Tricia Wang on What Autonomous AI Actually Needs

As businesses race to deploy AI agents that can plan, act and execute tasks with minimal human input, a quieter question is starting to shape the next phase of the industry: what do agentic systems actually need in order to work reliably in the real world?

For Tricia Wang of the Advanced AI Society, the answer comes down to two requirements that sound simple, but quickly become complex once you try to build them at scale.

“Autonomous systems need to be provable and controllable,” Wang said.

It’s a statement that cuts through the noise around AI automation. The past year has been filled with demos of agents booking meetings, writing code, answering customers, analysing documents and connecting tools together in increasingly fluid ways. Some systems can now trigger payments, move funds, deploy software updates, or manage inventory without a person touching the keyboard. The promise is clear: more speed, more output, fewer bottlenecks.

But Wang’s point is that none of that matters if the system can’t be trusted, verified, or governed in a way that holds up under pressure.

In practical terms, provability means being able to confirm what an agent did, why it did it, and whether it completed a task correctly. Control means being able to set boundaries, enforce privacy, and ensure the agent behaves within rules that can be audited and maintained.

Wang framed the issue as one of evidence, not optimism.

“We need proof that the work has been done as expected,” she said. “And that proof has to be tamperproof.”

That emphasis on proof reflects a growing tension in the AI space. The industry is moving quickly from AI as a “suggestion engine” to AI as an “execution layer”. A chatbot recommending a marketing tagline is one thing. An agent approving supplier invoices, rebalancing portfolios, or adjusting access permissions is something else entirely.

The more autonomy an agent has, the more it becomes part of operational infrastructure rather than a productivity add-on. And infrastructure has to be dependable.

For many organisations, the first wave of agent deployments has exposed an uncomfortable reality: AI systems can be impressive while still being hard to manage. Agents can fail silently. They can succeed in ways that are difficult to explain. They can perform tasks using tools and permissions that are poorly mapped. They can generate outputs that look plausible but are subtly wrong. They can also behave inconsistently across environments, especially when models, plugins, or cloud services change.

That’s where provability becomes a requirement rather than a bonus.

In a typical enterprise setting, a “provable” system would be one where an operator can trace an action back to a clear chain of events. If an agent sends an email to a client, the organisation needs to know which prompt or instruction triggered it, which data sources it referenced, and whether the message was reviewed by any safeguards. If an agent updates a database, there should be a verifiable record of what changed, when, and under which permissions.

Without that, accountability becomes blurry. And blurred accountability is exactly what regulated industries, security teams, and risk officers are trained to reject.

Tamperproof proof, as Wang describes it, is about confidence that records haven’t been altered after the fact. This matters because audit logs are only useful if they can be trusted. If an agent can rewrite its own history, or if logs can be edited without detection, the organisation has no reliable way to investigate incidents or demonstrate compliance.

This is not a hypothetical risk. As AI systems gain access to more tools, they also gain more ability to cover mistakes, whether intentionally or accidentally. Even in non-malicious scenarios, systems can overwrite files, remove data, or change settings in ways that leave little trace. That can make post-incident analysis frustrating at best and impossible at worst.

Wang’s second requirement, controllability, is equally important and arguably harder.

Control in agentic systems is not the same as control in traditional software. Conventional automation follows defined rules and predictable pathways. Agents, by design, are meant to reason, plan, and adapt. They often operate in open-ended environments, with multiple tools available and multiple possible solutions.

That flexibility is powerful, but it creates a new category of governance challenge. Instead of asking “what does the software do?”, teams now have to ask “what could the agent do, given the tools and permissions it has?”

This is why privacy and portability have become central to the discussion. Wang argued that autonomy depends on provable control over both, particularly in complex environments where organisations rely on multiple vendors and multiple cloud platforms.

“For agents to be autonomous (and trusted) their needs to be provable control over privacy and portability (multi-vendor, multi-cloud),” she said.

In a multi-cloud reality, businesses might run customer data in one environment, analytics in another, and internal tools in a third. They may rely on different AI model providers for different tasks, or mix proprietary models with open-source ones. They may also work with external partners, contractors, and platforms that sit outside their direct control.

In that context, portability is not a technical preference, it’s a resilience requirement. If an agent is tightly locked into one vendor’s ecosystem, the organisation becomes dependent on that vendor’s policies, pricing, reliability, and roadmap. It also becomes harder to switch providers if a model changes behaviour, if costs spike, or if new regulatory demands emerge.

Portability is also about continuity. Organisations want to be able to move workloads, replicate workflows, and maintain operational standards across environments. If agentic systems are going to become a foundational layer for work, they need to travel with the business rather than tie the business to one platform.

Privacy, meanwhile, is about preventing agents from becoming uncontrolled data pipelines.

Agents often need access to sensitive information to be useful. They may read internal documents, customer records, financial reports, HR systems, or engineering repositories. If privacy controls are weak, agents can accidentally leak information, store it in places it shouldn’t be stored, or share it with tools that are not approved.

Even when AI providers promise not to train on customer data, the question becomes: can the organisation prove what data was accessed, where it went, and whether it was retained?

That’s where provable privacy becomes essential. It’s not enough to say “we think the agent behaved”. Organisations increasingly need to demonstrate it.

This shift is also changing what “trust” means in AI. Trust is no longer about whether a model sounds confident or produces fluent language. Trust becomes operational: can you verify outcomes, enforce boundaries, and audit actions?

It’s a move away from personality and towards governance.

There is also a practical reason why these requirements are gaining attention now. Agentic systems are moving into higher stakes areas faster than many expected. Customer service agents are being given authority to issue refunds. Finance agents are being asked to reconcile transactions. DevOps agents are being used to deploy patches. Security teams are experimenting with agents that can triage alerts and take action.

Each of these use cases has a different risk profile, but they share the same basic need: reliable evidence and enforceable control.

The absence of provability and controllability also creates a scaling problem. Early agent deployments often work because they are small, supervised, and run by teams that understand the system intimately. But as soon as agents are rolled out across departments, regions, or thousands of employees, supervision becomes harder.

A system that depends on constant human checking is not autonomous. It’s assisted automation. True autonomy requires guardrails that can operate continuously, even when humans are not watching.

Wang’s focus on tamperproof proof suggests a future where agent actions are recorded in ways that can be independently verified. That could include cryptographic techniques, immutable logs, or infrastructure designed to make alterations detectable. The exact technical approach will vary, but the direction is clear: organisations will demand stronger evidence than “the model said it did it”.

The implications extend beyond enterprise settings as well. Consumers are beginning to interact with agents that manage personal calendars, email, shopping, travel, and finances. If these agents are going to make decisions on a user’s behalf, the user needs transparency into what happened and why.

A travel agent that rebooks a flight without explanation might save time, but it can also create stress if it makes the wrong call. A personal finance agent that moves money between accounts might be helpful, but it can also cause panic if the user can’t trace the logic. Trust breaks quickly when actions can’t be explained or reversed.

That’s why controllability matters at the individual level too. People want autonomy from their tools, not autonomy of their tools.

Wang’s comments also land at a moment when public conversations around AI safety are shifting from broad fears to concrete controls. Instead of debating whether AI might one day become dangerous in theory, teams are dealing with immediate, operational issues: data leakage, model drift, vendor dependency, and audit gaps.

Provability and controllability provide a useful framework because they can be tested. They can be measured. They can be built into procurement requirements, security reviews, and product roadmaps.

For developers and AI product teams, the message is clear. Building agents that can do impressive tasks is no longer the only goal. The next competitive advantage may come from building agents that can prove what they did, prove they followed rules, and prove they protected data.

For organisations evaluating agentic systems, Wang’s perspective offers a simple filter: if an agent can’t be audited, it can’t be trusted. If it can’t be controlled, it can’t be deployed widely.

That doesn’t mean autonomy is out of reach. It means autonomy comes with obligations. As agents move from experiments to infrastructure, the standards they must meet will look less like consumer apps and more like critical systems.

Wang’s statement, then, reads less like a prediction and more like a design requirement for the next era of AI.

Autonomous systems will earn trust the same way every other dependable system does: by producing proof, resisting tampering, and operating within boundaries that can be enforced across platforms.

The age of agents is arriving quickly. The question is whether the controls will arrive quickly enough to keep up.

Dear Reader,

Ledger Life is an independent platform dedicated to covering the Internet Computer (ICP) ecosystem and beyond. We focus on real stories, builder updates, project launches, and the quiet innovations that often get missed.

We’re not backed by sponsors. We rely on readers like you.

If you find value in what we publish—whether it’s deep dives into dApps, explainers on decentralised tech, or just keeping track of what’s moving in Web3—please consider making a donation. It helps us cover costs, stay consistent, and remain truly independent.

Your support goes a long way.

🧠 ICP Principal: ins6i-d53ug-zxmgh-qvum3-r3pvl-ufcvu-bdyon-ovzdy-d26k3-lgq2v-3qe

🧾 ICP Address: f8deb966878f8b83204b251d5d799e0345ea72b8e62e8cf9da8d8830e1b3b05f

🪙 BTC Wallet: bc1pp5kuez9r2atdmrp4jmu6fxersny4uhnaxyrxau4dg7365je8sy2q9zff6p

Every contribution helps keep the lights on, the stories flowing, and the crypto clutter out.

Thank you for reading, sharing, and being part of this experiment in decentralised media.
—Team Ledger Life

As businesses race to deploy AI agents that can plan, act and execute tasks with minimal human input, a quieter question is starting to shape the next phase of the industry: what do agentic systems actually need in order to work reliably in the real world?

For Tricia Wang of the Advanced AI Society, the answer comes down to two requirements that sound simple, but quickly become complex once you try to build them at scale.

“Autonomous systems need to be provable and controllable,” Wang said.

It’s a statement that cuts through the noise around AI automation. The past year has been filled with demos of agents booking meetings, writing code, answering customers, analysing documents and connecting tools together in increasingly fluid ways. Some systems can now trigger payments, move funds, deploy software updates, or manage inventory without a person touching the keyboard. The promise is clear: more speed, more output, fewer bottlenecks.

But Wang’s point is that none of that matters if the system can’t be trusted, verified, or governed in a way that holds up under pressure.

In practical terms, provability means being able to confirm what an agent did, why it did it, and whether it completed a task correctly. Control means being able to set boundaries, enforce privacy, and ensure the agent behaves within rules that can be audited and maintained.

Wang framed the issue as one of evidence, not optimism.

“We need proof that the work has been done as expected,” she said. “And that proof has to be tamperproof.”

That emphasis on proof reflects a growing tension in the AI space. The industry is moving quickly from AI as a “suggestion engine” to AI as an “execution layer”. A chatbot recommending a marketing tagline is one thing. An agent approving supplier invoices, rebalancing portfolios, or adjusting access permissions is something else entirely.

The more autonomy an agent has, the more it becomes part of operational infrastructure rather than a productivity add-on. And infrastructure has to be dependable.

For many organisations, the first wave of agent deployments has exposed an uncomfortable reality: AI systems can be impressive while still being hard to manage. Agents can fail silently. They can succeed in ways that are difficult to explain. They can perform tasks using tools and permissions that are poorly mapped. They can generate outputs that look plausible but are subtly wrong. They can also behave inconsistently across environments, especially when models, plugins, or cloud services change.

That’s where provability becomes a requirement rather than a bonus.

In a typical enterprise setting, a “provable” system would be one where an operator can trace an action back to a clear chain of events. If an agent sends an email to a client, the organisation needs to know which prompt or instruction triggered it, which data sources it referenced, and whether the message was reviewed by any safeguards. If an agent updates a database, there should be a verifiable record of what changed, when, and under which permissions.

Without that, accountability becomes blurry. And blurred accountability is exactly what regulated industries, security teams, and risk officers are trained to reject.

Tamperproof proof, as Wang describes it, is about confidence that records haven’t been altered after the fact. This matters because audit logs are only useful if they can be trusted. If an agent can rewrite its own history, or if logs can be edited without detection, the organisation has no reliable way to investigate incidents or demonstrate compliance.

This is not a hypothetical risk. As AI systems gain access to more tools, they also gain more ability to cover mistakes, whether intentionally or accidentally. Even in non-malicious scenarios, systems can overwrite files, remove data, or change settings in ways that leave little trace. That can make post-incident analysis frustrating at best and impossible at worst.

Wang’s second requirement, controllability, is equally important and arguably harder.

Control in agentic systems is not the same as control in traditional software. Conventional automation follows defined rules and predictable pathways. Agents, by design, are meant to reason, plan, and adapt. They often operate in open-ended environments, with multiple tools available and multiple possible solutions.

That flexibility is powerful, but it creates a new category of governance challenge. Instead of asking “what does the software do?”, teams now have to ask “what could the agent do, given the tools and permissions it has?”

This is why privacy and portability have become central to the discussion. Wang argued that autonomy depends on provable control over both, particularly in complex environments where organisations rely on multiple vendors and multiple cloud platforms.

“For agents to be autonomous (and trusted) their needs to be provable control over privacy and portability (multi-vendor, multi-cloud),” she said.

In a multi-cloud reality, businesses might run customer data in one environment, analytics in another, and internal tools in a third. They may rely on different AI model providers for different tasks, or mix proprietary models with open-source ones. They may also work with external partners, contractors, and platforms that sit outside their direct control.

In that context, portability is not a technical preference, it’s a resilience requirement. If an agent is tightly locked into one vendor’s ecosystem, the organisation becomes dependent on that vendor’s policies, pricing, reliability, and roadmap. It also becomes harder to switch providers if a model changes behaviour, if costs spike, or if new regulatory demands emerge.

Portability is also about continuity. Organisations want to be able to move workloads, replicate workflows, and maintain operational standards across environments. If agentic systems are going to become a foundational layer for work, they need to travel with the business rather than tie the business to one platform.

Privacy, meanwhile, is about preventing agents from becoming uncontrolled data pipelines.

Agents often need access to sensitive information to be useful. They may read internal documents, customer records, financial reports, HR systems, or engineering repositories. If privacy controls are weak, agents can accidentally leak information, store it in places it shouldn’t be stored, or share it with tools that are not approved.

Even when AI providers promise not to train on customer data, the question becomes: can the organisation prove what data was accessed, where it went, and whether it was retained?

That’s where provable privacy becomes essential. It’s not enough to say “we think the agent behaved”. Organisations increasingly need to demonstrate it.

This shift is also changing what “trust” means in AI. Trust is no longer about whether a model sounds confident or produces fluent language. Trust becomes operational: can you verify outcomes, enforce boundaries, and audit actions?

It’s a move away from personality and towards governance.

There is also a practical reason why these requirements are gaining attention now. Agentic systems are moving into higher stakes areas faster than many expected. Customer service agents are being given authority to issue refunds. Finance agents are being asked to reconcile transactions. DevOps agents are being used to deploy patches. Security teams are experimenting with agents that can triage alerts and take action.

Each of these use cases has a different risk profile, but they share the same basic need: reliable evidence and enforceable control.

The absence of provability and controllability also creates a scaling problem. Early agent deployments often work because they are small, supervised, and run by teams that understand the system intimately. But as soon as agents are rolled out across departments, regions, or thousands of employees, supervision becomes harder.

A system that depends on constant human checking is not autonomous. It’s assisted automation. True autonomy requires guardrails that can operate continuously, even when humans are not watching.

Wang’s focus on tamperproof proof suggests a future where agent actions are recorded in ways that can be independently verified. That could include cryptographic techniques, immutable logs, or infrastructure designed to make alterations detectable. The exact technical approach will vary, but the direction is clear: organisations will demand stronger evidence than “the model said it did it”.

The implications extend beyond enterprise settings as well. Consumers are beginning to interact with agents that manage personal calendars, email, shopping, travel, and finances. If these agents are going to make decisions on a user’s behalf, the user needs transparency into what happened and why.

A travel agent that rebooks a flight without explanation might save time, but it can also create stress if it makes the wrong call. A personal finance agent that moves money between accounts might be helpful, but it can also cause panic if the user can’t trace the logic. Trust breaks quickly when actions can’t be explained or reversed.

That’s why controllability matters at the individual level too. People want autonomy from their tools, not autonomy of their tools.

Wang’s comments also land at a moment when public conversations around AI safety are shifting from broad fears to concrete controls. Instead of debating whether AI might one day become dangerous in theory, teams are dealing with immediate, operational issues: data leakage, model drift, vendor dependency, and audit gaps.

Provability and controllability provide a useful framework because they can be tested. They can be measured. They can be built into procurement requirements, security reviews, and product roadmaps.

For developers and AI product teams, the message is clear. Building agents that can do impressive tasks is no longer the only goal. The next competitive advantage may come from building agents that can prove what they did, prove they followed rules, and prove they protected data.

For organisations evaluating agentic systems, Wang’s perspective offers a simple filter: if an agent can’t be audited, it can’t be trusted. If it can’t be controlled, it can’t be deployed widely.

That doesn’t mean autonomy is out of reach. It means autonomy comes with obligations. As agents move from experiments to infrastructure, the standards they must meet will look less like consumer apps and more like critical systems.

Wang’s statement, then, reads less like a prediction and more like a design requirement for the next era of AI.

Autonomous systems will earn trust the same way every other dependable system does: by producing proof, resisting tampering, and operating within boundaries that can be enforced across platforms.

The age of agents is arriving quickly. The question is whether the controls will arrive quickly enough to keep up.

Dear Reader,

Ledger Life is an independent platform dedicated to covering the Internet Computer (ICP) ecosystem and beyond. We focus on real stories, builder updates, project launches, and the quiet innovations that often get missed.

We’re not backed by sponsors. We rely on readers like you.

If you find value in what we publish—whether it’s deep dives into dApps, explainers on decentralised tech, or just keeping track of what’s moving in Web3—please consider making a donation. It helps us cover costs, stay consistent, and remain truly independent.

Your support goes a long way.

🧠 ICP Principal: ins6i-d53ug-zxmgh-qvum3-r3pvl-ufcvu-bdyon-ovzdy-d26k3-lgq2v-3qe

🧾 ICP Address: f8deb966878f8b83204b251d5d799e0345ea72b8e62e8cf9da8d8830e1b3b05f

🪙 BTC Wallet: bc1pp5kuez9r2atdmrp4jmu6fxersny4uhnaxyrxau4dg7365je8sy2q9zff6p

Every contribution helps keep the lights on, the stories flowing, and the crypto clutter out.

Thank you for reading, sharing, and being part of this experiment in decentralised media.
—Team Ledger Life

As businesses race to deploy AI agents that can plan, act and execute tasks with minimal human input, a quieter question is starting to shape the next phase of the industry: what do agentic systems actually need in order to work reliably in the real world?

For Tricia Wang of the Advanced AI Society, the answer comes down to two requirements that sound simple, but quickly become complex once you try to build them at scale.

“Autonomous systems need to be provable and controllable,” Wang said.

It’s a statement that cuts through the noise around AI automation. The past year has been filled with demos of agents booking meetings, writing code, answering customers, analysing documents and connecting tools together in increasingly fluid ways. Some systems can now trigger payments, move funds, deploy software updates, or manage inventory without a person touching the keyboard. The promise is clear: more speed, more output, fewer bottlenecks.

But Wang’s point is that none of that matters if the system can’t be trusted, verified, or governed in a way that holds up under pressure.

In practical terms, provability means being able to confirm what an agent did, why it did it, and whether it completed a task correctly. Control means being able to set boundaries, enforce privacy, and ensure the agent behaves within rules that can be audited and maintained.

Wang framed the issue as one of evidence, not optimism.

“We need proof that the work has been done as expected,” she said. “And that proof has to be tamperproof.”

That emphasis on proof reflects a growing tension in the AI space. The industry is moving quickly from AI as a “suggestion engine” to AI as an “execution layer”. A chatbot recommending a marketing tagline is one thing. An agent approving supplier invoices, rebalancing portfolios, or adjusting access permissions is something else entirely.

The more autonomy an agent has, the more it becomes part of operational infrastructure rather than a productivity add-on. And infrastructure has to be dependable.

For many organisations, the first wave of agent deployments has exposed an uncomfortable reality: AI systems can be impressive while still being hard to manage. Agents can fail silently. They can succeed in ways that are difficult to explain. They can perform tasks using tools and permissions that are poorly mapped. They can generate outputs that look plausible but are subtly wrong. They can also behave inconsistently across environments, especially when models, plugins, or cloud services change.

That’s where provability becomes a requirement rather than a bonus.

In a typical enterprise setting, a “provable” system would be one where an operator can trace an action back to a clear chain of events. If an agent sends an email to a client, the organisation needs to know which prompt or instruction triggered it, which data sources it referenced, and whether the message was reviewed by any safeguards. If an agent updates a database, there should be a verifiable record of what changed, when, and under which permissions.

Without that, accountability becomes blurry. And blurred accountability is exactly what regulated industries, security teams, and risk officers are trained to reject.

Tamperproof proof, as Wang describes it, is about confidence that records haven’t been altered after the fact. This matters because audit logs are only useful if they can be trusted. If an agent can rewrite its own history, or if logs can be edited without detection, the organisation has no reliable way to investigate incidents or demonstrate compliance.

This is not a hypothetical risk. As AI systems gain access to more tools, they also gain more ability to cover mistakes, whether intentionally or accidentally. Even in non-malicious scenarios, systems can overwrite files, remove data, or change settings in ways that leave little trace. That can make post-incident analysis frustrating at best and impossible at worst.

Wang’s second requirement, controllability, is equally important and arguably harder.

Control in agentic systems is not the same as control in traditional software. Conventional automation follows defined rules and predictable pathways. Agents, by design, are meant to reason, plan, and adapt. They often operate in open-ended environments, with multiple tools available and multiple possible solutions.

That flexibility is powerful, but it creates a new category of governance challenge. Instead of asking “what does the software do?”, teams now have to ask “what could the agent do, given the tools and permissions it has?”

This is why privacy and portability have become central to the discussion. Wang argued that autonomy depends on provable control over both, particularly in complex environments where organisations rely on multiple vendors and multiple cloud platforms.

“For agents to be autonomous (and trusted) their needs to be provable control over privacy and portability (multi-vendor, multi-cloud),” she said.

In a multi-cloud reality, businesses might run customer data in one environment, analytics in another, and internal tools in a third. They may rely on different AI model providers for different tasks, or mix proprietary models with open-source ones. They may also work with external partners, contractors, and platforms that sit outside their direct control.

In that context, portability is not a technical preference, it’s a resilience requirement. If an agent is tightly locked into one vendor’s ecosystem, the organisation becomes dependent on that vendor’s policies, pricing, reliability, and roadmap. It also becomes harder to switch providers if a model changes behaviour, if costs spike, or if new regulatory demands emerge.

Portability is also about continuity. Organisations want to be able to move workloads, replicate workflows, and maintain operational standards across environments. If agentic systems are going to become a foundational layer for work, they need to travel with the business rather than tie the business to one platform.

Privacy, meanwhile, is about preventing agents from becoming uncontrolled data pipelines.

Agents often need access to sensitive information to be useful. They may read internal documents, customer records, financial reports, HR systems, or engineering repositories. If privacy controls are weak, agents can accidentally leak information, store it in places it shouldn’t be stored, or share it with tools that are not approved.

Even when AI providers promise not to train on customer data, the question becomes: can the organisation prove what data was accessed, where it went, and whether it was retained?

That’s where provable privacy becomes essential. It’s not enough to say “we think the agent behaved”. Organisations increasingly need to demonstrate it.

This shift is also changing what “trust” means in AI. Trust is no longer about whether a model sounds confident or produces fluent language. Trust becomes operational: can you verify outcomes, enforce boundaries, and audit actions?

It’s a move away from personality and towards governance.

There is also a practical reason why these requirements are gaining attention now. Agentic systems are moving into higher stakes areas faster than many expected. Customer service agents are being given authority to issue refunds. Finance agents are being asked to reconcile transactions. DevOps agents are being used to deploy patches. Security teams are experimenting with agents that can triage alerts and take action.

Each of these use cases has a different risk profile, but they share the same basic need: reliable evidence and enforceable control.

The absence of provability and controllability also creates a scaling problem. Early agent deployments often work because they are small, supervised, and run by teams that understand the system intimately. But as soon as agents are rolled out across departments, regions, or thousands of employees, supervision becomes harder.

A system that depends on constant human checking is not autonomous. It’s assisted automation. True autonomy requires guardrails that can operate continuously, even when humans are not watching.

Wang’s focus on tamperproof proof suggests a future where agent actions are recorded in ways that can be independently verified. That could include cryptographic techniques, immutable logs, or infrastructure designed to make alterations detectable. The exact technical approach will vary, but the direction is clear: organisations will demand stronger evidence than “the model said it did it”.

The implications extend beyond enterprise settings as well. Consumers are beginning to interact with agents that manage personal calendars, email, shopping, travel, and finances. If these agents are going to make decisions on a user’s behalf, the user needs transparency into what happened and why.

A travel agent that rebooks a flight without explanation might save time, but it can also create stress if it makes the wrong call. A personal finance agent that moves money between accounts might be helpful, but it can also cause panic if the user can’t trace the logic. Trust breaks quickly when actions can’t be explained or reversed.

That’s why controllability matters at the individual level too. People want autonomy from their tools, not autonomy of their tools.

Wang’s comments also land at a moment when public conversations around AI safety are shifting from broad fears to concrete controls. Instead of debating whether AI might one day become dangerous in theory, teams are dealing with immediate, operational issues: data leakage, model drift, vendor dependency, and audit gaps.

Provability and controllability provide a useful framework because they can be tested. They can be measured. They can be built into procurement requirements, security reviews, and product roadmaps.

For developers and AI product teams, the message is clear. Building agents that can do impressive tasks is no longer the only goal. The next competitive advantage may come from building agents that can prove what they did, prove they followed rules, and prove they protected data.

For organisations evaluating agentic systems, Wang’s perspective offers a simple filter: if an agent can’t be audited, it can’t be trusted. If it can’t be controlled, it can’t be deployed widely.

That doesn’t mean autonomy is out of reach. It means autonomy comes with obligations. As agents move from experiments to infrastructure, the standards they must meet will look less like consumer apps and more like critical systems.

Wang’s statement, then, reads less like a prediction and more like a design requirement for the next era of AI.

Autonomous systems will earn trust the same way every other dependable system does: by producing proof, resisting tampering, and operating within boundaries that can be enforced across platforms.

The age of agents is arriving quickly. The question is whether the controls will arrive quickly enough to keep up.

Dear Reader,

Ledger Life is an independent platform dedicated to covering the Internet Computer (ICP) ecosystem and beyond. We focus on real stories, builder updates, project launches, and the quiet innovations that often get missed.

We’re not backed by sponsors. We rely on readers like you.

If you find value in what we publish—whether it’s deep dives into dApps, explainers on decentralised tech, or just keeping track of what’s moving in Web3—please consider making a donation. It helps us cover costs, stay consistent, and remain truly independent.

Your support goes a long way.

🧠 ICP Principal: ins6i-d53ug-zxmgh-qvum3-r3pvl-ufcvu-bdyon-ovzdy-d26k3-lgq2v-3qe

🧾 ICP Address: f8deb966878f8b83204b251d5d799e0345ea72b8e62e8cf9da8d8830e1b3b05f

🪙 BTC Wallet: bc1pp5kuez9r2atdmrp4jmu6fxersny4uhnaxyrxau4dg7365je8sy2q9zff6p

Every contribution helps keep the lights on, the stories flowing, and the crypto clutter out.

Thank you for reading, sharing, and being part of this experiment in decentralised media.
—Team Ledger Life

As businesses race to deploy AI agents that can plan, act and execute tasks with minimal human input, a quieter question is starting to shape the next phase of the industry: what do agentic systems actually need in order to work reliably in the real world?

For Tricia Wang of the Advanced AI Society, the answer comes down to two requirements that sound simple, but quickly become complex once you try to build them at scale.

“Autonomous systems need to be provable and controllable,” Wang said.

It’s a statement that cuts through the noise around AI automation. The past year has been filled with demos of agents booking meetings, writing code, answering customers, analysing documents and connecting tools together in increasingly fluid ways. Some systems can now trigger payments, move funds, deploy software updates, or manage inventory without a person touching the keyboard. The promise is clear: more speed, more output, fewer bottlenecks.

But Wang’s point is that none of that matters if the system can’t be trusted, verified, or governed in a way that holds up under pressure.

In practical terms, provability means being able to confirm what an agent did, why it did it, and whether it completed a task correctly. Control means being able to set boundaries, enforce privacy, and ensure the agent behaves within rules that can be audited and maintained.

Wang framed the issue as one of evidence, not optimism.

“We need proof that the work has been done as expected,” she said. “And that proof has to be tamperproof.”

That emphasis on proof reflects a growing tension in the AI space. The industry is moving quickly from AI as a “suggestion engine” to AI as an “execution layer”. A chatbot recommending a marketing tagline is one thing. An agent approving supplier invoices, rebalancing portfolios, or adjusting access permissions is something else entirely.

The more autonomy an agent has, the more it becomes part of operational infrastructure rather than a productivity add-on. And infrastructure has to be dependable.

For many organisations, the first wave of agent deployments has exposed an uncomfortable reality: AI systems can be impressive while still being hard to manage. Agents can fail silently. They can succeed in ways that are difficult to explain. They can perform tasks using tools and permissions that are poorly mapped. They can generate outputs that look plausible but are subtly wrong. They can also behave inconsistently across environments, especially when models, plugins, or cloud services change.

That’s where provability becomes a requirement rather than a bonus.

In a typical enterprise setting, a “provable” system would be one where an operator can trace an action back to a clear chain of events. If an agent sends an email to a client, the organisation needs to know which prompt or instruction triggered it, which data sources it referenced, and whether the message was reviewed by any safeguards. If an agent updates a database, there should be a verifiable record of what changed, when, and under which permissions.

Without that, accountability becomes blurry. And blurred accountability is exactly what regulated industries, security teams, and risk officers are trained to reject.

Tamperproof proof, as Wang describes it, is about confidence that records haven’t been altered after the fact. This matters because audit logs are only useful if they can be trusted. If an agent can rewrite its own history, or if logs can be edited without detection, the organisation has no reliable way to investigate incidents or demonstrate compliance.

This is not a hypothetical risk. As AI systems gain access to more tools, they also gain more ability to cover mistakes, whether intentionally or accidentally. Even in non-malicious scenarios, systems can overwrite files, remove data, or change settings in ways that leave little trace. That can make post-incident analysis frustrating at best and impossible at worst.

Wang’s second requirement, controllability, is equally important and arguably harder.

Control in agentic systems is not the same as control in traditional software. Conventional automation follows defined rules and predictable pathways. Agents, by design, are meant to reason, plan, and adapt. They often operate in open-ended environments, with multiple tools available and multiple possible solutions.

That flexibility is powerful, but it creates a new category of governance challenge. Instead of asking “what does the software do?”, teams now have to ask “what could the agent do, given the tools and permissions it has?”

This is why privacy and portability have become central to the discussion. Wang argued that autonomy depends on provable control over both, particularly in complex environments where organisations rely on multiple vendors and multiple cloud platforms.

“For agents to be autonomous (and trusted) their needs to be provable control over privacy and portability (multi-vendor, multi-cloud),” she said.

In a multi-cloud reality, businesses might run customer data in one environment, analytics in another, and internal tools in a third. They may rely on different AI model providers for different tasks, or mix proprietary models with open-source ones. They may also work with external partners, contractors, and platforms that sit outside their direct control.

In that context, portability is not a technical preference, it’s a resilience requirement. If an agent is tightly locked into one vendor’s ecosystem, the organisation becomes dependent on that vendor’s policies, pricing, reliability, and roadmap. It also becomes harder to switch providers if a model changes behaviour, if costs spike, or if new regulatory demands emerge.

Portability is also about continuity. Organisations want to be able to move workloads, replicate workflows, and maintain operational standards across environments. If agentic systems are going to become a foundational layer for work, they need to travel with the business rather than tie the business to one platform.

Privacy, meanwhile, is about preventing agents from becoming uncontrolled data pipelines.

Agents often need access to sensitive information to be useful. They may read internal documents, customer records, financial reports, HR systems, or engineering repositories. If privacy controls are weak, agents can accidentally leak information, store it in places it shouldn’t be stored, or share it with tools that are not approved.

Even when AI providers promise not to train on customer data, the question becomes: can the organisation prove what data was accessed, where it went, and whether it was retained?

That’s where provable privacy becomes essential. It’s not enough to say “we think the agent behaved”. Organisations increasingly need to demonstrate it.

This shift is also changing what “trust” means in AI. Trust is no longer about whether a model sounds confident or produces fluent language. Trust becomes operational: can you verify outcomes, enforce boundaries, and audit actions?

It’s a move away from personality and towards governance.

There is also a practical reason why these requirements are gaining attention now. Agentic systems are moving into higher stakes areas faster than many expected. Customer service agents are being given authority to issue refunds. Finance agents are being asked to reconcile transactions. DevOps agents are being used to deploy patches. Security teams are experimenting with agents that can triage alerts and take action.

Each of these use cases has a different risk profile, but they share the same basic need: reliable evidence and enforceable control.

The absence of provability and controllability also creates a scaling problem. Early agent deployments often work because they are small, supervised, and run by teams that understand the system intimately. But as soon as agents are rolled out across departments, regions, or thousands of employees, supervision becomes harder.

A system that depends on constant human checking is not autonomous. It’s assisted automation. True autonomy requires guardrails that can operate continuously, even when humans are not watching.

Wang’s focus on tamperproof proof suggests a future where agent actions are recorded in ways that can be independently verified. That could include cryptographic techniques, immutable logs, or infrastructure designed to make alterations detectable. The exact technical approach will vary, but the direction is clear: organisations will demand stronger evidence than “the model said it did it”.

The implications extend beyond enterprise settings as well. Consumers are beginning to interact with agents that manage personal calendars, email, shopping, travel, and finances. If these agents are going to make decisions on a user’s behalf, the user needs transparency into what happened and why.

A travel agent that rebooks a flight without explanation might save time, but it can also create stress if it makes the wrong call. A personal finance agent that moves money between accounts might be helpful, but it can also cause panic if the user can’t trace the logic. Trust breaks quickly when actions can’t be explained or reversed.

That’s why controllability matters at the individual level too. People want autonomy from their tools, not autonomy of their tools.

Wang’s comments also land at a moment when public conversations around AI safety are shifting from broad fears to concrete controls. Instead of debating whether AI might one day become dangerous in theory, teams are dealing with immediate, operational issues: data leakage, model drift, vendor dependency, and audit gaps.

Provability and controllability provide a useful framework because they can be tested. They can be measured. They can be built into procurement requirements, security reviews, and product roadmaps.

For developers and AI product teams, the message is clear. Building agents that can do impressive tasks is no longer the only goal. The next competitive advantage may come from building agents that can prove what they did, prove they followed rules, and prove they protected data.

For organisations evaluating agentic systems, Wang’s perspective offers a simple filter: if an agent can’t be audited, it can’t be trusted. If it can’t be controlled, it can’t be deployed widely.

That doesn’t mean autonomy is out of reach. It means autonomy comes with obligations. As agents move from experiments to infrastructure, the standards they must meet will look less like consumer apps and more like critical systems.

Wang’s statement, then, reads less like a prediction and more like a design requirement for the next era of AI.

Autonomous systems will earn trust the same way every other dependable system does: by producing proof, resisting tampering, and operating within boundaries that can be enforced across platforms.

The age of agents is arriving quickly. The question is whether the controls will arrive quickly enough to keep up.

Dear Reader,

Ledger Life is an independent platform dedicated to covering the Internet Computer (ICP) ecosystem and beyond. We focus on real stories, builder updates, project launches, and the quiet innovations that often get missed.

We’re not backed by sponsors. We rely on readers like you.

If you find value in what we publish—whether it’s deep dives into dApps, explainers on decentralised tech, or just keeping track of what’s moving in Web3—please consider making a donation. It helps us cover costs, stay consistent, and remain truly independent.

Your support goes a long way.

🧠 ICP Principal: ins6i-d53ug-zxmgh-qvum3-r3pvl-ufcvu-bdyon-ovzdy-d26k3-lgq2v-3qe

🧾 ICP Address: f8deb966878f8b83204b251d5d799e0345ea72b8e62e8cf9da8d8830e1b3b05f

🪙 BTC Wallet: bc1pp5kuez9r2atdmrp4jmu6fxersny4uhnaxyrxau4dg7365je8sy2q9zff6p

Every contribution helps keep the lights on, the stories flowing, and the crypto clutter out.

Thank you for reading, sharing, and being part of this experiment in decentralised media.
—Team Ledger Life