Only an Agent inside the boundary can enter settlement and the record.
The more an Agent can do, the harder its limits must be. Which outputs may only be drafted, which actions require a human in the loop, and which data never leaves its domain. The boundary does not restrain the work; it turns a model from an unaccountable black box into a defensible component. WCN draws the division of responsibility at the network layer, in writing.
The two instruments of the boundary
Every Agent carries two instruments. The capability manifest states the outer edge of what the Agent can do — its data domain, its tools, and its limits. The per-task contract grants a narrower scope for one task, inside that manifest. Beyond either, the Agent does not act.
What the Agent may do
What the Agent may not do
The rule is one line: an Agent never signs, never moves funds, and never makes a final commitment without an explicit human endorsement. The signature authority stays with the person.
The risk matrix
| Risk | How it shows | Control |
|---|---|---|
| Fabrication | Invented cases, wrong rules, wrong company names | Require a source; return "unknown" when unsure; rule-check key fields |
| Prompt injection | A malicious page or file induces a leak or an out-of-scope action | Isolate tools; sandbox untrusted content; require a human in the loop for outbound actions |
| Data leakage | Training or logs carry confidential data away | Classify data; redact logs; clear keys at retirement |
| Excess autonomy | An open loop runs up cost with no end | Set a per-task budget and a step limit; no task means no run |
| Unclear responsibility | After an error, no one knows who approved it | Keep the adoption record, the approval chain, and the model and prompt version |
Without the boundary, an Agent is not a stronger execution layer. It is a lever that amplifies a mistake — most of all in high-stakes statements and anything that touches funds.
The division of responsibility
A general assistant places verification on the end user. WCN serves multi-party attribution, so the boundary cannot rest on one user's care. It is written into the type policy and the task contract, where it can be enforced and reviewed.
WCN needs an Agent that can be explained, held accountable, and entered into PoB. "The model said so" is not the node saying so.
The line scoped automation holds
Across institutional practice, automation stops before the decision. A document system can parse at scale, while the credit decision stays with policy and human review. A risk platform can hold one consistent standard, while the manager keeps the investment responsibility. WCN follows the same principle: the Agent compresses friction; it does not replace signature authority.
A test for acceptance: if you remove the Agent, the business process is still lawful and can run — only slower. Then the boundary is about right. If removing the Agent breaks the loop, the human role has been eroded too far.