Sour Lemon LabsResearch
Dispatch 001

Safety

Who Thought Probabilistic Payment Was A Good Idea: It's Probably Right. Not.

53% of agents exceed permissions. The industry's solution: let the hallucination machine hold the credit card.

April 2026·4 min read·Sour Lemon Labs
· · ·

Your AI agent has a 27–78% chance of silently failing on any given run.

You gave it your credit card.

That's not a joke. That's the state of agent commerce in 2026. The Cloud Security Alliance surveyed the industry and found that 53% of organizations report agents regularly exceeding their intended permissions (CSA, April 2026). Nearly half — 47% — have already experienced a security incident involving an AI agent.

And the industry's response? Lobster.cash gives agents a virtual Visa card with a $20 limit. Mastercard launched Verifiable Intent. Visa launched TAP. Google launched AP2. Three competing protocols in six months. None of them solve the actual problem.

Now do the math.

The Damage · Per Organization · Per Year

Avg breach cost (IBM, 2023)
$4.45M
Incident probability (CSA, Apr 2026)
47%
Expected loss per org
$2.1M

Multiply across the ~100,000 organizations shipping AI agents into production in 2026 → $210B/year expected loss, industry-wide. The remediation budget is rounding error on the breach budget.

The actual problem: the LLM is in the authorization path.

Every single one of these systems lets the probabilistic model — the thing that hallucinates, that can be prompt-injected, that has a 27–78% silent failure rate — participate in deciding what gets purchased. They add guardrails. Spending limits. Approval flows. But the LLM is still INSIDE the decision loop.

That's like putting a speed limiter on a car driven by someone who's blindfolded. The limiter helps. The blindfold is the problem.

Here's what a deterministic authorization boundary looks like:

Probabilistic Side

(LLM parses intent)

“I want to book a hotel in Tokyo”

Can be manipulated.

Can hallucinate.

Can be injected.

Deterministic Side

(rules authorize)

Check: within budget?

Check: delegation valid?

Check: scope matches?

Cannot be manipulated.

Cannot hallucinate.

Cannot be injected.

Only frozen structured intent crosses. No function refs. No shared state. No code path.

The LLM can WANT to buy something. It can NEVER authorize the purchase. Those are architecturally separate systems. Not the same system with a spending cap. Separate. Like the engine and the brakes are separate. You don't build brakes out of engine parts.

We tested 12 prompt injection attacks against this boundary. All 12 blocked. Not because we wrote better guardrails. Because the LLM physically cannot reach the authorization system. There's no code path. No function call. No shared memory. The wall is architectural, not procedural.

Meta had a SEV-1 data breach in March because an agent acted without authorization. Claude Code deleted a German startup's production database. A Fortune 500 lost $400M through agent resource exhaustion.

The pattern is always the same: the probabilistic system was given authority it shouldn't have.

The solution isn't better guardrails on a probabilistic engine. The solution is a deterministic boundary that the probabilistic engine cannot cross.

The authorization side doesn't guess. It doesn't probably approve. It checks the rules. Every time. With mathematical certainty.

It's probably right? No. It IS right. Or it blocks. There is no probably.

Many patents pending. Because apparently this needed a patent filing for anyone to take it seriously.

End of Transmission

Dispatch 001 · Safety · Sour Lemon Labs

← All dispatches