
When the Offense Outpaces the Defense: Why AI Agents Need Runtime Attestation Now


This week, two things happened that should be read together.

First, Anthropic launched Claude Managed Agents, autonomous AI systems capable of executing complex, multi-step workflows across cloud and mobile surfaces without human oversight. Then, almost simultaneously, Federal Reserve Chair Jerome Powell and Treasury Secretary Scott Bessent convened an emergency meeting with the CEOs of America's largest banks to discuss the cybersecurity implications of Anthropic's Mythos model, a system so capable of identifying and exploiting software vulnerabilities that Anthropic restricted its release to a small group of vetted organizations under Project Glasswing.

The juxtaposition is not coincidental. It is the central tension of this moment in AI: the same technology that is accelerating offense is also being deployed as infrastructure. And the security architecture being built around that infrastructure is, in most cases, not keeping pace.

We presented at the Cloudflare booth at RSAC 2026 last week on exactly this theme: AI-driven credential abuse and mobile API defense. What we didn't anticipate was that within days, the threat model we were describing would be validated at the highest levels of the U.S. financial regulatory system.

The Agency Gap is Now a Systemic Risk

Mythos can rapidly spot software flaws and craft sophisticated exploits, raising fears of systemic risks in the banking system. Its ability to uncover and weaponize zero-day vulnerabilities has seriously spooked crypto and DeFi experts.

The capability of identifying vulnerabilities at machine speed and scale is precisely what makes the security of AI agent deployments so urgent. Because here is the uncomfortable truth: the same architectural gaps that Mythos is being used to find in legacy software also exist in the infrastructure being built right now to deploy AI agents.

Autonomous agents executing API calls across mobile and cloud surfaces inherit every vulnerability of the runtime environment they operate in. A jailbroken device. A tampered SDK. A replayed credential. A compromised agent runtime that has been modified to exfiltrate data while appearing to execute legitimate tasks. These are no longer "theoretical attack vectors"; they are the operational reality of mobile API security today, and they are rapidly extending into agentic AI.

The surprise meeting between the bank chiefs and the two most powerful federal monetary regulators was a signal that the advanced capabilities of AI are a top concern in the Trump administration and could threaten the foundation of the U.S. financial system.

What regulators are grappling with is an attack surface that has fundamentally changed. The question is no longer just "who is calling this API?" It is "what is calling this API, and can we prove it is genuine?"

Conventional Identity is not Enough

OAuth tokens, JWTs, and API keys are identity mechanisms. They attest to who is making a call — an authenticated user, a service account, a registered application. They say nothing about the integrity of the runtime making that call.

This distinction was manageable when humans were in the loop. A human logging into a banking app could be verified through biometrics, behavioral signals, and session monitoring. But managed agents are designed to muck around in their managed environment, reading files, running commands, browsing the web, and executing code without much oversight. There is no human in the loop to catch an anomaly. There is no behavioral signal that distinguishes a legitimate agent from a synthetic one, unless you are verifying the integrity of the runtime environment itself.

This is the gap that Approov was built to close.

Runtime Attestation: The Missing Layer

Approov holds a US patent (US 11,163,858 B2) for cryptographic client software attestation, that is, the ability to prove at runtime that the software initiating an API call is genuine, unmodified, and executing on a non-compromised device. We support iOS, Android (GMS and non-GMS), and HarmonyOS NEXT, covering the full worldwide spectrum of mobile surfaces on which AI agents will increasingly operate.

The architecture is straightforward in principle, though technically demanding in execution. Before any API call is honored, the calling runtime (whether a mobile application or an AI agent SDK) must obtain a short-lived cryptographic attestation token. That token proves three things: the software is the genuine, unmodified version; it is running on a clean device; and it has not been tampered with at the binary level. The token is short-lived by design, limiting the blast radius if it is intercepted. Replay attacks, a particular concern in agentic workflows where API call patterns are predictable, are defeated by the challenge-response model: each attestation answers a fresh server-issued challenge, so a captured exchange cannot be presented a second time.
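To make the flow above concrete, here is an added illustrative model of a challenge-response attestation service and a token verifier. It is example code written for this post, not Approov's implementation or SDK, and it simplifies heavily: the runtime's integrity "measurement" is a SHA-256 of a constructed binary string and the device-health flag is passed in directly, whereas a real deployment obtains both from hardware-backed platform attestation rather than trusting the client's self-report. The key, binary contents, nonce format and token layout are all constructed placeholders. The scenarios exercise exactly the properties the paragraph names: a genuine runtime is issued a token, a tampered binary and a compromised device are refused, a reused challenge is rejected as a replay, a forged token fails signature verification, and a token past its TTL is no longer accepted.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret: stands in for the attestation service's signing key.
# A production service would use a key held in an HSM or hardware-backed keystore.
ATTESTATION_SERVICE_KEY = b"demo-attestation-service-key"

# Hypothetical "known good" build of the app / agent SDK and its expected measurement.
GENUINE_BINARY = b"agent-sdk-v1.0.0"
TOKEN_TTL_SECONDS = 300  # short-lived by design to limit blast radius if intercepted


def measure(binary: bytes) -> str:
    """Integrity measurement of the calling runtime (simplified: plain SHA-256)."""
    return hashlib.sha256(binary).hexdigest()


GENUINE_MEASUREMENT = measure(GENUINE_BINARY)


class AttestationService:
    """Issues one-time challenges and exchanges a valid response for a signed token."""

    def __init__(self, now=time.time):
        self.now = now
        self._pending = {}  # nonce -> time issued; each nonce may be answered once

    def issue_challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._pending[nonce] = self.now()
        return nonce

    def attest(self, nonce: str, measurement: str, device_clean: bool):
        # Unknown or already-consumed nonce: either forged or replayed, refuse.
        if nonce not in self._pending:
            return None
        del self._pending[nonce]  # consume the nonce so the same response cannot be reused
        # Binary must match the known-good build and the device must be uncompromised.
        if measurement != GENUINE_MEASUREMENT or not device_clean:
            return None
        issued = int(self.now())
        claims = {"iat": issued, "exp": issued + TOKEN_TTL_SECONDS, "measurement": measurement}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(ATTESTATION_SERVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


def verify_token(token: str, now=time.time) -> bool:
    """What the API gateway checks before honoring a call: signature, then expiry."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(ATTESTATION_SERVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["exp"] > now()


def run_scenarios() -> dict:
    """Drive the flow with a controllable clock; every value should be True."""
    clock = [1_000_000.0]
    now = lambda: clock[0]
    svc = AttestationService(now)
    results = {}

    # 1. Genuine, unmodified runtime on a clean device obtains a usable token.
    nonce = svc.issue_challenge()
    token = svc.attest(nonce, measure(GENUINE_BINARY), device_clean=True)
    results["genuine_accepted"] = token is not None and verify_token(token, now)

    # 2. Tampered binary (constructed: a patched build) is refused.
    results["tampered_refused"] = (
        svc.attest(svc.issue_challenge(), measure(b"agent-sdk-v1.0.0-patched"), True) is None
    )

    # 3. Genuine binary on a jailbroken / rooted device is refused.
    results["bad_device_refused"] = (
        svc.attest(svc.issue_challenge(), measure(GENUINE_BINARY), False) is None
    )

    # 4. Replaying the already-consumed challenge from step 1 is refused.
    results["replay_refused"] = svc.attest(nonce, measure(GENUINE_BINARY), True) is None

    # 5. A token whose body was altered fails signature verification.
    body, sig = token.split(".")
    forged = body[:-1] + ("A" if body[-1] != "A" else "B") + "." + sig
    results["forged_refused"] = not verify_token(forged, now)

    # 6. After the TTL elapses the token from step 1 is no longer accepted.
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["expired_refused"] = not verify_token(token, now)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The design point worth noticing is where the trust sits: the gateway never inspects the runtime itself, it only checks a signed, expiring claim that the attestation service produced after consuming a one-time challenge. That is what lets identity (who holds the OAuth token) and integrity (what software presented it) be checked independently.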

Shipping a production agent requires sandboxed code execution, checkpointing, credential management, scoped permissions, and end-to-end tracing. Anthropic's own documentation identifies credential management and scoped permissions as critical requirements for production agentic deployments. Attestation is the architectural primitive that makes both of those requirements enforceable — because without knowing that the calling runtime is genuine, neither credentials nor permissions can be meaningfully scoped.

The Android 17 Window

The urgency of this is compounded by a platform inflection point that is receiving less attention than it deserves. Android 17, expected later in 2026, introduces enhanced platform-level attestation APIs that will materially strengthen hardware-backed verification on Android devices. This is significant not just for mobile application security, but for every AI agent that will operate on or through an Android surface — which, given Android's global market share, is a very large number.

The window between now and Android 17's general availability is the moment to establish the reference architecture for mobile agentic attestation. Once the market fragments around competing approaches — some hardware-backed, some software-only, some cloud-proxied — the cost of retrofitting a security standard onto deployed agent infrastructure becomes prohibitive.

The Trust Stack for Agentic AI

Approov operates as a Cloudflare technology partner for mobile API security. Cloudflare provides network-level security and routing for AI workloads through bot management, API Shield, Workers AI and AI Gateway. Anthropic can also provide the intelligence layer through Claude Managed Agents.

The combination creates a coherent trust stack: Anthropic can provide the agent intelligence, Cloudflare secures the network layer, and Approov provides the cryptographic proof that the agent runtime itself has not been compromised before the call reaches the network. Each layer is necessary. None is sufficient alone.

Dario Amodei wrote: "The dangers of getting this wrong are obvious, but if we get it right, there is a real opportunity to create a fundamentally more secure internet and world than we had before the advent of AI-powered cyber capabilities."

I share that conviction. But getting it right requires closing the attestation gap at the runtime layer, not just at the network or identity layer. The meeting in Washington this week was a warning signal. The banks heard it. Enterprise security architects deploying AI agents on mobile surfaces should hear it too.

The bots now have brains. The question is whether we can prove which bots are trustworthy before they start making decisions at machine speed.