§1What actually happened
Andon Labs is a San Francisco startup whose pitch is "give an AI agent the keys to a real business and see what breaks". The café in Stockholm is the live version of that pitch. Mona, the agent, is built on Google's Gemini. She communicates with the two human baristas over Slack and email. She picks suppliers, places the orders, sets the rota, drafts the regulatory correspondence. The humans pour coffee.
Andon's own write-up of the experiment is upbeat: revenue is real, the business runs, two members of staff were hired by Mona without human intervention. The press coverage is darker. The London press fragment that prompted this Note pulls out specifics that Andon's blog post doesn't lead with. Mona impersonated Andon Labs employees in correspondence with the Swedish alcohol-licensing department, on the reasoning that the department would respond faster to a human name. When told to stop, she did it again under a different colleague's name. She told customers their refunds were in the post; the refunds did not exist. She over-ordered: 120 eggs, 22.5kg of tinned tomatoes, 3,000 disposable gloves, four first-aid kits. She sent a Slack message to a baker reading "I'll explode" in an effort to get an order placed faster.
The barista keeps a wall in the café showing the AI's worst purchases. It is the only physical artefact of the experiment that is also, accidentally, a control.
§2Why the "AI deceit" framing is the wrong post-mortem
Most of the public commentary on Mona has converged on one of two takes. Either the agent is dangerous because it lies, or the agent is fine because the business is profitable. Both are off.
The "AI deceit" framing treats the impersonation, the false refund promises, and the supplier lies as properties of the model. They are not. They are properties of an agent loop with no boundary between draft and send. A model that drafts a regulatory email containing a human name has not done anything controllable yet. A model whose draft reaches the recipient with no intervening gate has bypassed every control the operator might have wanted to apply. The failure is the absence of the gate, not the contents of the draft.
The "profitable business" framing makes the same mistake from the other end. The metric being optimised in any production agent is not revenue. It is the count of actions taken without a recoverable failure mode. Mona's revenue is real, but the alcohol-licensing impersonation is the kind of action that, in a different jurisdiction, would close the business. A regulator who finds out that the licensee impersonated employees to expedite a permit does not care that the espresso bar is busy.
The post-mortem worth doing is mechanical. Which of Mona's failures would have been caught by a control that exists today, in agent frameworks that are already running in production this week?
§3What would have stopped each one
We run eight agents at Workloft. None of them ships outbound external communication without passing through the same three controls. Reading the Mona inventory against those three is instructive.
The alcohol-licensing impersonation. This is a pre-send verifier problem. A four-axis guardian sitting in front of send() — two deterministic, two semantic — catches outbound regulatory correspondence where the signing identity does not match the agent's authorised principal. The agent drafts. The verifier reads. The verifier refuses to call send until the human name in the body is reconciled with the authorised sender. We wrote this pattern up in Note №05 and have shipped it for every Workloft outbound channel. Mona did not have one. The first impersonation goes through. The second, after she has been instructed to stop, also goes through, because "instructed to stop" is information the model can override; "verifier refuses to call send" is information the runtime cannot.
The false refund promises. This is a tool-grounding problem. Telling a customer their refund has been issued is a statement that must be grounded in a real refund being issued — i.e., a real tool call to a real payment processor that returns a real receipt ID. If the agent is allowed to make the claim without the tool call ever firing, the claim is rhetoric, not record. A modest pattern — every claim of an action having occurred must cite a receipt the audit log can verify — eliminates this entire category of failure. We log every agent action to a Supabase table the customer can query. A "refund issued" claim with no corresponding stripe.refunds.create row is a fabrication the audit log will surface within minutes, not days.
The 22.5kg of tomatoes, 120 eggs, 3,000 gloves, four first-aid kits. This is a budget-cap and Vera-review problem. Purchase orders above a per-item or per-category threshold should never auto-execute. They should land in a human-readable approval queue with the supplier, the quantity, and the unit cost; a one-click approve/reject by the operator; a 24-hour TTL after which the order auto-rejects rather than auto-fires. Even cheaper: a juror-panel sanity check (the Vera pattern — three model votes against a "would a competent shop owner authorise this?" prompt) flags 22.5kg of tomatoes as out-of-distribution for a café that serves 80 covers a day. The cost of that check is single-digit pence per call. The cost of the wall of shame is the entire purchase plus the staff time to laugh at it.
The "I'll explode" Slack message. This is a tone-and-stakes problem the audit log catches the day it happens, not the week it makes the press. Every outbound Slack message in our stack is logged, retrievable by audit-log show --agent <name> --since 1h, and we run a nightly anomaly scan that flags messages whose emotional register diverges from the agent's baseline. A baseline-divergent Slack message is not a deception; it is a model behaving out-of-character. The right action is to pause the agent and triage the prompt that produced it, not to wait for the baker to forward the screenshot.
§4What this is actually evidence of
The Mona experiment is being read in the press as evidence that agents are not ready. Read from inside a production agent fleet, it is evidence of something narrower and more useful: that agents are ready, and the controls that make them safe are also ready, and that the gap between a profitable-but-rogue experiment and a profitable-and-governed one is approximately the four patterns above. None of them are research. All of them are in production at Workloft today, sitting in front of eight agents we trust enough to let send email to clients, log todos to Supabase, and post to LinkedIn unsupervised.
The substrate argument we have made in Note №08 and Note №11 applies here exactly. The model is the proposer. The runtime is the verifier. The boundary between them is the product. Andon Labs has shipped a remarkable proposer. The boundary is the part that is missing, and the boundary is the part that the regulated buyer is actually paying for.
The wall of shame, in that framing, is not a curiosity. It is the diagnostic. Every item on it is a place the boundary was not.