№ 07·0407 · AI Agent System3 min read · Section 4 of 5

7.4 The governance boundary

The capability manifest, the per-task contract, the PoB record, and the rule that an Agent never signs, never moves funds, and never commits without a human endorsement.

Updated
7.4 · The governance boundary

Only an Agent inside the boundary can enter settlement and the record.

The more an Agent can do, the harder its limits must be. Which outputs may only be drafted, which actions require a human in the loop, and which data never leaves its domain. The boundary does not restrain the work; it turns a model from an unaccountable black box into a defensible component. WCN draws the division of responsibility at the network layer, in writing.

What this page doesDefines the allowed set, the forbidden set, and the controls
Core rulePeople keep the final commitment and the funds
You will learnThe capability manifest, the task contract, and the hard limits

The two instruments of the boundary

Every Agent carries two instruments. The capability manifest states the outer edge of what the Agent can do — its data domain, its tools, and its limits. The per-task contract grants a narrower scope for one task, inside that manifest. Beyond either, the Agent does not act.

Capability manifestThe standing statement of an Agent's reach: which data it may read, which tools it may call, and what limits apply. It is set at authorization and changed only through a recorded upgrade.
Per-task contractThe scope granted for a single task, inside the manifest. It names what this run may do and produce, so authority is granted per task rather than held open.

What the Agent may do

Research and organizeSummaries, comparison matrices, first-pass diligence screening, and points cited with a source. The output carries a default label that it is not legally verified.
Notes and processMeeting-note drafts, action items, and follow-up email templates. A timeline or a speaker attribution that is wrong is corrected by a person.
Monitoring draftsPlain-language notes on a threshold or an anomaly, drawn from read-only data. The note is a draft; whether anything goes out is a human decision.
Low-risk automationFilling forms, labeling, and syncing status fields inside an explicit permission, with the model parsing unstructured input.

What the Agent may not do

Never signsNo electronic signature, binding term, or exclusive commitment. A signature requires a person and the legal process.
Never moves fundsNo transfer, allocation, onchain authorization, or escrow instruction. Anything touching funds requires human approval and a limit.
No legal verdictIt may summarize a regulation, but a final conclusion such as "this is legal for you" is not allowed.
Never finalizes PoBThe Proof Ledger and governance decide adoption. The Agent may pre-screen and sort; it cannot pass its own work.
No commitment beyond scopeClaims about returns, regulatory status, or endorsement are not generated and sent on their own.
No bypass of the recordThe critical path stays interruptible and reversible. Calling an unregistered tool in silence is not allowed.
The rule is one line: an Agent never signs, never moves funds, and never makes a final commitment without an explicit human endorsement. The signature authority stays with the person.

The risk matrix

RiskHow it showsControl
FabricationInvented cases, wrong rules, wrong company namesRequire a source; return "unknown" when unsure; rule-check key fields
Prompt injectionA malicious page or file induces a leak or an out-of-scope actionIsolate tools; sandbox untrusted content; require a human in the loop for outbound actions
Data leakageTraining or logs carry confidential data awayClassify data; redact logs; clear keys at retirement
Excess autonomyAn open loop runs up cost with no endSet a per-task budget and a step limit; no task means no run
Unclear responsibilityAfter an error, no one knows who approved itKeep the adoption record, the approval chain, and the model and prompt version

Without the boundary, an Agent is not a stronger execution layer. It is a lever that amplifies a mistake — most of all in high-stakes statements and anything that touches funds.

The division of responsibility

A general assistant places verification on the end user. WCN serves multi-party attribution, so the boundary cannot rest on one user's care. It is written into the type policy and the task contract, where it can be enforced and reviewed.

WCN needs an Agent that can be explained, held accountable, and entered into PoB. "The model said so" is not the node saying so.

The line scoped automation holds

Across institutional practice, automation stops before the decision. A document system can parse at scale, while the credit decision stays with policy and human review. A risk platform can hold one consistent standard, while the manager keeps the investment responsibility. WCN follows the same principle: the Agent compresses friction; it does not replace signature authority.

A test for acceptance: if you remove the Agent, the business process is still lawful and can run — only slower. Then the boundary is about right. If removing the Agent breaks the loop, the human role has been eroded too far.