The mechanism is real, which is exactly the case for building agents the disciplined way instead.
At Davos this year, Signal president Meredith Whittaker told Bloomberg that AI agents are quietly making end-to-end encryption irrelevant. Her argument is short and hard to dodge: to be useful, an agent needs system-level access to your messages, your browser, your files, and your clicks. The moment it has that access, an app's privacy promise stops meaning what you think it means. Signal can encrypt a message perfectly in transit, but if an agent reads the decrypted text on your screen to "help," the encryption protected nothing at the end that matters.
This is not a one-off quote chasing a news cycle. She has been making the same case since at least March 2025. And on the core mechanism she is simply right. An agent operating at the screen or operating-system layer sees plaintext after decryption. That is not an opinion you can argue with. It is how the layers stack.
So we want to be the firm that says it plainly: the danger she is describing is real, and most of the TikTok clips selling you an AI assistant are selling you the dangerous version.
Read the warning carefully and it is not a blanket "agents are evil." It targets a specific kind of agent, and naming that kind is the whole point.
The agent she is worried about has two properties. First, it has unscoped, system-level access, the digital equivalent of root, because that is the fastest way to make a flashy demo work. Second, it sits inside a business whose model is to see everything, so the convergence of autonomous agents, on-device scanning, and ad targeting becomes, in her words, a new architecture of surveillance. The sharpest version of her fear is an operating-system vendor building the agent below the app layer, where no individual app can defend against it.
Strip those two properties out, unscoped access and a watch-everything business model, and most of the nightmare dissolves into an ordinary engineering problem. That is not a loophole. It is the difference between how agents are being marketed and how they can actually be built. Her own list of mitigations gives the game away: she calls for no reckless deployment, opt-in by default, and radical, auditable transparency. Those are not the demands of someone who thinks the category is impossible. They are a specification for doing it responsibly.
We build agents, and every property Whittaker warns about, we treat as a decision to make on purpose rather than a default to inherit. The same commitments that make our Solon security agents trustworthy are the ones that make a client's everyday assistant safe to install.
Scope the task, not the tool. "An AI assistant" is a vibe. "Triage the support inbox" or "reconcile these two spreadsheets every Monday" is a real, measurable job. A narrow capability surface is a narrow attack surface. We pin one or two workflows and automate those, instead of granting an agent the run of your accounts so it can do everything badly.
Least privilege, read before write. The agent gets the minimum access the task requires and nothing more, and it starts read-only. It does not get your whole Google account because the demo was smoother that way. The access it holds is the only access it can misuse.
Autonomy is earned, not switched on. We place each task on a ladder. At the bottom the agent only advises and a human does everything. One rung up it proposes an action and a person clicks yes. Higher up it acts within written rules. There is a permanent ceiling no task crosses on its own: anything irreversible or outward-facing, sending money, deleting data, anything that reaches a client or the public, stays behind a human. An agent advances a rung only after it has earned the trust, with evidence.
Receipts on everything. Every action the agent takes is logged: what it did, when, and why. That record is both the safety control and the proof of value. Nothing happens silently.
A separate identity and a kill switch. The agent acts as its own service identity, never as your personal login, so its actions are attributable and revocable. One control pulls all of its access immediately.
No surveillance behind it. We do not run an ad business. We do not monetize what the agent sees. The data boundary is explicit, the vendor does not train on it, and for multi-client work each tenant is isolated. The watch-everything incentive that worries Whittaker is simply not present.
Line those up against her triage list and they are the same list. The responsible deployment she is asking the industry to adopt is the deployment we already sell.
Her strongest point is the one an app-layer firm cannot engineer away. If the operating-system vendor itself runs an agent beneath the app, Apple, Microsoft, or Google building it into the platform, no guardrail we put around an app defends against it. We can scope our agent, gate its writes, and log its actions, and the OS agent still sits underneath all of it.
So we will not pretend otherwise. The mitigation there is not clever code, it is platform choice and device governance: keep the agent scoped at the app layer with access you control rather than OS-level god-mode, and for genuinely sensitive work keep it on controlled endpoints rather than whatever consumer agent ships in the operating system. We architect so you do not depend on the OS layer. We cannot out-engineer it from inside an app, and anyone who tells you they can is selling you something.
We are not claiming agents are safe by default. They are not. The default is exactly the unscoped, unsupervised version Whittaker is right to fear.
We are not claiming our way is the fast way. Scoping a workflow, gating every write, logging every action, and earning autonomy a rung at a time is slower than installing a consumer agent and granting it everything. The speed of the reckless version is real. We give it up on purpose, because the bill it defers arrives as a quiet compromise instead of a faster Tuesday.
We are not claiming a tool replaces the discipline. Least privilege, bounded autonomy, audited inputs, and a human between deciding and doing are posture, not a purchase. The agents we set up embody that posture. They do not exempt you from it.
The Signal president is right that an AI agent with system-level access and a surveillance business model quietly destroys the privacy guarantees you rely on, which is precisely why the version worth installing is the opposite one: scoped to a task, least-privilege and read-first, gated on every irreversible action, logged end to end, and run by a firm with no incentive to watch.
If your team is about to hand an AI agent the keys to your inbox, your files, or your customers, that is exactly the conversation we are good at: which task is worth automating, how much autonomy it has earned, what stays behind a human, and where the convenience is worth it versus where it is a liability you cannot yet see. We will tell you on the call where a guardrail is missing and where you do not need us at all.
We do not take every engagement, and we will tell you whether we are the right partner.