Your agent can DROP TABLE, read /etc/passwd, and drain a wallet. By default, nothing stops it.

via Dev.to (Clampd)

AI agents are incredible. They write code, query databases, call APIs, manage infrastructure, and now — thanks to protocols like x402 and AP2 — they can spend money autonomously.

But here's the gap nobody talks about: no framework ships with runtime tool call enforcement. Every major framework — OpenAI, Anthropic, LangChain, Google ADK, MCP — gives agents the ability to call tools. None of them validate what the agent is actually doing with those tools at runtime. The agent decides, the tool executes. That's it.

This means your agent can:

- DROP your database with a single tool call
- Read /etc/passwd via path traversal
- Exfiltrate PII through an outbound API call
- Execute reverse shells via command injection
- Send emails to anyone on your behalf
- Push code to your production repository
- Escalate IAM privileges in your cloud account
- Pay $50,000 to any wallet address on any blockchain

Not because the frameworks are broken. Because runtime enforcement isn't their job — and nobody else is doing it.
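The gap the excerpt describes is a missing policy layer between the model's chosen tool call and the tool itself. The following is an added example, not code from the article or from Clampd, showing what such a runtime gate looks like: a fail-closed check that inspects the tool name and arguments before the handler runs, with one policy per risk named above (destructive SQL, path traversal out of a sandbox, outbound requests to unknown hosts, shell metacharacters, uncapped payments) and an audit record of every decision. Tool names, argument keys, the sandbox root and the allowlists are all assumptions chosen for the demonstration.

```python
"""Runtime policy gate for agent tool calls (illustrative example, not the article's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Any, Callable
from urllib.parse import urlsplit


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class ToolCallGuard:
    """Sits between the model's tool choice and the tool handler.

    Fail-closed by design: a tool with no registered policy is denied,
    and every decision (allowed or not) is appended to `audit` so that
    denied calls can be alerted on rather than silently dropped.
    """
    sandbox_root: str            # assumption: files are confined under this directory
    allowed_hosts: set[str]      # assumption: outbound HTTP host allowlist
    allowed_commands: set[str]   # assumption: shell program allowlist
    allowed_payees: set[str]     # assumption: payment recipient allowlist
    max_payment: float           # assumption: per-call spend cap
    audit: list[dict[str, Any]] = field(default_factory=list)

    def _sql_query(self, args: dict) -> Decision:
        body = args.get("query", "").strip().rstrip(";")
        if ";" in body:
            return Decision(False, "multiple statements are not allowed")
        if re.match(r"\s*(DROP|TRUNCATE|ALTER|GRANT|REVOKE)\b", body, re.I):
            return Decision(False, "schema/privilege statements are blocked")
        if re.match(r"\s*(DELETE|UPDATE)\b", body, re.I) and not re.search(r"\bWHERE\b", body, re.I):
            return Decision(False, "DELETE/UPDATE without WHERE is blocked")
        return Decision(True, "ok")

    def _read_file(self, args: dict) -> Decision:
        root = Path(self.sandbox_root).resolve()
        # `root / "/etc/passwd"` is just "/etc/passwd", and resolve() collapses
        # "../" segments, so both absolute and traversal escapes show up here.
        target = (root / args.get("path", "")).resolve()
        if target != root and root not in target.parents:
            return Decision(False, f"path escapes sandbox: {target}")
        return Decision(True, "ok")

    def _http_request(self, args: dict) -> Decision:
        host = (urlsplit(args.get("url", "")).hostname or "").lower()
        if host not in self.allowed_hosts:
            return Decision(False, f"host not on allowlist: {host!r}")
        return Decision(True, "ok")

    def _run_shell(self, args: dict) -> Decision:
        cmd = args.get("command", "")
        if re.search(r"[;&|`$><\n]", cmd):
            return Decision(False, "shell metacharacters are not allowed")
        tokens = cmd.split()
        program = tokens[0] if tokens else ""
        if program not in self.allowed_commands:
            return Decision(False, f"command not on allowlist: {program!r}")
        return Decision(True, "ok")

    def _pay(self, args: dict) -> Decision:
        amount = float(args.get("amount", 0))
        if amount <= 0 or amount > self.max_payment:
            return Decision(False, f"amount {amount} outside cap {self.max_payment}")
        if args.get("to") not in self.allowed_payees:
            return Decision(False, "payee not on allowlist")
        return Decision(True, "ok")

    def check(self, tool: str, args: dict) -> Decision:
        policies: dict[str, Callable[[dict], Decision]] = {
            "sql_query": self._sql_query,
            "read_file": self._read_file,
            "http_request": self._http_request,
            "run_shell": self._run_shell,
            "pay": self._pay,
        }
        policy = policies.get(tool)
        decision = policy(args) if policy else Decision(False, f"no policy for tool {tool!r}")
        self.audit.append({"tool": tool, "args": args, "allowed": decision.allowed, "reason": decision.reason})
        return decision

    def execute(self, tool: str, args: dict, handler: Callable[..., Any]) -> Any:
        """Run `handler` only if the call passes policy; otherwise raise."""
        decision = self.check(tool, args)
        if not decision.allowed:
            raise PermissionError(f"{tool}: {decision.reason}")
        return handler(**args)


def build_guard() -> ToolCallGuard:
    """A guard with constructed allowlists for the demonstration."""
    return ToolCallGuard(
        sandbox_root="/srv/agent/workspace",
        allowed_hosts={"api.example.com"},
        allowed_commands={"ls", "cat", "git"},
        allowed_payees={"acct-payroll"},
        max_payment=100.0,
    )


if __name__ == "__main__":
    guard = build_guard()
    for tool, args in [
        ("sql_query", {"query": "DROP TABLE users"}),
        ("read_file", {"path": "../../etc/passwd"}),
        ("pay", {"amount": 50000, "to": "unknown-wallet"}),
        ("sql_query", {"query": "SELECT * FROM users WHERE id = 1"}),
    ]:
        d = guard.check(tool, args)
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {tool:13} {d.reason}")
```

The point of `execute` is that the handler is never reachable except through the gate; the framework's tool registry would call `guard.execute` instead of the raw handler. The audit list is what a detection pipeline would consume: a burst of denied `read_file` or `pay` calls from one session is a signal worth alerting on even though nothing was executed.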

Continue reading on Dev.to
