Ledger has released an open-source toolkit called Agent Stack that requires human approval on hardware wallets for risky AI-driven blockchain transactions. Announced on July 16, 2026, the framework ensures that while AI agents can propose and prepare transactions, any action falling outside predefined policies must be physically confirmed on a Ledger device. Early adopters include MoonPay and Shisa.ai, and the toolkit was battle-tested during a build sprint involving 50 submissions from 38 universities across eight countries.
How Hardware-Gated Agents Work
The core principle is simple: the agent assembles a transaction plan, checks it against a user-defined policy, and if the action is within safe bounds, it queues the transaction for signing. For high-risk or out-of-policy actions—such as interacting with unknown contracts, large value transfers, or bridging to unapproved chains—the user must review the transaction details on a Ledger hardware wallet's trusted display and physically confirm it. Ledger sums up the approach as "Agents propose. Humans sign. Hardware enforces." This prevents attacks where a compromised frontend or agent tricks the user into signing malicious payloads.
Open-Source Release and Early Integrations
Ledger publicly released Agent Stack as an open-source toolkit on July 16, 2026, designed to work with existing Ledger hardware devices. The toolkit includes components like DMK and Wallet CLI, which were tested during the N3XT Build & Show event in June, where participants from 38 universities across eight countries produced 46 public repositories. MoonPay and Shisa.ai have already integrated or expressed support for the stack, signaling real-world adoption.
Defining Policies for Safe Automation
Not every transaction requires manual approval. Users can define a policy that sets a safe envelope—for example, an allowlist of trusted contracts, per-transaction value caps, and daily aggregate limits. Actions outside that envelope trigger a hardware review. Common out-of-policy triggers include unknown contract addresses, large transfers, unlimited allowances, chain switching to unapproved networks, contract deployments, and interactions with recently changed bytecode. The device displays the actual payload, including asset, amount, destination, and method, allowing the user to make an informed decision.
Developer Setup and Best Practices
Developers can integrate Agent Stack without overhauling their entire application. The recommended setup includes choosing an agent runtime (rule-based or LLM-assisted), defining policies as code, routing all signing through the Ledger device via the Wallet CLI or SDK, building a review screen that mirrors the device display, logging all actions, and failing closed if policy evaluation fails or the device disconnects. Ledger advises starting with a conservative policy—more reviews early on—and relaxing it later based on log analysis.
Comparison with Other Custody Models
Agent Stack offers a middle ground between giving agents full key access and relying on custodial APIs. In the "agent holds keys" model, the agent runs with a hot wallet, risking key exfiltration and unlimited spend. In the "custodial API" model, a third party enforces rules server-side, introducing vendor lock-in and limited method coverage. Hardware-gated agents combine the flexibility of AI-driven automation with the security of self-custody, though they require careful policy design and device hygiene to avoid alert fatigue or UX friction.