Open problems we are funding the work to solve.

Today's mainstream agent platforms — LangChain agent loops, OpenAI Assistants, the various GPT-Action-style tool-calling frameworks — share a runtime across customers. Tools, code execution, and tenant credentials co-exist in the same process or container. This works because the customer is typically a single engineering team that owns the deployment.

For a multi-tenant platform serving thousands of small businesses, the same architecture creates an unbounded compromise blast radius. A single prompt-injection vulnerability, a single credential exfiltration through an agent's tool call, or a single sandbox escape becomes a cross-tenant incident. The 2025 Replit and Cursor MCP incidents — where adversarial inputs reached privileged tool calls in shared runtimes — are early proofs of concept.

The known robust answer is hardware-backed per-tenant isolation: each tenant's agent runs in its own VM. AWS Lambda demonstrates that this is operationally feasible at scale using Firecracker MicroVMs. But Lambda is a stateless function platform; an agent is stateful, and pricing the stateful per-tenant case at SMB unit economics ($0.001–$0.01 per agent action) is unsolved.

A stateful agent runtime is not a function invocation. It carries:

• multi-megabyte conversation history and tool-call traces
• dynamically loaded skill bundles (each one a chunk of code)
• live credential leases for the customer's connected services (Stripe, Twilio, GHL)
• in-flight retry state for partially completed actions

Cold-starting that into a fresh Firecracker microVM today takes 2–4 seconds and several hundred milliseconds of CPU work. For a real-time voice receptionist, the latency budget is ≤ 700ms end-to-end. For an SMS reply agent invoked from a webhook, the cost-per-invocation must stay below half a cent for the business model to hold. Closing both gaps simultaneously — sub-second stateful cold-start, sub-cent per-task — is the research target.

Three combined techniques:

1. Snapshot-restore with delta-only state hydration. The per-tenant microVM image is restored from an immutable base snapshot and a small per-action delta is rehydrated from a tenant-scoped object store.
2. Capability-scoped credential brokering. The agent runtime never holds long-lived customer credentials. It requests a short-lived (≤5 minute) action-scoped delegation from a separate credential broker, eliminating credential persistence inside the agent context.
3. Predictive warm pools. Vertical-specific call patterns (an HVAC business gets a phone call burst at 7–9am Mountain Time) drive a scheduler that pre-warms microVMs against forecasted demand windows.

A measured cold-start latency distribution across 1,000 stateful microVM restorations, with target p95 < 800 ms and per-invocation cost < $0.005, on a representative SMB workload trace.

In an enterprise deployment, the AI safety story relies on engineers reviewing logs, on SOC 2 controls maintained by a security team, and on a CISO who can read CloudTrail. None of those exist at a 5-person HVAC business. The customer is the owner-operator. They cannot read JSON logs and they cannot interpret an audit trail expressed in IAM events.

The trustworthy-AI subproblem here is: how do you give a non-technical operator the ability to verify, in plain English, what the agent did on their behalf, and the ability to reverse it if it was wrong, without giving up the autonomy that makes the product valuable in the first place.

Three constraints fight each other. First, the audit must be tamper-evident: a malicious agent or a compromised process must not be able to retroactively edit its own history. Second, the audit must be replayable: an operator must be able to ask "what would have happened if I had said no to that action three hours ago" and get a deterministic answer. Third, the surface must be readable by someone who has never seen a log line, which means the underlying record cannot be a verbose machine log — it has to be a structured, semantically rich event that renders into prose.

These constraints separately are well-studied. Tamper-evidence is solved by hash-chained logs (Merkle trees, certificate transparency). Replayability is solved by deterministic event-sourcing. Plain-English rendering is solved by templated event-to-prose generators. The combination — particularly the constraint that the LLM-generated prose cannot be the source of truth and must be derivable from the structured record — is unsolved at the SMB-platform layer.

Cryptographically chained per-action event records, where each agent action emits a structured event with: (a) the agent's identity, (b) the input state hash, (c) the tool call's signed parameters, (d) the external resource ID, (e) the prior event's hash. The chain is anchored periodically to an immutable store. Operator-facing prose is rendered deterministically from the structured event by a small templated generator — the LLM is notin the audit path, eliminating hallucination as a class of audit failure.

A reference implementation of the audit chain integrated with our existing AgentCore-based runtime, plus a usability study with 12 SMB owner-operators measuring whether they can correctly identify a planted erroneous agent action from the operator-facing audit view. Target: ≥ 80% identification rate at the first reading.