When you let one agent act on behalf of another — accept a task, call a tool, spend a balance, hand work to a third — the question you instinctively reach for is can I trust it? That question has no good answer. You can't inspect your way to trust; a capable system that wants to misbehave will pass every inspection you can afford to run, and a benign one will still surprise you the first time it hits an input you didn't imagine. Trust-by-inspection is a treadmill.

The question that does have an answer is the other one: what can this thing do if it turns out I was wrong to trust it? That reframes the whole problem from inspection to bounding. You stop trying to certify the agent's intentions and start sizing its blast radius. Vetting becomes a property of the grant you issue, not a property of the thing you're granting to.

This is the right move, and almost everyone who makes it stops one step too early.

Scoping feels like the finish line

The standard answer to "bound the blast radius" is to scope the grant. Don't hand the delegate your whole authority — hand it the narrowest capability that covers the task. A token that can read one bucket, not the account. A grant that can settle one invoice, not move the treasury. If the delegate is compromised, the damage is capped at what you scoped, independent of what the delegate decides to do with it.
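The scoping described above, as an added example that is not part of the original essay: a grant names exactly one action on one resource, and the resource-side check decides from the signed grant alone, whatever the delegate asks for. The key, the delegate name `agent-b`, the bucket names and the helper functions are all constructed for illustration.

```python
import base64, hashlib, hmac, json

# Constructed key for this example; the grantor holds it, the delegate never sees it.
GRANTOR_KEY = b"example-only-grantor-key"

def _sign(payload: bytes) -> bytes:
    return hmac.new(GRANTOR_KEY, payload, hashlib.sha256).hexdigest().encode()

def mint_grant(delegate: str, action: str, resource: str) -> str:
    """Issue a grant that covers one action on one resource, nothing wider."""
    payload = json.dumps(
        {"delegate": delegate, "action": action, "resource": resource},
        sort_keys=True,
    ).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()

def authorize(token: str, action: str, resource: str) -> bool:
    """Resource-side check: the answer depends on the grant, not on the delegate."""
    try:
        encoded, sig = token.split(".")
        payload = base64.urlsafe_b64decode(encoded.encode())
    except ValueError:  # wrong shape or bad base64
        return False
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return False  # scope was edited after issuance
    grant = json.loads(payload)
    return grant["action"] == action and grant["resource"] == resource

def tampered(token: str, **changes) -> str:
    """Test helper: rewrite the scope but keep the old signature."""
    encoded, sig = token.split(".")
    grant = json.loads(base64.urlsafe_b64decode(encoded.encode()))
    grant.update(changes)
    forged = json.dumps(grant, sort_keys=True).encode()
    return base64.urlsafe_b64encode(forged).decode() + "." + sig

if __name__ == "__main__":
    token = mint_grant("agent-b", "read", "bucket/reports")
    print(authorize(token, "read", "bucket/reports"))   # in scope
    print(authorize(token, "write", "bucket/reports"))  # wrong action
    print(authorize(tampered(token, resource="bucket/payroll"), "read", "bucket/payroll"))
```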