Tested In Production

Authorized agents don’t always act alone. Newton’s architecture permits AI agents sourced from the Model Registry to execute trades under user defined policy constraints enforced at the pretransaction layer, but the documented enforcement model assumes a clean one-to-one relationship between a single authorized agent and a single policy scope, meaning the circuit evaluates one agent’s proposed trade against one finalized constraint set and generates one proof for that isolated interaction. What happens when an authorized agent programmatically delegates a subtask to a secondary agent model, either another registry entry or an externally called model endpoint, is where the policy inheritance logic gets quiet in a way that makes me uncomfortable. The child agent executing a subtask didn’t get its own Keystore authorization, but it’s generating real transactions under the parent’s permission umbrella.


Here’s the technical failure path I keep reconstructing. Parent agent clears policy enforcement, generates a valid ZK proof for its authorized scope, and begins executing its strategy, part of which involves routing a specialized subtask to a secondary model that handles a specific market condition the parent wasn’t optimized for. That secondary model’s transaction submissions inherit the parent’s active authorization because the Keystore doesn’t see a new principal requesting permissions, it sees the same authorized session continuing to execute. But the secondary model’s risk parameters, position sizing logic, and exit conditions weren’t what the user evaluated when they set the parent’s policy constraints. And the policy circuit can’t distinguish between the parent’s native execution and a delegated subtask it has no direct visibility into.


My cynical read, and I’ve audited enough multi-agent pipelines to know this pattern gets skipped in early documentation. This isn’t a theoretical edge case, it’s a standard operational pattern in any sufficiently capable agent system where task decomposition is a feature rather than an exception, and the Newton Model Registry is explicitly designed to host a diverse ecosystem of specialized models that capable agents will naturally want to compose. I want Newton to publish explicit documentation on whether policy enforcement scope travels with the authorization session or with the specific model instance that was evaluated at constraint setup time, what the defined behavior is when a parent agent routes execution through a secondary model endpoint not covered by the original Keystore authorization, and whether the TEE can detect cross-model delegation chains at the proof generation stage. Until that’s answered in technical writing rather than marketing language, every composable multi-model strategy running under Newton’s policy enforcement has a constraint boundary that ends exactly where agent collaboration begins.

$NEWT

@NewtonProtocol $NEWT #Newt