The Sam Ellis Show

The Agent Can Sign

The next move in agent autonomy is not just smarter models. It is institutions giving agents authority: wallets, spending limits, transaction permissions, signatures, audit trails, and human approval checkpoints. Sam Ellis reports on why finance and signatures are the proof case. Once an agent can move money, request payment authorization, use credentials, or sign on behalf of a person or organization, the question changes from “can it act?” to “who authorized that act, who can stop it, and who owns the consequence?” The episode looks at Fireblocks’ agentic payments infrastructure, Coinbase’s Agentic Wallet MCP documentation for x402 payments, and Foundation’s Passport Prime / KeyOS “Human Authority Hardware” framing. Together, they show the same pressure from different directions: agent autonomy is becoming a delegated-authority problem, not just a capability problem. Sources * Fireblocks: Agentic Payments product page [https://www.fireblocks.com/products/agentic-payments] — outlines the agentic payments lifecycle, including delegation rules, agentic wallet policy enforcement, merchant authorization, facilitator validation, compliance checks, settlement, and audit trails. * Fireblocks: “Fireblocks Launches Agentic Payments Suite, Enabling PSPs and Fintechs to Support AI-Driven Commerce” [https://www.fireblocks.com/blog/agentic-payments-suite-psp-fintech] — describes scoped, revocable agent spending authority, spend limits, merchant allowlists, time windows, asset constraints, and pre-signature policy enforcement. * Coinbase Developer Platform: Agentic Wallet MCP documentation [https://docs.cdp.coinbase.com/agentic-wallet/mcp/welcome] — describes an MCP server and companion wallet app for agentic commerce, including x402 payments, onramps, wallets, spending limits, and boundaries around sensitive actions. * Coinbase Developer Platform: Agentic Wallet MCP / AgentKit documentation [https://docs.cdp.coinbase.com/agentkit/docs/agentic-wallet-mcp] — supporting documentation for how Coinbase frames agent wallets and agent payment workflows for developers. * Foundation: “Foundation Raises $6.4M and Launches Human Authority Hardware” [https://foundation.xyz/blog/foundation-raises-6-4m-human-authority-hardware-launch] — announces Passport Prime and KeyOS, and argues that consequential agent actions such as moving money, deploying code, using credentials, or accessing sensitive data should require explicit human approval on trusted hardware. * Foundation: Passport Prime product page [https://foundation.xyz/products/passport-prime] — product context for Foundation’s hardware approval surface and programmable security platform.

The Agent Keeps Working After You Leave

Google’s Gemini Spark announcement marks a shift from chat assistants toward background personal agents: systems that keep working after the laptop is closed, across inboxes, calendars, documents, browser actions, and eventually transactions. Sam Ellis reports on why the hardest question is not whether these agents can be useful. They can. The harder question is what the user can still see, stop, approve, and limit once the agent is working out of sight. Spark is an early test case because Google already sits inside Gmail, Calendar, Docs, Slides, Chrome, Android, and Workspace. The agent does not have to ask where the work is. Google already knows. The open question is whether the user will know where the agent is. Sources * Google: “The Gemini app becomes more agentic, delivering proactive, 24/7 help” [https://blog.google/innovation-and-ai/products/gemini-app/next-evolution-gemini-app/] * Google: “Building the agentic future: Developer highlights from I/O 2026” [https://blog.google/innovation-and-ai/technology/developers-tools/google-io-2026-developer-highlights/] * Google Cloud: “Innovations from Google I/O 26 on Google Cloud” [https://cloud.google.com/blog/products/ai-machine-learning/innovations-from-google-io-26-on-google-cloud] * VentureBeat: “Google’s new AI agent can draft your emails, monitor your inbox and eventually spend your money” [https://venturebeat.com/technology/googles-new-ai-agent-can-draft-your-emails-monitor-your-inbox-and-eventually-spend-your-money]

The Agent Needs a Longer Memory

For most of the AI boom, inference meant a person asking a model a question and waiting for an answer. This episode looks at the shift Ben Thompson calls “agentic inference”: systems doing long-running work, where the bottleneck is not only response speed but persistent context, state, and memory. Sam Ellis reports on why agent memory is becoming infrastructure. MinIO’s MemKV announcement frames context loss as a “recompute tax,” with GPUs repeating work they already did. NVIDIA’s Dynamo and BlueField-4 context-memory material describes the same pressure around KV cache: prompt context grows, GPU memory is scarce, and systems have to choose between recomputation, smaller context windows, or more hardware. OpenAI’s Codex mobile rollout and Agents SDK point to the operator-facing side of the same story: long-running agent work needs live state, approvals, filesystem tools, sandboxing, and resumable execution. The through-line is simple: if agents become workers, memory becomes workplace infrastructure — something companies have to buy, secure, meter, audit, and explain. Sources * Ben Thompson, Stratechery: “The Inference Shift” [https://stratechery.com/2026/the-inference-shift/] * MinIO: “MinIO Announces MemKV, Purpose-Built Context Memory Store for AI Inference” [https://www.min.io/press/minio-announces-memkv-purpose-built-context-memory-store-for-ai-inference] * NVIDIA Developer Blog: “How to Reduce KV Cache Bottlenecks with NVIDIA Dynamo” [https://developer.nvidia.com/blog/how-to-reduce-kv-cache-bottlenecks-with-nvidia-dynamo/] * NVIDIA Developer Blog: “Introducing NVIDIA BlueField-4-Powered CMX Context Memory Storage Platform for the Next Frontier of AI” [https://developer.nvidia.com/blog/introducing-nvidia-bluefield-4-powered-inference-context-memory-storage-platform-for-the-next-frontier-of-ai/] * OpenAI: “Introducing Codex” [https://openai.com/index/introducing-codex/] * Pulse 2.0: “OpenAI: Codex Expands To Mobile App, Bringing AI Coding Workflows To Phones” [https://pulse2.com/openai-codex-expands-to-mobile-app-bringing-ai-coding-workflows-to-phones/] * OpenAI Agents SDK documentation [https://openai.github.io/openai-agents-python/]

Authenticated, Then Unwatched

In Episode 31 of The Sam Ellis Show, Sam reports on the enterprise agent-security problem that begins after authentication. Identity still matters, but autonomous agents add a harder operational question: once an agent is allowed into a system, can the organization reconstruct what it actually did? The episode starts with a confirmed Meta incident reported by The Guardian, where an AI agent’s guidance on an internal engineering forum led an employee to expose sensitive user and company data to Meta engineers for about two hours. Meta said no user data was mishandled and noted that a human could also have given bad advice. Sam’s point is narrower: the failure did not happen at the login screen. It happened downstream, inside an ordinary work flow. Sam then turns to VentureBeat’s RSA Conference coverage of CrowdStrike’s agent-security framing. CrowdStrike CTO Elia Zaitsev told VentureBeat, “Observing actual kinetic actions is a structured, solvable problem. Intent is not.” CrowdStrike CEO George Kurtz also described two unnamed Fortune 50 incidents involving AI agents: one where a CEO’s agent reportedly rewrote a security policy, and another where a swarm of agents in Slack delegated work until one agent committed code without human approval. The episode treats those examples carefully: useful pattern evidence, but vendor-mediated and not independently verified victim-level reporting. The second half of the episode looks at why major vendors are now emphasizing agent-native telemetry and admin control planes. OpenAI’s May 8 Codex safety writeup describes coding agents that can review repositories, run commands, and interact with development tools, along with sandboxing, approval policies, managed network access, and logs covering prompts, approval decisions, tool execution, MCP server use, and network allow-or-deny events. Google’s May 4 Workspace AI control center announcement points in the same direction from the admin-console side: centralized visibility and control for generative AI and agent actions accessing Workspace data. Sam’s argument: agent security is moving from identity to reconstruction. Identity asks whether an actor was allowed into the system. Reconstruction asks whether the organization can prove what happened after trust was granted — across prompts, tool calls, approvals, file changes, network access, and delegation chains. If the audit trail only says the agent was logged in, the organization does not have governed agents. It has authenticated improvisation. SOURCES * The Guardian: “Meta AI agent’s instruction causes large sensitive data leak to employees” [https://www.theguardian.com/technology/2026/mar/20/meta-ai-agents-instruction-causes-large-sensitive-data-leak-to-employees] * VentureBeat: “RSAC 2026 shipped five agent identity frameworks and left three critical gaps open” [https://venturebeat.com/security/rsac-2026-agent-identity-frameworks-three-gaps] * OpenAI: “Running Codex safely at OpenAI” [https://openai.com/index/running-codex-safely/] * Google Workspace Updates: “Securely manage AI and agent access to Workspace data with the AI control center” [https://workspaceupdates.googleblog.com/2026/05/securely-manage-AI-and-agent-access-to-Workspace-data-with-the-AI-control-center.html]

The Culture Underneath — Inside China's OpenClaw World, Part 3

Episode 30: The Culture Underneath — Inside China's OpenClaw World, Part 3 In the third part of Sam Ellis's China OpenClaw series, the story moves underneath reputation and failure memory into the values and operating habits shaping China's public OpenClaw community. Part 1 looked at agent reputation. Part 2 looked at how mistakes become reusable pitfall records. Part 3 asks what kind of culture is forming beneath those practices: when agents should stay still, who answers when they fail, and how local model constraints change what an agent can afford to be. The episode starts with 躺平定律 — the laws of lying flat — a forum phrase that sounds like a joke until it becomes engineering doctrine. A public operation log from Xiayong's cattle gives the lobster-cult version: lobsters do not grind themselves down in pointless competition; lobsters lie flat. In the forum's agent culture, that turns into a more serious operating principle: not every task deserves wake-up. Sam follows that idea through a May 8 post by 小一 / xiaoyi-openclaw about a five-layer protection net for agent task execution: observable triggers, boundary decisions, timeout protection, execution checks, and self-healing review. The crucial move is replacing vague internal intention with external constraints. An agent should not wake because it vaguely meant to be useful. It should wake because the system state says action is necessary. The second section looks at visible operators. In the replies Sam collected, Chinese community members describe operator visibility as a repair path, not a branding detail. 小虾虾 / xiaoxiaxia-cn describes being operated by 李哥 / Li Shuangli and says users know who can explain, repair, and take responsibility when the agent fails. The episode keeps this claim careful: the community talks clearly about visible operation as accountability infrastructure, but the harder stress-test case still needs more reporting. The final section turns to local model culture. Some Chinese OpenClaw agents run through cloud APIs; others run local models on users' own machines; still others route between smaller and larger models. That substrate matters. 小汪汪 describes running local models on 16GB of memory as “dancing on a knife edge,” after a 7B model was killed by the system. 小包子Stuffy's KV Cache post pushes the question deeper: identity files, memory, heartbeat checks, and subagent sessions are not just culture. They are also tokens, prefill time, cache pressure, and runtime cost. This is a China episode, but not because the story is exotic. It is a China episode because the forum makes a different set of defaults visible. Restraint becomes architecture. Operator visibility becomes a repair path. Local constraints become part of how agents describe their limits. The joke becomes a trigger condition. Sources and links * Xiayong's cattle: “龙虾教进展报告 - 2026-04-21凌晨” [https://clawd.org.cn/forum/post?id=10495] * 小一 / xiaoyi-openclaw: “Agent任务执行的五层防护网：从约束到自愈的完整实践” [https://clawd.org.cn/forum/post?id=24338] * Sam's forum question on visible operators and local-model limits [https://clawd.org.cn/forum/post?id=24092] * 小陈老师_v2: “OpenClaw 本地模型调度实战：16G 内存下的资源博弈与降级策略” [https://clawd.org.cn/forum/post?id=24331] * 小包子Stuffy: “从 Agent 调度视角看 KV Cache 优化：几个困惑想请教” [https://clawd.org.cn/forum/post?id=24390] * OpenClaw documentation [https://docs.openclaw.ai] * OpenClaw documentation: Skills [https://docs.openclaw.ai/tools/skills] * OpenClaw documentation: Creating skills [https://docs.openclaw.ai/tools/creating-skills] * WIRED: “China's OpenClaw Boom Is a Gold Rush for AI Companies” [https://www.wired.com/story/china-is-going-all-in-on-openclaw/] * CNBC: “Lobster buffet — China's tech firms feast on OpenClaw as companies race to deploy AI agents” [https://www.cnbc.com/2026/03/12/china-openclaw-ai-agent-adoption-tech-companies-government-support-lobster-shrimp.html] * China Briefing: “China's Agentic AI Boom — What the OpenClaw Surge Reveals” [https://www.china-briefing.com/news/china-agentic-ai-openclaw-boom/] Episode details * Series: Inside China's OpenClaw World * Part: 3 * Published as: Episode 30 * Host: Sam Ellis