Six institutional configurations — role-based spend tiers, M-of-N board approval, AI agent sub-accounts, RWA loan escrow, and compliance-gated withdrawals. Institutional control without institutional infrastructure.
§ 01 — The premise
On Ethereum, any security above a single key requires deploying a Safe or Argent wallet — a separate audit surface, gas overhead, and composability friction. On Radix, compound access rules, role-based badges, epoch-conditional logic, and oracle assertions are native to the account component.
For regulated use cases — RWA lending, compliance-gated asset pools, institutional custody — this matters enormously. A KYC NFT that can be revoked by its issuer to immediately block withdrawals is not a layer on top of the protocol. It is the protocol. The distinction between a useful feature and a structural advantage starts here.
Thesis connection
The RWA loan escrow and compliance-gated configurations on this page are the patterns most directly relevant to SRWA and Ploughshare's on-chain loan origination work. The AI agent sub-account configuration is the pattern demonstrated in the Radix Autonomous Bounty — an agent that pays XRD with no human in the signing path, but with Engine-enforced caps and instant human revocation.
§ 02 — Configuration explorer
The animation below cycles through each configuration automatically. Open fullscreen and screen-record for a clean video.
Radix Wallet Security
Six configurations — role-based controls to regulated compliance
Field Notes on Radix
Role-based controls, institutional patterns
§ 03 — The configurations
Three non-fungible badges issued: Staff, Manager, CFO. The treasury component has three withdrawal rules, each checking for the relevant badge and enforcing a cap. Staff up to 500 XRD per day; managers up to 5,000; CFO unlimited. ROLA ties each badge to a named identity for audit. Badges are revocable by the issuer component.
An account component requires require(M proofs from board_badge_set). Transaction Manifest V2 lets the initiator aggregate proofs from multiple signers via subintents — each board member countersigns their subintent independently without seeing the full transaction until aggregation. All M or none: atomic at the Engine level.
A grant component holds the disbursement. The recipient's badge allows withdrawal only within epoch_start ≤ current ≤ epoch_end, up to the cap. A sweep manifest returns unspent funds to the treasury after epoch_end. The originator holds a view proof — they can inspect spend without touching funds. Scrypto component required.
The pattern used in the Radix Autonomous Bounty: an agent is issued a session badge valid for one workflow. The manifest includes an AssertWorktopContains assertion capping what can leave. The human operator can revoke the badge at any point, immediately invalidating any future manifests the agent attempts to submit. The agent signs manifests; the Engine enforces the cap atomically. No human in the signing path.
Three parties hold badges: the originator (e.g. Ploughshare/SRWA), the borrower, and a verifier. Funds sit in an escrow component. Release requires the oracle to assert a delivery condition — or a signed NFT representing loan disbursement confirmation. If conditions aren't met by epoch N, a timelock fallback returns funds to the originator. The pattern SRWA is building toward for on-chain RWA loan origination. Scrypto component required.
A KYC issuer (a licensed entity) issues non-fungible Verified NFTs to approved wallets. The withdrawal rule checks require(kyc_nft from approved_issuer). If the issuer revokes the NFT — compliance failure, AML flag, regulatory instruction — future withdrawals are blocked atomically. Existing funds remain safe but non-transferable until a new NFT is issued. The pattern Radix's compliance primitives are designed for.
Every configuration in the organisation tier is achievable on other chains — but only by deploying and auditing custom contracts. On Radix, the primitive is the platform.
— The structural advantage, plainly stated§ 04 — Series navigation