Only controlled Agents can enter the settlement and reputation system.
The stronger the capability, the more hard boundaries are needed: which outputs may only be drafted, which actions must go through a human in the loop (HITL), and which data must never leave the domain. The purpose of the boundary is not to restrict innovation but to turn the LLM from an "unaccountable black box" into a "defensible component". Unlike Copilot, which only recommends and leaves the user fully responsible, WCN must divide responsibilities explicitly at the network layer.
What the Agent can do (allowed set)
What the Agent cannot do (forbidden set)
Risk matrix (simplified)
| Risk | How it manifests | Control measures |
|---|---|---|
| Hallucination | Fabricated cases, wrong laws, wrong company names | Mandatory citations; output "unknown" when unsure; rule-based verification of key fields |
| Prompt injection | Malicious web pages or PDFs that induce leaks or unauthorized actions | Tool isolation; sandbox for untrusted content; HITL for outbound actions |
| Data leakage | Confidential data carried off through training data or logs | Data classification; log desensitization; key purge once the Agent is Retired |
| Excessive autonomy | AutoGPT-style infinite loops and runaway fees | Task-level budget and step limit; no task, no execution |
| Ambiguous responsibility | When something goes wrong, nobody knows who approved it | Adoption record + approval chain + model/prompt version number |
Without boundaries, AI is not a stronger execution layer but a lever that amplifies mistakes, especially in high-stakes copywriting and funding-related processes.
Demarcation of responsibilities versus Microsoft Copilot and general-purpose assistants
Copilot's general terms place the burden of verification on the user: the assistant recommends, the user checks. The WCN network side must also serve multi-party attribution, so the Agent boundary has to be written into type policies and task contracts rather than relying solely on end-user self-discipline.
What WCN needs is an Agent that is explainable, accountable, and admissible to PoB; "the model said so" cannot be treated as the node saying so.
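The following is an added illustration, not WCN's own code: it shows how the controls in the risk matrix and the "boundary written into type policies and task contracts" requirement from the paragraph above can be enforced by a runtime wrapper rather than left to end-user self-discipline. The contract fields, action names, the `AgentRuntime` class and the redaction pattern are all assumptions made for this example; WCN's real policy format is not on the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed pattern for log desensitization (assumption for this example): mask
# e-mail addresses and 16-digit card-like numbers before anything reaches the audit log.
_SENSITIVE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+|\b\d{16}\b")


def desensitize(text: str) -> str:
    """Return the text with sensitive fragments replaced so logs do not carry them off."""
    return _SENSITIVE.sub("[REDACTED]", text)


class ContractViolation(Exception):
    """Raised when a request falls outside the agent's task contract."""


@dataclass(frozen=True)
class TaskContract:
    """Hypothetical task contract: the allowed / HITL / forbidden sets plus hard limits."""
    task_id: str
    allowed: frozenset        # actions the agent may run on its own (draft, search, ...)
    hitl: frozenset           # outbound actions that need a named human approver
    forbidden: frozenset      # actions never available to this agent type
    no_egress: frozenset      # data classes that must never leave the domain
    max_steps: int            # step limit against AutoGPT-style loops
    budget_cents: int         # task-level spend cap
    model_version: str        # stamped on every record for accountability
    prompt_version: str


class AgentRuntime:
    """Wraps one agent in one TaskContract and keeps the adoption/approval record."""

    def __init__(self, contract: TaskContract):
        self.c = contract
        self.steps = 0
        self.spent = 0
        self.records: list = []

    def _record(self, action: str, payload: str, outcome: str, approver: Optional[str]) -> None:
        # Every decision, executed or denied, is recorded with who approved it and
        # which model/prompt version was in play, so responsibility is never ambiguous.
        self.records.append({
            "task": self.c.task_id, "action": action, "payload": desensitize(payload),
            "outcome": outcome, "approver": approver,
            "model": self.c.model_version, "prompt": self.c.prompt_version,
        })

    def _deny(self, action: str, payload: str, why: str, approver: Optional[str]) -> None:
        self._record(action, payload, "denied: " + why, approver)
        raise ContractViolation(why)

    def act(self, action: str, payload: str, cost_cents: int = 0,
            data_class: str = "internal", to_external: bool = False,
            approver: Optional[str] = None) -> str:
        # Excessive autonomy: step and budget limits are checked before anything else.
        if self.steps >= self.c.max_steps:
            self._deny(action, payload, "step limit", approver)
        if self.spent + cost_cents > self.c.budget_cents:
            self._deny(action, payload, "budget exceeded", approver)
        # Forbidden set, then anything not explicitly in the allowed or HITL set.
        if action in self.c.forbidden or action not in (self.c.allowed | self.c.hitl):
            self._deny(action, payload, "action not in contract", approver)
        # Data leakage: classified data never leaves the domain, approver or not.
        if to_external and data_class in self.c.no_egress:
            self._deny(action, payload, "egress of " + data_class, approver)
        # Outbound actions (the HITL set) wait for a named human; nothing runs meanwhile.
        if action in self.c.hitl and approver is None:
            self._record(action, payload, "pending: HITL", None)
            return "pending"
        self.steps += 1
        self.spent += cost_cents
        self._record(action, payload, "executed", approver)
        return "executed"

    def finalize(self, claims):
        """Hallucination control: a key claim without a citation becomes 'unknown'."""
        return [(text, src) if src else ("unknown", None) for text, src in claims]


if __name__ == "__main__":
    # Constructed contract for a drafting agent: it may draft and search on its own,
    # may send e-mail only with an approver, and may never move funds.
    contract = TaskContract("T-001", frozenset({"draft", "search"}), frozenset({"send_email"}),
                            frozenset({"transfer_funds"}), frozenset({"confidential"}),
                            max_steps=3, budget_cents=100, model_version="m-1", prompt_version="p-7")
    rt = AgentRuntime(contract)
    print(rt.act("draft", "first outline"))
    print(rt.act("send_email", "to alice@example.com"))
    print(rt.act("send_email", "to alice@example.com", approver="bob"))
    for r in rt.records:
        print(r)
```

The order of the checks matters: limits and the forbidden set are evaluated before the HITL branch, so a human approver cannot be used to push a forbidden action or a classified egress through, and a denied request still leaves a record naming the approver who attempted it.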
Lessons from TradFi: automation stops before the decision-making chain
COIN-type systems handle large volumes of document analysis, yet credit decisions remain subject to bank policy and human review; Aladdin emphasizes consistent risk definitions, yet portfolio managers still bear investment responsibility. WCN aligns with the same principle: **the Agent compresses friction and does not replace signing authority.**
A one-sentence product acceptance test: if you remove the Agent and the business process is still valid and can still run, only more slowly, the boundary is roughly right. If the process can no longer close the loop once the Agent is removed, the human link has been eroded too far.