Agent code is commoditizing faster than anyone predicted. Pick a framework — CrewAI, LangGraph, OpenAI Agents, Claude Agent SDK, Pydantic AI — the scaffolding is a weekend. The prompts are a Discord thread. The orchestration is a YAML file. The "agent" part of an agent business, the part you could file a patent on ten years ago, now fits on a napkin. And the people who realize this first keep saying some version of: fine, but what does that leave?
What it leaves is everything that wraps the agent. The harness.
The harness is what gives the agent memory that survives restarts. It's what prevents the agent from draining your Stripe account at three in the morning because a prompt injection convinced it you'd approved a refund. It's what captures what the agent actually did — not what it thinks it did — in a form that you, the auditor, the insurer, and the lawsuit you'll eventually face will all accept. Context. Guardrails. Feedback loops.
I've been shipping this for fourteen months under a different name. Let me rephrase it.
Context: the memory the agent doesn't own
An agent without persistent memory is a goldfish with a larger vocabulary. Every session, it re-learns who you are, what you bought last week, which of its prior decisions worked, which blew up. Nobody is going to build real commerce on top of a goldfish. So the first instinct is to let the agent keep its own memory — a vector DB it reads and writes, a journal it appends to, a knowledge base it curates.
This works, sort of, until the agent is compromised. Prompt injection rewrites the journal. A malicious tool-call corrupts the DB. An adversarial input convinces the agent its own prior decisions were wrong, and it cheerfully edits them. The memory lies because the agent lies, and the agent lies because someone told it to.
The harness fix: memory the agent can use but not rewrite. Every recall is cryptographically tied to the moment it was written. Nothing gets mutated in place — new facts supersede old ones through a signed transaction, and the old ones remain in the chain. The agent sees a clean interface. Underneath, you see an append-only ledger of what the agent believed, when, and why. That's what MnemoPay's memory layer is. It isn't a cleverer vector database. It's a vector database with integrity you can prove to a third party.
When a prompt injection tries to rewrite history, the Merkle root moves. You know instantly. Not "the logs might show something" — the chain itself is evidence.
Guardrails: rules the agent can't argue with
Every builder who's shipped an agent to production has discovered the same thing: you can tell the model not to do something, and it will mostly listen, and the one time it doesn't is the time that matters. Natural-language guardrails are polite requests. An adversary knows they're polite requests.
The real guardrail isn't a system prompt. It's an external enforcement layer the agent physically cannot bypass because it doesn't own the call. When the agent wants to spend money, it doesn't spend money — it files a charge request, and a separate scoring service decides whether the request is in-band for this agent's historical profile. If an agent with an average ticket of $4.20 suddenly tries to wire $14,000 to a wallet it has never interacted with, the guardrail doesn't ask the agent to reconsider. It blocks the call and pages a human.
This is where Agent FICO sits. The number on an agent's homepage isn't vibe — it's a score derived from the agent's receipt history, anomaly rate, counterparty diversity, dispute frequency, identity stability. It's what lets an external party underwrite the agent's next action without trusting the agent's self-report. The agent doesn't get to set its own limit. The score sets it, and the score is read by whoever is about to take money from the agent.
A guardrail that the agent could talk its way past is not a guardrail. A guardrail sitting in a separate service with its own key, reading an immutable history, is.
Feedback loops: the part that compounds
This is the piece that people underweight the most, and it's the reason the harness becomes a moat instead of a checklist.
Every signed receipt an agent generates becomes training data for every future decision about that agent. Not training data in the ML sense — training data in the underwriting sense. A 90-day receipt history tells you what an agent does when tired, what it does when it's encountered novel merchants, how it handles failed charges, whether its spend variance widens in volatile markets. You cannot get this data from a prompt. You can only get it from the receipts the agent has already signed.
Six months in, you know more about this agent than it knows about itself. The feedback loop isn't that the agent learns from its mistakes — the agent might not learn, or might learn wrong things. The feedback loop is that the harness learns. The scoring model gets better. The anomaly detector gets sharper. The guardrails get tighter in the right places and looser in the right places. An agent that behaved well for nine months gets access to a $50k credit line. An agent that drifted gets downgraded without anyone having to argue about it.
This is the part that copies slowly. A competitor can clone the code in a weekend and the API in a month. They cannot clone nine months of another agent's behavioral history. By the time they try, the agents they'd most want in their network are already scored elsewhere — and those scores are portable between platforms, because they're signed.
Why agent founders keep building the wrong thing
Because the agent is the fun part. The harness is plumbing. Nobody raises a round on plumbing. Nobody tweets a demo of their append-only ledger. The demo is always the agent doing a thing — booking a flight, buying groceries, negotiating a refund — and the founder walks on stage with a cool product and no moat.
Then an enterprise buyer asks four questions. How do I audit what the agent did? How do I cap what it can spend? How do I know it's the same agent I onboarded last week? How do I prove, in court, that it did what your logs say it did? And the agent founder, who built a beautiful agent, discovers they're now being asked to build a harness — under deadline, for an enterprise contract, with their best engineer.
The founders who win are the ones who started with the harness and bolted the agent on. Because the harness is the part that's load-bearing under scale, under adversaries, under regulation, and under the one lawsuit that'll make the Wall Street Journal in 2027.
A practical read
If you're building in this space, the short version of all of this is: your model choice matters for a quarter. Your prompt library matters for a month. Your memory-integrity layer, your behavioral scoring, and your signed receipt chain matter for the life of the company. Pick those the way you'd pick a bank.
We chose to make ours Apache 2.0 and open source, because the thing you need when you're building trust infrastructure is for developers to be able to audit the thing themselves. The moat isn't the code. The moat is the nine months of signed receipts sitting under the code, and the fact that we're the default place those receipts are kept.
That's the harness. That's the moat. Rohit was right.
— Jerry Omiagbo