment problem. Like how do you make sure that what you prompted actually matches with what the agent is executing. And this one is definitely not easy to solve just because the English language and the French language are not the mother of the country, is ambiguous. So translating something ambiguous into something deterministic is difficult. Secondly, agents are not deterministic at all, there are plenty of heuristics, probability, so sometimes they will do exactly what you wanted, sometimes something slightly different. So this is really the alignment problem. And the second one is a simple security problem. Like as soon as you want to ask your agent to do stuff with your data or with your value, then it means that you need to provide credentials, API keys, or even your like 24 words when it comes to crypto. And by the way, I think really the crypto blockchain is the native rails for agents. Today, Visa and Mastercard are winning in terms of volumes, it's pretty clear, even if like stablecoin volume is increasing a lot. But the main reason why Visa and Mastercard are winning is just because they have the distribution and also that the UX is more convenient. But an agent doesn't care about the UX. An agent will optimize for speed, for cost, and for that, blockchain is definitely more efficient, faster, cheaper, you also have composability and so on. So there is no doubt that the agentic economy will be on blockchain rails.
And finally, what I wanted to say, so you want your agent to do stuff on your behalf, but you don't really want to give your credentials to your agent because securing an agent is not something possible. People who are telling differently, I think they are either a little bit too optimistic or maybe they don't understand what we are talking about. This is not something that is really possible. So what we would like to do is rather like delegating rights to an agent so that the agent can do stuff freely within this context. So you could define policies and so on so that the agents would respect those policies. And above, outside your desk policies, then you might want to, as an interviewer, to verify what kind of transactions, we talk about financial transactions, your agent would like to execute. And then there are two main security problems there. On one side, you have the policy engine. It's not that easy to design a secure policy engine. For various reasons, again, it's difficult to create intents, like the formalization of intents, and make sure that an intent actually matches with a specific action. So creating this formalization is not that simple.
Charles Guillemet 9:24 It's doable, but not that simple. And secondly, when you approve a virtual policy, how do you trust the system that will approve this policy? A good idea would be to use like a hardware-enforced signature, so you are using your Ledger device for instance to review the policy and sign it, so that the policy engine is certain that this policy comes from you and then that your agent can access a resource that belongs to you. So this is a model. And the other one would be like the keys themselves. So again, like I wouldn't give my private key, my crypto private keys, to an agent because for sure I would lose everything that is behind this private key. Either it would do like actions that I didn't want it to do, or like an attacker would be able to prompt inject the agent so that it reveals the keys. And this is not something hypothetical, there are plenty of stories like this on the net, on the internet, and recently on Twitter there was an account that was prompt injected just by tweeting to the account, and I don't remember how much money they lost. But again, so you really need to create like a strong field with a position giant that is harder and fast. And when it comes to actually sending transactions, then you need another. For me, the good model is really this. So you create a formalization of intents and policies. And if you are able to formally prove this thing, like this policy engine, I think it's clearly better. You also need guarantees that this policy engine is properly executed. So for that, you have like two main ways to do that. Either you implement the policy engine inside a secure enclave, inside the niche system, a TEE. TEE is not that secure, but it's better than full software. Or you could even use like a zero-knowledge proof to do that. Like zero-knowledge proof is quite efficient to provide you integrity guarantees on the execution of something, and the policy engine in particular.
And when it comes to the keys, the keys should live in a secure enclave so that whenever the agent is proposing an intent, it goes through the policy engine and the secure enclave receives this approval that comes from the policy engine, and then the secure enclave can simply issue the signature for the transaction. So here you have like a full end-to-end security design where you have like a strong guarantee in terms of alignment. You are sure that the agent is doing an action that is inside the authorized actions. And the second one is security, like the keys stay in an enclave and the enclave doesn't sign anything if it's not approved. So this would be like the ideal design in such a setup. But again, it also depends like what you want to secure. If you just want to secure, I don't know, $5
Charles Guillemet 12:51 per day because there is not less than $5 maybe you can put the private key that secure your $5 inside the agent because you don't really care if it's stolen. It's also a trade-off between what you want to secure and how much you spend into the design of the security of your agent.
Conor Bronsdon 13:19 You brought up quite a few very interesting and I think important concepts here that we should drill down on a bit. So one is this idea of the change from developer experience to agent experience and how this enables new payment rails, particularly in the crypto space. To your point, one of the challenges for a lot of, call it like non-native economy approaches to exchanging economic value on the internet, has been that the experience has been odd for folks. They're saying, oh, this isn't the Mastercard Visa experience I expect, as you put it. And, you know, transitioning to something like Solana, Bitcoin, whatever, whatever you pick here, it's got a learning curve, if nothing else. Whether or not the actual application is developed well, whether or not the rails are developed well, even if they're faster, even if they have cryptographic benefits, there are challenges there. But now with the preponderance of content out there about how to operate, I'll take a Solana wallet here as an example because it's one of the more popular currencies that has high speed and low transaction cost. And there is a whole concept now around agentic capital that has been discussed because we are now designing for agent experience and they are able to go execute these things on our behalf. But to your point, this creates a lot of risk. And you brought up another really interesting concept here around this idea of zero-knowledge proofs and actually ensuring that agents have authorization, or humans and their agents have authorization, in these areas. Can you expand a bit on what's actually required to validate success here and maybe talk a bit about how at Ledger hardware is built into that workflow of validation?
Charles Guillemet 15:12 Yeah, sure. So for the first item, I think it's really important to highlight this. Today, we don't even notice this anymore, but we are using always the same rails when it comes to payment, financial transactions, just because we are used to it. But they are far from perfect, in that you cannot do a wire transfer outside of weekdays, outside of business hours. It takes several days, it's costly, like all of this, same with Visa, Mastercard and so on. But we are just very used to it and this is the reason why we use them. But when you want to use your money, you don't really care about these rails, you are just used to it. But now, tomorrow, you are going just to prompt to your agent to buy a flight ticket. And you won't say to your agent, please use this credit card or this account or whatever. You just want to pay, okay? And the agent will just like create this abstraction layer so that you don't even have to think about where your money is and so on. You just want your money to be secure and your transfer to be fast, cheap. You don't want to have high fees and so on. And the complexity of the UX and the learning curves and so on, you don't care. It's the problem of the agent. And by the way, for the agent, it's not a problem. All of this is the same. Visa is not more complex or more simple than using Solana or whatever L2 on Ethereum when it comes to paying anything. So let's really think like this. And when it comes to the benefits as a user, it's faster, cheaper, composable, and so on. Everything is better. So on this, I think there is really no doubt, it's really just a matter of time, but agents will use wallets everywhere to finish the transactions. And the second is really about having guarantees in the execution of code. At the end, this is really what we want to achieve. And at Ledger we are using a secure enclave for two different things. So a secure enclave is a piece of hardware that has different guarantees.
And the main guarantee is on one side you have the confidentiality of the secret that you put inside. So at Ledger, we are using two types of security. We are using like a secure element. This is like a tiny integrated circuit that you find in your passport or in your banking accounts, but also in Ledger products. For those who can see the video, this is one of the Ledger products. And inside this, there is a secure element. It's a very tiny chip, an integrated circuit that is completely designed for security. You don't have much flash, you don't have much RAM, you just have strong security guarantees because the attack surface is very small and also because it was designed for security. So we are using secure elements and on the other side, we are using HSMs. HSM stands for Hardware Security Module. So it's basically like a secure server that we are putting in some dedicated data center. And the same appearance like a very small attachment phase dedicated for security. And we are using both of them. And secure enclaves, we are using them to have like two properties. The first one is the confidentiality of the secrets. So secrets are generated inside the enclave and they never leave the enclave. Like it's really, it's an enclave, like the secrets stay there. And even if you have like, as an attacker, even if you have a physical access to the secure element or the HSM, it would be like incredibly difficult to extract the secret. So they are really designed for that. And secondly, like the cryptography is implemented inside the enclave so that as a user, as a developer, you don't have to ask the enclave the secret to compute cryptography. You just ask for cryptography services: please sign this transaction, please encrypt this message, please. So this is really like the model. And the second property that we like with enclaves is the fact that you have a strong guarantee that the code that is executed inside the enclave has not been tampered with.
And this is quite important because in most attack vectors the thing is you have like some program that runs on the machine and quite often, like very often, you have an attacker that has another process and tries to change the way the main program is running so that the program is doing like something else. That's really how the hack works. When you are trying to access a database, what you're going to do is to talk with the backend and inject specific vectors so that the program that is managing the database behaves differently. And then, as an attacker, you can access the database. So this is really the idea. And the secure enclave is very good for that because it really prevents another program, another attacker, from modifying the execution of the program. So this is really the kind of guarantee you have. The program that is running inside a secure enclave, you have execution integrity guarantees that are given by Jango. However, you can also use a zero-knowledge proof to do that. A zero-knowledge proof is a very interesting cryptographic tool. At the beginning, it was designed for a very different reason. Zero-knowledge proofs were designed in order to create a proof of a property without giving you information on the data itself. So let me give an example. With a zero-knowledge proof, I can prove that I'm 18 without revealing my birthdate. So this is the kind of property that you can achieve. And as an observer, I just have to verify your proof, and I'm certain that you didn't lie. There are plenty of such examples. For instance, I would like to compare my salary with yours, but both of us don't want to share our salary. So what we can do is ask a prover to create a zero-knowledge proof of this comparison. So this is really what zero-knowledge proofs are designed for. And the thing is, you have this anonymity property, which is great, but you also have a trusted execution guarantee.
For instance, the simple program I mentioned at the end is a program that is doing a comparison. But at the end, the proof gives you a strong guarantee that this comparison was executed properly. No one can lie. So that means that you could use a zero-knowledge proof to create some kind of virtual processor where the execution will be done with a proof. And at the end, as an observer, even if you don't really know what happened in the processor, but it's not the property that we are looking for, you don't really know what happened in the processor, but you have a strong guarantee that it happened properly. No program tried to inject anything inside in order to change the execution of the program. So this is really the property that is interesting in the zero-knowledge proof. Today at Ledger we don't really use zero-knowledge proofs directly. We are like interacting with different blockchains that are using zero-knowledge proofs for different reasons, for both reasons I mentioned, sometimes it's for privacy, sometimes it's for compressing the state of the blockchain in order to have a better scalability of the blockchain. So we are interacting with zero-knowledge proofs, but we don't use zero-knowledge proofs at the device level yet. But this is an interesting area of research and we have a couple of teams that are working on this, and for instance for the design of the policy engine that I mentioned before. This could completely run inside a zero-knowledge proof system so that at the end, you just have a proof that your agent is actually authorized under your policy sets to do this specific action. And you don't even have to verify all of this. You have just a proof, you give it to the resource that will sign a transaction. So this is a possible design that we are working on.
Conor Bronsdon 24:37 Yeah, I think zero net or zero-knowledge proofs are really fascinating for this space because it just enables so much behavior that you couldn't otherwise. I mean, you brought up early in the show OPSEC where you're like, yeah, I'm in France, but I can't really share my location. And I think it's interesting to think about these concepts and then apply them to the idea of this agentic economy, which we, I think, most folks on the show are convinced we are heading into or already starting to see. We're seeing agents rolled out around the world. People are using them all the time. They are increasingly being put into products where people don't even realize it's necessarily an agent on their behalf, depending on, you know, how involved they are with it. And being able to prove the agent's capabilities and capacity to do something is really important. So, I mean, the example I've always loved is the idea of like, if I have a safe that you can observe me unlocking, you can see that I've managed to unlock the safe, whether or not you actually get to see the combination. And I can now validate that, hey, I have the ability and the right to do this, or at least I have the capacity to do it, whereas you don't necessarily need to know how explicitly it gets done. And this is really important when we're thinking about the operational security for agents. And given how non-deterministic they are, given their ability to go out and cause trouble, as well as do a lot of very positive things for us, I think it's very important. So while I think there are many people who are listening to this show, or I think probably most, who are thinking, okay, yes, agents are going to take over, we're going to use them for so many things, totally agree with that.
I'm not convinced, and maybe my listeners will prove me wrong on this, that they all agree with us that the next phase of the economy is going to include agents driving financial transactions and in particular driving financial transactions on the blockchain. This is something I've started to dig into and I'm becoming increasingly convinced, I think you're farther along than I am on this, that there is a need for much faster, much more efficient payment rails for the agentic economy. And it seems like some of the technologies we have in the blockchain and crypto space are going to enable that, both from a validation perspective, it feels like it's almost been waiting for this agentic economy, in my opinion. But I know there are listeners who are going to push back on that and say, oh, this doesn't make sense. What would you say to folks who are in on AI and are saying, yes, agents are where we're going, we're building them, we're interested, we think this is happening, but aren't ready to take the next step and say, okay, financial transactions are going to be managed by agents too. And by the way, the payment rails need to change to enable that. How would you communicate with that maybe skeptical audience?
Charles Guillemet 27:24 Yeah, sure. So first of all, the reason why people could be skeptical that an agent won't do a financial transaction for them, this reason is just about security. This is just a matter of security. If you say to an agent, buy this flight for me, and at the end, you are sure that the agent will do whatever you wanted and won't lose your money, then there is no problem with that. You prefer saying to an agent that you want to fly to New York on the 25th of this month, rather than going on the websites and selecting all of this that takes time, navigation and so on. So if people are reluctant to do that, it's just because they have a doubt that something could go wrong. So definitely, and they are correct. For now, it's possible to do it, but not that safe. So we, as a community, as a negotiating team, we need to make this experience safer and more secure. And when we will get there, people will be more at ease to do that. And it completely reminds me, so I'm starting to be old, it completely reminds me of the beginning of the 2000s when people were reluctant to buy anything online. That was the case. People were like, oh, I'm going to lose my credit card information, I'm going to lose money, no one will deliver my package at home. So that was really the atmosphere at the time. And now, no one has any doubt about that. This is the normal way to buy stuff on the internet. So, people, humanity needs time to process, to understand how new technology works and so on. The thing is that now everything is going faster, so the adoption will be clearly faster. So you have the security and the safety part. And to your point about blockchain as a payment rail, a financial rail, so again, what's the reason why people have doubts today? So either it's a matter of security maybe, or it's more a problem of knowledge, like they don't know how blockchain works, how wallets work, there is some friction, what about the UX?
Charles Guillemet 29:59 But first of all, people have no idea how Visa and Mastercard work. You don't have to understand the blockchain to use it. You don't have to understand Visa to use it. There is this first thing. And second, when it comes to the UX, which I think is the biggest issue today, so people are reluctant to use blockchain just because the UX is different, it's new, it's not always perfect, I have to admit it, and we are trying to improve it obviously at Ledger, but today it's not completely perfect compared to the traditional payment rails, let's say. But again, when it comes to the agentic economy, your agent doesn't care at all about the UX.
Charles Guillemet 30:52 Your agent will optimize for cost, and blockchain costs nothing, but you can send 1 million, 1 billion, whatever number of dollars you want, everywhere around the world for less than a cent. This is something that's possible with blockchain, not in the future, like now. Like if you have a billion, you can send it to Mexico in less than a second for less than a cent.
Conor Bronsdon 31:16 But to your point, the challenge has been, is that secure? Can we trust it? And that's where I think there's plenty of innovation happening, crypto space, but also is it accurate? Am I sending it to the right wallet, for example? And so I think this is where exactly what you're talking about as far as, you know, we have to be considering what's going to block agents and blocks humans from trusting those agents. So I love that you're drilling in on that. Sorry to cut you off.
Charles Guillemet 31:39 No, this is a very, very fair summary. We need to fix the safety and security problem so that as a human, you have strong guarantees that your agent will do exactly what you want and not something slightly different. So this is the first thing. And for the rest, it's just a matter of adoption. And adoption will be very fast. And again, at some point, humans won't even know on which rails it happens. Because by the way, there is no one blockchain. There are thousands of blockchains. Some blockchains are faster, so others are stronger, more secure. So again, this would be completely abstracted. And at the end, at the end also, there is no question of liquidity. Like for instance, you want to get yield on the dollars that you have in your wallets and you don't know like where the best yield is, so maybe you can ask your agent to do like the best safe yield, and you want to get yield on 10,000 and this is your prompt. And as long as it's safe and secure to do this transaction, the agent will find that today on Arbitrum, the Morpho vault number 32 gives you 8.3% with limited risk and that's it. You sign the transaction and you don't have to care about it. Because today if you want to have a yield on your money in your bank account, you have a big problem to understand that everything is bound or steady. But people trust more because they are more used to it and so on. So I really think it's a matter of changing the mindset, but also at the same time making sure that we have safety and security in this process, which is not completely the case yet, we have to admit it.
Conor Bronsdon 33:44 Yeah, you mentioned that you think this process is going to happen really fast, where we're just going to see this back-end transition as agents go, oh, well, this is just more efficient for us. It's more useful. But there is this trust barrier, right? Which is why we're talking about security, why we're talking about safety. How do we solve this trust barrier? Is it just down to, oh, we have to redesign our security systems and add hardware in the mix with this hardware authorization? Or are there software security approaches that can get us most of the way there? When do folks need to take the leap to this deeper design? And how is that design going to actually enable this agentic capital explosion? Because I think there is some risk that, you know, we are set up to have this explosion of new ways of paying, or at least ways of paying that have not been as popularized, where agents are now using all these payment rails. But there are too many security and trust concerns for that explosion to happen. So there's a blocker for at least quite a while until they figure that out.
Charles Guillemet 34:49 So, that's the reason why we created Ledger at the end, because we strongly believe that the only way to have very strong security guarantees is to have dedicated hardware. And it seems that we were right; the story proves us right, let's say. So yeah, this would be my premise. However, sometimes having something that is fully software might be sufficient, depending on the use case. So maybe you could give your agent direct access to, I don't know, your Instagram account. It depends on how important it is for you. And without hardware guarantees,
Charles Guillemet 35:42 if your Instagram account is very important, maybe you don't want to do that, by the way. So it really depends on the level of security that you expect. And depending on this, if you really don't want to lose access, you really don't want to lose credentials or money, then you will need at some point to have the hardware root of trust in the mix. And when it comes to your money, the incentives for the attacker are very high, so hardware would be part of the equation.
Conor Bronsdon 36:15 So I almost want to say that what you're doing by adding hardware into the authorization layer for this is injecting a determinism layer. Because we've talked a bit about how agents are non-deterministic; that topic has been discussed ad nauseam, but they're capable of incredible things because they can do things we didn't expect, which is both great and something we need to govern and guardrail against. And so I think what you're saying is, okay, let's inject a level of determinism where there are simply constraints based off of the hardware authorization that is provided, where an agent has to operate within those constraints. Because while we have implemented governance frameworks, observability, and all these things, getting to the 100%
Conor Bronsdon 37:08 accuracy that we would expect for large financial transactions, or let's say at least 99%, maybe nine nines, is truly impossible when you're looking at non-determinism if there is not some sort of hard barrier in place.
Charles Guillemet 37:25 Yeah, I think it's another way to put it. Definitely, hardware gives you determinism. Determinism because everything is set in stone with the hardware, like it's physically set in stone.
Conor Bronsdon 37:38 Or metal, but you know.
Charles Guillemet 37:40 And the second one is the execution integrity guarantee that I was talking about before, that you can have with a secure enclave or with ZK. So that's also why I like ZK, because it provides determinism plus execution integrity. But at the end, the hardware will stay necessary, at least for secrets.
Conor Bronsdon 38:08 So I think the counter-argument some folks would use is that, oh, hardware is expensive and, you know, wait a second, we're just talking about, you know, speed for agents. And now we're slowing things down by adding this additional layer. And in my head, it's like, okay, well, maybe that's reasonable for transactions that are a certain size initially, right? To your point where it's like, oh, if it's five bucks a day, do I care that much? Maybe not, depending on my level of risk factor or my level of care. But there is certainly a minimal viable version of this too. How is your team at Ledger currently using hardware authorization internally? I think that could be informative to understand.
Charles Guillemet 38:52 Yes, it's a very good one. For instance, we are using Ledger devices internally when it comes to authenticating to critical systems. So inside the Ledger device: Ledger devices are very well known for storing and managing your crypto. But at the end, inside the device there is an operating system that allows you to load different applications. And so Bitcoin, Ethereum, Solana are applications, but you also have non-crypto related applications, such as passkeys, for instance. Security Key is the name of the application, and it implements passkeys. So passkey is a standard that allows you to authenticate yourself, not by choosing a password, which is always weak, but by using asymmetric cryptography. And so we are using hardware internally to do that. You can also use your hardware to sign your commits as a developer, for instance, and it's always a good idea, because I was talking about the security problem that we have because of AI, and this problem is everywhere. We talk about vulnerability research, it's a big one, but the integrity of your supply chain is also a big one. How are you sure that the commit that was pushed to production comes from the developer you wanted? And in order to do that, the way to ensure this is to sign commits, sign releases. And I'd put a caveat here: when we sign commits or releases, not every single commit is signed with hardware. They are all signed, but not all with hardware. When it comes to releasing a critical piece of code, of software, we are using our devices internally to verify what we are signing, what we are going to push to production. And it's very important, because otherwise an attacker could, I don't know, pretend to be Ledger and create a violation of our firmware or our wallet or whatever. 
Even worse, an internal attacker could be hired, recruited by Ledger, and then try to carry out insider threats. And for this we have quorums internally, so that no one can push anything into production without the review of others reporting on the code. So we have different quorums for the different things. And all of this is done at Ledger using our devices, our hardware devices. Because this is the only way to reach a high level of productivity.
Conor Bronsdon 41:44 Yeah, I think it's really interesting to think about in that scenario where, yes, you're still at risk for a bad actor within the company who gets access to hardware devices. But the point is they have to physically get access. It's a lot harder than having someone simply spin up a thousand or tens of thousands of AI agents to, you know, go attack different areas. It makes it so things like the Mythos challenge, that I think many of us are thinking about as it has been running around the security industry, are much more difficult, where, okay, even if you string together some vulnerabilities, if there is a physical wall here, can you actually solve for it? And we've seen these concepts before, right? Like we've talked about having multiple points of validation. There's a reason we have thumbprints or, you know, face locks and these other types of validation that are trying to use your own physical attributes. Now some of those are scammable in a variety of ways. They are, in a variety of ways, harder or less hard to beat. But there's also this idea of physical passkeys that you're starting to see; anyone who's using Google Password Manager is starting to see passkeys as an option to sign in. And, you know, obviously there are synced software passkeys you can use, and there are also hardware device-bound passkeys. But can you talk a bit about what really makes the hardware authorization approach that Ledger is taking more secure, and why? I guess, maybe talk a little bit about how it enables this deeper level of security and where you think people should be using it today. Because I want to kind of paint a picture for our listeners around, okay, as we make this transition into an agentic economy, if they have come along with us in this story and they're like, okay, I'm buying it, you know, how should they be thinking about this today and what it enables for them?
Charles Guillemet 43:42 Okay, I'm going to try to answer this. It's not easy, because there is no definitive answer to that. It's really a matter of understanding your threat model, your trust assumptions, classifying data, classifying risks, and depending on all of this, then you will define different levels of friction and security to secure the different assets. So that would be my answer. So, you know, to give it a bit of flavor: something that is of low value in terms of confidentiality, integrity, and so on might be only secured by software and access control. For something that's starting to have a bit more value, you might want to use hardware, but only hardware that can automatically sign, so that you have the keys in something like HashiCorp Vault, for instance, this kind of thing that could sign data on your behalf so that the keys are secure, but not the execution. So it's a bit more secure. So it really depends on the use case. The next level would be: this is something where it is very important not to lose the confidentiality of, or to lose access to, the specific data. Then you will need such hardware with a screen where you verify what you are doing. And the last one would be the same thing, using hardware with a secure display, but in a multi-signature setup. Meaning that in order to sign the release of the firmware of Ledger devices, this is exactly what we are using. We are using devices with a screen where we can verify what we sign, in a multi-signature setup. So meaning that we need to reach a quorum in order to sign the release of the firmware before putting it in production. So I tried to take four examples where you have a different level of security depending on the asset that you want to protect. But at the end, this classification is very personal. This is my view on the classification of these assets. So maybe another CTO would see things differently. And the same 
from the personal standpoint. I was talking about Instagram, for instance, the access to my Instagram account. I don't have Instagram, but my Instagram account wouldn't be that important. So maybe I would only put the same password. It couldn't be that ugly, because of impostors, scammers, impersonation and so on, but still. But when it comes to, I don't know, my crypto, then I would add a multi-signature setup or that kind of thing. But again, to me, when it comes to my Twitter account, I have 2FA and the second factor of authentication is hardware. So again, it really depends on the value that you put behind it.
Conor Bronsdon 46:55 Charles, I really appreciate you bearing with me, because I know I've given you some very broad questions that you have answered extremely well. And I have to credit you. I had quite a few more specific ones in the talk track that we kind of talked through for the episode. But because you have brought up so many interesting, wide-ranging concepts, I think we have this fascinating thought piece that has kind of formed within this around what the agentic economy looks like. You know, will it be on new payment rails? I think we both think probably yes, at least over time. And what will that structure look like? Because it's pretty clear to anyone who is dealing with AI and security today that yes, you can now patch vulnerabilities and catch them. But if a Mythos-like model or something stronger gets out into the wild and begins to go after folks, defenders are simply going to be overwhelmed. You can spin up more attackers, you can now find vulnerabilities that you wouldn't otherwise be able to find. You can now chain them together in ways that give you access you shouldn't be able to have. And there is simply a larger attack surface growing than any team can watch for right now. There's a problem to be solved here.
Charles Guillemet 48:09 And the asymmetry I was talking about earlier doesn't exist anymore, because the counter, you know, could be, oh yes, attackers have LLMs, but defense does as well. Yeah, but that means there is no asymmetry anymore. That means there is symmetry. And this symmetry is not to the advantage of the defense, because the attacker only has to find one vulnerability while the defense needs to be 100% secure. It's very asymmetric to the advantage of the attacker. So this is really the new reality.
Conor Bronsdon 48:44 Yeah, especially with the proliferation of deepfakes, whether it's voice, video or text, there's just a scale and quality to that that is making traditional verification approaches unreliable. Even if you have multi-factor authentication already, how long is that going to hold up in the face of the ever-expanding attack capacity? It's going to be a really interesting thing to watch, but it's also potentially very dangerous for us from a financial standpoint. We've talked a little bit on this show, not a ton, about the concept of scams for folks. It's very easy for someone to clone my voice, especially because there are so many podcast hours of me out there now. They can easily clone my voice. They can call my grandmother or my bank. They can use that. And the validation systems that we are trying to use to catch up to that are struggling. I'll also say, I invested in a great startup, Scam.ai, that's doing great work here. I mean, there's just so much out there. It's hard to stay on top of it. And I love that you are taking this unique and interesting approach to how to solve it. Charles, thank you so much for joining us today. It's been fantastic having this conversation. I'm hoping our listeners are going to get a ton of value and interest out of this. What are some closing thoughts you want to share with the audience about how they should be thinking about the new agentic economy and how to stay safe in it?
Charles Guillemet 50:04 It's a difficult one to conclude. So we said plenty of worrying things. I strongly think that we are entering into a difficult era where we will have a wave of security issues. I strongly think that it's going to be difficult, at least for the coming months and years. So that means that every company needs to raise the bar for security, and not only companies but also individuals. Unfortunately, we're going to have to get better at security. Stop using the name of your cat as your main password for every single service that you are using. Use hardware as the second factor of authentication when possible, and so on. I cannot say it enough. But on a more positive note, because everyone is seeing the threat in AI: for me, AI is the most fascinating technology that we've seen in my whole life. It's really exciting what is possible with AI. There are plenty of opportunities. All the progress that we made in research in only a few months with the last frontier models is already amazing. So I'm really excited to see what kind of innovation we will do with AI in the near future. So I'm really more excited by the opportunity that AI is providing than by the issues that come with it. And security is a big one, but let's see the positive side of things.
Conor Bronsdon 51:49 Love it. And I highly recommend folks who enjoyed this episode check out Ledger at ledger.com. And I would also recommend Charles' Twitter account. Charles has some really interesting content on there. He's rather popular, though he may not say it himself. And I believe that's at P3B7 underscore, if you want to find him on X. And listeners, if you enjoyed this one, you should maybe subscribe to our newsletter at newsletter.chinothought.show. There's a ton more great content from guests like Charles and maybe some interesting thought pieces around the agent economy and what's to come. Follow us there. And of course, like, subscribe, rate and review across every platform. We appreciate you so much. Charles, thank you so much for joining us. It's been fantastic having this conversation, and I really appreciate it.
Charles Guillemet 52:34 Thank you for having me.