Binding Policy to Money

Catena now enforces agent policy at the signing layer itself, inside a Trusted Execution Environment (TEE) built with Turnkey. Funds can't move on the agent's say-so alone, on Catena's alone, or without the approvals you require.

Today we’re adding a new layer to the Catena control plane: policy enforced at the signing layer itself, inside a Trusted Execution Environment (TEE). It’s the strongest control we’ve shipped for agentic money movement thus far, and the property that makes it matter is simple. At this layer, funds can’t move on the agent’s say-so alone, on Catena’s alone, or without whatever approvals you require. The agent can’t go rogue, and neither can we.

Turnkey is our technology partner for this new TEE-based policy enforcement, strengthening the infrastructure that enables businesses to operate agents at scale.

From evaluation to enforcement

Catena’s core policy engine turns an operator’s rules into capabilities and limits. Which accounts an agent can touch, which counterparties, how much, how often, and what needs a human to sign off—all of this forms a unique policy, governing each and every agent’s intention before anything executes.

Until recently, an agent’s policy was evaluated at two levels: at the agent level, where its identity is defined and scoped, and at the application level, where Catena checks an agent’s permissions across different rails and features. Now, it’s also enforced at the moment a transaction is signed. This approach uses a secure enclave (TEE) that the application cannot reach into or talk its way around, so that policy moves with money instead of sitting outside money movement as a suggestion.

Think of it like a vault that opens only when the required keys turn together: the agent’s request, the operator’s policy, and any approvals you’ve set. There’s no master key to misuse, not even Catena’s, which means breaking the rule isn’t something you catch after the fact—it isn’t possible in the first place.

The process of provisioning agent identity stays simple, leveraging well-established authentication methods to delegate sending authority, but it now gets reinforced by real cryptographic signatures, securing the agent’s permissions without the need for key management.

Layered by design

The job of Catena’s policy engine is to answer a few essential questions about every agent: who is it, what is it allowed to do, and can you prove what it did afterward.

By enforcing policy directly in the signing layer, we now strengthen the most important consequence of the “who” question for agents: authorization of money movement. This is the third layer in a multi-stack control plane: customers set guardrails for what agents can attempt; application policy surfaces the appropriate actions for those attempts; the signing layer checks permissions to move funds; and the fourth layer, now possible with the technology introduced by the TEE, encodes customer guardrails directly into smart contracts.

Together, these layers produce a system designed for long-term trust and reliability. This is how you let agents move money safely at scale.

Get started and apply for private access today at app.catena.com.