Hardware Is Back: The $349 Device That Wants to Be the Lock Between AI Agents and the Real World

AI agents can now wire money, deploy code, and move data at machine speed. The button that authorizes any of it is usually a phone notification or a browser prompt running on the same machine as the agent — which means a compromised agent can approve its own actions. Foundation Devices has a different answer: a $349 dedicated device with its own screen, processor, and operating system, designed to sit between an AI agent and the consequences of its decisions.

Passport Prime is what Foundation calls "the world's first Human Authority Hardware" Foundation product page. It is a Bitcoin hardware wallet, FIDO security key (the kind of hardware token that replaces a password with something you carry), 2FA storage, and 50 gigabytes of encrypted file space in one device Foundation product page. It ships today. The company raised $6.4 million to build it, led by Fulgur Ventures, bringing total funding to $16.5 million Globe Newswire press release.

That is the product. The interesting story is the one Foundation CEO Zach Herbert told without quite saying it directly: "Every era has its key management problem. For Bitcoin it was self-custody. For the agentic era it is who actually authorizes the decisions an AI agent takes on someone's behalf" Globe Newswire press release.

He is right that there is a problem. IBM and Salesforce estimate that over one billion AI agents will be in operation worldwide by the end of 2026. The global agentic AI market reached $7.6 billion in 2025 and is projected to grow at over 40 percent annually through 2034 Ledger blog. These agents can spend money, deploy code, access systems, and move data at machine speed. The authorization layer for all of that — the thing that answers did a human actually approve this — is currently a browser prompt, a phone notification, or a policy engine running on the same machine as the agent. None of that is satisfying when the action is wiring $50,000 or deploying to production.

When an agent wants to do something consequential on Passport Prime, the request surfaces on the device's display. The human approves through a confirmation prompt on hardware isolated from the host device's operating system — an app cannot spoof the system prompt, and sensitive operations like seed retrieval require the KeyOS-controlled UI to intermediate KeyOS security model. The action then executes.

This is not a new idea. Ledger has been making the same argument for crypto custody for years, and its agents-propose-humans-sign framework, as Ledger chief human agency officer Ian Rogers describes it, maps directly onto what Foundation is building Ledger blog. What Ledger has that Foundation does not is existing enterprise customers: its Ledger Enterprise Trade product is already being used by at least one quant fund to require human sign-off on AI-initiated crypto transfers, giving it real deployment data and a proof-of-concept for the governance stack. Yubico FIDO keys already serve a similar function for login across millions of users, and a firmware update could extend that pattern to agent authorization — Yubico has the manufacturing scale and existing enterprise relationships that Foundation lacks. The IETF has an active working draft on workload identity for AI agents, authored by Huawei researchers, that describes hardware-signed authorization requests as a core requirement IETF Internet-Draft. Every serious security practitioner who has looked at the agentic AI stack has reached the same conclusion: software-only authorization is not the answer when the software itself is the attack surface.

What is new is the framing. For two decades, the conventional wisdom in tech was that software ate everything and hardware was a commodity — a board to hold the chips that ran other people's code. The companies that mattered were the ones writing the software. Foundation's pitch inverts that. It positions the hardware device not as infrastructure but as governance: the point of last resort between an autonomous system and the consequences of its actions.

That positioning matters more than the $6.4 million. The real question is whether the rest of the hardware industry agrees. NVIDIA, Intel, Qualcomm, and the major chipmakers have spent thirty years watching software companies capture the value in computing. If AI agents require a mandatory hardware authorization step before they can spend money or touch production systems, the chipmakers become unavoidable infrastructure partners — not just component suppliers. Every AI agent stack that wants enterprise customers will need an answer to the same question Foundation is trying to own: who approves this, and on what hardware?

That is the bet. It is not a bet on Passport Prime specifically — $349 is niche, Ledger is bigger and already has enterprise deployments, Yubico has existing FIDO infrastructure that could serve the same function with a firmware update. The KeyOS SDK is in public beta and the AI agent authorization flow is not yet publicly documented; what Foundation is selling today is a Bitcoin wallet and FIDO key that could, in principle, serve as that authorization layer. Whether it will actually become the standard or remain a niche product for crypto-native shops is the open question.

Passport Prime is the opening move. The response from the chipmakers will determine whether this stays a niche or becomes infrastructure.