Introducing Mandates
Deterministic AI safety for crypto, and much more
Part I: what are mandates?
Mandates in the real world
When you deposit money at the bank, as a retail customer, you expect the bank to be relatively careful with it. In fact, your contract with the bank (and the country’s laws) determine the rules behind how the bank can manage your money, so it doesn’t go broke.
For example, you do not expect your savings account to be invested in volatile South Sudan startups or the latest memecoin.
In fund management, you have investment mandates that can be more or less explicit about what the fund is supposed to be doing. For example:
VOO, the Vanguard S&P 500 ETF, invests “in stocks in the S&P 500 Index, representing 500 of the largest U.S. companies”.
A venture capital fund like G1 Ventures will “invest globally around Seed stage in future protocols and web3 companies”.
Hellman & Friedman describes their approach as “making a limited number of large-scale private equity-related investments in high quality, growing businesses in the developed markets”.
A more esoteric “mandate” came to us from a software engineer from one of the auto companies:
“When the self-driving algorithm was trained[...], it eventually learned that hitting pedestrians was safer for the car and the driver than hitting the guardrails (or other traffic). Good luck curating your training dataset to mitigate that one.
Much easier to give it a mandate “whatever you do, don’t hurt humans”.”
Mandates in crypto
Replace Vanguard with a ChatGPT-powered crypto index fund. ChatGPT manages your money for you now (maybe in 6 months, you’ll send it to Deepseek).
You do not want ChatGPT to invest in crazy stuff, so you install some rules on your money: no scam coins, only stuff above a certain size, etc.
You might even want to define those rules further, such as no more than 50% of the stablecoin portion of the portfolio should be invested in a single stablecoin.
These rules are mandates, and mandates are native to the Saline Network.
Mandates are not intents
In our conversations over the last year with hundreds of companies and funds, we think that “intent” has come to mean a short-lived instruction targeted at a specific outcome. For example, Cowswap uses intents as an alternative backend to automated market makers as used by Uniswap-like DEXes.
A limit order is a great illustration of a pure intent being written with an action or set of actions in mind: a trade will occur if the price is reached within the timespan of the intent.
Mandates, on the other hand, are designed to stay alive for as long as the portfolio exists. It would be a shame if the first trade by your index fund deleted all the rules that keep it in check!
Mandates are also designed as safeguards, defining the allowed space of play, rather than explicitly defining the end space where transactions should end. They protect many unrelated transactions occurring over a long period of time.
[NB: Mandates can be seen as built using Saline intents, which are more powerful and fuller featured than the industry standard intents, as previously described on this blog.]
Mandates are not policies
Policies like address whitelisting offered by wallets like Fireblocks or the pre-transaction logic offered by Predicate look similar to mandates.
However, the first type of policy is a custom feature of an app, requiring months of development work, testing and expensive audits to be released, and integrated with that app.
The second type of policy simply outsources that work. It allows thousands of companies to use and standardise a particular type of policy - and Predicate has certainly been successful in that respect. However, whilst your company no longer shoulders the cost of developing policies, these retain the same limitations whilst introducing an external dependency in your stack.
All types of policies assume a wallet-centric point of view, where assets are “owned” and controlled by one entity (human, corporate or agent). In contrast, mandates are asset-centric: you install logic directly onto the assets, and can then allow as many entities as you wish to use these assets.
For example, a million AI agents can fight to be the most profitable trader using a single asset address with the rules installed on it, much like Deepmind’s Alphastar AI agents played millions of games against each other, until one evolved to be sufficiently strong to beat the top human player. The most profitable suggested sets of transactions will be accepted and reward their agent with survival and more asset allocation.
In such a use case, you’d want to limit what agents can do to “beat the system” such as investing in highly volatile coins (just as the classic way to win trading competitions is to bet the farm on pink stocks and hope results are measured on a bull day). You’d also want to be able to edit the rules quickly once you spot agents finding new cracks in the system. Finally, mandates allow you to add or remove access to the assets without modifying the agent code itself.
Mandates are protocol-level, on-chain, baked-into-the-assets and immutable, and compared to policies, vastly much more powerful and faster and easier to create, edit and deploy.
Part II: Mandates On Saline
The Saline blockchain is uniquely positioned to assist in the security of the financial DeFi ecosystem and the rise of autonomous AI agents.
Thanks to the recent breakthroughs in AI development and in particular the rapid and ever expanding capabilities of LLM agents, crypto trading is on the dawn of a massive shift. We expect to see a rapid growth of (at least partially) autonomous AI agents taking part in crypto trading, following human-given directions and guidelines.
One of the major challenges that comes with it is to secure the financial assets from errors, mistakes and the so-called ‘hallucinations’ that LLMs in particular are subject to. A mistake when it comes to financial trading is something one can rarely come back from ; and as such great care must be taken to ensure those AI agents follow rules, guidelines and respect the limits we impose on them.
And this is where the Saline network is by far the best ecosystem to rely on.
The traditional way to go about implementing such protections would be to audit the code of the trading bots, when possible ; look at every corner case, attempt to build proofs that a given mistake or mis-trade cannot happen. This is extremely heavy and cumbersome work when it is even possible. When it comes to LLMs, those massive neural networks rely on billions of weights (so called ‘parameters’) that collectively form the behavior that we observe today, but those are absolutely impossible to audit, understand or even make sense of individually.
Any attempt at providing any proof or guarantee of anything is void in such a context.
Not unlike when caring for a child, when one cannot secure or guarantee the behaviour of the agent itself, one must secure the environment. And this is exactly what Saline and its first-class intent system allows for.
Instead of hoping to embed protections, forbid or make some behaviors mandatory within the code of the AI agent itself, Saline allows you to express those directly in the environment, i.e. directly inside (and secured by) the blockchain protocol itself.
In other words, the rules you want the AI agent to obey are now part of the blockchain itself ; in such a way that nothing (whether it is intentional human behavior, a mistake in the AI, a hallucination or even a sabotage) can make transactions or actions that you forbid happen. This would violate blockchain rules and thus be rejected by the consensus.
By attaching logic boolean predicates directly to the assets themselves (and by
committing to this by publishing it on-chain), those assets obey rules that are above the reach of any agent, bot or trading algorithm, however good or defective it may be.
With Saline, you first secure the environment by crafting rules (intents) and attaching them to your assets, and then when you deploy your AI agents, you have the guarantee that by letting them lose, they cannot go against those predicates. This is what we call ‘AI guardrails’ or ‘AI mandates’.
A (trivial) example: if, for some reason, you do not want to deal with a certain token $TKN (because your country rules doesn’t allow it, or you don’t trust it, or you think this supports actions that are contrary to your belief, etc.), then being completely secured against any action involving $TKN is as simple as installing an intent that forbids holding or dealing with $TKN.
When that intent is installed, no AI agent (or anyone for that matter) can mistakenly (or not) cause you to ever hold $TKN. You do not have to look into the agent’s code, or audit it, or make millions of simulations to ensure that it won’t try to trade it ; it is okay to let it try, the blockchain consensus protocol itself will reject the transaction, and no $TKN will be ever held into your account ; until your explicitly allows it.
Even more arbitrarily complex behavior can be derived from this.
Saline makes the immense task of ensuring funds security against malicious or defective agents action trivial by shifting the place where the security holds: thanks to the rules being attached to the assets themselves, it means you’re totally free to experiment, try, update, switch agents, language, technology and strategy without ever worrying about the boundaries ; those are set externally and explicitly.
Building AI Agents with Saline Mandates
Saline is built differently. Unlike traditional smart contract platforms that require execution environments, VMs, TEEs, or proof-of-execution systems, Saline is purely declarative. That means no heavy infra, no computational bottlenecks, no constraints on execution logic.
For AI agent builders, this means maximum flexibility.
You can build your AI agent however you want, using DeepSeek, Ollama, ChatGPT, a custom model—fine. Want to use Llama, LangChain, AutoGPT? Python, Go, even Haskell? That’s entirely up to you. Saline doesn’t interfere.
Your AI can ingest any training data, real-time API feeds, or complex on-chain/off-chain signals to make its decisions. When it’s ready to interact with a user’s assets, all it needs to do is submit a transaction.
The only rule? The transaction must comply with the user’s on-chain Mandate. If it does, it goes through. If not, it gets rejected—zero exceptions, zero vulnerabilities.
Example: AI S**tcoin Trader
Let’s say a user wants an AI bot that trades low-market-cap tokens on Solana but only through a specific trusted agent.
The user sets a Saline Mandate attached to their address:
Saline Mandate:
FROM: ME AMOUNT: 10,000 ASSETS: USDC TO: X-Agent CONDITIONS: - Chain: Solana - MarketCap: <10,000,000 - Amount: <10,000 USDC
This can be set using our drag-and-drop editor or using a pre-built mandate from our marketplace.
This on-chain mandate ensures:
The AI bot can only trade on Solana.
It only trades coins with a market cap < $10M.
It only interacts with X-Agent, no one else.
Now, any AI agent can try submitting transactions to this address. But only X-Agent’s proposal will execute ,if and only if it follows the user’s rules.
For an AI agent builder, integrating this is trivial. Just format transactions output to match the user’s Mandate using our Saline SDK (Python support at launch). That’s it. No auditing, no security nightmares, no backdoors.
AI Agent builder could also create their own interface on top of the Saline Intent and showcase this on Saline Marketplace for user to quickly install this to their assets or simply just utilsiing saline in the backend as a way to safeguard users assets.
This concludes our introduction to mandates. Stay tuned for examples of projects that will partner with Saline to enhance what they can offer their customers.