BITCOIN

Foundation bets hardware sandboxes can contain AI threats

Saturday, May 16, 2026 · from 2 podcasts, 3 episodes

Foundation’s Passport Prime moves beyond Bitcoin to become a universal security device for passwords, 2FA, and digital identity.
It uses a 9,000-line microkernel OS to sandbox apps, arguing legacy operating systems cannot safely run AI agents.
The company rejects biometric IDs and closed ecosystems, pitching open hardware as the defense against AI-powered fraud.

Hardware wallet makers are no longer just selling Bitcoin safes. They are building the personal security platforms they claim are essential for the AI era, arguing current digital identity and computer security are fundamentally broken.

Zach Herbert of Foundation Devices says the approval buttons in modern AI agents are theater. On TFTC, he argued that once an agent like Claude has your AWS keys, any request for permission is a software-side choice, not a hard barrier. If the model is subverted, those guardrails vanish, creating massive risk. His solution is to rebuild the operating system from scratch.

“We are running hyper-intelligent agents inside the same monolithic operating systems that manage our keyboards and screens.”
- Zach Herbert, TFTC: A Bitcoin Podcast

Foundation’s answer is KOS, a microkernel OS written in Rust with a core under 9,000 lines. This architecture uses message passing to force containment, isolating every driver and app. It’s a direct critique of bloated, 30-million-line kernels like Linux’s, which Herbert says cannot distinguish between a human moving a mouse and an AI agent taking control.

This technical pivot enables a business one. Foundation is positioning its Passport Prime as an open alternative to Ledger’s walled garden. By using a security processor with a Memory Management Unit, KOS can isolate third-party apps at the hardware level, giving developers like Cake Wallet a hardened child key instead of master seed access. The goal is a Swiss Army knife for security that handles Nostr keys, FIDO authentication, and file encryption alongside Bitcoin.

The urgency for this shift is underscored by what Gerald Glickman, also on TFTC, calls an identity security collapse. He notes at least 3,000 Americans become victims of identity theft every hour, a rate he calls unacceptable, accelerated by AI deepfakes. He warns that biometric projects like WorldCoin create permanent honeypots - you cannot change your iris.

“You cannot change your iris or your fingerprint. Once a biometric database leaks... the victim is compromised forever.”
- Gerald Glickman, TFTC: A Bitcoin Podcast

Both voices converge on a shared threat model: legacy systems are obsolete, and centralized, trackable identity is a trap. Foundation’s bet is that the market will embrace a dedicated, open hardware device that applies Bitcoin’s principles of explicit human approval and trusted hardware to secure a user’s entire digital life, not just their coins. The window to define this architecture, Glickman warns, may only be open for another year or two.

Custody AI Infrastructure Startups Payments

Ledger Worldcoin Bitcoin Cake Wallet Claude

Source Intelligence

- Deep dive into what was said in the episodes

Bitcoin Takeover Podcast

S17 E24: Zach Herbert on AI & Hardware Wallets • May 15

Zach Herbert says Foundation’s operating system Kiosk uses a 9000-line microkernel for granular app sandboxing, isolating each app's memory and requiring kernel permission for actions like camera access.
Herbert explains Passport Prime's Magic Backup uses Shamir secret sharing split into three parts: two stored on NFC keycards, one encrypted in Envoy app via iCloud Keychain.
Herbert estimates the total hardware wallet market outside China is around 10-15 million devices sold, with Ledger holding roughly 90% of that market.
Passport Prime includes 50GB of encrypted storage usable as a flash drive and functions as a security key for FIDO authentication via USB or NFC, with automatic backup.
Herbert criticizes Ledger's newer E Ink devices like Stax and Flex for lacking haptic feedback and being manufactured by Foxconn in Vietnam instead of France.
Foundation assembles Passport Prime in the USA using industrial-grade components, a point Herbert contrasts with Ledger's shift to Foxconn production.
Herbert sees Passport Prime as a personal security platform beyond hardware wallets, aiming to consolidate YubiKey functions, 2FA codes, encrypted storage, and password management.
Herbert argues duress PIN modes are ineffective against educated attackers, recommending passphrases for plausible deniability instead.
Cake Wallet has over 750,000 downloads and is building the first third-party app for Kiosk, allowing users to bring their UI and brand onto Passport Prime.
Passport Prime's active tamper circuit wipes the seed if the device is opened, subjected to liquid nitrogen, or loses power, protecting against physical attacks.
Herbert praises Trezor Safe 7 and BitKey for improving their designs with screens and privacy fixes, but critiques most other hardware wallets as subpar.
Foundation's NFC keycards offer better data retention than SD cards, quoted at 25 years, addressing longevity concerns for backup storage.
Herbert envisions AI integration where Passport Prime reviews and approves critical actions like financial transactions, storing credentials securely off phones and computers.

Also from this episode: (2)

Protocol (2)

Foundation's app store requires all apps be open source and reproducible, with the CLI allowing developers to build and release apps that run in a sandbox with hardened child seeds.
The Quantum Link protocol uses post-quantum encryption MLKEM over Bluetooth for firmware updates and connections, with a V2 update switching to AES-256 for faster streaming.

Startups Digital Sovereignty

TFTC: A Bitcoin Podcast

Marty Bent

#745: The AI Approval Layer Is Fake with Zach Herbert • May 13

Herbert argues the common Bitcoin-AI intersection narrative - Lightning for machine-to-machine payments - is a 15-year-old concept from projects like 21.co's Balaji machine-payable web.
Foundation's Passport Prime runs on a custom microkernel operating system called KOS, with a kernel under 9,000 lines of code written in Rust, designed for minimal attack surface and app sandboxing.
Herbert criticizes Ledger for dominating 90% of the hardware wallet market with a legacy platform built on 30-year-old smart card/Java Card technology, forcing a closed, app-reviewed ecosystem.
KOS sandboxes third-party apps via a message-passing microkernel, memory isolation using an MMU, and grants apps only hardened derived child keys - never the master seed.
Herbert says Foundation will release an SDK and a developer mode for Passport Prime with an MCP server, allowing AI models to autonomously test apps on the real hardware.
Herbert highlights potential KOS app use cases: Nostr signers, password managers, computer login locks, enterprise custody solutions, and storing AI tool credentials securely.
Herbert argues enterprise Bitcoin custody is critically vulnerable, relying on outdated HSMs, internal iPhone apps, or locked-down Linux PCs - all using the same insecure legacy tech available to anyone.
Herbert warns that AI models like Claude's Mythos will likely expose zero-day vulnerabilities in massive codebases like the Linux kernel or Chromium weekly, making current operating systems untenable for security.

Also from this episode: (6)

Protocol (2)

Zach Herbert advocates for Bitcoin as the ultimate winner in a global currency war where central banks are devaluing fiat currencies.
Marty Bent observes that Bitcoiners have a unique, low-time-preference perspective on security and institutional trust, which is essential for guiding the AI industry away from its current growth-over-security trajectory.

AI & Tech (4)

Zach Herbert says Foundation's AI integration has accelerated their development pace significantly, though AI models still struggle with low-level firmware and driver code.
Herbert says Foundation's core mission is applying Bitcoin principles of explicit human approval and trusted hardware to secure AI, not just enable AI payments.
Herbert identifies a security crisis in current AI: the approval layer is fake because models ask for permission to perform actions they already have the full technical capability to execute, creating massive risk.
Herbert blames legacy operating systems like Mac OS, Windows, and Linux, built on 30-year-old Unix code with massive attack surfaces, for being unable to distinguish between human and AI agent actions.

AI Infrastructure Startups Privacy Adoption Digital Sovereignty

#744: Your Face Is Not A Password with Gerald Glickman • May 11

Key loss is a major friction point. Solutions include key pre-rotation protocols like KERI and collaborative custody models familiar to Bitcoiners. Glickman stresses the need for deliberate, context-dependent recovery mechanisms.
Glickman believes the architectural choices made in the next 1-2 years will lock in the system for a generation. He cites accelerating state rollouts of digital driver's licenses and age verification laws as evidence of this narrow window.

Also from this episode: (11)

Digital Sovereignty (5)

Gerald Glickman argues the US digital identity model is fundamentally broken because it uses compromised public identifiers like Social Security numbers as secret authenticators, equivalent to using your home address as your front door key.
Glickman advocates for a credential system where states issue verifiable credentials bound to a user's DIDs. This allows credential revocation (e.g., a driver's license) without destroying the user's foundational identity, giving control back to the individual.
Marty Bent notes age verification laws, like the Senate Judiciary Committee's 22-0 vote on the GUARD Act, are a common Trojan horse for imposing centralized digital identity systems under the framing of protecting children.
Glickman rejects Worldcoin's model of using biometrics as identifiers, though he approves of local device authentication like iPhone's Secure Enclave. The fight is for open systems against closed-garden solutions pushed by big tech lobbying.
The call to action is to engage now: examine your state's mobile driver's license implementation, support open standards work at W3C or Trust over IP, and advocate for policies like Utah's SETI that embed privacy and individual control.

AI & Tech (3)

The rise of AI and LLMs has drastically accelerated identity fraud, collapsing the half-life of new security controls. Glickman notes at least 3000 Americans become victims of identity theft every hour, a rate he calls unacceptable.
Zero-knowledge proofs and selective disclosure enable privacy-preserving verification. A user can prove they are over 21 without revealing their birthdate, or prove they own a red hat without handing over the entire credential.
The ideal credential flow involves an issuer crafting a signed credential bound to a public key, allowing the holder to generate a one-time, non-replayable ZK proof for a verifier. No personal information is stored or transmitted.

China (1)

Glickman warns against using biometrics like face or fingerprints as identifiers, as they are irrevocable and will be compromised. He points to China's social credit system as a real-world example of authoritarian control enabled by such systems.

Coding (1)

The proposed solution is using cryptography and open standards for decentralized identifiers (DIDs). This allows for cryptographic proof of authorship via digital signatures, shifting from probabilistic inference to mathematical certainty.

Protocol (1)

The current identity verification industry has misaligned incentives, as its business model depends on charging per verification. Glickman argues states and open standards bodies must lead, as seen with Utah's SETI legislation which includes a digital identity bill of rights.

Agents Privacy Digital Sovereignty Regulation

Source Intelligence

- Deep dive into what was said in the episodes

Bitcoin Takeover Podcast

S17 E24: Zach Herbert on AI & Hardware Wallets • May 15

Zach Herbert says Foundation’s operating system Kiosk uses a 9000-line microkernel for granular app sandboxing, isolating each app's memory and requiring kernel permission for actions like camera access.
Herbert explains Passport Prime's Magic Backup uses Shamir secret sharing split into three parts: two stored on NFC keycards, one encrypted in Envoy app via iCloud Keychain.
Herbert estimates the total hardware wallet market outside China is around 10-15 million devices sold, with Ledger holding roughly 90% of that market.
Passport Prime includes 50GB of encrypted storage usable as a flash drive and functions as a security key for FIDO authentication via USB or NFC, with automatic backup.
Herbert criticizes Ledger's newer E Ink devices like Stax and Flex for lacking haptic feedback and being manufactured by Foxconn in Vietnam instead of France.
Foundation assembles Passport Prime in the USA using industrial-grade components, a point Herbert contrasts with Ledger's shift to Foxconn production.
Herbert sees Passport Prime as a personal security platform beyond hardware wallets, aiming to consolidate YubiKey functions, 2FA codes, encrypted storage, and password management.
Herbert argues duress PIN modes are ineffective against educated attackers, recommending passphrases for plausible deniability instead.
Cake Wallet has over 750,000 downloads and is building the first third-party app for Kiosk, allowing users to bring their UI and brand onto Passport Prime.
Passport Prime's active tamper circuit wipes the seed if the device is opened, subjected to liquid nitrogen, or loses power, protecting against physical attacks.
Herbert praises Trezor Safe 7 and BitKey for improving their designs with screens and privacy fixes, but critiques most other hardware wallets as subpar.
Foundation's NFC keycards offer better data retention than SD cards, quoted at 25 years, addressing longevity concerns for backup storage.
Herbert envisions AI integration where Passport Prime reviews and approves critical actions like financial transactions, storing credentials securely off phones and computers.

Also from this episode: (2)

Protocol (2)

Foundation's app store requires all apps be open source and reproducible, with the CLI allowing developers to build and release apps that run in a sandbox with hardened child seeds.
The Quantum Link protocol uses post-quantum encryption MLKEM over Bluetooth for firmware updates and connections, with a V2 update switching to AES-256 for faster streaming.

Startups Digital Sovereignty

TFTC: A Bitcoin Podcast

Marty Bent

#745: The AI Approval Layer Is Fake with Zach Herbert • May 13

Herbert argues the common Bitcoin-AI intersection narrative - Lightning for machine-to-machine payments - is a 15-year-old concept from projects like 21.co's Balaji machine-payable web.
Foundation's Passport Prime runs on a custom microkernel operating system called KOS, with a kernel under 9,000 lines of code written in Rust, designed for minimal attack surface and app sandboxing.
Herbert criticizes Ledger for dominating 90% of the hardware wallet market with a legacy platform built on 30-year-old smart card/Java Card technology, forcing a closed, app-reviewed ecosystem.
KOS sandboxes third-party apps via a message-passing microkernel, memory isolation using an MMU, and grants apps only hardened derived child keys - never the master seed.
Herbert says Foundation will release an SDK and a developer mode for Passport Prime with an MCP server, allowing AI models to autonomously test apps on the real hardware.
Herbert highlights potential KOS app use cases: Nostr signers, password managers, computer login locks, enterprise custody solutions, and storing AI tool credentials securely.
Herbert argues enterprise Bitcoin custody is critically vulnerable, relying on outdated HSMs, internal iPhone apps, or locked-down Linux PCs - all using the same insecure legacy tech available to anyone.
Herbert warns that AI models like Claude's Mythos will likely expose zero-day vulnerabilities in massive codebases like the Linux kernel or Chromium weekly, making current operating systems untenable for security.

Also from this episode: (6)

Protocol (2)

Zach Herbert advocates for Bitcoin as the ultimate winner in a global currency war where central banks are devaluing fiat currencies.
Marty Bent observes that Bitcoiners have a unique, low-time-preference perspective on security and institutional trust, which is essential for guiding the AI industry away from its current growth-over-security trajectory.

AI & Tech (4)

Zach Herbert says Foundation's AI integration has accelerated their development pace significantly, though AI models still struggle with low-level firmware and driver code.
Herbert says Foundation's core mission is applying Bitcoin principles of explicit human approval and trusted hardware to secure AI, not just enable AI payments.
Herbert identifies a security crisis in current AI: the approval layer is fake because models ask for permission to perform actions they already have the full technical capability to execute, creating massive risk.
Herbert blames legacy operating systems like Mac OS, Windows, and Linux, built on 30-year-old Unix code with massive attack surfaces, for being unable to distinguish between human and AI agent actions.

AI Infrastructure Startups Privacy Adoption Digital Sovereignty

#744: Your Face Is Not A Password with Gerald Glickman • May 11

Key loss is a major friction point. Solutions include key pre-rotation protocols like KERI and collaborative custody models familiar to Bitcoiners. Glickman stresses the need for deliberate, context-dependent recovery mechanisms.
Glickman believes the architectural choices made in the next 1-2 years will lock in the system for a generation. He cites accelerating state rollouts of digital driver's licenses and age verification laws as evidence of this narrow window.

Also from this episode: (11)

Digital Sovereignty (5)

Gerald Glickman argues the US digital identity model is fundamentally broken because it uses compromised public identifiers like Social Security numbers as secret authenticators, equivalent to using your home address as your front door key.
Glickman advocates for a credential system where states issue verifiable credentials bound to a user's DIDs. This allows credential revocation (e.g., a driver's license) without destroying the user's foundational identity, giving control back to the individual.
Marty Bent notes age verification laws, like the Senate Judiciary Committee's 22-0 vote on the GUARD Act, are a common Trojan horse for imposing centralized digital identity systems under the framing of protecting children.
Glickman rejects Worldcoin's model of using biometrics as identifiers, though he approves of local device authentication like iPhone's Secure Enclave. The fight is for open systems against closed-garden solutions pushed by big tech lobbying.
The call to action is to engage now: examine your state's mobile driver's license implementation, support open standards work at W3C or Trust over IP, and advocate for policies like Utah's SETI that embed privacy and individual control.

AI & Tech (3)

The rise of AI and LLMs has drastically accelerated identity fraud, collapsing the half-life of new security controls. Glickman notes at least 3000 Americans become victims of identity theft every hour, a rate he calls unacceptable.
Zero-knowledge proofs and selective disclosure enable privacy-preserving verification. A user can prove they are over 21 without revealing their birthdate, or prove they own a red hat without handing over the entire credential.
The ideal credential flow involves an issuer crafting a signed credential bound to a public key, allowing the holder to generate a one-time, non-replayable ZK proof for a verifier. No personal information is stored or transmitted.

China (1)

Glickman warns against using biometrics like face or fingerprints as identifiers, as they are irrevocable and will be compromised. He points to China's social credit system as a real-world example of authoritarian control enabled by such systems.

Coding (1)

The proposed solution is using cryptography and open standards for decentralized identifiers (DIDs). This allows for cryptographic proof of authorship via digital signatures, shifting from probabilistic inference to mathematical certainty.

Protocol (1)

The current identity verification industry has misaligned incentives, as its business model depends on charging per verification. Glickman argues states and open standards bodies must lead, as seen with Utah's SETI legislation which includes a digital identity bill of rights.

Agents Privacy Digital Sovereignty Regulation

Foundation bets hardware sandboxes can contain AI threats

Source Intelligence

Related Stories

Foundation bets hardware sandboxes can contain AI threats

Source Intelligence

Related Stories