Agentic Trading: When Your AI Agent Manages Real Positions

AI agents have moved from summarizing markets to acting in them. What agentic finance actually looks like in practice, where the real risks sit, and how scoped, self-custodial access makes it workable.

For the past two years, the relationship between AI assistants and your portfolio was read-only at best. You could paste in a screenshot and ask what to think. The agent could reason about markets; it just couldn't touch them. That line has now moved. Agents can hold scoped credentials, read live account state, and route real orders — and the interesting question has shifted from can they to under what controls should they.

I've been running an agent against a live trading account for a while now, and the experience is different from what both the hype and the skepticism suggest. It is not a money printer, and it is not a runaway robot. Done properly, it feels like hiring an extremely fast analyst who can also press the button — but only the buttons you explicitly handed over, with you confirming the ones that matter.

What Agentic Trading Actually Means

Agentic trading is an AI agent participating in the full trading loop: reading your balances and positions, pulling market data, reasoning about what it sees, and executing or managing orders — through natural language instead of a trading terminal. Agentic finance is the broader version of the same idea applied to payments, treasury, and portfolio operations.

The unlock was not a smarter model. It was plumbing. The Model Context Protocol (MCP) gave agents a standard way to connect to external tools, and once trading venues exposed MCP servers, any compatible agent — Claude, ChatGPT, or an open-source client — could connect to an account the same way it connects to a calendar or a code repository.

That standardization matters more than it sounds. Before MCP, every "AI trading" product was a closed bot with its own model, its own strategy, and your funds on its balance sheet. With MCP, the agent, the account, and the venue are separate parts you compose — and you can revoke any one of them without touching the others.

What An Agent Can Do With A Trading Account

Connected to a live account, a competent agent handles the work that is tedious for humans and trivial for machines:

  • Account context on demand. "What's my exposure right now?" returns positions, margin, open orders, and recent fills — no app-switching, no squinting at a position screen.
  • Funding and cost audits. "Which position is costing me the most in funding? Should I close it?" is exactly the kind of cross-referencing agents are better at than people.
  • Market scans. Mid prices, funding rates, leverage caps, and minimum sizes across hundreds of markets, summarized against your actual positions.
  • Order preparation. "Short ETH, 3x, stop above the local high" becomes a structured order with size, leverage, and TP/SL — laid out for review before anything executes.
  • Position management. Tightening stops, scaling out, closing what hit its thesis — the maintenance work that gets skipped when you're busy.

What agents are not good at is conviction. They will happily build a case for whatever direction you nudge them toward. The honest division of labor in 2026: the human owns the thesis and risk appetite, the agent owns the monitoring, arithmetic, and execution hygiene.

The Architecture That Makes It Safe — Orus As The Worked Example

The reason agentic trading was a bad idea until recently is that the early versions got custody backwards: you gave a bot your API keys or your funds, and hoped. The current architecture inverts that. Orus, the MCP server that connects AI agents to a Farao account, is a clean example of what the safe pattern looks like:

  • Keys never reach the agent. Farao is self-custodial, and the agent only ever holds a session token — private keys stay in secure infrastructure, never in the model's context.
  • Scoped permissions. When you approve the connection from the Farao app, OAuth scopes define exactly what the agent can request. Read-only access is a real option; an agent that can check funding but not trade is a perfectly good setup.
  • Two-step execution. Trading actions are prepared first — validated, priced, and summarized — and nothing reaches the venue until the prepared action is confirmed. The agent proposes; confirmation is a separate, deliberate step.
  • Revocation and audit. Connected sessions are listed in the app and can be revoked instantly, and every write action traces back to the user, the grant, the request, and the resulting order.

Under the hood, trades route to Hyperliquid's onchain order book across 300+ markets — crypto, tokenized stocks, commodities, indexes — so the agent gets the same market universe as the app, with the same self-custodial settlement.

The setup itself is one command in a terminal (claude mcp add --transport http orus https://orus.getfarao.com/mcp) or a pasted URL in an agent's connector settings, followed by an approval inside the Farao app. That approval step is the entire trust model: the venue asks you, not the agent, what to allow.

What It Feels Like In Practice

The workflows that stick are not "make me money while I sleep." They are narrower and more useful:

The morning check. One message — "anything I should know?" — returns overnight P&L, funding paid, positions drifting toward liquidation, and stops that no longer make sense. Two minutes instead of fifteen.

The disciplined entry. You bring the idea; the agent brings the checklist. It will not forget the stop-loss, fat-finger the size, or skip checking the funding rate before a swing entry — the mechanical errors that cost real money on phones at midnight.

The cost audit. Funding is the silent tax on perp positions. An agent that cross-references funding rates against your holding periods catches the position that quietly cost more to carry than it ever moved in your favor.

The guardrailed experiment. With trading scopes granted but confirmation required, you can let the agent propose trades for a week and approve only what survives your own judgment. It is a remarkably fast way to find out whether its reasoning adds anything to yours.

The Risks, Stated Plainly

Agentic trading inherits every risk of leveraged trading and adds new ones. The model can be confidently wrong, and fluent reasoning is not the same as good judgment. Prompt injection is a real attack surface: an agent that reads the open web and holds trading scopes needs a hard confirmation gate between its conclusions and your collateral. And convenience itself is a risk — making positions easier to open makes overtrading easier too.

The mitigations are the same controls described above: minimum necessary scopes, confirmation on every write, small allocations while you build trust, and revocation the moment something feels off. Treat an agent like a new hire on a trading desk — supervised access first, autonomy earned slowly, and never more authority than the damage you can absorb.
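The two-step execution and revocation pattern from the architecture section, and the hard confirmation gate called for above, sketched as an added example (not Orus or Farao code). The Gateway class, the scope names "account:read" and "trade:prepare", the 60-second expiry, and the order fields are all assumptions made for illustration.

```python
import hashlib, hmac, json, secrets, time

class ScopeError(PermissionError):
    """Session is unknown, revoked, or lacks the requested scope."""

class Gateway:
    TTL = 60  # seconds a prepared action stays confirmable (assumed value)

    def __init__(self):
        self.grants = {}   # session token -> user, scopes, revoked flag
        self.pending = {}  # action id -> prepared order awaiting confirmation
        self.audit = []    # one record per executed write

    def grant(self, user, scopes):
        token = secrets.token_urlsafe(16)
        self.grants[token] = {"user": user, "scopes": set(scopes), "revoked": False}
        return token

    def revoke(self, token):
        self.grants[token]["revoked"] = True

    def prepare(self, token, order, now=None):
        g = self.grants.get(token)
        if g is None or g["revoked"] or "trade:prepare" not in g["scopes"]:
            raise ScopeError("trade:prepare")
        # Bind the later confirmation to the exact order parameters.
        digest = hashlib.sha256(json.dumps(order, sort_keys=True).encode()).hexdigest()
        action_id = secrets.token_hex(8)
        self.pending[action_id] = {
            "token": token, "user": g["user"], "digest": digest,
            "expires": (time.time() if now is None else now) + self.TTL}
        return action_id, digest

    def confirm(self, user, action_id, digest, now=None):
        # Reached only from the user's app; no agent session token is accepted here.
        p = self.pending.pop(action_id, None)  # single use, even on failure
        if p is None:
            return None
        now = time.time() if now is None else now
        ok = (p["user"] == user and not self.grants[p["token"]]["revoked"]
              and now <= p["expires"] and hmac.compare_digest(p["digest"], digest))
        if not ok:
            return None
        order_id = "ord-" + secrets.token_hex(4)  # stand-in for the venue's order id
        self.audit.append({"user": user, "grant": p["token"][:6],
                           "request": action_id, "order": order_id})
        return order_id
```

Because confirm() takes the user identity and the digest of what was shown for review, text injected into the agent's context can at most cause a prepare() call; it cannot release an order, replay an old approval, or act through a revoked session.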

Frequently Asked Questions

What is agentic trading?

An AI agent participating directly in the trading loop — reading account state, analyzing markets, and preparing or executing orders through natural language, typically connected to a venue via the Model Context Protocol.

What is Orus?

Orus is the MCP server that connects a Farao account to AI agents like Claude or ChatGPT. It lets an agent read balances, positions, orders, fills, and market data, and route supported trading actions through your connected Farao session — with private keys never exposed to the agent.

Can the agent trade without my approval?

Only if you grant it that scope. The default pattern is two-step: the agent prepares an action and a separate confirmation releases it. Sessions are managed from the Farao app and can be revoked at any time.

Which AI agents work with this?

Any MCP-compatible client — Claude via the desktop app, claude.ai, or Claude Code, plus ChatGPT and other clients as their MCP support matures.

Is agentic trading safer than letting a bot trade for me?

It is a different model. Classic trading bots held your keys or funds and executed a fixed strategy. The agentic pattern keeps custody with you, scopes what the agent can do, and keeps a human confirmation in the loop — the risk shifts from counterparty failure to how much autonomy you choose to grant.

Does it cost anything?

Orus is free to connect. Normal venue trading fees and funding apply to any trades, the same as trading in the app directly.