Onchain AI agents move from demo to deployment
Lit Protocol’s Vincent is shifting agentic finance from toy demos to production rails

Lit Protocol and Adobe Stock modified by Blockworks
Onchain AI agents are edging out of the lab.
Lit Protocol’s agent stack, Vincent, now gives developers a way to ship non-custodial automation that actually touches money, but under explicit, enforceable limits set by users and app authors. An “early access” launch just went live, Blockworks has learned exclusively.
Lit frames the core model simply: policies (guardrails) and abilities (discrete actions like swap/borrow/bridge) that are bound together at deploy time and enforced at runtime, according to co-founder David Sneider.
“Vincent Policies (the guardrails and controls) are created and exposed by Vincent application developers based on any given use case,” Sneider told Blockworks. “For example, a trading app might expose a ‘spend policy’ or ‘token allowlist policy,’ which users would be able to fine-tune based on their own needs and preferences.”
Under the hood, Vincent rides on Lit’s existing “defense-in-depth” key model: Threshold-split keys run inside secure enclaves (TEEs), and the enclaves execute only when an onchain policy check passes. In practice, that means permissions like spend caps, allowlists, time windows and rate limits are evaluated before any signing or contract call occurs. A key recent improvement is how easily developers can now package and enforce those rules through Vincent at the point of execution.
According to examples from a “starter kit,” developers can define and expose app-specific policies as needed; the platform now supports both narrowly scoped and broader smart-contract permissions, with one-line SDK calls to invoke them.
In Sneider’s view, the job is to let agents act, but only inside well-defined lanes.
That’s effective, according to David Johnston, the lead code maintainer at Morpheus, which has built in Lit Protocol as part of its reference open-source agent work.
“MPC enables good spending caps, whitelists of agents, and limited time approvals for agents to access user funds,” Johnston told Blockworks. “These types of capabilities should be native to all agents,” he said, adding that it’s safer to integrate Lit rather than “rolling their own, less battle-tested solutions.”
DeFi-specific risk hooks like MEV protection and dealing with oracles are being left to app authors. “They also have the power to define all of their data sources [and] integrations with external protocols, which can help address possible constraints like these,” Sneider said, referring to aspects like slippage caps, private order flow routes, RFQ checks, or price-staleness guards. That stance keeps the core platform minimal while allowing domain-specialized teams the flexibility to customize.
Automated agents are not magic, and Morpheus’ Johnston notes “all the normal attack vectors and failure modes from DeFi will apply to agents leveraging DeFi, so the best means of mitigating them is to leverage L2s that have eliminated many of these risks with their structure, such as ordering transactions to avoid attacks.”
Vincent already produces success and failure signals and proofs for every execution, but those remain local to the developer’s app rather than being published to a wider registry. The roadmap points to privacy-preserving attestations that could travel across registries and agent networks, such that compliance proven in one venue can be trusted in another.
“The bigger vision is that agents will be able to surface these attestations in privacy-preserving ways into shared registries like ERC-8004 and interagent communication protocols like A2A [Agent-to-Agent],” Sneider said. Think verifiable credentials (e.g. “I’ve complied with XYZ policy 100 times”) broadcast into a shared agent ecosystem, where other agents or platforms can trust them without re-auditing.
Beyond DeFi
Crucially, the agent landscape is expected to evolve to new use cases other than pure DeFi automation, to encompass credentials and APIs that real businesses live on, said Sneider.
“Our focus at the moment is on managing more secret types, like passwords and API keys so that agents can log into apps and we can break the current paradigm of agents being embedded within apps,” he said. “We’re also continuing to build out more Policy and Ability examples across many different chains and protocols (i.e. BTC and Solana), to give developers more jumping-off points and make it simpler to start launching agents with Vincent.”
If this sounds like the agent version of account abstraction, it’s intentional. Back in 2024, Sneider argued that “key, material signing is like the ultimate unifier amongst distributed systems, which are really just like state and signing at the end of the day.”
Tie that to enforceable policies and you get something closer to production-grade autonomy, as we see starting to happen now.
“This idea that everybody is going to have essentially a quant in their pocket to manage their funds seems pretty, pretty coherent and is starting to come together.”
Get the news in your inbox. Explore Blockworks newsletters:
- The Breakdown: Decoding crypto and the markets. Daily.
- 0xResearch: Alpha in your inbox. Think like an analyst.
- Empire: Crypto news and analysis to start your day.
- Forward Guidance: The intersection of crypto, macro and policy.
- The Drop: Apps, games, memes and more.
- Lightspeed: All things Solana.
- Supply Shock: Bitcoin, bitcoin, bitcoin.