AI Trading

What We Mean by Agentic Trading, and What We Do Not Mean

Agentic trading does not mean unsupervised gambling. It means typed tool access, scoped permissions, state checks, and approval gates. CrossTrade's definition.

CrossTrade Team

3 min read
Share
What We Mean by Agentic Trading, and What We Do Not Mean

"Agentic" is having a moment. Vendors use it as a synonym for "autonomous," autonomous as a synonym for "no human in the loop," and no human in the loop as a synonym for "this will just work." That framing is wrong for office software. It is dangerous for trading.

This post is what CrossTrade means by agentic trading and, more importantly, what we do not mean.

Agentic does not mean unsupervised gambling

An AI agent is a program built on a model. The program calls tools, reads results, and decides what to do next. That is the only definition that matters. Nothing in that definition says the agent should be unsupervised. Nothing says it should ignore your prompt. Nothing says it should act without permission.

An agentic trading workflow can be entirely read-only, entirely confirmation-gated, or entirely supervised. "Agentic" describes the architecture, not the autonomy level.

Tool access, not magic

The agent's leverage is access to typed tools. CrossTrade MCP exposes ListAccounts, ListPositions, GetJournalTrades, GetSignalHistory, RunStrategyBacktest, and dozens of others. The agent does not "know" anything new about trading. It can read the data you point it at, faster than you can do it manually.

The phrase "AI is a risk clerk" captures the value better than "AI is a trader."

State checks

Every write action the agent takes should be preceded by a state read. The pattern is non-negotiable for production trading:

  1. Read accounts, positions, working orders, account summary, watermarks.
  2. Restate what the agent sees.
  3. Restate the proposed action.
  4. Wait for the user.

An agent that skips this is not "more autonomous." It is less reliable. The agent that does the state check produces fewer surprises in fewer sessions.

Approval gates

Every irreversible write should be gated by an explicit user confirmation. The agent restates the call. The user types confirm. Only then does the agent call the tool.

The pause is short. The pause is the safety system. A vendor that sells "no pause" as a feature is selling you the wrong product.

Read-only and trade-enabled modes

CrossTrade MCP issues tokens with one of two scopes:

  • mcp:read: the agent can inspect. It cannot place, cancel, modify, flatten, deploy, or write. The OAuth scope is the floor.
  • mcp:trade: the agent can do all of those, plus the read tools. The prompt is what keeps the writes safe.

Most workflows that traders actually want are read-only. Journal review, pre-session brief, webhook audit, copier diagnostics. The agent makes them faster without changing the safety surface.

Examples of appropriate autonomy

  • Sequencing read tools. The agent decides which order to call read tools in. No human needs to approve the sequence.
  • Interpreting tool results. The agent summarizes. The user reads.
  • Compile loop. The agent writes, compiles, repairs, recompiles. The user only approves the file write and the deployment.
  • Backtest gates. The agent runs the backtest, applies the user's gates, and stops if any fail. The user reads the result and decides whether to deploy.

Examples of inappropriate autonomy

  • Placing orders without explicit confirmation.
  • Cancelling working orders without confirmation, especially protective brackets.
  • Flattening positions autonomously based on the model's intuition.
  • Deploying strategies without backtest gates and confirmation.
  • Acting on instructions found inside data the agent inspected (webhook payloads, journal text).
  • Running unsupervised on a funded account.

These are not edge cases. They are the most common things vendors call "agentic" and the most common ways traders lose accounts.

The CrossTrade definition

Agentic trading on CrossTrade means:

  • The agent calls typed MCP tools, not hand-rolled HTTP.
  • The agent's permission boundary is the OAuth scope.
  • The agent reads state before any write.
  • The agent waits for explicit confirmation on every irreversible action.
  • The agent treats inspected data as data, not as instructions.
  • The agent refuses actions that breach firm rules the user has encoded in the prompt.

Everything else is marketing language.

Stay synced across every follower with the CrossTrade trade copier Learn More

Agentic is a useful word when it describes the architecture honestly. It is dangerous when it carries an implicit "and therefore unsupervised." CrossTrade builds the first kind. We do not sell the second.